Add generated code from adding spec fields to CredentialIssuer.

Signed-off-by: Matt Moyer <moyerm@vmware.com>

deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -36,8 +36,83 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            default:
+              impersonationProxy:
+                mode: disabled
+                service:
+                  type: LoadBalancer
+            description: Spec describes the intended configuration of the Concierge.
+            properties:
+              impersonationProxy:
+                default:
+                  mode: disabled
+                  service:
+                    type: LoadBalancer
+                description: ImpersonationProxy describes the intended configuration
+                  of the Concierge impersonation proxy.
+                properties:
+                  externalEndpoint:
+                    description: "ExternalEndpoint describes the HTTPS endpoint where
+                      the proxy will be exposed. If the proxy is enabled and this
+                      field is not set, a Service of type LoadBalancer will be automatically
+                      provisioned and its external name will be advertised. \n Setting
+                      this field disables the automatic creation of this LoadBalancer
+                      Service."
+                    type: string
+                  mode:
+                    default: disabled
+                    description: 'Mode configures whether the impersonation proxy
+                      should be started: - "disabled" explicitly disables the impersonation
+                      proxy. This is the default. - "enabled" explicitly enables the
+                      impersonation proxy. - "auto" enables or disables the impersonation
+                      proxy based upon the cluster in which it is running.'
+                    enum:
+                    - auto
+                    - enabled
+                    - disabled
+                    type: string
+                  service:
+                    default:
+                      type: LoadBalancer
+                    description: Service describes the configuraiton
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations specifies zero or more key/value
+                          pairs to set as annotations on the provisioned Service.
+                        type: object
+                      loadBalancerIP:
+                        description: LoadBalancerIP specifies the IP address to set
+                          in the spec.loadBalancerIP field of the provisioned Service.
+                          This is not supported on all cloud providers.
+                        maxLength: 255
+                        minLength: 1
+                        type: string
+                      type:
+                        default: LoadBalancer
+                        description: "Type specifies the type of Service to provision
+                          for the impersonation proxy. \n If the type is \"None\",
+                          then the \"spec.impersonationProxy.externalEndpoint\" field
+                          must be set to a non-empty value so that the Concierge can
+                          properly advertise the endpoint in the CredentialIssuer's
+                          status."
+                        enum:
+                        - LoadBalancer
+                        - ClusterIP
+                        - None
+                        type: string
+                    type: object
+                required:
+                - mode
+                - service
+                type: object
+            required:
+            - impersonationProxy
+            type: object
           status:
-            description: Status of the credential issuer.
+            description: CredentialIssuerStatus describes the status of the Concierge.
             properties:
               kubeConfigInfo:
                 description: Information needed to form a valid Pinniped-based kubeconfig

generated/1.17/README.adoc

@@ -232,7 +232,8 @@ CredentialIssuer describes the configuration and status of the Pinniped Concierg
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]__ | Spec describes the intended configuration of the Concierge.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | CredentialIssuerStatus describes the status of the Concierge.
 |===
 
 
@@ -275,6 +276,23 @@ CredentialIssuer describes the configuration and status of the Pinniped Concierg
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerspec"]
+==== CredentialIssuerSpec 
+
+CredentialIssuerSpec describes the intended configuration of the Concierge.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`impersonationProxy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]__ | ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus"]
 ==== CredentialIssuerStatus 
 
@@ -333,6 +351,70 @@ CredentialIssuerStatus describes the status of the Concierge.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxymode"]
+==== ImpersonationProxyMode (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec"]
+==== ImpersonationProxyServiceSpec 
+
+ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __ImpersonationProxyServiceType__ | Type specifies the type of Service to provision for the impersonation proxy. 
+ If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+| *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers.
+| *`annotations`* __object (keys:string, values:string)__ | Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicetype"]
+==== ImpersonationProxyServiceType (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec"]
+==== ImpersonationProxySpec 
+
+ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`mode`* __ImpersonationProxyMode__ | Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+| *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuraiton
+| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If the proxy is enabled and this field is not set, a Service of type LoadBalancer will be automatically provisioned and its external name will be advertised. 
+ Setting this field disables the automatic creation of this LoadBalancer Service.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-tokencredentialrequestapiinfo"]
 ==== TokenCredentialRequestAPIInfo 
 

generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -3,7 +3,9 @@
 
 package v1alpha1
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
 // StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.
 // +kubebuilder:validation:Enum=KubeClusterSigningCertificate;ImpersonationProxy
@@ -40,6 +42,95 @@ const (
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
 )
 
+// CredentialIssuerSpec describes the intended configuration of the Concierge.
+type CredentialIssuerSpec struct {
+	// ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+	//
+	//+kubebuilder:default:={"mode": "disabled", "service": {"type": "LoadBalancer"}}
+	ImpersonationProxy ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
+// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=auto;enabled;disabled
+type ImpersonationProxyMode string
+
+const (
+	// ImpersonationProxyModeDisabled explicitly disables the impersonation proxy.
+	ImpersonationProxyModeDisabled = ImpersonationProxyMode("disabled")
+
+	// ImpersonationProxyModeEnabled explicitly enables the impersonation proxy.
+	ImpersonationProxyModeEnabled = ImpersonationProxyMode("enabled")
+
+	// ImpersonationProxyModeAuto enables or disables the impersonation proxy based upon the cluster in which it is running.
+	ImpersonationProxyModeAuto = ImpersonationProxyMode("auto")
+)
+
+// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
+type ImpersonationProxyServiceType string
+
+const (
+	// ImpersonationProxyServiceTypeLoadBalancer provisions a service of type LoadBalancer.
+	ImpersonationProxyServiceTypeLoadBalancer = ImpersonationProxyServiceType("LoadBalancer")
+
+	// ImpersonationProxyServiceTypeClusterIP provisions a service of type ClusterIP.
+	ImpersonationProxyServiceTypeClusterIP = ImpersonationProxyServiceType("ClusterIP")
+
+	// ImpersonationProxyServiceTypeNone does not automatically provision any service.
+	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
+)
+
+// ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+type ImpersonationProxySpec struct {
+	// Mode configures whether the impersonation proxy should be started:
+	// - "disabled" explicitly disables the impersonation proxy. This is the default.
+	// - "enabled" explicitly enables the impersonation proxy.
+	// - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+	//
+	// +kubebuilder:default:="disabled"
+	Mode ImpersonationProxyMode `json:"mode"`
+
+	// Service describes the configuraiton
+	//
+	// +kubebuilder:default:={"type": "LoadBalancer"}
+	Service ImpersonationProxyServiceSpec `json:"service"`
+
+	// ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If the proxy is enabled and this
+	// field is not set, a Service of type LoadBalancer will be automatically provisioned and its external name will be
+	// advertised.
+	//
+	// Setting this field disables the automatic creation of this LoadBalancer Service.
+	//
+	// +optional
+	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+}
+
+// ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+type ImpersonationProxyServiceSpec struct {
+	// Type specifies the type of Service to provision for the impersonation proxy.
+	//
+	// If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
+	// value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+	//
+	// +kubebuilder:default:="LoadBalancer"
+	Type ImpersonationProxyServiceType `json:"type,omitempty"`
+
+	// LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
+	// This is not supported on all cloud providers.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +optional
+	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`
+
+	// Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+	//
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
 // CredentialIssuerStatus describes the status of the Concierge.
 type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
@@ -134,7 +225,14 @@ type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Status of the credential issuer.
+	// Spec describes the intended configuration of the Concierge.
+	//
+	// +optional
+	// +kubebuilder:default:={"impersonationProxy": {"mode": "disabled", "service": {"type": "LoadBalancer"}}}
+	Spec CredentialIssuerSpec `json:"spec"`
+
+	// CredentialIssuerStatus describes the status of the Concierge.
+	//
 	// +optional
 	Status CredentialIssuerStatus `json:"status"`
 }

generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -16,6 +16,7 @@ func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
@@ -113,6 +114,23 @@ func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec) {
+	*out = *in
+	in.ImpersonationProxy.DeepCopyInto(&out.ImpersonationProxy)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
+func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
@@ -179,6 +197,46 @@ func (in *ImpersonationProxyInfo) DeepCopy() *ImpersonationProxyInfo {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyServiceSpec) DeepCopyInto(out *ImpersonationProxyServiceSpec) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyServiceSpec.
+func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyServiceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
+	*out = *in
+	in.Service.DeepCopyInto(&out.Service)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
+func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -36,8 +36,83 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            default:
+              impersonationProxy:
+                mode: disabled
+                service:
+                  type: LoadBalancer
+            description: Spec describes the intended configuration of the Concierge.
+            properties:
+              impersonationProxy:
+                default:
+                  mode: disabled
+                  service:
+                    type: LoadBalancer
+                description: ImpersonationProxy describes the intended configuration
+                  of the Concierge impersonation proxy.
+                properties:
+                  externalEndpoint:
+                    description: "ExternalEndpoint describes the HTTPS endpoint where
+                      the proxy will be exposed. If the proxy is enabled and this
+                      field is not set, a Service of type LoadBalancer will be automatically
+                      provisioned and its external name will be advertised. \n Setting
+                      this field disables the automatic creation of this LoadBalancer
+                      Service."
+                    type: string
+                  mode:
+                    default: disabled
+                    description: 'Mode configures whether the impersonation proxy
+                      should be started: - "disabled" explicitly disables the impersonation
+                      proxy. This is the default. - "enabled" explicitly enables the
+                      impersonation proxy. - "auto" enables or disables the impersonation
+                      proxy based upon the cluster in which it is running.'
+                    enum:
+                    - auto
+                    - enabled
+                    - disabled
+                    type: string
+                  service:
+                    default:
+                      type: LoadBalancer
+                    description: Service describes the configuraiton
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations specifies zero or more key/value
+                          pairs to set as annotations on the provisioned Service.
+                        type: object
+                      loadBalancerIP:
+                        description: LoadBalancerIP specifies the IP address to set
+                          in the spec.loadBalancerIP field of the provisioned Service.
+                          This is not supported on all cloud providers.
+                        maxLength: 255
+                        minLength: 1
+                        type: string
+                      type:
+                        default: LoadBalancer
+                        description: "Type specifies the type of Service to provision
+                          for the impersonation proxy. \n If the type is \"None\",
+                          then the \"spec.impersonationProxy.externalEndpoint\" field
+                          must be set to a non-empty value so that the Concierge can
+                          properly advertise the endpoint in the CredentialIssuer's
+                          status."
+                        enum:
+                        - LoadBalancer
+                        - ClusterIP
+                        - None
+                        type: string
+                    type: object
+                required:
+                - mode
+                - service
+                type: object
+            required:
+            - impersonationProxy
+            type: object
           status:
-            description: Status of the credential issuer.
+            description: CredentialIssuerStatus describes the status of the Concierge.
             properties:
               kubeConfigInfo:
                 description: Information needed to form a valid Pinniped-based kubeconfig

generated/1.18/README.adoc

@@ -232,7 +232,8 @@ CredentialIssuer describes the configuration and status of the Pinniped Concierg
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]__ | Spec describes the intended configuration of the Concierge.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | CredentialIssuerStatus describes the status of the Concierge.
 |===
 
 
@@ -275,6 +276,23 @@ CredentialIssuer describes the configuration and status of the Pinniped Concierg
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerspec"]
+==== CredentialIssuerSpec 
+
+CredentialIssuerSpec describes the intended configuration of the Concierge.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`impersonationProxy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]__ | ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus"]
 ==== CredentialIssuerStatus 
 
@@ -333,6 +351,70 @@ CredentialIssuerStatus describes the status of the Concierge.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxymode"]
+==== ImpersonationProxyMode (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicespec"]
+==== ImpersonationProxyServiceSpec 
+
+ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __ImpersonationProxyServiceType__ | Type specifies the type of Service to provision for the impersonation proxy. 
+ If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+| *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers.
+| *`annotations`* __object (keys:string, values:string)__ | Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicetype"]
+==== ImpersonationProxyServiceType (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec"]
+==== ImpersonationProxySpec 
+
+ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`mode`* __ImpersonationProxyMode__ | Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+| *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuraiton
+| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If the proxy is enabled and this field is not set, a Service of type LoadBalancer will be automatically provisioned and its external name will be advertised. 
+ Setting this field disables the automatic creation of this LoadBalancer Service.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-tokencredentialrequestapiinfo"]
 ==== TokenCredentialRequestAPIInfo 
 

generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -3,7 +3,9 @@
 
 package v1alpha1
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
 // StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.
 // +kubebuilder:validation:Enum=KubeClusterSigningCertificate;ImpersonationProxy
@@ -40,6 +42,95 @@ const (
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
 )
 
+// CredentialIssuerSpec describes the intended configuration of the Concierge.
+type CredentialIssuerSpec struct {
+	// ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+	//
+	//+kubebuilder:default:={"mode": "disabled", "service": {"type": "LoadBalancer"}}
+	ImpersonationProxy ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
+// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=auto;enabled;disabled
+type ImpersonationProxyMode string
+
+const (
+	// ImpersonationProxyModeDisabled explicitly disables the impersonation proxy.
+	ImpersonationProxyModeDisabled = ImpersonationProxyMode("disabled")
+
+	// ImpersonationProxyModeEnabled explicitly enables the impersonation proxy.
+	ImpersonationProxyModeEnabled = ImpersonationProxyMode("enabled")
+
+	// ImpersonationProxyModeAuto enables or disables the impersonation proxy based upon the cluster in which it is running.
+	ImpersonationProxyModeAuto = ImpersonationProxyMode("auto")
+)
+
+// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
+type ImpersonationProxyServiceType string
+
+const (
+	// ImpersonationProxyServiceTypeLoadBalancer provisions a service of type LoadBalancer.
+	ImpersonationProxyServiceTypeLoadBalancer = ImpersonationProxyServiceType("LoadBalancer")
+
+	// ImpersonationProxyServiceTypeClusterIP provisions a service of type ClusterIP.
+	ImpersonationProxyServiceTypeClusterIP = ImpersonationProxyServiceType("ClusterIP")
+
+	// ImpersonationProxyServiceTypeNone does not automatically provision any service.
+	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
+)
+
+// ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+type ImpersonationProxySpec struct {
+	// Mode configures whether the impersonation proxy should be started:
+	// - "disabled" explicitly disables the impersonation proxy. This is the default.
+	// - "enabled" explicitly enables the impersonation proxy.
+	// - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+	//
+	// +kubebuilder:default:="disabled"
+	Mode ImpersonationProxyMode `json:"mode"`
+
+	// Service describes the configuraiton
+	//
+	// +kubebuilder:default:={"type": "LoadBalancer"}
+	Service ImpersonationProxyServiceSpec `json:"service"`
+
+	// ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If the proxy is enabled and this
+	// field is not set, a Service of type LoadBalancer will be automatically provisioned and its external name will be
+	// advertised.
+	//
+	// Setting this field disables the automatic creation of this LoadBalancer Service.
+	//
+	// +optional
+	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+}
+
+// ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+type ImpersonationProxyServiceSpec struct {
+	// Type specifies the type of Service to provision for the impersonation proxy.
+	//
+	// If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
+	// value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+	//
+	// +kubebuilder:default:="LoadBalancer"
+	Type ImpersonationProxyServiceType `json:"type,omitempty"`
+
+	// LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
+	// This is not supported on all cloud providers.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +optional
+	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`
+
+	// Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+	//
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
 // CredentialIssuerStatus describes the status of the Concierge.
 type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
@@ -134,7 +225,14 @@ type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Status of the credential issuer.
+	// Spec describes the intended configuration of the Concierge.
+	//
+	// +optional
+	// +kubebuilder:default:={"impersonationProxy": {"mode": "disabled", "service": {"type": "LoadBalancer"}}}
+	Spec CredentialIssuerSpec `json:"spec"`
+
+	// CredentialIssuerStatus describes the status of the Concierge.
+	//
 	// +optional
 	Status CredentialIssuerStatus `json:"status"`
 }

generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -16,6 +16,7 @@ func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
@@ -113,6 +114,23 @@ func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec) {
+	*out = *in
+	in.ImpersonationProxy.DeepCopyInto(&out.ImpersonationProxy)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
+func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
@@ -179,6 +197,46 @@ func (in *ImpersonationProxyInfo) DeepCopy() *ImpersonationProxyInfo {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyServiceSpec) DeepCopyInto(out *ImpersonationProxyServiceSpec) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyServiceSpec.
+func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyServiceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
+	*out = *in
+	in.Service.DeepCopyInto(&out.Service)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
+func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -36,8 +36,83 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            default:
+              impersonationProxy:
+                mode: disabled
+                service:
+                  type: LoadBalancer
+            description: Spec describes the intended configuration of the Concierge.
+            properties:
+              impersonationProxy:
+                default:
+                  mode: disabled
+                  service:
+                    type: LoadBalancer
+                description: ImpersonationProxy describes the intended configuration
+                  of the Concierge impersonation proxy.
+                properties:
+                  externalEndpoint:
+                    description: "ExternalEndpoint describes the HTTPS endpoint where
+                      the proxy will be exposed. If the proxy is enabled and this
+                      field is not set, a Service of type LoadBalancer will be automatically
+                      provisioned and its external name will be advertised. \n Setting
+                      this field disables the automatic creation of this LoadBalancer
+                      Service."
+                    type: string
+                  mode:
+                    default: disabled
+                    description: 'Mode configures whether the impersonation proxy
+                      should be started: - "disabled" explicitly disables the impersonation
+                      proxy. This is the default. - "enabled" explicitly enables the
+                      impersonation proxy. - "auto" enables or disables the impersonation
+                      proxy based upon the cluster in which it is running.'
+                    enum:
+                    - auto
+                    - enabled
+                    - disabled
+                    type: string
+                  service:
+                    default:
+                      type: LoadBalancer
+                    description: Service describes the configuraiton
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations specifies zero or more key/value
+                          pairs to set as annotations on the provisioned Service.
+                        type: object
+                      loadBalancerIP:
+                        description: LoadBalancerIP specifies the IP address to set
+                          in the spec.loadBalancerIP field of the provisioned Service.
+                          This is not supported on all cloud providers.
+                        maxLength: 255
+                        minLength: 1
+                        type: string
+                      type:
+                        default: LoadBalancer
+                        description: "Type specifies the type of Service to provision
+                          for the impersonation proxy. \n If the type is \"None\",
+                          then the \"spec.impersonationProxy.externalEndpoint\" field
+                          must be set to a non-empty value so that the Concierge can
+                          properly advertise the endpoint in the CredentialIssuer's
+                          status."
+                        enum:
+                        - LoadBalancer
+                        - ClusterIP
+                        - None
+                        type: string
+                    type: object
+                required:
+                - mode
+                - service
+                type: object
+            required:
+            - impersonationProxy
+            type: object
           status:
-            description: Status of the credential issuer.
+            description: CredentialIssuerStatus describes the status of the Concierge.
             properties:
               kubeConfigInfo:
                 description: Information needed to form a valid Pinniped-based kubeconfig

generated/1.19/README.adoc

@@ -232,7 +232,8 @@ CredentialIssuer describes the configuration and status of the Pinniped Concierg
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]__ | Spec describes the intended configuration of the Concierge.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | CredentialIssuerStatus describes the status of the Concierge.
 |===
 
 
@@ -275,6 +276,23 @@ CredentialIssuer describes the configuration and status of the Pinniped Concierg
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerspec"]
+==== CredentialIssuerSpec 
+
+CredentialIssuerSpec describes the intended configuration of the Concierge.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`impersonationProxy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]__ | ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus"]
 ==== CredentialIssuerStatus 
 
@@ -333,6 +351,70 @@ CredentialIssuerStatus describes the status of the Concierge.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxymode"]
+==== ImpersonationProxyMode (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyservicespec"]
+==== ImpersonationProxyServiceSpec 
+
+ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __ImpersonationProxyServiceType__ | Type specifies the type of Service to provision for the impersonation proxy. 
+ If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+| *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers.
+| *`annotations`* __object (keys:string, values:string)__ | Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyservicetype"]
+==== ImpersonationProxyServiceType (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyspec"]
+==== ImpersonationProxySpec 
+
+ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`mode`* __ImpersonationProxyMode__ | Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+| *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuraiton
+| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If the proxy is enabled and this field is not set, a Service of type LoadBalancer will be automatically provisioned and its external name will be advertised. 
+ Setting this field disables the automatic creation of this LoadBalancer Service.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-tokencredentialrequestapiinfo"]
 ==== TokenCredentialRequestAPIInfo 
 

generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -3,7 +3,9 @@
 
 package v1alpha1
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
 // StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.
 // +kubebuilder:validation:Enum=KubeClusterSigningCertificate;ImpersonationProxy
@@ -40,6 +42,95 @@ const (
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
 )
 
+// CredentialIssuerSpec describes the intended configuration of the Concierge.
+type CredentialIssuerSpec struct {
+	// ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+	//
+	//+kubebuilder:default:={"mode": "disabled", "service": {"type": "LoadBalancer"}}
+	ImpersonationProxy ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
+// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=auto;enabled;disabled
+type ImpersonationProxyMode string
+
+const (
+	// ImpersonationProxyModeDisabled explicitly disables the impersonation proxy.
+	ImpersonationProxyModeDisabled = ImpersonationProxyMode("disabled")
+
+	// ImpersonationProxyModeEnabled explicitly enables the impersonation proxy.
+	ImpersonationProxyModeEnabled = ImpersonationProxyMode("enabled")
+
+	// ImpersonationProxyModeAuto enables or disables the impersonation proxy based upon the cluster in which it is running.
+	ImpersonationProxyModeAuto = ImpersonationProxyMode("auto")
+)
+
+// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
+type ImpersonationProxyServiceType string
+
+const (
+	// ImpersonationProxyServiceTypeLoadBalancer provisions a service of type LoadBalancer.
+	ImpersonationProxyServiceTypeLoadBalancer = ImpersonationProxyServiceType("LoadBalancer")
+
+	// ImpersonationProxyServiceTypeClusterIP provisions a service of type ClusterIP.
+	ImpersonationProxyServiceTypeClusterIP = ImpersonationProxyServiceType("ClusterIP")
+
+	// ImpersonationProxyServiceTypeNone does not automatically provision any service.
+	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
+)
+
+// ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+type ImpersonationProxySpec struct {
+	// Mode configures whether the impersonation proxy should be started:
+	// - "disabled" explicitly disables the impersonation proxy. This is the default.
+	// - "enabled" explicitly enables the impersonation proxy.
+	// - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+	//
+	// +kubebuilder:default:="disabled"
+	Mode ImpersonationProxyMode `json:"mode"`
+
+	// Service describes the configuraiton
+	//
+	// +kubebuilder:default:={"type": "LoadBalancer"}
+	Service ImpersonationProxyServiceSpec `json:"service"`
+
+	// ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If the proxy is enabled and this
+	// field is not set, a Service of type LoadBalancer will be automatically provisioned and its external name will be
+	// advertised.
+	//
+	// Setting this field disables the automatic creation of this LoadBalancer Service.
+	//
+	// +optional
+	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+}
+
+// ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+type ImpersonationProxyServiceSpec struct {
+	// Type specifies the type of Service to provision for the impersonation proxy.
+	//
+	// If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
+	// value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+	//
+	// +kubebuilder:default:="LoadBalancer"
+	Type ImpersonationProxyServiceType `json:"type,omitempty"`
+
+	// LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
+	// This is not supported on all cloud providers.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +optional
+	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`
+
+	// Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+	//
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
 // CredentialIssuerStatus describes the status of the Concierge.
 type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
@@ -134,7 +225,14 @@ type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Status of the credential issuer.
+	// Spec describes the intended configuration of the Concierge.
+	//
+	// +optional
+	// +kubebuilder:default:={"impersonationProxy": {"mode": "disabled", "service": {"type": "LoadBalancer"}}}
+	Spec CredentialIssuerSpec `json:"spec"`
+
+	// CredentialIssuerStatus describes the status of the Concierge.
+	//
 	// +optional
 	Status CredentialIssuerStatus `json:"status"`
 }

generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -16,6 +16,7 @@ func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
@@ -113,6 +114,23 @@ func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec) {
+	*out = *in
+	in.ImpersonationProxy.DeepCopyInto(&out.ImpersonationProxy)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
+func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
@@ -179,6 +197,46 @@ func (in *ImpersonationProxyInfo) DeepCopy() *ImpersonationProxyInfo {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyServiceSpec) DeepCopyInto(out *ImpersonationProxyServiceSpec) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyServiceSpec.
+func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyServiceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
+	*out = *in
+	in.Service.DeepCopyInto(&out.Service)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
+func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -36,8 +36,83 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            default:
+              impersonationProxy:
+                mode: disabled
+                service:
+                  type: LoadBalancer
+            description: Spec describes the intended configuration of the Concierge.
+            properties:
+              impersonationProxy:
+                default:
+                  mode: disabled
+                  service:
+                    type: LoadBalancer
+                description: ImpersonationProxy describes the intended configuration
+                  of the Concierge impersonation proxy.
+                properties:
+                  externalEndpoint:
+                    description: "ExternalEndpoint describes the HTTPS endpoint where
+                      the proxy will be exposed. If the proxy is enabled and this
+                      field is not set, a Service of type LoadBalancer will be automatically
+                      provisioned and its external name will be advertised. \n Setting
+                      this field disables the automatic creation of this LoadBalancer
+                      Service."
+                    type: string
+                  mode:
+                    default: disabled
+                    description: 'Mode configures whether the impersonation proxy
+                      should be started: - "disabled" explicitly disables the impersonation
+                      proxy. This is the default. - "enabled" explicitly enables the
+                      impersonation proxy. - "auto" enables or disables the impersonation
+                      proxy based upon the cluster in which it is running.'
+                    enum:
+                    - auto
+                    - enabled
+                    - disabled
+                    type: string
+                  service:
+                    default:
+                      type: LoadBalancer
+                    description: Service describes the configuraiton
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations specifies zero or more key/value
+                          pairs to set as annotations on the provisioned Service.
+                        type: object
+                      loadBalancerIP:
+                        description: LoadBalancerIP specifies the IP address to set
+                          in the spec.loadBalancerIP field of the provisioned Service.
+                          This is not supported on all cloud providers.
+                        maxLength: 255
+                        minLength: 1
+                        type: string
+                      type:
+                        default: LoadBalancer
+                        description: "Type specifies the type of Service to provision
+                          for the impersonation proxy. \n If the type is \"None\",
+                          then the \"spec.impersonationProxy.externalEndpoint\" field
+                          must be set to a non-empty value so that the Concierge can
+                          properly advertise the endpoint in the CredentialIssuer's
+                          status."
+                        enum:
+                        - LoadBalancer
+                        - ClusterIP
+                        - None
+                        type: string
+                    type: object
+                required:
+                - mode
+                - service
+                type: object
+            required:
+            - impersonationProxy
+            type: object
           status:
-            description: Status of the credential issuer.
+            description: CredentialIssuerStatus describes the status of the Concierge.
             properties:
               kubeConfigInfo:
                 description: Information needed to form a valid Pinniped-based kubeconfig

generated/1.20/README.adoc

@@ -232,7 +232,8 @@ CredentialIssuer describes the configuration and status of the Pinniped Concierg
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]__ | Spec describes the intended configuration of the Concierge.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | CredentialIssuerStatus describes the status of the Concierge.
 |===
 
 
@@ -275,6 +276,23 @@ CredentialIssuer describes the configuration and status of the Pinniped Concierg
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerspec"]
+==== CredentialIssuerSpec 
+
+CredentialIssuerSpec describes the intended configuration of the Concierge.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`impersonationProxy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]__ | ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerstatus"]
 ==== CredentialIssuerStatus 
 
@@ -333,6 +351,70 @@ CredentialIssuerStatus describes the status of the Concierge.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxymode"]
+==== ImpersonationProxyMode (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyservicespec"]
+==== ImpersonationProxyServiceSpec 
+
+ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __ImpersonationProxyServiceType__ | Type specifies the type of Service to provision for the impersonation proxy. 
+ If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+| *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers.
+| *`annotations`* __object (keys:string, values:string)__ | Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyservicetype"]
+==== ImpersonationProxyServiceType (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyspec"]
+==== ImpersonationProxySpec 
+
+ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`mode`* __ImpersonationProxyMode__ | Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+| *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuraiton
+| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If the proxy is enabled and this field is not set, a Service of type LoadBalancer will be automatically provisioned and its external name will be advertised. 
+ Setting this field disables the automatic creation of this LoadBalancer Service.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-tokencredentialrequestapiinfo"]
 ==== TokenCredentialRequestAPIInfo 
 

generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -3,7 +3,9 @@
 
 package v1alpha1
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
 // StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.
 // +kubebuilder:validation:Enum=KubeClusterSigningCertificate;ImpersonationProxy
@@ -40,6 +42,95 @@ const (
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
 )
 
+// CredentialIssuerSpec describes the intended configuration of the Concierge.
+type CredentialIssuerSpec struct {
+	// ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+	//
+	//+kubebuilder:default:={"mode": "disabled", "service": {"type": "LoadBalancer"}}
+	ImpersonationProxy ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
+// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=auto;enabled;disabled
+type ImpersonationProxyMode string
+
+const (
+	// ImpersonationProxyModeDisabled explicitly disables the impersonation proxy.
+	ImpersonationProxyModeDisabled = ImpersonationProxyMode("disabled")
+
+	// ImpersonationProxyModeEnabled explicitly enables the impersonation proxy.
+	ImpersonationProxyModeEnabled = ImpersonationProxyMode("enabled")
+
+	// ImpersonationProxyModeAuto enables or disables the impersonation proxy based upon the cluster in which it is running.
+	ImpersonationProxyModeAuto = ImpersonationProxyMode("auto")
+)
+
+// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
+type ImpersonationProxyServiceType string
+
+const (
+	// ImpersonationProxyServiceTypeLoadBalancer provisions a service of type LoadBalancer.
+	ImpersonationProxyServiceTypeLoadBalancer = ImpersonationProxyServiceType("LoadBalancer")
+
+	// ImpersonationProxyServiceTypeClusterIP provisions a service of type ClusterIP.
+	ImpersonationProxyServiceTypeClusterIP = ImpersonationProxyServiceType("ClusterIP")
+
+	// ImpersonationProxyServiceTypeNone does not automatically provision any service.
+	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
+)
+
+// ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+type ImpersonationProxySpec struct {
+	// Mode configures whether the impersonation proxy should be started:
+	// - "disabled" explicitly disables the impersonation proxy. This is the default.
+	// - "enabled" explicitly enables the impersonation proxy.
+	// - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+	//
+	// +kubebuilder:default:="disabled"
+	Mode ImpersonationProxyMode `json:"mode"`
+
+	// Service describes the configuraiton
+	//
+	// +kubebuilder:default:={"type": "LoadBalancer"}
+	Service ImpersonationProxyServiceSpec `json:"service"`
+
+	// ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If the proxy is enabled and this
+	// field is not set, a Service of type LoadBalancer will be automatically provisioned and its external name will be
+	// advertised.
+	//
+	// Setting this field disables the automatic creation of this LoadBalancer Service.
+	//
+	// +optional
+	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+}
+
+// ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+type ImpersonationProxyServiceSpec struct {
+	// Type specifies the type of Service to provision for the impersonation proxy.
+	//
+	// If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
+	// value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+	//
+	// +kubebuilder:default:="LoadBalancer"
+	Type ImpersonationProxyServiceType `json:"type,omitempty"`
+
+	// LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
+	// This is not supported on all cloud providers.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +optional
+	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`
+
+	// Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+	//
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
 // CredentialIssuerStatus describes the status of the Concierge.
 type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
@@ -134,7 +225,14 @@ type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Status of the credential issuer.
+	// Spec describes the intended configuration of the Concierge.
+	//
+	// +optional
+	// +kubebuilder:default:={"impersonationProxy": {"mode": "disabled", "service": {"type": "LoadBalancer"}}}
+	Spec CredentialIssuerSpec `json:"spec"`
+
+	// CredentialIssuerStatus describes the status of the Concierge.
+	//
 	// +optional
 	Status CredentialIssuerStatus `json:"status"`
 }

generated/1.20/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -16,6 +16,7 @@ func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
@@ -113,6 +114,23 @@ func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec) {
+	*out = *in
+	in.ImpersonationProxy.DeepCopyInto(&out.ImpersonationProxy)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
+func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
@@ -179,6 +197,46 @@ func (in *ImpersonationProxyInfo) DeepCopy() *ImpersonationProxyInfo {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyServiceSpec) DeepCopyInto(out *ImpersonationProxyServiceSpec) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyServiceSpec.
+func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyServiceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
+	*out = *in
+	in.Service.DeepCopyInto(&out.Service)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
+func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -36,8 +36,83 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            default:
+              impersonationProxy:
+                mode: disabled
+                service:
+                  type: LoadBalancer
+            description: Spec describes the intended configuration of the Concierge.
+            properties:
+              impersonationProxy:
+                default:
+                  mode: disabled
+                  service:
+                    type: LoadBalancer
+                description: ImpersonationProxy describes the intended configuration
+                  of the Concierge impersonation proxy.
+                properties:
+                  externalEndpoint:
+                    description: "ExternalEndpoint describes the HTTPS endpoint where
+                      the proxy will be exposed. If the proxy is enabled and this
+                      field is not set, a Service of type LoadBalancer will be automatically
+                      provisioned and its external name will be advertised. \n Setting
+                      this field disables the automatic creation of this LoadBalancer
+                      Service."
+                    type: string
+                  mode:
+                    default: disabled
+                    description: 'Mode configures whether the impersonation proxy
+                      should be started: - "disabled" explicitly disables the impersonation
+                      proxy. This is the default. - "enabled" explicitly enables the
+                      impersonation proxy. - "auto" enables or disables the impersonation
+                      proxy based upon the cluster in which it is running.'
+                    enum:
+                    - auto
+                    - enabled
+                    - disabled
+                    type: string
+                  service:
+                    default:
+                      type: LoadBalancer
+                    description: Service describes the configuraiton
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations specifies zero or more key/value
+                          pairs to set as annotations on the provisioned Service.
+                        type: object
+                      loadBalancerIP:
+                        description: LoadBalancerIP specifies the IP address to set
+                          in the spec.loadBalancerIP field of the provisioned Service.
+                          This is not supported on all cloud providers.
+                        maxLength: 255
+                        minLength: 1
+                        type: string
+                      type:
+                        default: LoadBalancer
+                        description: "Type specifies the type of Service to provision
+                          for the impersonation proxy. \n If the type is \"None\",
+                          then the \"spec.impersonationProxy.externalEndpoint\" field
+                          must be set to a non-empty value so that the Concierge can
+                          properly advertise the endpoint in the CredentialIssuer's
+                          status."
+                        enum:
+                        - LoadBalancer
+                        - ClusterIP
+                        - None
+                        type: string
+                    type: object
+                required:
+                - mode
+                - service
+                type: object
+            required:
+            - impersonationProxy
+            type: object
           status:
-            description: Status of the credential issuer.
+            description: CredentialIssuerStatus describes the status of the Concierge.
             properties:
               kubeConfigInfo:
                 description: Information needed to form a valid Pinniped-based kubeconfig

generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -3,7 +3,9 @@
 
 package v1alpha1
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
 // StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.
 // +kubebuilder:validation:Enum=KubeClusterSigningCertificate;ImpersonationProxy
@@ -40,6 +42,95 @@ const (
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
 )
 
+// CredentialIssuerSpec describes the intended configuration of the Concierge.
+type CredentialIssuerSpec struct {
+	// ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+	//
+	//+kubebuilder:default:={"mode": "disabled", "service": {"type": "LoadBalancer"}}
+	ImpersonationProxy ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
+// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=auto;enabled;disabled
+type ImpersonationProxyMode string
+
+const (
+	// ImpersonationProxyModeDisabled explicitly disables the impersonation proxy.
+	ImpersonationProxyModeDisabled = ImpersonationProxyMode("disabled")
+
+	// ImpersonationProxyModeEnabled explicitly enables the impersonation proxy.
+	ImpersonationProxyModeEnabled = ImpersonationProxyMode("enabled")
+
+	// ImpersonationProxyModeAuto enables or disables the impersonation proxy based upon the cluster in which it is running.
+	ImpersonationProxyModeAuto = ImpersonationProxyMode("auto")
+)
+
+// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
+type ImpersonationProxyServiceType string
+
+const (
+	// ImpersonationProxyServiceTypeLoadBalancer provisions a service of type LoadBalancer.
+	ImpersonationProxyServiceTypeLoadBalancer = ImpersonationProxyServiceType("LoadBalancer")
+
+	// ImpersonationProxyServiceTypeClusterIP provisions a service of type ClusterIP.
+	ImpersonationProxyServiceTypeClusterIP = ImpersonationProxyServiceType("ClusterIP")
+
+	// ImpersonationProxyServiceTypeNone does not automatically provision any service.
+	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
+)
+
+// ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+type ImpersonationProxySpec struct {
+	// Mode configures whether the impersonation proxy should be started:
+	// - "disabled" explicitly disables the impersonation proxy. This is the default.
+	// - "enabled" explicitly enables the impersonation proxy.
+	// - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+	//
+	// +kubebuilder:default:="disabled"
+	Mode ImpersonationProxyMode `json:"mode"`
+
+	// Service describes the configuraiton
+	//
+	// +kubebuilder:default:={"type": "LoadBalancer"}
+	Service ImpersonationProxyServiceSpec `json:"service"`
+
+	// ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If the proxy is enabled and this
+	// field is not set, a Service of type LoadBalancer will be automatically provisioned and its external name will be
+	// advertised.
+	//
+	// Setting this field disables the automatic creation of this LoadBalancer Service.
+	//
+	// +optional
+	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+}
+
+// ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+type ImpersonationProxyServiceSpec struct {
+	// Type specifies the type of Service to provision for the impersonation proxy.
+	//
+	// If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
+	// value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+	//
+	// +kubebuilder:default:="LoadBalancer"
+	Type ImpersonationProxyServiceType `json:"type,omitempty"`
+
+	// LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
+	// This is not supported on all cloud providers.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +optional
+	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`
+
+	// Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+	//
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
 // CredentialIssuerStatus describes the status of the Concierge.
 type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
@@ -134,7 +225,14 @@ type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Status of the credential issuer.
+	// Spec describes the intended configuration of the Concierge.
+	//
+	// +optional
+	// +kubebuilder:default:={"impersonationProxy": {"mode": "disabled", "service": {"type": "LoadBalancer"}}}
+	Spec CredentialIssuerSpec `json:"spec"`
+
+	// CredentialIssuerStatus describes the status of the Concierge.
+	//
 	// +optional
 	Status CredentialIssuerStatus `json:"status"`
 }

generated/latest/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -16,6 +16,7 @@ func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
@@ -113,6 +114,23 @@ func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec) {
+	*out = *in
+	in.ImpersonationProxy.DeepCopyInto(&out.ImpersonationProxy)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
+func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
@@ -179,6 +197,46 @@ func (in *ImpersonationProxyInfo) DeepCopy() *ImpersonationProxyInfo {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyServiceSpec) DeepCopyInto(out *ImpersonationProxyServiceSpec) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyServiceSpec.
+func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyServiceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
+	*out = *in
+	in.Service.DeepCopyInto(&out.Service)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
+func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in