Merge pull request #148 from vmware-tanzu/supervisor-with-discovery

Beginning of a Pinniped Supervisor Server, starting with an OIDC Discovery Endpoint

CONTRIBUTING.md

@@ -109,7 +109,7 @@ docker build .
 1. Create a local Kubernetes cluster using `kind`:
 
    ```bash
-   kind create cluster --image kindest/node:v1.18.8
+   ./hack/kind-up.sh
    ```
 
 1. Install Pinniped and supporting dependencies using `tilt`:
@@ -123,11 +123,11 @@ docker build .
 1. Run the Pinniped integration tests:
 
    ```bash
-   source ./hack/lib/tilt/integration-test.env && go test -v -count 1 ./test/integration
+   source /tmp/integration-test-env && go test -v -count 1 ./test/integration
    ```
 
 To uninstall the test environment, run `./hack/tilt-down.sh`.
-To destroy the local Kubernetes cluster, run `kind delete cluster`.
+To destroy the local Kubernetes cluster, run `./hack/kind-down.sh`.
 
 ### Observing Tests on the Continuous Integration Environment
 

Dockerfile

@@ -20,18 +20,20 @@ COPY hack ./hack
 
 # Build the executable binary (CGO_ENABLED=0 means static linking)
 RUN mkdir out \
-  && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-server/... \
+  && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-concierge/... \
+  && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-supervisor/... \
   && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o out ./cmd/local-user-authenticator/...
 
 # Use a runtime image based on Debian slim
 FROM debian:10.5-slim
 
 # Copy the binaries from the build-env stage
-COPY --from=build-env /work/out/pinniped-server /usr/local/bin/pinniped-server
+COPY --from=build-env /work/out/pinniped-concierge /usr/local/bin/pinniped-concierge
+COPY --from=build-env /work/out/pinniped-supervisor /usr/local/bin/pinniped-supervisor
 COPY --from=build-env /work/out/local-user-authenticator /usr/local/bin/local-user-authenticator
 
 # Document the port
 EXPOSE 443
 
 # Set the entrypoint
-ENTRYPOINT ["/usr/local/bin/pinniped-server"]
+ENTRYPOINT ["/usr/local/bin/pinniped-concierge"]

apis/config/v1alpha1/register.go.tmpl

@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&CredentialIssuerConfig{},
 		&CredentialIssuerConfigList{},
+		&OIDCProviderConfig{},
+		&OIDCProviderConfigList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

apis/config/v1alpha1/types_oidcproviderconfig.go.tmpl

@@ -0,0 +1,72 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +kubebuilder:validation:Enum=Success;Duplicate;Invalid
+type OIDCProviderStatus string
+
+const (
+	SuccessOIDCProviderStatus = OIDCProviderStatus("Success")
+	DuplicateOIDCProviderStatus = OIDCProviderStatus("Duplicate")
+	InvalidOIDCProviderStatus = OIDCProviderStatus("Invalid")
+)
+
+// OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+type OIDCProviderConfigSpec struct {
+	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
+	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
+	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
+	// https://example.com/foo, then your authorization endpoint will look like
+	// https://example.com/foo/some/path/to/auth/endpoint).
+	//
+	// See
+	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+	// +kubebuilder:validation:MinLength=1
+	Issuer string `json:"issuer"`
+}
+
+// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+type OIDCProviderConfigStatus struct {
+	// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
+	// represent success or failure.
+	// +optional
+	Status OIDCProviderStatus `json:"status,omitempty"`
+
+	// Message provides human-readable details about the Status.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+  // LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
+  // around some undesirable behavior with respect to the empty metav1.Time value (see
+  // https://github.com/kubernetes/kubernetes/issues/86811).
+  // +optional
+  LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+}
+
+// OIDCProviderConfig describes the configuration of an OIDC provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=opc
+type OIDCProviderConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec of the OIDC provider.
+	Spec OIDCProviderConfigSpec `json:"spec"`
+
+	// Status of the OIDC provider.
+	Status OIDCProviderConfigStatus `json:"status,omitempty"`
+}
+
+// List of OIDCProviderConfig objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type OIDCProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCProviderConfig `json:"items"`
+}

cmd/pinniped-concierge/main.go

@@ -13,7 +13,7 @@ import (
 	"k8s.io/component-base/logs"
 	"k8s.io/klog/v2"
 
-	"go.pinniped.dev/internal/server"
+	"go.pinniped.dev/internal/concierge/server"
 )
 
 func main() {

cmd/pinniped-supervisor/main.go

@@ -0,0 +1,152 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"os/signal"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/clock"
+	"k8s.io/client-go/pkg/version"
+	"k8s.io/client-go/rest"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/component-base/logs"
+	"k8s.io/klog/v2"
+
+	pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
+	pinnipedinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions"
+	"go.pinniped.dev/internal/controller/supervisorconfig"
+	"go.pinniped.dev/internal/controllerlib"
+	"go.pinniped.dev/internal/downward"
+	"go.pinniped.dev/internal/oidc/provider/manager"
+)
+
+const (
+	singletonWorker       = 1
+	defaultResyncInterval = 3 * time.Minute
+)
+
+func start(ctx context.Context, l net.Listener, handler http.Handler) {
+	server := http.Server{Handler: handler}
+
+	errCh := make(chan error)
+	go func() {
+		errCh <- server.Serve(l)
+	}()
+
+	go func() {
+		select {
+		case err := <-errCh:
+			klog.InfoS("server exited", "err", err)
+		case <-ctx.Done():
+			klog.InfoS("server context cancelled", "err", ctx.Err())
+			if err := server.Shutdown(context.Background()); err != nil {
+				klog.InfoS("server shutdown failed", "err", err)
+			}
+		}
+	}()
+}
+
+func waitForSignal() os.Signal {
+	signalCh := make(chan os.Signal, 1)
+	signal.Notify(signalCh, os.Interrupt)
+	return <-signalCh
+}
+
+func startControllers(
+	ctx context.Context,
+	issuerProvider *manager.Manager,
+	pinnipedClient pinnipedclientset.Interface,
+	pinnipedInformers pinnipedinformers.SharedInformerFactory,
+) {
+	// Create controller manager.
+	controllerManager := controllerlib.
+		NewManager().
+		WithController(
+			supervisorconfig.NewOIDCProviderConfigWatcherController(
+				issuerProvider,
+				clock.RealClock{},
+				pinnipedClient,
+				pinnipedInformers.Config().V1alpha1().OIDCProviderConfigs(),
+				controllerlib.WithInformer,
+			),
+			singletonWorker,
+		)
+
+	pinnipedInformers.Start(ctx.Done())
+
+	go controllerManager.Start(ctx)
+}
+
+func newPinnipedClient() (pinnipedclientset.Interface, error) {
+	kubeConfig, err := restclient.InClusterConfig()
+	if err != nil {
+		return nil, fmt.Errorf("could not load in-cluster configuration: %w", err)
+	}
+
+	// Connect to the core Kubernetes API.
+	pinnipedClient, err := pinnipedclientset.NewForConfig(kubeConfig)
+	if err != nil {
+		return nil, fmt.Errorf("could not load in-cluster configuration: %w", err)
+	}
+
+	return pinnipedClient, nil
+}
+
+func run(serverInstallationNamespace string) error {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	pinnipedClient, err := newPinnipedClient()
+	if err != nil {
+		return fmt.Errorf("cannot create k8s client: %w", err)
+	}
+
+	pinnipedInformers := pinnipedinformers.NewSharedInformerFactoryWithOptions(
+		pinnipedClient,
+		defaultResyncInterval,
+		pinnipedinformers.WithNamespace(serverInstallationNamespace),
+	)
+
+	oidProvidersManager := manager.NewManager(http.NotFoundHandler())
+	startControllers(ctx, oidProvidersManager, pinnipedClient, pinnipedInformers)
+
+	//nolint: gosec // Intentionally binding to all network interfaces.
+	l, err := net.Listen("tcp", ":80")
+	if err != nil {
+		return fmt.Errorf("cannot create listener: %w", err)
+	}
+	defer l.Close()
+
+	start(ctx, l, oidProvidersManager)
+	klog.InfoS("supervisor is ready", "address", l.Addr().String())
+
+	gotSignal := waitForSignal()
+	klog.InfoS("supervisor exiting", "signal", gotSignal)
+
+	return nil
+}
+
+func main() {
+	logs.InitLogs()
+	defer logs.FlushLogs()
+
+	klog.Infof("Running %s at %#v", rest.DefaultKubernetesUserAgent(), version.Get())
+	klog.Infof("Command-line arguments were: %s %s %s", os.Args[0], os.Args[1], os.Args[2])
+
+	// Discover in which namespace we are installed.
+	podInfo, err := downward.Load(os.Args[1])
+	if err != nil {
+		klog.Fatal(fmt.Errorf("could not read pod metadata: %w", err))
+	}
+
+	if err := run(podInfo.Namespace); err != nil {
+		klog.Fatal(err)
+	}
+}

deploy/concierge/README.md

@@ -4,7 +4,7 @@
 
 If you would like to try Pinniped, but you don't have a compatible identity provider,
 you can use Pinniped's test identity provider.
-See [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md)
+See [deploy/local-user-authenticator/README.md](../../deploy/local-user-authenticator/README.md)
 for details.
 
 ## Installing the Latest Version with Default Options
@@ -26,14 +26,14 @@ kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/v0.2
 ## Installing with Custom Options
 
 Creating your own deployment YAML file requires `ytt` from [Carvel](https://carvel.dev/) to template the YAML files
-in the [deploy](../deploy) directory.
+in the `deploy/concierge` directory.
 Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
 
 1. `git clone` this repo and `git checkout` the release version tag of the release that you would like to deploy.
-1. The configuration options are in [deploy/values.yml](values.yaml).
+1. The configuration options are in [deploy/concierge/values.yml](values.yaml).
    Fill in the values in that file, or override those values using additional `ytt` command-line options in
    the command below. Use the release version tag as the `image_tag` value.
-2. In a terminal, cd to this `deploy` directory
+2. In a terminal, cd to this `deploy/concierge` directory
 3. To generate the final YAML files, run `ytt --file .`
 4. Deploy the generated YAML using your preferred deployment tool, such as `kubectl` or [`kapp`](https://get-kapp.io/).
    For example: `ytt --file . | kapp deploy --yes --app pinniped --diff-changes --file -`

deploy/concierge/values.yaml

@@ -4,8 +4,8 @@
 #@data/values
 ---
 
-app_name: pinniped
+app_name: pinniped-concierge
-namespace: pinniped
+namespace: pinniped-concierge
 
 #! Specify how many replicas of the Pinniped server to run.
 replicas: 2

deploy/local-user-authenticator/README.md

@@ -31,14 +31,14 @@ kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/v0.2
 ## Installing with Custom Options
 
 Creating your own deployment YAML file requires `ytt` from [Carvel](https://carvel.dev/) to template the YAML files
-in the [deploy-local-user-authenticator](../deploy-local-user-authenticator) directory.
+in the `deploy/local-user-authenticator` directory.
 Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
 
 1. `git clone` this repo and `git checkout` the release version tag of the release that you would like to deploy.
-1. The configuration options are in [deploy-local-user-authenticator/values.yml](values.yaml).
+1. The configuration options are in [deploy/local-user-authenticator/values.yml](values.yaml).
    Fill in the values in that file, or override those values using additional `ytt` command-line options in
    the command below. Use the release version tag as the `image_tag` value.
-2. In a terminal, cd to this `deploy-local-user-authenticator` directory
+2. In a terminal, cd to this `deploy/local-user-authenticator` directory
 3. To generate the final YAML files, run `ytt --file .`
 4. Deploy the generated YAML using your preferred deployment tool, such as `kubectl` or [`kapp`](https://get-kapp.io/).
    For example: `ytt --file . | kapp deploy --yes --app local-user-authenticator --diff-changes --file -`
@@ -79,7 +79,7 @@ kubectl get secret local-user-authenticator-tls-serving-certificate --namespace
 
 When installing Pinniped on the same cluster, configure local-user-authenticator as an Identity Provider for Pinniped
 using the webhook URL `https://local-user-authenticator.local-user-authenticator.svc/authenticate`
-along with the CA bundle fetched by the above command. See [doc/demo.md](../doc/demo.md) for an example.
+along with the CA bundle fetched by the above command. See [doc/demo.md](../../doc/demo.md) for an example.
 
 ## Optional: Manually Testing the Webhook Endpoint After Installing
 

deploy/supervisor/README.md

@@ -0,0 +1,110 @@
+# Deploying the Pinniped Supervisor
+
+## What is the Pinniped Supervisor?
+
+The Pinniped Supervisor app is a component of the Pinniped OIDC and Cluster Federation solutions.
+It can be deployed when those features are needed.
+
+## Installing the Latest Version with Default Options
+
+```bash
+kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/latest/download/install-supervisor.yaml
+```
+
+## Installing an Older Version with Default Options
+
+Choose your preferred [release](https://github.com/vmware-tanzu/pinniped/releases) version number
+and use it to replace the version number in the URL below.
+
+```bash
+# Replace v0.3.0 with your preferred version in the URL below
+kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/v0.3.0/install-supervisor.yaml
+```
+
+## Installing with Custom Options
+
+Creating your own deployment YAML file requires `ytt` from [Carvel](https://carvel.dev/) to template the YAML files
+in the `deploy/supervisor` directory.
+Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
+
+1. `git clone` this repo and `git checkout` the release version tag of the release that you would like to deploy.
+1. The configuration options are in [deploy/supervisor/values.yml](values.yaml).
+   Fill in the values in that file, or override those values using additional `ytt` command-line options in
+   the command below. Use the release version tag as the `image_tag` value.
+2. In a terminal, cd to this `deploy/supervisor` directory
+3. To generate the final YAML files, run `ytt --file .`
+4. Deploy the generated YAML using your preferred deployment tool, such as `kubectl` or [`kapp`](https://get-kapp.io/).
+   For example: `ytt --file . | kapp deploy --yes --app pinniped-supervisor --diff-changes --file -`
+
+## Configuring After Installing
+
+### Exposing the Supervisor App as a Service
+
+Create a Service to make the app available outside of the cluster. If you installed using `ytt` then you can use
+the related `service_*_port` options from [deploy/supervisor/values.yml](values.yaml) to create a Service, instead
+of creating them manually as shown below.
+
+#### Using a LoadBalancer Service
+
+Using a LoadBalancer Service is probably the easiest way to expose the Supervisor app, if your cluster supports
+LoadBalancer Services. For example:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: pinniped-supervisor-loadbalancer
+  namespace: pinniped-supervisor
+  labels:
+    app: pinniped-supervisor
+spec:
+  type: LoadBalancer
+  selector:
+    app: pinniped-supervisor
+  ports:
+  - protocol: TCP
+    port: 80
+    targetPort: 80
+```
+
+#### Using a NodePort Service
+
+A NodePort Service exposes the app as a port on the nodes of the cluster.
+This is convenient for use with kind clusters, because kind can
+[expose node ports as localhost ports on the host machine](https://kind.sigs.k8s.io/docs/user/configuration/#extra-port-mappings).
+
+For example:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: pinniped-supervisor-nodeport
+  namespace: pinniped-supervisor
+  labels:
+    app: pinniped-supervisor
+spec:
+  type: NodePort
+  selector:
+    app: pinniped-supervisor
+  ports:
+  - protocol: TCP
+    port: 80
+    targetPort: 80
+    nodePort: 31234
+```
+
+### Configuring the Supervisor to Act as an OIDC Provider
+
+The Supervisor can be configured as an OIDC provider by creating `OIDCProviderConfig` resources
+in the same namespace where the Supervisor app was installed. For example:
+
+```yaml
+apiVersion: config.pinniped.dev/v1alpha1
+kind: OIDCProviderConfig
+metadata:
+  name: my-provider
+  namespace: pinniped-supervisor
+spec:
+  issuer: https://my-issuer.eaxmple.com
+```

deploy/supervisor/config.pinniped.dev_oidcproviderconfigs.yaml

@@ -0,0 +1,86 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: oidcproviderconfigs.config.pinniped.dev
+spec:
+  group: config.pinniped.dev
+  names:
+    kind: OIDCProviderConfig
+    listKind: OIDCProviderConfigList
+    plural: oidcproviderconfigs
+    shortNames:
+    - opc
+    singular: oidcproviderconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OIDCProviderConfig describes the configuration of an OIDC provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec of the OIDC provider.
+            properties:
+              issuer:
+                description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
+                  Metadata document, as well as the identifier that it will use for
+                  the iss claim in issued JWTs. This field will also be used as the
+                  base URL for any endpoints used by the OIDC Provider (e.g., if your
+                  issuer is https://example.com/foo, then your authorization endpoint
+                  will look like https://example.com/foo/some/path/to/auth/endpoint).
+                  \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3
+                  for more information."
+                minLength: 1
+                type: string
+            required:
+            - issuer
+            type: object
+          status:
+            description: Status of the OIDC provider.
+            properties:
+              lastUpdateTime:
+                description: LastUpdateTime holds the time at which the Status was
+                  last updated. It is a pointer to get around some undesirable behavior
+                  with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
+                format: date-time
+                type: string
+              message:
+                description: Message provides human-readable details about the Status.
+                type: string
+              status:
+                description: Status holds an enum that describes the state of this
+                  OIDC Provider. Note that this Status can represent success or failure.
+                enum:
+                - Success
+                - Duplicate
+                - Invalid
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

deploy/supervisor/deployment.yaml

@@ -0,0 +1,112 @@
+#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+
+#@ load("@ytt:data", "data")
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: #@ data.values.namespace
+  labels:
+    name: #@ data.values.namespace
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: #@ data.values.app_name
+  namespace: #@ data.values.namespace
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: #@ data.values.app_name + "-static-config"
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+data:
+  #@yaml/text-templated-strings
+  pinniped.yaml: |
+    names:
+      dynamicConfigMap: (@= data.values.app_name + "-dynamic-config" @)
+---
+#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
+apiVersion: v1
+kind: Secret
+metadata:
+  name: image-pull-secret
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
+#@ end
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: #@ data.values.app_name
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+spec:
+  replicas: #@ data.values.replicas
+  selector:
+    matchLabels:
+      app: #@ data.values.app_name
+  template:
+    metadata:
+      labels:
+        app: #@ data.values.app_name
+    spec:
+      serviceAccountName: #@ data.values.app_name
+      #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
+      imagePullSecrets:
+        - name: image-pull-secret
+      #@ end
+      containers:
+        - name: pinniped-supervisor
+          #@ if data.values.image_digest:
+          image:  #@ data.values.image_repo + "@" + data.values.image_digest
+          #@ else:
+          image: #@ data.values.image_repo + ":" + data.values.image_tag
+          #@ end
+          imagePullPolicy: IfNotPresent
+          command: #! override the default entrypoint
+            - /usr/local/bin/pinniped-supervisor
+          args:
+            - /etc/podinfo
+            - /etc/config/pinniped.yaml
+          resources:
+            requests:
+              memory: "128Mi"
+          volumeMounts:
+            - name: config-volume
+              mountPath: /etc/config
+            - name: podinfo
+              mountPath: /etc/podinfo
+      volumes:
+        - name: config-volume
+          configMap:
+            name: #@ data.values.app_name + "-static-config"
+        - name: podinfo
+          downwardAPI:
+            items:
+              - path: "labels"
+                fieldRef:
+                  fieldPath: metadata.labels
+              - path: "namespace"
+                fieldRef:
+                  fieldPath: metadata.namespace
+      #! This will help make sure our multiple pods run on different nodes, making
+      #! our deployment "more" "HA".
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 50
+              podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app: #@ data.values.app_name
+                topologyKey: kubernetes.io/hostname

deploy/supervisor/rbac.yaml

@@ -0,0 +1,34 @@
+#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+
+#@ load("@ytt:data", "data")
+
+#! Give permission to various objects within the app's own namespace
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: #@ data.values.app_name
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+rules:
+  - apiGroups: [config.pinniped.dev]
+    resources: [oidcproviderconfigs]
+    verbs: [update, get, list, watch]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ data.values.app_name
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+subjects:
+  - kind: ServiceAccount
+    name: #@ data.values.app_name
+    namespace: #@ data.values.namespace
+roleRef:
+  kind: Role
+  name: #@ data.values.app_name
+  apiGroup: rbac.authorization.k8s.io

deploy/supervisor/service.yaml

@@ -0,0 +1,59 @@
+#@ load("@ytt:data", "data")
+
+#@ if data.values.service_nodeport_port:
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: #@ data.values.app_name + "-nodeport"
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+spec:
+  type: NodePort
+  selector:
+    app: #@ data.values.app_name
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+      nodePort: #@ data.values.service_nodeport_port
+#@ end
+
+#@ if data.values.service_clusterip_port:
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: #@ data.values.app_name + "-clusterip"
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+spec:
+  type: ClusterIP
+  selector:
+    app: #@ data.values.app_name
+  ports:
+    - protocol: TCP
+      port: #@ data.values.service_clusterip_port
+      targetPort: 80
+#@ end
+
+#@ if data.values.service_loadbalancer_port:
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: #@ data.values.app_name + "-loadbalancer"
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+spec:
+  type: LoadBalancer
+  selector:
+    app: #@ data.values.app_name
+  ports:
+    - protocol: TCP
+      port: #@ data.values.service_loadbalancer_port
+      targetPort: 80
+#@ end

deploy/supervisor/values.yaml

@@ -0,0 +1,29 @@
+#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+
+#@data/values
+---
+
+app_name: pinniped-supervisor
+namespace: pinniped-supervisor
+
+#! Specify how many replicas of the Pinniped server to run.
+replicas: 2
+
+#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+image_repo: docker.io/getpinniped/pinniped-server
+image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
+image_tag: latest
+
+#! Specifies a secret to be used when pulling the above container image.
+#! Can be used when the above image_repo is a private registry.
+#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
+#! Optional.
+image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+
+#! Specify how to expose the Supervisor app as a Service.
+#! Typically you would set a value for only one of the following.
+#! Setting any of these values means that a Service of that type will be created.
+service_nodeport_port: #! e.g. 31234
+service_loadbalancer_port: #! e.g. 443
+service_clusterip_port: #! e.g. 443

doc/demo.md

@@ -11,7 +11,7 @@
 
    Don't have an identity provider of a type supported by Pinniped handy? No problem, there is a demo identity provider
    available. Start by installing local-user-authenticator on the same cluster where you would like to try Pinniped
-   by following the directions in [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md).
+   by following the directions in [deploy/local-user-authenticator/README.md](../deploy/local-user-authenticator/README.md).
    See below for an example of deploying this on kind.
 
 1. A kubeconfig where the current context points to the cluster and has admin-like
@@ -22,7 +22,7 @@
 Installing and trying Pinniped on any cluster will consist of the following general steps. See the next section below
 for a more specific example of installing onto a local kind cluster, including the exact commands to use for that case.
 
-1. Install Pinniped. See [deploy/README.md](../deploy/README.md).
+1. Install Pinniped. See [deploy/concierge/README.md](../deploy/concierge/README.md).
 1. Download the Pinniped CLI from [Pinniped's github Releases page](https://github.com/vmware-tanzu/pinniped/releases/latest).
 1. Generate a kubeconfig using the Pinniped CLI. Run `pinniped get-kubeconfig --help` for more information.
 1. Run `kubectl` commands using the generated kubeconfig. Pinniped will automatically be used for authentication during those commands.
@@ -38,9 +38,9 @@ as the identity provider.
 
 <!-- The following image was uploaded to GitHub's CDN using this awesome trick: https://gist.github.com/vinkla/dca76249ba6b73c5dd66a4e986df4c8d -->
 <p align="center" width="100%">
-<img 
+<img
   src="https://user-images.githubusercontent.com/25013435/95272990-b2ea9780-07f6-11eb-994d-872e3cb68457.gif"
-  alt="Pinniped Installation Demo" 
+  alt="Pinniped Installation Demo"
   width="80%"
   />
 </p>
@@ -88,7 +88,7 @@ as the identity provider.
 
    The `install-local-user-authenticator.yaml` file includes the default deployment options.
    If you would prefer to customize the available options, please
-   see [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md)
+   see [deploy/local-user-authenticator/README.md](../deploy/local-user-authenticator/README.md)
    for instructions on how to deploy using `ytt`.
 
 1. Create a test user named `pinny-the-seal` in the local-user-authenticator identity provider.
@@ -115,7 +115,7 @@ as the identity provider.
    ```
 
    The `install-pinniped.yaml` file includes the default deployment options.
-   If you would prefer to customize the available options, please see [deploy/README.md](../deploy/README.md)
+   If you would prefer to customize the available options, please see [deploy/concierge/README.md](../deploy/concierge/README.md)
    for instructions on how to deploy using `ytt`.
 
 1. Create a `WebhookIdentityProvider` object to configure Pinniped to authenticate using local-user-authenticator.

generated/1.17/README.adoc

@@ -95,6 +95,65 @@ Status of a credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfig"]
+==== OIDCProviderConfig 
+
+OIDCProviderConfig describes the configuration of an OIDC provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfiglist[$$OIDCProviderConfigList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfigspec[$$OIDCProviderConfigSpec$$]__ | Spec of the OIDC provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfigstatus[$$OIDCProviderConfigStatus$$]__ | Status of the OIDC provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfigspec"]
+==== OIDCProviderConfigSpec 
+
+OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
+ See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfigstatus"]
+==== OIDCProviderConfigStatus 
+
+OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`status`* __OIDCProviderStatus__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
+| *`message`* __string__ | Message provides human-readable details about the Status.
+| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
+|===
+
+
 
 [id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"]
 === idp.pinniped.dev/v1alpha1

generated/1.17/apis/config/v1alpha1/register.go

@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&CredentialIssuerConfig{},
 		&CredentialIssuerConfigList{},
+		&OIDCProviderConfig{},
+		&OIDCProviderConfigList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.17/apis/config/v1alpha1/types_oidcproviderconfig.go

@@ -0,0 +1,72 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +kubebuilder:validation:Enum=Success;Duplicate;Invalid
+type OIDCProviderStatus string
+
+const (
+	SuccessOIDCProviderStatus = OIDCProviderStatus("Success")
+	DuplicateOIDCProviderStatus = OIDCProviderStatus("Duplicate")
+	InvalidOIDCProviderStatus = OIDCProviderStatus("Invalid")
+)
+
+// OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+type OIDCProviderConfigSpec struct {
+	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
+	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
+	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
+	// https://example.com/foo, then your authorization endpoint will look like
+	// https://example.com/foo/some/path/to/auth/endpoint).
+	//
+	// See
+	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+	// +kubebuilder:validation:MinLength=1
+	Issuer string `json:"issuer"`
+}
+
+// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+type OIDCProviderConfigStatus struct {
+	// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
+	// represent success or failure.
+	// +optional
+	Status OIDCProviderStatus `json:"status,omitempty"`
+
+	// Message provides human-readable details about the Status.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+  // LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
+  // around some undesirable behavior with respect to the empty metav1.Time value (see
+  // https://github.com/kubernetes/kubernetes/issues/86811).
+  // +optional
+  LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+}
+
+// OIDCProviderConfig describes the configuration of an OIDC provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=opc
+type OIDCProviderConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec of the OIDC provider.
+	Spec OIDCProviderConfigSpec `json:"spec"`
+
+	// Status of the OIDC provider.
+	Status OIDCProviderConfigStatus `json:"status,omitempty"`
+}
+
+// List of OIDCProviderConfig objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type OIDCProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCProviderConfig `json:"items"`
+}

generated/1.17/apis/config/v1alpha1/zz_generated.deepcopy.go

@@ -131,3 +131,100 @@ func (in *CredentialIssuerConfigStrategy) DeepCopy() *CredentialIssuerConfigStra
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfig) DeepCopyInto(out *OIDCProviderConfig) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfig.
+func (in *OIDCProviderConfig) DeepCopy() *OIDCProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCProviderConfig) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigList) DeepCopyInto(out *OIDCProviderConfigList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCProviderConfig, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigList.
+func (in *OIDCProviderConfigList) DeepCopy() *OIDCProviderConfigList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCProviderConfigList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigSpec) DeepCopyInto(out *OIDCProviderConfigSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigSpec.
+func (in *OIDCProviderConfigSpec) DeepCopy() *OIDCProviderConfigSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigStatus) DeepCopyInto(out *OIDCProviderConfigStatus) {
+	*out = *in
+	if in.LastUpdateTime != nil {
+		in, out := &in.LastUpdateTime, &out.LastUpdateTime
+		*out = (*in).DeepCopy()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigStatus.
+func (in *OIDCProviderConfigStatus) DeepCopy() *OIDCProviderConfigStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.17/client/clientset/versioned/typed/config/v1alpha1/config_client.go

@@ -14,6 +14,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	CredentialIssuerConfigsGetter
+	OIDCProviderConfigsGetter
 }
 
 // ConfigV1alpha1Client is used to interact with features provided by the config.pinniped.dev group.
@@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) CredentialIssuerConfigs(namespace string) Credent
 	return newCredentialIssuerConfigs(c, namespace)
 }
 
+func (c *ConfigV1alpha1Client) OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface {
+	return newOIDCProviderConfigs(c, namespace)
+}
+
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
 func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) {
 	config := *c

generated/1.17/client/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go

@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) CredentialIssuerConfigs(namespace string) v1alpha1.
 	return &FakeCredentialIssuerConfigs{c, namespace}
 }
 
+func (c *FakeConfigV1alpha1) OIDCProviderConfigs(namespace string) v1alpha1.OIDCProviderConfigInterface {
+	return &FakeOIDCProviderConfigs{c, namespace}
+}
+
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
 func (c *FakeConfigV1alpha1) RESTClient() rest.Interface {

generated/1.17/client/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcproviderconfig.go

@@ -0,0 +1,127 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeOIDCProviderConfigs implements OIDCProviderConfigInterface
+type FakeOIDCProviderConfigs struct {
+	Fake *FakeConfigV1alpha1
+	ns   string
+}
+
+var oidcproviderconfigsResource = schema.GroupVersionResource{Group: "config.pinniped.dev", Version: "v1alpha1", Resource: "oidcproviderconfigs"}
+
+var oidcproviderconfigsKind = schema.GroupVersionKind{Group: "config.pinniped.dev", Version: "v1alpha1", Kind: "OIDCProviderConfig"}
+
+// Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
+func (c *FakeOIDCProviderConfigs) Get(name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
+func (c *FakeOIDCProviderConfigs) List(opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(oidcproviderconfigsResource, oidcproviderconfigsKind, c.ns, opts), &v1alpha1.OIDCProviderConfigList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.OIDCProviderConfigList{ListMeta: obj.(*v1alpha1.OIDCProviderConfigList).ListMeta}
+	for _, item := range obj.(*v1alpha1.OIDCProviderConfigList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
+func (c *FakeOIDCProviderConfigs) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(oidcproviderconfigsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *FakeOIDCProviderConfigs) Create(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *FakeOIDCProviderConfigs) Update(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeOIDCProviderConfigs) UpdateStatus(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (*v1alpha1.OIDCProviderConfig, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(oidcproviderconfigsResource, "status", c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
+func (c *FakeOIDCProviderConfigs) Delete(name string, options *v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeOIDCProviderConfigs) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(oidcproviderconfigsResource, c.ns, listOptions)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.OIDCProviderConfigList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched oIDCProviderConfig.
+func (c *FakeOIDCProviderConfigs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(oidcproviderconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}

generated/1.17/client/clientset/versioned/typed/config/v1alpha1/generated_expansion.go

@@ -6,3 +6,5 @@
 package v1alpha1
 
 type CredentialIssuerConfigExpansion interface{}
+
+type OIDCProviderConfigExpansion interface{}

generated/1.17/client/clientset/versioned/typed/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,178 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// OIDCProviderConfigsGetter has a method to return a OIDCProviderConfigInterface.
+// A group's client should implement this interface.
+type OIDCProviderConfigsGetter interface {
+	OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface
+}
+
+// OIDCProviderConfigInterface has methods to work with OIDCProviderConfig resources.
+type OIDCProviderConfigInterface interface {
+	Create(*v1alpha1.OIDCProviderConfig) (*v1alpha1.OIDCProviderConfig, error)
+	Update(*v1alpha1.OIDCProviderConfig) (*v1alpha1.OIDCProviderConfig, error)
+	UpdateStatus(*v1alpha1.OIDCProviderConfig) (*v1alpha1.OIDCProviderConfig, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.OIDCProviderConfig, error)
+	List(opts v1.ListOptions) (*v1alpha1.OIDCProviderConfigList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error)
+	OIDCProviderConfigExpansion
+}
+
+// oIDCProviderConfigs implements OIDCProviderConfigInterface
+type oIDCProviderConfigs struct {
+	client rest.Interface
+	ns     string
+}
+
+// newOIDCProviderConfigs returns a OIDCProviderConfigs
+func newOIDCProviderConfigs(c *ConfigV1alpha1Client, namespace string) *oIDCProviderConfigs {
+	return &oIDCProviderConfigs{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
+func (c *oIDCProviderConfigs) Get(name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
+func (c *oIDCProviderConfigs) List(opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.OIDCProviderConfigList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
+func (c *oIDCProviderConfigs) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch()
+}
+
+// Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *oIDCProviderConfigs) Create(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Body(oIDCProviderConfig).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *oIDCProviderConfigs) Update(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(oIDCProviderConfig.Name).
+		Body(oIDCProviderConfig).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *oIDCProviderConfigs) UpdateStatus(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(oIDCProviderConfig.Name).
+		SubResource("status").
+		Body(oIDCProviderConfig).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
+func (c *oIDCProviderConfigs) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *oIDCProviderConfigs) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	var timeout time.Duration
+	if listOptions.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched oIDCProviderConfig.
+func (c *oIDCProviderConfigs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}

generated/1.17/client/informers/externalversions/config/v1alpha1/interface.go

@@ -13,6 +13,8 @@ import (
 type Interface interface {
 	// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
 	CredentialIssuerConfigs() CredentialIssuerConfigInformer
+	// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+	OIDCProviderConfigs() OIDCProviderConfigInformer
 }
 
 type version struct {
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 func (v *version) CredentialIssuerConfigs() CredentialIssuerConfigInformer {
 	return &credentialIssuerConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
+
+// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+func (v *version) OIDCProviderConfigs() OIDCProviderConfigInformer {
+	return &oIDCProviderConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}

generated/1.17/client/informers/externalversions/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,76 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	time "time"
+
+	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.17/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/listers/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// OIDCProviderConfigInformer provides access to a shared informer and lister for
+// OIDCProviderConfigs.
+type OIDCProviderConfigInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.OIDCProviderConfigLister
+}
+
+type oIDCProviderConfigInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredOIDCProviderConfigInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).Watch(options)
+			},
+		},
+		&configv1alpha1.OIDCProviderConfig{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *oIDCProviderConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredOIDCProviderConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *oIDCProviderConfigInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&configv1alpha1.OIDCProviderConfig{}, f.defaultInformer)
+}
+
+func (f *oIDCProviderConfigInformer) Lister() v1alpha1.OIDCProviderConfigLister {
+	return v1alpha1.NewOIDCProviderConfigLister(f.Informer().GetIndexer())
+}

generated/1.17/client/informers/externalversions/generic.go

@@ -44,6 +44,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	// Group=config.pinniped.dev, Version=v1alpha1
 	case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
 		// Group=idp.pinniped.dev, Version=v1alpha1
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):

generated/1.17/client/listers/config/v1alpha1/expansion_generated.go

@@ -12,3 +12,11 @@ type CredentialIssuerConfigListerExpansion interface{}
 // CredentialIssuerConfigNamespaceListerExpansion allows custom methods to be added to
 // CredentialIssuerConfigNamespaceLister.
 type CredentialIssuerConfigNamespaceListerExpansion interface{}
+
+// OIDCProviderConfigListerExpansion allows custom methods to be added to
+// OIDCProviderConfigLister.
+type OIDCProviderConfigListerExpansion interface{}
+
+// OIDCProviderConfigNamespaceListerExpansion allows custom methods to be added to
+// OIDCProviderConfigNamespaceLister.
+type OIDCProviderConfigNamespaceListerExpansion interface{}

generated/1.17/client/listers/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// OIDCProviderConfigLister helps list OIDCProviderConfigs.
+type OIDCProviderConfigLister interface {
+	// List lists all OIDCProviderConfigs in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
+	// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
+	OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister
+	OIDCProviderConfigListerExpansion
+}
+
+// oIDCProviderConfigLister implements the OIDCProviderConfigLister interface.
+type oIDCProviderConfigLister struct {
+	indexer cache.Indexer
+}
+
+// NewOIDCProviderConfigLister returns a new OIDCProviderConfigLister.
+func NewOIDCProviderConfigLister(indexer cache.Indexer) OIDCProviderConfigLister {
+	return &oIDCProviderConfigLister{indexer: indexer}
+}
+
+// List lists all OIDCProviderConfigs in the indexer.
+func (s *oIDCProviderConfigLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
+	})
+	return ret, err
+}
+
+// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
+func (s *oIDCProviderConfigLister) OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister {
+	return oIDCProviderConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// OIDCProviderConfigNamespaceLister helps list and get OIDCProviderConfigs.
+type OIDCProviderConfigNamespaceLister interface {
+	// List lists all OIDCProviderConfigs in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
+	// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.OIDCProviderConfig, error)
+	OIDCProviderConfigNamespaceListerExpansion
+}
+
+// oIDCProviderConfigNamespaceLister implements the OIDCProviderConfigNamespaceLister
+// interface.
+type oIDCProviderConfigNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all OIDCProviderConfigs in the indexer for a given namespace.
+func (s oIDCProviderConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
+	})
+	return ret, err
+}
+
+// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
+func (s oIDCProviderConfigNamespaceLister) Get(name string) (*v1alpha1.OIDCProviderConfig, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("oidcproviderconfig"), name)
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), nil
+}

generated/1.17/client/openapi/zz_generated.openapi.go

@@ -22,6 +22,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigList":           schema_117_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
 		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStatus":         schema_117_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
 		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig":                   schema_117_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigList":               schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec":               schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigStatus":             schema_117_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
 		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.Condition":                               schema_117_apis_idp_v1alpha1_Condition(ref),
 		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.TLSSpec":                                 schema_117_apis_idp_v1alpha1_TLSSpec(ref),
 		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider":                 schema_117_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
@@ -286,6 +290,155 @@ func schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref common.R
 	}
 }
 
+func schema_117_apis_config_v1alpha1_OIDCProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfig describes the configuration of an OIDC provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec of the OIDC provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status of the OIDC provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigStatus"),
+						},
+					},
+				},
+				Required: []string{"spec"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec", "go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfigSpec is a struct that describes an OIDC Provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"issuer": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).\n\nSee https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"issuer"},
+			},
+		},
+	}
+}
+
+func schema_117_apis_config_v1alpha1_OIDCProviderConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"message": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Message provides human-readable details about the Status.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"lastUpdateTime": {
+						SchemaProps: spec.SchemaProps{
+							Description: "LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).",
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+	}
+}
+
 func schema_117_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{

generated/1.17/crds/config.pinniped.dev_oidcproviderconfigs.yaml

@@ -0,0 +1,86 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: oidcproviderconfigs.config.pinniped.dev
+spec:
+  group: config.pinniped.dev
+  names:
+    kind: OIDCProviderConfig
+    listKind: OIDCProviderConfigList
+    plural: oidcproviderconfigs
+    shortNames:
+    - opc
+    singular: oidcproviderconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OIDCProviderConfig describes the configuration of an OIDC provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec of the OIDC provider.
+            properties:
+              issuer:
+                description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
+                  Metadata document, as well as the identifier that it will use for
+                  the iss claim in issued JWTs. This field will also be used as the
+                  base URL for any endpoints used by the OIDC Provider (e.g., if your
+                  issuer is https://example.com/foo, then your authorization endpoint
+                  will look like https://example.com/foo/some/path/to/auth/endpoint).
+                  \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3
+                  for more information."
+                minLength: 1
+                type: string
+            required:
+            - issuer
+            type: object
+          status:
+            description: Status of the OIDC provider.
+            properties:
+              lastUpdateTime:
+                description: LastUpdateTime holds the time at which the Status was
+                  last updated. It is a pointer to get around some undesirable behavior
+                  with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
+                format: date-time
+                type: string
+              message:
+                description: Message provides human-readable details about the Status.
+                type: string
+              status:
+                description: Status holds an enum that describes the state of this
+                  OIDC Provider. Note that this Status can represent success or failure.
+                enum:
+                - Success
+                - Duplicate
+                - Invalid
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.18/README.adoc

@@ -95,6 +95,65 @@ Status of a credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfig"]
+==== OIDCProviderConfig 
+
+OIDCProviderConfig describes the configuration of an OIDC provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfiglist[$$OIDCProviderConfigList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfigspec[$$OIDCProviderConfigSpec$$]__ | Spec of the OIDC provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfigstatus[$$OIDCProviderConfigStatus$$]__ | Status of the OIDC provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfigspec"]
+==== OIDCProviderConfigSpec 
+
+OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
+ See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfigstatus"]
+==== OIDCProviderConfigStatus 
+
+OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`status`* __OIDCProviderStatus__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
+| *`message`* __string__ | Message provides human-readable details about the Status.
+| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
+|===
+
+
 
 [id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"]
 === idp.pinniped.dev/v1alpha1

generated/1.18/apis/config/v1alpha1/register.go

@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&CredentialIssuerConfig{},
 		&CredentialIssuerConfigList{},
+		&OIDCProviderConfig{},
+		&OIDCProviderConfigList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.18/apis/config/v1alpha1/types_oidcproviderconfig.go

@@ -0,0 +1,72 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +kubebuilder:validation:Enum=Success;Duplicate;Invalid
+type OIDCProviderStatus string
+
+const (
+	SuccessOIDCProviderStatus = OIDCProviderStatus("Success")
+	DuplicateOIDCProviderStatus = OIDCProviderStatus("Duplicate")
+	InvalidOIDCProviderStatus = OIDCProviderStatus("Invalid")
+)
+
+// OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+type OIDCProviderConfigSpec struct {
+	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
+	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
+	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
+	// https://example.com/foo, then your authorization endpoint will look like
+	// https://example.com/foo/some/path/to/auth/endpoint).
+	//
+	// See
+	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+	// +kubebuilder:validation:MinLength=1
+	Issuer string `json:"issuer"`
+}
+
+// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+type OIDCProviderConfigStatus struct {
+	// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
+	// represent success or failure.
+	// +optional
+	Status OIDCProviderStatus `json:"status,omitempty"`
+
+	// Message provides human-readable details about the Status.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+  // LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
+  // around some undesirable behavior with respect to the empty metav1.Time value (see
+  // https://github.com/kubernetes/kubernetes/issues/86811).
+  // +optional
+  LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+}
+
+// OIDCProviderConfig describes the configuration of an OIDC provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=opc
+type OIDCProviderConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec of the OIDC provider.
+	Spec OIDCProviderConfigSpec `json:"spec"`
+
+	// Status of the OIDC provider.
+	Status OIDCProviderConfigStatus `json:"status,omitempty"`
+}
+
+// List of OIDCProviderConfig objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type OIDCProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCProviderConfig `json:"items"`
+}

generated/1.18/apis/config/v1alpha1/zz_generated.deepcopy.go

@@ -131,3 +131,100 @@ func (in *CredentialIssuerConfigStrategy) DeepCopy() *CredentialIssuerConfigStra
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfig) DeepCopyInto(out *OIDCProviderConfig) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfig.
+func (in *OIDCProviderConfig) DeepCopy() *OIDCProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCProviderConfig) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigList) DeepCopyInto(out *OIDCProviderConfigList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCProviderConfig, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigList.
+func (in *OIDCProviderConfigList) DeepCopy() *OIDCProviderConfigList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCProviderConfigList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigSpec) DeepCopyInto(out *OIDCProviderConfigSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigSpec.
+func (in *OIDCProviderConfigSpec) DeepCopy() *OIDCProviderConfigSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigStatus) DeepCopyInto(out *OIDCProviderConfigStatus) {
+	*out = *in
+	if in.LastUpdateTime != nil {
+		in, out := &in.LastUpdateTime, &out.LastUpdateTime
+		*out = (*in).DeepCopy()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigStatus.
+func (in *OIDCProviderConfigStatus) DeepCopy() *OIDCProviderConfigStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.18/client/clientset/versioned/typed/config/v1alpha1/config_client.go

@@ -14,6 +14,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	CredentialIssuerConfigsGetter
+	OIDCProviderConfigsGetter
 }
 
 // ConfigV1alpha1Client is used to interact with features provided by the config.pinniped.dev group.
@@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) CredentialIssuerConfigs(namespace string) Credent
 	return newCredentialIssuerConfigs(c, namespace)
 }
 
+func (c *ConfigV1alpha1Client) OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface {
+	return newOIDCProviderConfigs(c, namespace)
+}
+
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
 func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) {
 	config := *c

generated/1.18/client/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go

@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) CredentialIssuerConfigs(namespace string) v1alpha1.
 	return &FakeCredentialIssuerConfigs{c, namespace}
 }
 
+func (c *FakeConfigV1alpha1) OIDCProviderConfigs(namespace string) v1alpha1.OIDCProviderConfigInterface {
+	return &FakeOIDCProviderConfigs{c, namespace}
+}
+
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
 func (c *FakeConfigV1alpha1) RESTClient() rest.Interface {

generated/1.18/client/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcproviderconfig.go

@@ -0,0 +1,129 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeOIDCProviderConfigs implements OIDCProviderConfigInterface
+type FakeOIDCProviderConfigs struct {
+	Fake *FakeConfigV1alpha1
+	ns   string
+}
+
+var oidcproviderconfigsResource = schema.GroupVersionResource{Group: "config.pinniped.dev", Version: "v1alpha1", Resource: "oidcproviderconfigs"}
+
+var oidcproviderconfigsKind = schema.GroupVersionKind{Group: "config.pinniped.dev", Version: "v1alpha1", Kind: "OIDCProviderConfig"}
+
+// Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
+func (c *FakeOIDCProviderConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
+func (c *FakeOIDCProviderConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(oidcproviderconfigsResource, oidcproviderconfigsKind, c.ns, opts), &v1alpha1.OIDCProviderConfigList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.OIDCProviderConfigList{ListMeta: obj.(*v1alpha1.OIDCProviderConfigList).ListMeta}
+	for _, item := range obj.(*v1alpha1.OIDCProviderConfigList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
+func (c *FakeOIDCProviderConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(oidcproviderconfigsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *FakeOIDCProviderConfigs) Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *FakeOIDCProviderConfigs) Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeOIDCProviderConfigs) UpdateStatus(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (*v1alpha1.OIDCProviderConfig, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(oidcproviderconfigsResource, "status", c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
+func (c *FakeOIDCProviderConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeOIDCProviderConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(oidcproviderconfigsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.OIDCProviderConfigList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched oIDCProviderConfig.
+func (c *FakeOIDCProviderConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(oidcproviderconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}

generated/1.18/client/clientset/versioned/typed/config/v1alpha1/generated_expansion.go

@@ -6,3 +6,5 @@
 package v1alpha1
 
 type CredentialIssuerConfigExpansion interface{}
+
+type OIDCProviderConfigExpansion interface{}

generated/1.18/client/clientset/versioned/typed/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,182 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// OIDCProviderConfigsGetter has a method to return a OIDCProviderConfigInterface.
+// A group's client should implement this interface.
+type OIDCProviderConfigsGetter interface {
+	OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface
+}
+
+// OIDCProviderConfigInterface has methods to work with OIDCProviderConfig resources.
+type OIDCProviderConfigInterface interface {
+	Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (*v1alpha1.OIDCProviderConfig, error)
+	Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (*v1alpha1.OIDCProviderConfig, error)
+	UpdateStatus(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (*v1alpha1.OIDCProviderConfig, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCProviderConfig, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCProviderConfigList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error)
+	OIDCProviderConfigExpansion
+}
+
+// oIDCProviderConfigs implements OIDCProviderConfigInterface
+type oIDCProviderConfigs struct {
+	client rest.Interface
+	ns     string
+}
+
+// newOIDCProviderConfigs returns a OIDCProviderConfigs
+func newOIDCProviderConfigs(c *ConfigV1alpha1Client, namespace string) *oIDCProviderConfigs {
+	return &oIDCProviderConfigs{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
+func (c *oIDCProviderConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
+func (c *oIDCProviderConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.OIDCProviderConfigList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
+func (c *oIDCProviderConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *oIDCProviderConfigs) Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(oIDCProviderConfig).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *oIDCProviderConfigs) Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(oIDCProviderConfig.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(oIDCProviderConfig).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *oIDCProviderConfigs) UpdateStatus(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(oIDCProviderConfig.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(oIDCProviderConfig).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
+func (c *oIDCProviderConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *oIDCProviderConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched oIDCProviderConfig.
+func (c *oIDCProviderConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.18/client/informers/externalversions/config/v1alpha1/interface.go

@@ -13,6 +13,8 @@ import (
 type Interface interface {
 	// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
 	CredentialIssuerConfigs() CredentialIssuerConfigInformer
+	// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+	OIDCProviderConfigs() OIDCProviderConfigInformer
 }
 
 type version struct {
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 func (v *version) CredentialIssuerConfigs() CredentialIssuerConfigInformer {
 	return &credentialIssuerConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
+
+// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+func (v *version) OIDCProviderConfigs() OIDCProviderConfigInformer {
+	return &oIDCProviderConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}

generated/1.18/client/informers/externalversions/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.18/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/listers/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// OIDCProviderConfigInformer provides access to a shared informer and lister for
+// OIDCProviderConfigs.
+type OIDCProviderConfigInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.OIDCProviderConfigLister
+}
+
+type oIDCProviderConfigInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredOIDCProviderConfigInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&configv1alpha1.OIDCProviderConfig{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *oIDCProviderConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredOIDCProviderConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *oIDCProviderConfigInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&configv1alpha1.OIDCProviderConfig{}, f.defaultInformer)
+}
+
+func (f *oIDCProviderConfigInformer) Lister() v1alpha1.OIDCProviderConfigLister {
+	return v1alpha1.NewOIDCProviderConfigLister(f.Informer().GetIndexer())
+}

generated/1.18/client/informers/externalversions/generic.go

@@ -44,6 +44,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	// Group=config.pinniped.dev, Version=v1alpha1
 	case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
 		// Group=idp.pinniped.dev, Version=v1alpha1
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):

generated/1.18/client/listers/config/v1alpha1/expansion_generated.go

@@ -12,3 +12,11 @@ type CredentialIssuerConfigListerExpansion interface{}
 // CredentialIssuerConfigNamespaceListerExpansion allows custom methods to be added to
 // CredentialIssuerConfigNamespaceLister.
 type CredentialIssuerConfigNamespaceListerExpansion interface{}
+
+// OIDCProviderConfigListerExpansion allows custom methods to be added to
+// OIDCProviderConfigLister.
+type OIDCProviderConfigListerExpansion interface{}
+
+// OIDCProviderConfigNamespaceListerExpansion allows custom methods to be added to
+// OIDCProviderConfigNamespaceLister.
+type OIDCProviderConfigNamespaceListerExpansion interface{}

generated/1.18/client/listers/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// OIDCProviderConfigLister helps list OIDCProviderConfigs.
+type OIDCProviderConfigLister interface {
+	// List lists all OIDCProviderConfigs in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
+	// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
+	OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister
+	OIDCProviderConfigListerExpansion
+}
+
+// oIDCProviderConfigLister implements the OIDCProviderConfigLister interface.
+type oIDCProviderConfigLister struct {
+	indexer cache.Indexer
+}
+
+// NewOIDCProviderConfigLister returns a new OIDCProviderConfigLister.
+func NewOIDCProviderConfigLister(indexer cache.Indexer) OIDCProviderConfigLister {
+	return &oIDCProviderConfigLister{indexer: indexer}
+}
+
+// List lists all OIDCProviderConfigs in the indexer.
+func (s *oIDCProviderConfigLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
+	})
+	return ret, err
+}
+
+// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
+func (s *oIDCProviderConfigLister) OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister {
+	return oIDCProviderConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// OIDCProviderConfigNamespaceLister helps list and get OIDCProviderConfigs.
+type OIDCProviderConfigNamespaceLister interface {
+	// List lists all OIDCProviderConfigs in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
+	// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.OIDCProviderConfig, error)
+	OIDCProviderConfigNamespaceListerExpansion
+}
+
+// oIDCProviderConfigNamespaceLister implements the OIDCProviderConfigNamespaceLister
+// interface.
+type oIDCProviderConfigNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all OIDCProviderConfigs in the indexer for a given namespace.
+func (s oIDCProviderConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
+	})
+	return ret, err
+}
+
+// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
+func (s oIDCProviderConfigNamespaceLister) Get(name string) (*v1alpha1.OIDCProviderConfig, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("oidcproviderconfig"), name)
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), nil
+}

generated/1.18/client/openapi/zz_generated.openapi.go

@@ -22,6 +22,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigList":           schema_118_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
 		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStatus":         schema_118_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
 		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig":                   schema_118_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigList":               schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec":               schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigStatus":             schema_118_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
 		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.Condition":                               schema_118_apis_idp_v1alpha1_Condition(ref),
 		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.TLSSpec":                                 schema_118_apis_idp_v1alpha1_TLSSpec(ref),
 		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider":                 schema_118_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
@@ -286,6 +290,155 @@ func schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref common.R
 	}
 }
 
+func schema_118_apis_config_v1alpha1_OIDCProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfig describes the configuration of an OIDC provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec of the OIDC provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status of the OIDC provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigStatus"),
+						},
+					},
+				},
+				Required: []string{"spec"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec", "go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfigSpec is a struct that describes an OIDC Provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"issuer": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).\n\nSee https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"issuer"},
+			},
+		},
+	}
+}
+
+func schema_118_apis_config_v1alpha1_OIDCProviderConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"message": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Message provides human-readable details about the Status.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"lastUpdateTime": {
+						SchemaProps: spec.SchemaProps{
+							Description: "LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).",
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+	}
+}
+
 func schema_118_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{

generated/1.18/crds/config.pinniped.dev_oidcproviderconfigs.yaml

@@ -0,0 +1,86 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: oidcproviderconfigs.config.pinniped.dev
+spec:
+  group: config.pinniped.dev
+  names:
+    kind: OIDCProviderConfig
+    listKind: OIDCProviderConfigList
+    plural: oidcproviderconfigs
+    shortNames:
+    - opc
+    singular: oidcproviderconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OIDCProviderConfig describes the configuration of an OIDC provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec of the OIDC provider.
+            properties:
+              issuer:
+                description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
+                  Metadata document, as well as the identifier that it will use for
+                  the iss claim in issued JWTs. This field will also be used as the
+                  base URL for any endpoints used by the OIDC Provider (e.g., if your
+                  issuer is https://example.com/foo, then your authorization endpoint
+                  will look like https://example.com/foo/some/path/to/auth/endpoint).
+                  \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3
+                  for more information."
+                minLength: 1
+                type: string
+            required:
+            - issuer
+            type: object
+          status:
+            description: Status of the OIDC provider.
+            properties:
+              lastUpdateTime:
+                description: LastUpdateTime holds the time at which the Status was
+                  last updated. It is a pointer to get around some undesirable behavior
+                  with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
+                format: date-time
+                type: string
+              message:
+                description: Message provides human-readable details about the Status.
+                type: string
+              status:
+                description: Status holds an enum that describes the state of this
+                  OIDC Provider. Note that this Status can represent success or failure.
+                enum:
+                - Success
+                - Duplicate
+                - Invalid
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.19/README.adoc

@@ -95,6 +95,65 @@ Status of a credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfig"]
+==== OIDCProviderConfig 
+
+OIDCProviderConfig describes the configuration of an OIDC provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfiglist[$$OIDCProviderConfigList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfigspec[$$OIDCProviderConfigSpec$$]__ | Spec of the OIDC provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfigstatus[$$OIDCProviderConfigStatus$$]__ | Status of the OIDC provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfigspec"]
+==== OIDCProviderConfigSpec 
+
+OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
+ See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfigstatus"]
+==== OIDCProviderConfigStatus 
+
+OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`status`* __OIDCProviderStatus__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
+| *`message`* __string__ | Message provides human-readable details about the Status.
+| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
+|===
+
+
 
 [id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"]
 === idp.pinniped.dev/v1alpha1

generated/1.19/apis/config/v1alpha1/register.go

@@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&CredentialIssuerConfig{},
 		&CredentialIssuerConfigList{},
+		&OIDCProviderConfig{},
+		&OIDCProviderConfigList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.19/apis/config/v1alpha1/types_oidcproviderconfig.go

@@ -0,0 +1,72 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +kubebuilder:validation:Enum=Success;Duplicate;Invalid
+type OIDCProviderStatus string
+
+const (
+	SuccessOIDCProviderStatus = OIDCProviderStatus("Success")
+	DuplicateOIDCProviderStatus = OIDCProviderStatus("Duplicate")
+	InvalidOIDCProviderStatus = OIDCProviderStatus("Invalid")
+)
+
+// OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+type OIDCProviderConfigSpec struct {
+	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
+	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
+	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
+	// https://example.com/foo, then your authorization endpoint will look like
+	// https://example.com/foo/some/path/to/auth/endpoint).
+	//
+	// See
+	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+	// +kubebuilder:validation:MinLength=1
+	Issuer string `json:"issuer"`
+}
+
+// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+type OIDCProviderConfigStatus struct {
+	// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
+	// represent success or failure.
+	// +optional
+	Status OIDCProviderStatus `json:"status,omitempty"`
+
+	// Message provides human-readable details about the Status.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+  // LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
+  // around some undesirable behavior with respect to the empty metav1.Time value (see
+  // https://github.com/kubernetes/kubernetes/issues/86811).
+  // +optional
+  LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+}
+
+// OIDCProviderConfig describes the configuration of an OIDC provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=opc
+type OIDCProviderConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec of the OIDC provider.
+	Spec OIDCProviderConfigSpec `json:"spec"`
+
+	// Status of the OIDC provider.
+	Status OIDCProviderConfigStatus `json:"status,omitempty"`
+}
+
+// List of OIDCProviderConfig objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type OIDCProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCProviderConfig `json:"items"`
+}

generated/1.19/apis/config/v1alpha1/zz_generated.deepcopy.go

@@ -131,3 +131,100 @@ func (in *CredentialIssuerConfigStrategy) DeepCopy() *CredentialIssuerConfigStra
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfig) DeepCopyInto(out *OIDCProviderConfig) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfig.
+func (in *OIDCProviderConfig) DeepCopy() *OIDCProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCProviderConfig) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigList) DeepCopyInto(out *OIDCProviderConfigList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCProviderConfig, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigList.
+func (in *OIDCProviderConfigList) DeepCopy() *OIDCProviderConfigList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCProviderConfigList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigSpec) DeepCopyInto(out *OIDCProviderConfigSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigSpec.
+func (in *OIDCProviderConfigSpec) DeepCopy() *OIDCProviderConfigSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigStatus) DeepCopyInto(out *OIDCProviderConfigStatus) {
+	*out = *in
+	if in.LastUpdateTime != nil {
+		in, out := &in.LastUpdateTime, &out.LastUpdateTime
+		*out = (*in).DeepCopy()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigStatus.
+func (in *OIDCProviderConfigStatus) DeepCopy() *OIDCProviderConfigStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.19/client/clientset/versioned/typed/config/v1alpha1/config_client.go

@@ -14,6 +14,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	CredentialIssuerConfigsGetter
+	OIDCProviderConfigsGetter
 }
 
 // ConfigV1alpha1Client is used to interact with features provided by the config.pinniped.dev group.
@@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) CredentialIssuerConfigs(namespace string) Credent
 	return newCredentialIssuerConfigs(c, namespace)
 }
 
+func (c *ConfigV1alpha1Client) OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface {
+	return newOIDCProviderConfigs(c, namespace)
+}
+
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
 func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) {
 	config := *c

generated/1.19/client/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go

@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) CredentialIssuerConfigs(namespace string) v1alpha1.
 	return &FakeCredentialIssuerConfigs{c, namespace}
 }
 
+func (c *FakeConfigV1alpha1) OIDCProviderConfigs(namespace string) v1alpha1.OIDCProviderConfigInterface {
+	return &FakeOIDCProviderConfigs{c, namespace}
+}
+
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
 func (c *FakeConfigV1alpha1) RESTClient() rest.Interface {

generated/1.19/client/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcproviderconfig.go

@@ -0,0 +1,129 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeOIDCProviderConfigs implements OIDCProviderConfigInterface
+type FakeOIDCProviderConfigs struct {
+	Fake *FakeConfigV1alpha1
+	ns   string
+}
+
+var oidcproviderconfigsResource = schema.GroupVersionResource{Group: "config.pinniped.dev", Version: "v1alpha1", Resource: "oidcproviderconfigs"}
+
+var oidcproviderconfigsKind = schema.GroupVersionKind{Group: "config.pinniped.dev", Version: "v1alpha1", Kind: "OIDCProviderConfig"}
+
+// Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
+func (c *FakeOIDCProviderConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
+func (c *FakeOIDCProviderConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(oidcproviderconfigsResource, oidcproviderconfigsKind, c.ns, opts), &v1alpha1.OIDCProviderConfigList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.OIDCProviderConfigList{ListMeta: obj.(*v1alpha1.OIDCProviderConfigList).ListMeta}
+	for _, item := range obj.(*v1alpha1.OIDCProviderConfigList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
+func (c *FakeOIDCProviderConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(oidcproviderconfigsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *FakeOIDCProviderConfigs) Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *FakeOIDCProviderConfigs) Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeOIDCProviderConfigs) UpdateStatus(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (*v1alpha1.OIDCProviderConfig, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(oidcproviderconfigsResource, "status", c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
+func (c *FakeOIDCProviderConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeOIDCProviderConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(oidcproviderconfigsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.OIDCProviderConfigList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched oIDCProviderConfig.
+func (c *FakeOIDCProviderConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(oidcproviderconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}

generated/1.19/client/clientset/versioned/typed/config/v1alpha1/generated_expansion.go

@@ -6,3 +6,5 @@
 package v1alpha1
 
 type CredentialIssuerConfigExpansion interface{}
+
+type OIDCProviderConfigExpansion interface{}

generated/1.19/client/clientset/versioned/typed/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,182 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// OIDCProviderConfigsGetter has a method to return a OIDCProviderConfigInterface.
+// A group's client should implement this interface.
+type OIDCProviderConfigsGetter interface {
+	OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface
+}
+
+// OIDCProviderConfigInterface has methods to work with OIDCProviderConfig resources.
+type OIDCProviderConfigInterface interface {
+	Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (*v1alpha1.OIDCProviderConfig, error)
+	Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (*v1alpha1.OIDCProviderConfig, error)
+	UpdateStatus(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (*v1alpha1.OIDCProviderConfig, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCProviderConfig, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCProviderConfigList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error)
+	OIDCProviderConfigExpansion
+}
+
+// oIDCProviderConfigs implements OIDCProviderConfigInterface
+type oIDCProviderConfigs struct {
+	client rest.Interface
+	ns     string
+}
+
+// newOIDCProviderConfigs returns a OIDCProviderConfigs
+func newOIDCProviderConfigs(c *ConfigV1alpha1Client, namespace string) *oIDCProviderConfigs {
+	return &oIDCProviderConfigs{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
+func (c *oIDCProviderConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
+func (c *oIDCProviderConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.OIDCProviderConfigList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
+func (c *oIDCProviderConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *oIDCProviderConfigs) Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(oIDCProviderConfig).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *oIDCProviderConfigs) Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(oIDCProviderConfig.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(oIDCProviderConfig).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *oIDCProviderConfigs) UpdateStatus(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(oIDCProviderConfig.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(oIDCProviderConfig).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
+func (c *oIDCProviderConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *oIDCProviderConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched oIDCProviderConfig.
+func (c *oIDCProviderConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.19/client/informers/externalversions/config/v1alpha1/interface.go

@@ -13,6 +13,8 @@ import (
 type Interface interface {
 	// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
 	CredentialIssuerConfigs() CredentialIssuerConfigInformer
+	// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+	OIDCProviderConfigs() OIDCProviderConfigInformer
 }
 
 type version struct {
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 func (v *version) CredentialIssuerConfigs() CredentialIssuerConfigInformer {
 	return &credentialIssuerConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
+
+// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+func (v *version) OIDCProviderConfigs() OIDCProviderConfigInformer {
+	return &oIDCProviderConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}

generated/1.19/client/informers/externalversions/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.19/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/listers/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// OIDCProviderConfigInformer provides access to a shared informer and lister for
+// OIDCProviderConfigs.
+type OIDCProviderConfigInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.OIDCProviderConfigLister
+}
+
+type oIDCProviderConfigInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredOIDCProviderConfigInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&configv1alpha1.OIDCProviderConfig{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *oIDCProviderConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredOIDCProviderConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *oIDCProviderConfigInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&configv1alpha1.OIDCProviderConfig{}, f.defaultInformer)
+}
+
+func (f *oIDCProviderConfigInformer) Lister() v1alpha1.OIDCProviderConfigLister {
+	return v1alpha1.NewOIDCProviderConfigLister(f.Informer().GetIndexer())
+}

generated/1.19/client/informers/externalversions/generic.go

@@ -44,6 +44,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	// Group=config.pinniped.dev, Version=v1alpha1
 	case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
 		// Group=idp.pinniped.dev, Version=v1alpha1
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):

generated/1.19/client/listers/config/v1alpha1/expansion_generated.go

@@ -12,3 +12,11 @@ type CredentialIssuerConfigListerExpansion interface{}
 // CredentialIssuerConfigNamespaceListerExpansion allows custom methods to be added to
 // CredentialIssuerConfigNamespaceLister.
 type CredentialIssuerConfigNamespaceListerExpansion interface{}
+
+// OIDCProviderConfigListerExpansion allows custom methods to be added to
+// OIDCProviderConfigLister.
+type OIDCProviderConfigListerExpansion interface{}
+
+// OIDCProviderConfigNamespaceListerExpansion allows custom methods to be added to
+// OIDCProviderConfigNamespaceLister.
+type OIDCProviderConfigNamespaceListerExpansion interface{}

generated/1.19/client/listers/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,86 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// OIDCProviderConfigLister helps list OIDCProviderConfigs.
+// All objects returned here must be treated as read-only.
+type OIDCProviderConfigLister interface {
+	// List lists all OIDCProviderConfigs in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
+	// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
+	OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister
+	OIDCProviderConfigListerExpansion
+}
+
+// oIDCProviderConfigLister implements the OIDCProviderConfigLister interface.
+type oIDCProviderConfigLister struct {
+	indexer cache.Indexer
+}
+
+// NewOIDCProviderConfigLister returns a new OIDCProviderConfigLister.
+func NewOIDCProviderConfigLister(indexer cache.Indexer) OIDCProviderConfigLister {
+	return &oIDCProviderConfigLister{indexer: indexer}
+}
+
+// List lists all OIDCProviderConfigs in the indexer.
+func (s *oIDCProviderConfigLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
+	})
+	return ret, err
+}
+
+// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
+func (s *oIDCProviderConfigLister) OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister {
+	return oIDCProviderConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// OIDCProviderConfigNamespaceLister helps list and get OIDCProviderConfigs.
+// All objects returned here must be treated as read-only.
+type OIDCProviderConfigNamespaceLister interface {
+	// List lists all OIDCProviderConfigs in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
+	// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.OIDCProviderConfig, error)
+	OIDCProviderConfigNamespaceListerExpansion
+}
+
+// oIDCProviderConfigNamespaceLister implements the OIDCProviderConfigNamespaceLister
+// interface.
+type oIDCProviderConfigNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all OIDCProviderConfigs in the indexer for a given namespace.
+func (s oIDCProviderConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
+	})
+	return ret, err
+}
+
+// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
+func (s oIDCProviderConfigNamespaceLister) Get(name string) (*v1alpha1.OIDCProviderConfig, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("oidcproviderconfig"), name)
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), nil
+}

generated/1.19/client/openapi/zz_generated.openapi.go

@@ -22,6 +22,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigList":           schema_119_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
 		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStatus":         schema_119_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
 		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig":                   schema_119_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigList":               schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec":               schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigStatus":             schema_119_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
 		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.Condition":                               schema_119_apis_idp_v1alpha1_Condition(ref),
 		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.TLSSpec":                                 schema_119_apis_idp_v1alpha1_TLSSpec(ref),
 		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProvider":                 schema_119_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
@@ -287,6 +291,155 @@ func schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref common.R
 	}
 }
 
+func schema_119_apis_config_v1alpha1_OIDCProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfig describes the configuration of an OIDC provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec of the OIDC provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status of the OIDC provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigStatus"),
+						},
+					},
+				},
+				Required: []string{"spec"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec", "go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfigSpec is a struct that describes an OIDC Provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"issuer": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).\n\nSee https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"issuer"},
+			},
+		},
+	}
+}
+
+func schema_119_apis_config_v1alpha1_OIDCProviderConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"message": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Message provides human-readable details about the Status.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"lastUpdateTime": {
+						SchemaProps: spec.SchemaProps{
+							Description: "LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).",
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+	}
+}
+
 func schema_119_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{

generated/1.19/crds/config.pinniped.dev_oidcproviderconfigs.yaml

@@ -0,0 +1,86 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: oidcproviderconfigs.config.pinniped.dev
+spec:
+  group: config.pinniped.dev
+  names:
+    kind: OIDCProviderConfig
+    listKind: OIDCProviderConfigList
+    plural: oidcproviderconfigs
+    shortNames:
+    - opc
+    singular: oidcproviderconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OIDCProviderConfig describes the configuration of an OIDC provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec of the OIDC provider.
+            properties:
+              issuer:
+                description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
+                  Metadata document, as well as the identifier that it will use for
+                  the iss claim in issued JWTs. This field will also be used as the
+                  base URL for any endpoints used by the OIDC Provider (e.g., if your
+                  issuer is https://example.com/foo, then your authorization endpoint
+                  will look like https://example.com/foo/some/path/to/auth/endpoint).
+                  \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3
+                  for more information."
+                minLength: 1
+                type: string
+            required:
+            - issuer
+            type: object
+          status:
+            description: Status of the OIDC provider.
+            properties:
+              lastUpdateTime:
+                description: LastUpdateTime holds the time at which the Status was
+                  last updated. It is a pointer to get around some undesirable behavior
+                  with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
+                format: date-time
+                type: string
+              message:
+                description: Message provides human-readable details about the Status.
+                type: string
+              status:
+                description: Status holds an enum that describes the state of this
+                  OIDC Provider. Note that this Status can represent success or failure.
+                enum:
+                - Success
+                - Duplicate
+                - Invalid
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

hack/kind-down.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
+
+cd "${ROOT}"
+
+kind delete cluster --name pinniped

hack/kind-up.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
+
+cd "${ROOT}"
+
+# To choose a specific version of kube, add this option to the command below: `--image kindest/node:v1.18.8`
+kind create cluster --config "hack/lib/kind-config/single-node.yaml" --name pinniped

hack/lib/kind-config/multi-node.yaml

@@ -0,0 +1,7 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+  - role: worker
+  - role: worker
+    extraPortMappings: [{containerPort: 31234, hostPort: 12345, protocol: TCP}]

hack/lib/kind-config/single-node.yaml

@@ -0,0 +1,5 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+    extraPortMappings: [{containerPort: 31234, hostPort: 12345, protocol: TCP}]

hack/lib/tilt/Tiltfile

@@ -8,13 +8,20 @@ os.putenv('GOARCH', 'amd64')
 os.putenv('CGO_ENABLED', '0')
 os.putenv('KUBE_GIT_VERSION', 'v0.0.0')
 
+#####################################################################################################
 # Compile all of our ./cmd/... binaries.
+#
+
 local_resource(
   'compile',
   'cd ../../../ && mkdir -p ./hack/lib/tilt/build && go build -v -ldflags "$(hack/get-ldflags.sh)" -o ./hack/lib/tilt/build ./cmd/...',
   deps=['../../../cmd', '../../../internal', '../../../pkg', '../../../generated'],
 )
 
+#####################################################################################################
+# Local-user-authenticator app
+#
+
 # Build a container image for local-user-authenticator, with live-update enabled.
 docker_build_with_restart('image/local-user-auth', '.',
     dockerfile='local-user-authenticator.Dockerfile',
@@ -26,16 +33,17 @@ docker_build_with_restart('image/local-user-auth', '.',
 # Render the local-user-authenticator installation manifest using ytt.
 k8s_yaml(local([
     'ytt',
-    '--file', '../../../deploy-local-user-authenticator',
+    '--file', '../../../deploy/local-user-authenticator',
     '--data-value', 'image_repo=image/local-user-auth',
     '--data-value', 'image_tag=tilt-dev',
 ]))
 
 # Collect all the deployed local-user-authenticator resources under a "local-user-auth" resource tab.
 k8s_resource(
-    workload='local-user-authenticator',
+    workload='local-user-authenticator', # this is the deployment name
-    new_name='local-user-auth',
+    new_name='local-user-auth', # this is the name that will appear in the tilt UI
     objects=[
+        # these are the objects that would otherwise appear in the "uncategorized" tab in the tilt UI
         'local-user-authenticator:namespace',
         'local-user-authenticator:serviceaccount',
         'local-user-authenticator:role',
@@ -43,55 +51,105 @@ k8s_resource(
     ],
 )
 
-# Build a container image for the Pinniped server, with live-update enabled.
+#####################################################################################################
-docker_build_with_restart('image/pinniped', '.',
+# Supervisor app
-    dockerfile='pinniped.Dockerfile',
+#
-    entrypoint=['/usr/local/bin/pinniped-server'],
+
-    live_update=[sync('./build/pinniped-server', '/usr/local/bin/pinniped-server')],
+# Build a container image for supervisor, with live-update enabled.
-    only=['./build/pinniped-server'],
+docker_build_with_restart('image/supervisor', '.',
+    dockerfile='supervisor.Dockerfile',
+    entrypoint=['/usr/local/bin/pinniped-supervisor'],
+    live_update=[sync('./build/pinniped-supervisor', '/usr/local/bin/pinniped-supervisor')],
+    only=['./build/pinniped-supervisor'],
 )
 
-# Render the Pinniped server installation manifest using ytt.
+# Render the supervisor installation manifest using ytt.
+k8s_yaml(local([
+    'ytt',
+    '--file', '../../../deploy/supervisor',
+    '--data-value', 'app_name=pinniped-supervisor',
+    '--data-value', 'namespace=supervisor',
+    '--data-value', 'image_repo=image/supervisor',
+    '--data-value', 'image_tag=tilt-dev',
+    '--data-value-yaml', 'replicas=1',
+    '--data-value-yaml', 'service_nodeport_port=31234',
+]))
+
+# Collect all the deployed supervisor resources under a "supervisor" resource tab.
+k8s_resource(
+    workload='pinniped-supervisor', # this is the deployment name
+    new_name='supervisor', # this is the name that will appear in the tilt UI
+    objects=[
+        # these are the objects that would otherwise appear in the "uncategorized" tab in the tilt UI
+        'oidcproviderconfigs.config.pinniped.dev:customresourcedefinition',
+        'pinniped-supervisor-static-config:configmap',
+        'supervisor:namespace',
+        'pinniped-supervisor:role',
+        'pinniped-supervisor:rolebinding',
+        'pinniped-supervisor:serviceaccount',
+    ],
+)
+
+# Build a container image for the Concierge server, with live-update enabled.
+docker_build_with_restart('image/concierge', '.',
+    dockerfile='concierge.Dockerfile',
+    entrypoint=['/usr/local/bin/pinniped-concierge'],
+    live_update=[sync('./build/pinniped-concierge', '/usr/local/bin/pinniped-concierge')],
+    only=['./build/pinniped-concierge'],
+)
+
+#####################################################################################################
+# Concierge app
+#
+
+# Render the Concierge server installation manifest using ytt.
 k8s_yaml(local([
     'sh', '-c',
-    'ytt --file ../../../deploy ' +
+    'ytt --file ../../../deploy/concierge ' +
-    '--data-value namespace=integration ' +
+    '--data-value app_name=pinniped-concierge ' +
-    '--data-value image_repo=image/pinniped ' +
+    '--data-value namespace=concierge ' +
+    '--data-value image_repo=image/concierge ' +
     '--data-value image_tag=tilt-dev ' +
     '--data-value kube_cert_agent_image=debian:10.5-slim ' +
     '--data-value discovery_url=$(TERM=dumb kubectl cluster-info | awk \'/Kubernetes master/ {print $NF}\') ' +
-    '--data-value-yaml replicas=1'
+    '--data-value-yaml replicas=1',
 ]))
 
-# Collect all the deployed local-user-authenticator resources under a "deploy/pinniped" resource tab.
+# Collect all the deployed local-user-authenticator resources under a "concierge" resource tab.
 k8s_resource(
-    workload='pinniped',
+    workload='pinniped-concierge', # this is the deployment name
+    new_name='concierge', # this is the name that will appear in the tilt UI
     objects=[
-        'integration:namespace',
+        # these are the objects that would otherwise appear in the "uncategorized" tab in the tilt UI
+        'concierge:namespace',
+        'pinniped-concierge-aggregated-api-server:clusterrole',
+        'pinniped-concierge-aggregated-api-server:clusterrolebinding',
+        'pinniped-concierge-aggregated-api-server:role',
+        'pinniped-concierge-aggregated-api-server:rolebinding',
+        'pinniped-concierge-cluster-info-lister-watcher:role',
+        'pinniped-concierge-cluster-info-lister-watcher:rolebinding',
+        'pinniped-concierge-config:configmap',
+        'pinniped-concierge-create-token-credential-requests:clusterrole',
+        'pinniped-concierge-create-token-credential-requests:clusterrolebinding',
+        'pinniped-concierge-extension-apiserver-authentication-reader:rolebinding',
+        'pinniped-concierge-kube-system-pod-read:role',
+        'pinniped-concierge-kube-system-pod-read:rolebinding',
+        'pinniped-concierge:clusterrolebinding',
+        'pinniped-concierge:serviceaccount',
         'credentialissuerconfigs.config.pinniped.dev:customresourcedefinition',
         'webhookidentityproviders.idp.pinniped.dev:customresourcedefinition',
-        'pinniped:serviceaccount',
-        'pinniped-aggregated-api-server:role',
-        'pinniped-kube-system-pod-read:role',
-        'pinniped-cluster-info-lister-watcher:role',
-        'pinniped-aggregated-api-server:clusterrole',
-        'pinniped-create-token-credential-requests:clusterrole',
-        'pinniped-aggregated-api-server:rolebinding',
-        'pinniped-kube-system-pod-read:rolebinding',
-        'pinniped-extension-apiserver-authentication-reader:rolebinding',
-        'pinniped-cluster-info-lister-watcher:rolebinding',
-        'pinniped-aggregated-api-server:clusterrolebinding',
-        'pinniped-create-token-credential-requests:clusterrolebinding',
-        'pinniped:clusterrolebinding',
-        'pinniped-config:configmap',
         'v1alpha1.login.pinniped.dev:apiservice',
     ],
 )
 
+#####################################################################################################
+# Finish setting up cluster and creating integration test env file
+#
+
 # Collect environment variables needed to run our integration test suite.
 local_resource(
   'test-env',
   'TILT_MODE=yes ../../prepare-for-integration-tests.sh',
-  resource_deps=['local-user-auth', 'pinniped'],
+  resource_deps=['local-user-auth', 'concierge', 'supervisor'],
   deps=['../../prepare-for-integration-tests.sh'],
 )

hack/lib/tilt/concierge.Dockerfile

@@ -5,10 +5,10 @@
 FROM debian:10.5-slim
 
 # Copy the binary which was built outside the container.
-COPY build/pinniped-server /usr/local/bin/pinniped-server
+COPY build/pinniped-concierge /usr/local/bin/pinniped-concierge
 
 # Document the port
 EXPOSE 443
 
 # Set the entrypoint
-ENTRYPOINT ["/usr/local/bin/pinniped-server"]
+ENTRYPOINT ["/usr/local/bin/pinniped-concierge"]

hack/lib/tilt/supervisor.Dockerfile

@@ -0,0 +1,14 @@
+# Copyright 2020 VMware, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# Use a runtime image based on Debian slim
+FROM debian:10.5-slim
+
+# Copy the binary which was built outside the container.
+COPY build/pinniped-supervisor /usr/local/bin/pinniped-supervisor
+
+# Document the port
+EXPOSE 443
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/pinniped-supervisor"]

hack/prepare-for-integration-tests.sh

@@ -50,6 +50,7 @@ function check_dependency() {
 #
 help=no
 skip_build=no
+clean_kind=no
 
 while (("$#")); do
   case "$1" in
@@ -61,6 +62,10 @@ while (("$#")); do
     skip_build=yes
     shift
     ;;
+  -c | --clean)
+    clean_kind=yes
+    shift
+    ;;
   -*)
     log_error "Unsupported flag $1" >&2
     exit 1
@@ -98,18 +103,24 @@ check_dependency htpasswd "Please install htpasswd. Should be pre-installed on M
 
 # Require kubectl >= 1.18.x
 if [ "$(kubectl version --client=true --short | cut -d '.' -f 2)" -lt 18 ]; then
-  echo "kubectl >= 1.18.x is required, you have $(kubectl version --client=true --short | cut -d ':' -f2)"
+  log_error "kubectl >= 1.18.x is required, you have $(kubectl version --client=true --short | cut -d ':' -f2)"
   exit 1
 fi
 
 if ! tilt_mode; then
+  if [[ "$clean_kind" == "yes" ]]; then
+    log_note "Deleting running kind clusters to prepare from a clean slate..."
+    kind delete cluster --name pinniped
+  fi
+
   #
   # Setup kind and build the app
   #
   log_note "Checking for running kind clusters..."
-  if ! kind get clusters | grep -q -e '^kind$'; then
+  if ! kind get clusters | grep -q -e '^pinniped$'; then
     log_note "Creating a kind cluster..."
-    kind create cluster
+    # single-node.yaml exposes node port 31234 as 127.0.0.1:12345
+    kind create cluster --config "$pinniped_path/hack/lib/kind-config/single-node.yaml" --name pinniped
   else
     if ! kubectl cluster-info | grep master | grep -q 127.0.0.1; then
       log_error "Seems like your kubeconfig is not targeting a local cluster."
@@ -146,14 +157,14 @@ if ! tilt_mode; then
 
   # Load it into the cluster
   log_note "Loading the app's container image into the kind cluster..."
-  kind load docker-image "$registry_repo_tag"
+  kind load docker-image "$registry_repo_tag" --name pinniped
 
   manifest=/tmp/manifest.yaml
 
   #
   # Deploy local-user-authenticator
   #
-  pushd deploy-local-user-authenticator >/dev/null
+  pushd deploy/local-user-authenticator >/dev/null
 
   log_note "Deploying the local-user-authenticator app to the cluster..."
   ytt --file . \
@@ -167,7 +178,6 @@ if ! tilt_mode; then
 
 fi
 
-
 test_username="test-username"
 test_groups="test-group-0,test-group-1"
 set +o pipefail
@@ -186,27 +196,49 @@ kubectl create secret generic "$test_username" \
   --output yaml |
   kubectl apply -f -
 
-app_name="pinniped"
+#
-namespace="integration"
+# Deploy the Pinniped Supervisor
+#
+supervisor_app_name="pinniped-supervisor"
+supervisor_namespace="supervisor"
+
+if ! tilt_mode; then
+  pushd deploy/supervisor >/dev/null
+
+  log_note "Deploying the Pinniped Supervisor app to the cluster..."
+  ytt --file . \
+    --data-value "app_name=$supervisor_app_name" \
+    --data-value "namespace=$supervisor_namespace" \
+    --data-value "image_repo=$registry_repo" \
+    --data-value "image_tag=$tag" \
+    --data-value-yaml 'service_nodeport_port=31234' >"$manifest"
+
+  kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest"
+
+  popd >/dev/null
+fi
+
+#
+# Deploy Pinniped
+#
+concierge_app_name="pinniped-concierge"
+concierge_namespace="concierge"
 webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
 webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
 discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')"
 
 if ! tilt_mode; then
-  #
+  pushd deploy/concierge >/dev/null
-  # Deploy Pinniped
-  #
-  pushd deploy >/dev/null
 
   log_note "Deploying the Pinniped app to the cluster..."
   ytt --file . \
-    --data-value "app_name=$app_name" \
+    --data-value "app_name=$concierge_app_name" \
-    --data-value "namespace=$namespace" \
+    --data-value "namespace=$concierge_namespace" \
     --data-value "image_repo=$registry_repo" \
     --data-value "image_tag=$tag" \
     --data-value "discovery_url=$discovery_url" >"$manifest"
 
-  kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest"
+  kapp deploy --yes --app "$concierge_app_name" --diff-changes --file "$manifest"
 
   popd >/dev/null
 fi
@@ -218,20 +250,23 @@ kind_capabilities_file="$pinniped_path/test/cluster_capabilities/kind.yaml"
 pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file")
 
 cat <<EOF >/tmp/integration-test-env
-# The following env vars should be set before running 'go test -v -count 1 ./test/...'
+# The following env vars should be set before running 'go test -v -count 1 ./test/integration'
-export PINNIPED_NAMESPACE=${namespace}
+export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace}
-export PINNIPED_APP_NAME=${app_name}
+export PINNIPED_TEST_CONCIERGE_APP_NAME=${concierge_app_name}
 export PINNIPED_TEST_USER_USERNAME=${test_username}
 export PINNIPED_TEST_USER_GROUPS=${test_groups}
 export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
 export PINNIPED_TEST_WEBHOOK_ENDPOINT=${webhook_url}
 export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}
+export PINNIPED_TEST_SUPERVISOR_NAMESPACE=${supervisor_namespace}
+export PINNIPED_TEST_SUPERVISOR_APP_NAME=${supervisor_app_name}
+export PINNIPED_TEST_SUPERVISOR_ADDRESS="127.0.0.1:12345"
 
-read -r -d '' PINNIPED_CLUSTER_CAPABILITY_YAML << PINNIPED_CLUSTER_CAPABILITY_YAML_EOF || true
+read -r -d '' PINNIPED_TEST_CLUSTER_CAPABILITY_YAML << PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF || true
 ${pinniped_cluster_capability_file_content}
-PINNIPED_CLUSTER_CAPABILITY_YAML_EOF
+PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF
 
-export PINNIPED_CLUSTER_CAPABILITY_YAML
+export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML
 EOF
 
 #
@@ -242,15 +277,16 @@ goland_vars=$(grep -v '^#' /tmp/integration-test-env | grep -E '^export .+=' | s
 log_note
 log_note "🚀 Ready to run integration tests! For example..."
 log_note "    cd $pinniped_path"
-log_note '    source /tmp/integration-test-env && go test -v -count 1 ./test/...'
+log_note '    source /tmp/integration-test-env && go test -v -count 1 ./test/integration'
 log_note
 log_note 'Want to run integration tests in GoLand? Copy/paste this "Environment" value for GoLand run configurations:'
-log_note "    ${goland_vars}PINNIPED_CLUSTER_CAPABILITY_FILE=${kind_capabilities_file}"
+log_note "    ${goland_vars}PINNIPED_TEST_CLUSTER_CAPABILITY_FILE=${kind_capabilities_file}"
 log_note
 
 if ! tilt_mode; then
   log_note "You can rerun this script to redeploy local production code changes while you are working."
   log_note
-  log_note "To delete the deployments, run 'kapp delete -a local-user-authenticator -y && kapp delete -a pinniped -y'."
+  log_note "To delete the deployments, run:"
-  log_note "When you're finished, use 'kind delete cluster' to tear down the cluster."
+  log_note "  kapp delete -a local-user-authenticator -y && kapp delete -a $concierge_app_name -y &&  kapp delete -a $supervisor_app_name -y"
+  log_note "When you're finished, use 'kind delete cluster --name pinniped' to tear down the cluster."
 fi

hack/tilt-up.sh

@@ -5,5 +5,7 @@
 
 set -euo pipefail
 ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
+
 cd "${ROOT}"
-exec tilt up -f ./hack/lib/tilt/Tiltfile --stream
+
+exec tilt up -f ./hack/lib/tilt/Tiltfile

hack/update.sh

@@ -7,6 +7,20 @@ set -euo pipefail
 
 ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
 
+# Generate code.
 xargs "$ROOT/hack/lib/update-codegen.sh" < "${ROOT}/hack/lib/kube-versions.txt"
-cp "$ROOT/generated/1.19/crds/"*.yaml "$ROOT/deploy/"
+
+# Copy each CRD yaml to the app which should cause it to be installed.
+cp "$ROOT"/generated/1.19/crds/*oidcproviderconfigs.yaml "$ROOT/deploy/supervisor"
+cp "$ROOT"/generated/1.19/crds/*credentialissuerconfigs.yaml "$ROOT/deploy/concierge"
+cp "$ROOT"/generated/1.19/crds/*webhookidentityproviders.yaml "$ROOT/deploy/concierge"
+
+# Make sure we didn't miss any new CRDs.
+crdCount=$(find "$ROOT"/generated/1.19/crds/ -maxdepth 1 -type f -name '*.yaml' | wc -l | tr -d ' ')
+if [[ "$crdCount" != "3" ]]; then
+  echo "Looks like you added a new CRD. Please update this update.sh script to decide where to copy it and then run it again."
+  exit 1
+fi
+
+# Tidy.
 "$ROOT/hack/module.sh" tidy

internal/concierge/apiserver/apiserver.go

@@ -87,7 +87,7 @@ func (c *Config) Complete() CompletedConfig {
 
 // New returns a new instance of AdmissionServer from the given config.
 func (c completedConfig) New() (*PinnipedServer, error) {
-	genericServer, err := c.GenericConfig.New("pinniped-server", genericapiserver.NewEmptyDelegate()) // completion is done in Complete, no need for a second time
+	genericServer, err := c.GenericConfig.New("pinniped-concierge", genericapiserver.NewEmptyDelegate()) // completion is done in Complete, no need for a second time
 	if err != nil {
 		return nil, fmt.Errorf("completion error: %w", err)
 	}

internal/concierge/server/server.go

@@ -1,7 +1,7 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-// Package server is the command line entry point for pinniped-server.
+// Package server is the command line entry point for pinniped-concierge.
 package server
 
 import (
@@ -15,8 +15,8 @@ import (
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/login/v1alpha1"
-	"go.pinniped.dev/internal/apiserver"
 	"go.pinniped.dev/internal/certauthority/dynamiccertauthority"
+	"go.pinniped.dev/internal/concierge/apiserver"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
 	"go.pinniped.dev/internal/controllermanager"
 	"go.pinniped.dev/internal/downward"
@@ -26,7 +26,7 @@ import (
 	"go.pinniped.dev/pkg/config"
 )
 
-// App is an object that represents the pinniped-server application.
+// App is an object that represents the pinniped-concierge application.
 type App struct {
 	cmd *cobra.Command
 
@@ -54,9 +54,9 @@ func (a *App) Run() error {
 // Create the server command and save it into the App.
 func (a *App) addServerCommand(ctx context.Context, args []string, stdout, stderr io.Writer) {
 	cmd := &cobra.Command{
-		Use: "pinniped-server",
+		Use: "pinniped-concierge",
 		Long: here.Doc(`
-			pinniped-server provides a generic API for mapping an external
+			pinniped-concierge provides a generic API for mapping an external
 			credential from somewhere to an internal credential to be used for
 			authenticating to the Kubernetes API.`),
 		RunE: func(cmd *cobra.Command, args []string) error { return a.runServer(ctx) },

internal/concierge/server/server_test.go

@@ -15,17 +15,17 @@ import (
 )
 
 const knownGoodUsage = `
-pinniped-server provides a generic API for mapping an external
+pinniped-concierge provides a generic API for mapping an external
 credential from somewhere to an internal credential to be used for
 authenticating to the Kubernetes API.
 
 Usage:
-  pinniped-server [flags]
+  pinniped-concierge [flags]
 
 Flags:
   -c, --config string                  path to configuration file (default "pinniped.yaml")
       --downward-api-path string       path to Downward API volume mount (default "/etc/podinfo")
-  -h, --help                           help for pinniped-server
+  -h, --help                           help for pinniped-concierge
       --log-flush-frequency duration   Maximum number of seconds between log flushes (default 5s)
 `
 
@@ -48,7 +48,7 @@ func TestCommand(t *testing.T) {
 		{
 			name:    "OneArgFails",
 			args:    []string{"tuna"},
-			wantErr: `unknown command "tuna" for "pinniped-server"`,
+			wantErr: `unknown command "tuna" for "pinniped-concierge"`,
 		},
 		{
 			name: "ShortConfigFlagSucceeds",
@@ -64,7 +64,7 @@ func TestCommand(t *testing.T) {
 				"--config", "some/path/to/config.yaml",
 				"tuna",
 			},
-			wantErr: `unknown command "tuna" for "pinniped-server"`,
+			wantErr: `unknown command "tuna" for "pinniped-concierge"`,
 		},
 	}
 	for _, test := range tests {

internal/controller/supervisorconfig/oidcproviderconfig_watcher.go

@@ -0,0 +1,161 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package supervisorconfig
+
+import (
+	"context"
+	"fmt"
+
+	"go.pinniped.dev/internal/multierror"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/util/clock"
+	"k8s.io/client-go/util/retry"
+	"k8s.io/klog/v2"
+
+	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
+	pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
+	configinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/config/v1alpha1"
+	pinnipedcontroller "go.pinniped.dev/internal/controller"
+	"go.pinniped.dev/internal/controllerlib"
+	"go.pinniped.dev/internal/oidc/provider"
+)
+
+// ProvidersSetter can be notified of all known valid providers with its SetIssuer function.
+// If there are no longer any valid issuers, then it can be called with no arguments.
+// Implementations of this type should be thread-safe to support calls from multiple goroutines.
+type ProvidersSetter interface {
+	SetProviders(oidcProviders ...*provider.OIDCProvider)
+}
+
+type oidcProviderConfigWatcherController struct {
+	providerSetter ProvidersSetter
+	clock          clock.Clock
+	client         pinnipedclientset.Interface
+	opcInformer    configinformers.OIDCProviderConfigInformer
+}
+
+// NewOIDCProviderConfigWatcherController creates a controllerlib.Controller that watches
+// OIDCProviderConfig objects and notifies a callback object of the collection of provider configs.
+func NewOIDCProviderConfigWatcherController(
+	providerSetter ProvidersSetter,
+	clock clock.Clock,
+	client pinnipedclientset.Interface,
+	opcInformer configinformers.OIDCProviderConfigInformer,
+	withInformer pinnipedcontroller.WithInformerOptionFunc,
+) controllerlib.Controller {
+	return controllerlib.New(
+		controllerlib.Config{
+			Name: "OIDCProviderConfigWatcherController",
+			Syncer: &oidcProviderConfigWatcherController{
+				providerSetter: providerSetter,
+				clock:          clock,
+				client:         client,
+				opcInformer:    opcInformer,
+			},
+		},
+		withInformer(
+			opcInformer,
+			pinnipedcontroller.NoOpFilter(),
+			controllerlib.InformerOption{},
+		),
+	)
+}
+
+// Sync implements controllerlib.Syncer.
+func (c *oidcProviderConfigWatcherController) Sync(ctx controllerlib.Context) error {
+	all, err := c.opcInformer.Lister().List(labels.Everything())
+	if err != nil {
+		return err
+	}
+
+	issuerCounts := make(map[string]int)
+	for _, opc := range all {
+		issuerCounts[opc.Spec.Issuer]++
+	}
+
+	errs := multierror.New()
+
+	oidcProviders := make([]*provider.OIDCProvider, 0)
+	for _, opc := range all {
+		if issuerCount := issuerCounts[opc.Spec.Issuer]; issuerCount > 1 {
+			if err := c.updateStatus(
+				ctx.Context,
+				opc.Namespace,
+				opc.Name,
+				configv1alpha1.DuplicateOIDCProviderStatus,
+				"Duplicate issuer: "+opc.Spec.Issuer,
+			); err != nil {
+				errs.Add(fmt.Errorf("could not update status: %w", err))
+			}
+			continue
+		}
+
+		oidcProvider, err := provider.NewOIDCProvider(opc.Spec.Issuer)
+		if err != nil {
+			if err := c.updateStatus(
+				ctx.Context,
+				opc.Namespace,
+				opc.Name,
+				configv1alpha1.InvalidOIDCProviderStatus,
+				"Invalid: "+err.Error(),
+			); err != nil {
+				errs.Add(fmt.Errorf("could not update status: %w", err))
+			}
+			continue
+		}
+
+		if err := c.updateStatus(
+			ctx.Context,
+			opc.Namespace,
+			opc.Name,
+			configv1alpha1.SuccessOIDCProviderStatus,
+			"Provider successfully created",
+		); err != nil {
+			errs.Add(fmt.Errorf("could not update status: %w", err))
+			continue
+		}
+		oidcProviders = append(oidcProviders, oidcProvider)
+	}
+
+	c.providerSetter.SetProviders(oidcProviders...)
+
+	return errs.ErrOrNil()
+}
+
+func (c *oidcProviderConfigWatcherController) updateStatus(
+	ctx context.Context,
+	namespace, name string,
+	status configv1alpha1.OIDCProviderStatus,
+	message string,
+) error {
+	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		opc, err := c.client.ConfigV1alpha1().OIDCProviderConfigs(namespace).Get(ctx, name, metav1.GetOptions{})
+		if err != nil {
+			return fmt.Errorf("get failed: %w", err)
+		}
+
+		if opc.Status.Status == status && opc.Status.Message == message {
+			return nil
+		}
+
+		klog.InfoS(
+			"attempting status update",
+			"openidproviderconfig",
+			klog.KRef(namespace, name),
+			"status",
+			status,
+			"message",
+			message,
+		)
+		opc.Status.Status = status
+		opc.Status.Message = message
+		opc.Status.LastUpdateTime = timePtr(metav1.NewTime(c.clock.Now()))
+		_, err = c.client.ConfigV1alpha1().OIDCProviderConfigs(namespace).Update(ctx, opc, metav1.UpdateOptions{})
+		return err
+	})
+}
+
+func timePtr(t metav1.Time) *metav1.Time { return &t }

internal/controller/supervisorconfig/oidcproviderconfig_watcher_test.go

@@ -0,0 +1,818 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package supervisorconfig
+
+import (
+	"context"
+	"errors"
+	"reflect"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/sclevine/spec"
+	"github.com/sclevine/spec/report"
+	"github.com/stretchr/testify/require"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/clock"
+	coretesting "k8s.io/client-go/testing"
+
+	"go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
+	pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
+	pinnipedinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions"
+	"go.pinniped.dev/internal/controllerlib"
+	"go.pinniped.dev/internal/here"
+	"go.pinniped.dev/internal/oidc/provider"
+	"go.pinniped.dev/internal/testutil"
+)
+
+func TestInformerFilters(t *testing.T) {
+	spec.Run(t, "informer filters", func(t *testing.T, when spec.G, it spec.S) {
+		var r *require.Assertions
+		var observableWithInformerOption *testutil.ObservableWithInformerOption
+		var configMapInformerFilter controllerlib.Filter
+
+		it.Before(func() {
+			r = require.New(t)
+			observableWithInformerOption = testutil.NewObservableWithInformerOption()
+			opcInformer := pinnipedinformers.NewSharedInformerFactoryWithOptions(nil, 0).Config().V1alpha1().OIDCProviderConfigs()
+			_ = NewOIDCProviderConfigWatcherController(
+				nil,
+				nil,
+				nil,
+				opcInformer,
+				observableWithInformerOption.WithInformer, // make it possible to observe the behavior of the Filters
+			)
+			configMapInformerFilter = observableWithInformerOption.GetFilterForInformer(opcInformer)
+		})
+
+		when("watching OIDCProviderConfig objects", func() {
+			var subject controllerlib.Filter
+			var target, otherNamespace, otherName *v1alpha1.OIDCProviderConfig
+
+			it.Before(func() {
+				subject = configMapInformerFilter
+				target = &v1alpha1.OIDCProviderConfig{ObjectMeta: metav1.ObjectMeta{Name: "some-name", Namespace: "some-namespace"}}
+				otherNamespace = &v1alpha1.OIDCProviderConfig{ObjectMeta: metav1.ObjectMeta{Name: "some-name", Namespace: "other-namespace"}}
+				otherName = &v1alpha1.OIDCProviderConfig{ObjectMeta: metav1.ObjectMeta{Name: "other-name", Namespace: "some-namespace"}}
+			})
+
+			when("any OIDCProviderConfig changes", func() {
+				it("returns true to trigger the sync method", func() {
+					r.True(subject.Add(target))
+					r.True(subject.Add(otherName))
+					r.True(subject.Add(otherNamespace))
+					r.True(subject.Update(target, otherName))
+					r.True(subject.Update(otherName, otherName))
+					r.True(subject.Update(otherNamespace, otherName))
+					r.True(subject.Update(otherName, target))
+					r.True(subject.Update(otherName, otherName))
+					r.True(subject.Update(otherName, otherNamespace))
+					r.True(subject.Delete(target))
+					r.True(subject.Delete(otherName))
+					r.True(subject.Delete(otherNamespace))
+				})
+			})
+		})
+	}, spec.Parallel(), spec.Report(report.Terminal{}))
+}
+
+type fakeProvidersSetter struct {
+	SetProvidersWasCalled bool
+	OIDCProvidersReceived []*provider.OIDCProvider
+}
+
+func (f *fakeProvidersSetter) SetProviders(oidcProviders ...*provider.OIDCProvider) {
+	f.SetProvidersWasCalled = true
+	f.OIDCProvidersReceived = oidcProviders
+}
+
+func TestSync(t *testing.T) {
+	spec.Run(t, "Sync", func(t *testing.T, when spec.G, it spec.S) {
+		const namespace = "some-namespace"
+
+		var r *require.Assertions
+
+		var subject controllerlib.Controller
+		var opcInformerClient *pinnipedfake.Clientset
+		var opcInformers pinnipedinformers.SharedInformerFactory
+		var pinnipedAPIClient *pinnipedfake.Clientset
+		var timeoutContext context.Context
+		var timeoutContextCancel context.CancelFunc
+		var syncContext *controllerlib.Context
+		var frozenNow time.Time
+		var providersSetter *fakeProvidersSetter
+		var oidcProviderConfigGVR schema.GroupVersionResource
+
+		// Defer starting the informers until the last possible moment so that the
+		// nested Before's can keep adding things to the informer caches.
+		var startInformersAndController = func() {
+			// Set this at the last second to allow for injection of server override.
+			subject = NewOIDCProviderConfigWatcherController(
+				providersSetter,
+				clock.NewFakeClock(frozenNow),
+				pinnipedAPIClient,
+				opcInformers.Config().V1alpha1().OIDCProviderConfigs(),
+				controllerlib.WithInformer,
+			)
+
+			// Set this at the last second to support calling subject.Name().
+			syncContext = &controllerlib.Context{
+				Context: timeoutContext,
+				Name:    subject.Name(),
+				Key: controllerlib.Key{
+					Namespace: namespace,
+					Name:      "config-name",
+				},
+			}
+
+			// Must start informers before calling TestRunSynchronously()
+			opcInformers.Start(timeoutContext.Done())
+			controllerlib.TestRunSynchronously(t, subject)
+		}
+
+		it.Before(func() {
+			r = require.New(t)
+
+			providersSetter = &fakeProvidersSetter{}
+			frozenNow = time.Date(2020, time.September, 23, 7, 42, 0, 0, time.Local)
+
+			timeoutContext, timeoutContextCancel = context.WithTimeout(context.Background(), time.Second*3)
+
+			opcInformerClient = pinnipedfake.NewSimpleClientset()
+			opcInformers = pinnipedinformers.NewSharedInformerFactory(opcInformerClient, 0)
+			pinnipedAPIClient = pinnipedfake.NewSimpleClientset()
+
+			oidcProviderConfigGVR = schema.GroupVersionResource{
+				Group:    v1alpha1.SchemeGroupVersion.Group,
+				Version:  v1alpha1.SchemeGroupVersion.Version,
+				Resource: "oidcproviderconfigs",
+			}
+		})
+
+		it.After(func() {
+			timeoutContextCancel()
+		})
+
+		when("there are some valid OIDCProviderConfigs in the informer", func() {
+			var (
+				oidcProviderConfig1 *v1alpha1.OIDCProviderConfig
+				oidcProviderConfig2 *v1alpha1.OIDCProviderConfig
+			)
+
+			it.Before(func() {
+				oidcProviderConfig1 = &v1alpha1.OIDCProviderConfig{
+					ObjectMeta: metav1.ObjectMeta{Name: "config1", Namespace: namespace},
+					Spec:       v1alpha1.OIDCProviderConfigSpec{Issuer: "https://issuer1.com"},
+				}
+				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfig1))
+				r.NoError(opcInformerClient.Tracker().Add(oidcProviderConfig1))
+
+				oidcProviderConfig2 = &v1alpha1.OIDCProviderConfig{
+					ObjectMeta: metav1.ObjectMeta{Name: "config2", Namespace: namespace},
+					Spec:       v1alpha1.OIDCProviderConfigSpec{Issuer: "https://issuer2.com"},
+				}
+				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfig2))
+				r.NoError(opcInformerClient.Tracker().Add(oidcProviderConfig2))
+			})
+
+			it("calls the ProvidersSetter", func() {
+				startInformersAndController()
+				err := controllerlib.TestSync(t, subject, *syncContext)
+				r.NoError(err)
+
+				provider1, err := provider.NewOIDCProvider(oidcProviderConfig1.Spec.Issuer)
+				r.NoError(err)
+
+				provider2, err := provider.NewOIDCProvider(oidcProviderConfig2.Spec.Issuer)
+				r.NoError(err)
+
+				r.True(providersSetter.SetProvidersWasCalled)
+				r.ElementsMatch(
+					[]*provider.OIDCProvider{
+						provider1,
+						provider2,
+					},
+					providersSetter.OIDCProvidersReceived,
+				)
+			})
+
+			it("updates the status to success in the OIDCProviderConfigs", func() {
+				startInformersAndController()
+				err := controllerlib.TestSync(t, subject, *syncContext)
+				r.NoError(err)
+
+				oidcProviderConfig1.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+				oidcProviderConfig1.Status.Message = "Provider successfully created"
+				oidcProviderConfig1.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+				oidcProviderConfig2.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+				oidcProviderConfig2.Status.Message = "Provider successfully created"
+				oidcProviderConfig2.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+				expectedActions := []coretesting.Action{
+					coretesting.NewGetAction(
+						oidcProviderConfigGVR,
+						oidcProviderConfig1.Namespace,
+						oidcProviderConfig1.Name,
+					),
+					coretesting.NewUpdateAction(
+						oidcProviderConfigGVR,
+						oidcProviderConfig1.Namespace,
+						oidcProviderConfig1,
+					),
+					coretesting.NewGetAction(
+						oidcProviderConfigGVR,
+						oidcProviderConfig2.Namespace,
+						oidcProviderConfig2.Name,
+					),
+					coretesting.NewUpdateAction(
+						oidcProviderConfigGVR,
+						oidcProviderConfig2.Namespace,
+						oidcProviderConfig2,
+					),
+				}
+				r.ElementsMatch(expectedActions, pinnipedAPIClient.Actions())
+			})
+
+			when("one OIDCProviderConfig is already up to date", func() {
+				it.Before(func() {
+					oidcProviderConfig1.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+					oidcProviderConfig1.Status.Message = "Provider successfully created"
+					oidcProviderConfig1.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+					r.NoError(pinnipedAPIClient.Tracker().Update(oidcProviderConfigGVR, oidcProviderConfig1, oidcProviderConfig1.Namespace))
+					r.NoError(opcInformerClient.Tracker().Update(oidcProviderConfigGVR, oidcProviderConfig1, oidcProviderConfig1.Namespace))
+				})
+
+				it("only updates the out-of-date OIDCProviderConfig", func() {
+					startInformersAndController()
+					err := controllerlib.TestSync(t, subject, *syncContext)
+					r.NoError(err)
+
+					oidcProviderConfig2.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+					oidcProviderConfig2.Status.Message = "Provider successfully created"
+					oidcProviderConfig2.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+					expectedActions := []coretesting.Action{
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig1.Namespace,
+							oidcProviderConfig1.Name,
+						),
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig2.Namespace,
+							oidcProviderConfig2.Name,
+						),
+						coretesting.NewUpdateAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig2.Namespace,
+							oidcProviderConfig2,
+						),
+					}
+					r.ElementsMatch(expectedActions, pinnipedAPIClient.Actions())
+				})
+
+				it("calls the ProvidersSetter with both OIDCProviderConfig's", func() {
+					startInformersAndController()
+					err := controllerlib.TestSync(t, subject, *syncContext)
+					r.NoError(err)
+
+					provider1, err := provider.NewOIDCProvider(oidcProviderConfig1.Spec.Issuer)
+					r.NoError(err)
+
+					provider2, err := provider.NewOIDCProvider(oidcProviderConfig2.Spec.Issuer)
+					r.NoError(err)
+
+					r.True(providersSetter.SetProvidersWasCalled)
+					r.ElementsMatch(
+						[]*provider.OIDCProvider{
+							provider1,
+							provider2,
+						},
+						providersSetter.OIDCProvidersReceived,
+					)
+				})
+			})
+
+			when("updating only one OIDCProviderConfig fails for a reason other than conflict", func() {
+				it.Before(func() {
+					once := sync.Once{}
+					pinnipedAPIClient.PrependReactor(
+						"update",
+						"oidcproviderconfigs",
+						func(_ coretesting.Action) (bool, runtime.Object, error) {
+							var err error
+							once.Do(func() {
+								err = errors.New("some update error")
+							})
+							return true, nil, err
+						},
+					)
+				})
+
+				it("sets the provider that it could actually update in the API", func() {
+					startInformersAndController()
+					err := controllerlib.TestSync(t, subject, *syncContext)
+					r.EqualError(err, "1 error(s):\n- could not update status: some update error")
+
+					provider1, err := provider.NewOIDCProvider(oidcProviderConfig1.Spec.Issuer)
+					r.NoError(err)
+
+					provider2, err := provider.NewOIDCProvider(oidcProviderConfig2.Spec.Issuer)
+					r.NoError(err)
+
+					r.True(providersSetter.SetProvidersWasCalled)
+					r.Len(providersSetter.OIDCProvidersReceived, 1)
+					r.True(
+						reflect.DeepEqual(providersSetter.OIDCProvidersReceived[0], provider1) ||
+							reflect.DeepEqual(providersSetter.OIDCProvidersReceived[0], provider2),
+					)
+				})
+
+				it("returns an error", func() {
+					startInformersAndController()
+					err := controllerlib.TestSync(t, subject, *syncContext)
+					r.EqualError(err, "1 error(s):\n- could not update status: some update error")
+
+					oidcProviderConfig1.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+					oidcProviderConfig1.Status.Message = "Provider successfully created"
+					oidcProviderConfig1.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+					oidcProviderConfig2.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+					oidcProviderConfig2.Status.Message = "Provider successfully created"
+					oidcProviderConfig2.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+					expectedActions := []coretesting.Action{
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig1.Namespace,
+							oidcProviderConfig1.Name,
+						),
+						coretesting.NewUpdateAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig1.Namespace,
+							oidcProviderConfig1,
+						),
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig2.Namespace,
+							oidcProviderConfig2.Name,
+						),
+						coretesting.NewUpdateAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig2.Namespace,
+							oidcProviderConfig2,
+						),
+					}
+					r.ElementsMatch(expectedActions, pinnipedAPIClient.Actions())
+				})
+			})
+		})
+
+		when("there are errors updating the OIDCProviderConfigs", func() {
+			var (
+				oidcProviderConfig *v1alpha1.OIDCProviderConfig
+			)
+
+			it.Before(func() {
+				oidcProviderConfig = &v1alpha1.OIDCProviderConfig{
+					ObjectMeta: metav1.ObjectMeta{Name: "config", Namespace: namespace},
+					Spec:       v1alpha1.OIDCProviderConfigSpec{Issuer: "https://issuer.com"},
+				}
+				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfig))
+				r.NoError(opcInformerClient.Tracker().Add(oidcProviderConfig))
+			})
+
+			when("there is a conflict while updating an OIDCProviderConfig", func() {
+				it.Before(func() {
+					once := sync.Once{}
+					pinnipedAPIClient.PrependReactor(
+						"update",
+						"oidcproviderconfigs",
+						func(_ coretesting.Action) (bool, runtime.Object, error) {
+							var err error
+							once.Do(func() {
+								err = k8serrors.NewConflict(schema.GroupResource{}, "", nil)
+							})
+							return true, nil, err
+						},
+					)
+				})
+
+				it("retries updating the OIDCProviderConfig", func() {
+					startInformersAndController()
+					err := controllerlib.TestSync(t, subject, *syncContext)
+					r.NoError(err)
+
+					oidcProviderConfig.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+					oidcProviderConfig.Status.Message = "Provider successfully created"
+					oidcProviderConfig.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+					expectedActions := []coretesting.Action{
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig.Namespace,
+							oidcProviderConfig.Name,
+						),
+						coretesting.NewUpdateAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig.Namespace,
+							oidcProviderConfig,
+						),
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig.Namespace,
+							oidcProviderConfig.Name,
+						),
+						coretesting.NewUpdateAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig.Namespace,
+							oidcProviderConfig,
+						),
+					}
+					r.Equal(expectedActions, pinnipedAPIClient.Actions())
+				})
+			})
+
+			when("updating the OIDCProviderConfig fails for a reason other than conflict", func() {
+				it.Before(func() {
+					pinnipedAPIClient.PrependReactor(
+						"update",
+						"oidcproviderconfigs",
+						func(_ coretesting.Action) (bool, runtime.Object, error) {
+							return true, nil, errors.New("some update error")
+						},
+					)
+				})
+
+				it("returns an error", func() {
+					startInformersAndController()
+					err := controllerlib.TestSync(t, subject, *syncContext)
+					r.EqualError(err, "1 error(s):\n- could not update status: some update error")
+
+					oidcProviderConfig.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+					oidcProviderConfig.Status.Message = "Provider successfully created"
+					oidcProviderConfig.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+					expectedActions := []coretesting.Action{
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig.Namespace,
+							oidcProviderConfig.Name,
+						),
+						coretesting.NewUpdateAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig.Namespace,
+							oidcProviderConfig,
+						),
+					}
+					r.Equal(expectedActions, pinnipedAPIClient.Actions())
+				})
+			})
+
+			when("there is an error when getting the OIDCProviderConfig", func() {
+				it.Before(func() {
+					pinnipedAPIClient.PrependReactor(
+						"get",
+						"oidcproviderconfigs",
+						func(_ coretesting.Action) (bool, runtime.Object, error) {
+							return true, nil, errors.New("some get error")
+						},
+					)
+				})
+
+				it("returns the get error", func() {
+					startInformersAndController()
+					err := controllerlib.TestSync(t, subject, *syncContext)
+					r.EqualError(err, "1 error(s):\n- could not update status: get failed: some get error")
+
+					oidcProviderConfig.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+					oidcProviderConfig.Status.Message = "Provider successfully created"
+					oidcProviderConfig.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+					expectedActions := []coretesting.Action{
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig.Namespace,
+							oidcProviderConfig.Name,
+						),
+					}
+					r.Equal(expectedActions, pinnipedAPIClient.Actions())
+				})
+			})
+		})
+
+		when("there are both valid and invalid OIDCProviderConfigs in the informer", func() {
+			var (
+				validOIDCProviderConfig   *v1alpha1.OIDCProviderConfig
+				invalidOIDCProviderConfig *v1alpha1.OIDCProviderConfig
+			)
+
+			it.Before(func() {
+				validOIDCProviderConfig = &v1alpha1.OIDCProviderConfig{
+					ObjectMeta: metav1.ObjectMeta{Name: "valid-config", Namespace: namespace},
+					Spec:       v1alpha1.OIDCProviderConfigSpec{Issuer: "https://valid-issuer.com"},
+				}
+				r.NoError(pinnipedAPIClient.Tracker().Add(validOIDCProviderConfig))
+				r.NoError(opcInformerClient.Tracker().Add(validOIDCProviderConfig))
+
+				invalidOIDCProviderConfig = &v1alpha1.OIDCProviderConfig{
+					ObjectMeta: metav1.ObjectMeta{Name: "invalid-config", Namespace: namespace},
+					Spec:       v1alpha1.OIDCProviderConfigSpec{Issuer: "https://invalid-issuer.com?some=query"},
+				}
+				r.NoError(pinnipedAPIClient.Tracker().Add(invalidOIDCProviderConfig))
+				r.NoError(opcInformerClient.Tracker().Add(invalidOIDCProviderConfig))
+			})
+
+			it("calls the ProvidersSetter with the valid provider", func() {
+				startInformersAndController()
+				err := controllerlib.TestSync(t, subject, *syncContext)
+				r.NoError(err)
+
+				validProvider, err := provider.NewOIDCProvider(validOIDCProviderConfig.Spec.Issuer)
+				r.NoError(err)
+
+				r.True(providersSetter.SetProvidersWasCalled)
+				r.Equal(
+					[]*provider.OIDCProvider{
+						validProvider,
+					},
+					providersSetter.OIDCProvidersReceived,
+				)
+			})
+
+			it("updates the status to success/invalid in the OIDCProviderConfigs", func() {
+				startInformersAndController()
+				err := controllerlib.TestSync(t, subject, *syncContext)
+				r.NoError(err)
+
+				validOIDCProviderConfig.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+				validOIDCProviderConfig.Status.Message = "Provider successfully created"
+				validOIDCProviderConfig.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+				invalidOIDCProviderConfig.Status.Status = v1alpha1.InvalidOIDCProviderStatus
+				invalidOIDCProviderConfig.Status.Message = "Invalid: issuer must not have query"
+				invalidOIDCProviderConfig.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+				expectedActions := []coretesting.Action{
+					coretesting.NewGetAction(
+						oidcProviderConfigGVR,
+						invalidOIDCProviderConfig.Namespace,
+						invalidOIDCProviderConfig.Name,
+					),
+					coretesting.NewUpdateAction(
+						oidcProviderConfigGVR,
+						invalidOIDCProviderConfig.Namespace,
+						invalidOIDCProviderConfig,
+					),
+					coretesting.NewGetAction(
+						oidcProviderConfigGVR,
+						validOIDCProviderConfig.Namespace,
+						validOIDCProviderConfig.Name,
+					),
+					coretesting.NewUpdateAction(
+						oidcProviderConfigGVR,
+						validOIDCProviderConfig.Namespace,
+						validOIDCProviderConfig,
+					),
+				}
+				r.ElementsMatch(expectedActions, pinnipedAPIClient.Actions())
+			})
+
+			when("updating only the invalid OIDCProviderConfig fails for a reason other than conflict", func() {
+				it.Before(func() {
+					pinnipedAPIClient.PrependReactor(
+						"update",
+						"oidcproviderconfigs",
+						func(action coretesting.Action) (bool, runtime.Object, error) {
+							updateAction := action.(coretesting.UpdateActionImpl)
+							opc := updateAction.Object.(*v1alpha1.OIDCProviderConfig)
+							if opc.Name == validOIDCProviderConfig.Name {
+								return true, nil, nil
+							}
+
+							return true, nil, errors.New("some update error")
+						},
+					)
+				})
+
+				it("sets the provider that it could actually update in the API", func() {
+					startInformersAndController()
+					err := controllerlib.TestSync(t, subject, *syncContext)
+					r.EqualError(err, "1 error(s):\n- could not update status: some update error")
+
+					validProvider, err := provider.NewOIDCProvider(validOIDCProviderConfig.Spec.Issuer)
+					r.NoError(err)
+
+					r.True(providersSetter.SetProvidersWasCalled)
+					r.Equal(
+						[]*provider.OIDCProvider{
+							validProvider,
+						},
+						providersSetter.OIDCProvidersReceived,
+					)
+				})
+
+				it("returns an error", func() {
+					startInformersAndController()
+					err := controllerlib.TestSync(t, subject, *syncContext)
+					r.EqualError(err, "1 error(s):\n- could not update status: some update error")
+
+					validOIDCProviderConfig.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+					validOIDCProviderConfig.Status.Message = "Provider successfully created"
+					validOIDCProviderConfig.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+					invalidOIDCProviderConfig.Status.Status = v1alpha1.InvalidOIDCProviderStatus
+					invalidOIDCProviderConfig.Status.Message = "Invalid: issuer must not have query"
+					invalidOIDCProviderConfig.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+					expectedActions := []coretesting.Action{
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							invalidOIDCProviderConfig.Namespace,
+							invalidOIDCProviderConfig.Name,
+						),
+						coretesting.NewUpdateAction(
+							oidcProviderConfigGVR,
+							invalidOIDCProviderConfig.Namespace,
+							invalidOIDCProviderConfig,
+						),
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							validOIDCProviderConfig.Namespace,
+							validOIDCProviderConfig.Name,
+						),
+						coretesting.NewUpdateAction(
+							oidcProviderConfigGVR,
+							validOIDCProviderConfig.Namespace,
+							validOIDCProviderConfig,
+						),
+					}
+					r.ElementsMatch(expectedActions, pinnipedAPIClient.Actions())
+				})
+			})
+		})
+
+		when("there are OIDCProviderConfigs with duplicate issuer names in the informer", func() {
+			var (
+				oidcProviderConfigDuplicate1 *v1alpha1.OIDCProviderConfig
+				oidcProviderConfigDuplicate2 *v1alpha1.OIDCProviderConfig
+				oidcProviderConfig           *v1alpha1.OIDCProviderConfig
+			)
+
+			it.Before(func() {
+				oidcProviderConfigDuplicate1 = &v1alpha1.OIDCProviderConfig{
+					ObjectMeta: metav1.ObjectMeta{Name: "duplicate1", Namespace: namespace},
+					Spec:       v1alpha1.OIDCProviderConfigSpec{Issuer: "https://issuer-duplicate.com"},
+				}
+				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigDuplicate1))
+				r.NoError(opcInformerClient.Tracker().Add(oidcProviderConfigDuplicate1))
+				oidcProviderConfigDuplicate2 = &v1alpha1.OIDCProviderConfig{
+					ObjectMeta: metav1.ObjectMeta{Name: "duplicate2", Namespace: namespace},
+					Spec:       v1alpha1.OIDCProviderConfigSpec{Issuer: "https://issuer-duplicate.com"},
+				}
+				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfigDuplicate2))
+				r.NoError(opcInformerClient.Tracker().Add(oidcProviderConfigDuplicate2))
+
+				oidcProviderConfig = &v1alpha1.OIDCProviderConfig{
+					ObjectMeta: metav1.ObjectMeta{Name: "not-duplicate", Namespace: namespace},
+					Spec:       v1alpha1.OIDCProviderConfigSpec{Issuer: "https://issuer-not-duplicate.com"},
+				}
+				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderConfig))
+				r.NoError(opcInformerClient.Tracker().Add(oidcProviderConfig))
+			})
+
+			it("calls the ProvidersSetter with the non-duplicate", func() {
+				startInformersAndController()
+				err := controllerlib.TestSync(t, subject, *syncContext)
+				r.NoError(err)
+
+				nonDuplicateProvider, err := provider.NewOIDCProvider(oidcProviderConfig.Spec.Issuer)
+				r.NoError(err)
+
+				r.True(providersSetter.SetProvidersWasCalled)
+				r.Equal(
+					[]*provider.OIDCProvider{
+						nonDuplicateProvider,
+					},
+					providersSetter.OIDCProvidersReceived,
+				)
+			})
+
+			it("updates the statuses", func() {
+				startInformersAndController()
+				err := controllerlib.TestSync(t, subject, *syncContext)
+				r.NoError(err)
+
+				oidcProviderConfig.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+				oidcProviderConfig.Status.Message = "Provider successfully created"
+				oidcProviderConfig.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+				oidcProviderConfigDuplicate1.Status.Status = v1alpha1.DuplicateOIDCProviderStatus
+				oidcProviderConfigDuplicate1.Status.Message = "Duplicate issuer: https://issuer-duplicate.com"
+				oidcProviderConfigDuplicate1.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+				oidcProviderConfigDuplicate2.Status.Status = v1alpha1.DuplicateOIDCProviderStatus
+				oidcProviderConfigDuplicate2.Status.Message = "Duplicate issuer: https://issuer-duplicate.com"
+				oidcProviderConfigDuplicate2.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+				expectedActions := []coretesting.Action{
+					coretesting.NewGetAction(
+						oidcProviderConfigGVR,
+						oidcProviderConfigDuplicate1.Namespace,
+						oidcProviderConfigDuplicate1.Name,
+					),
+					coretesting.NewUpdateAction(
+						oidcProviderConfigGVR,
+						oidcProviderConfigDuplicate1.Namespace,
+						oidcProviderConfigDuplicate1,
+					),
+					coretesting.NewGetAction(
+						oidcProviderConfigGVR,
+						oidcProviderConfigDuplicate2.Namespace,
+						oidcProviderConfigDuplicate2.Name,
+					),
+					coretesting.NewUpdateAction(
+						oidcProviderConfigGVR,
+						oidcProviderConfigDuplicate2.Namespace,
+						oidcProviderConfigDuplicate2,
+					),
+					coretesting.NewGetAction(
+						oidcProviderConfigGVR,
+						oidcProviderConfig.Namespace,
+						oidcProviderConfig.Name,
+					),
+					coretesting.NewUpdateAction(
+						oidcProviderConfigGVR,
+						oidcProviderConfig.Namespace,
+						oidcProviderConfig,
+					),
+				}
+				r.ElementsMatch(expectedActions, pinnipedAPIClient.Actions())
+			})
+
+			when("we cannot talk to the API", func() {
+				it.Before(func() {
+					pinnipedAPIClient.PrependReactor(
+						"get",
+						"oidcproviderconfigs",
+						func(_ coretesting.Action) (bool, runtime.Object, error) {
+							return true, nil, errors.New("some get error")
+						},
+					)
+				})
+
+				it("returns the get errors", func() {
+					expectedError := here.Doc(`
+            3 error(s):
+            - could not update status: get failed: some get error
+            - could not update status: get failed: some get error
+            - could not update status: get failed: some get error`)
+					startInformersAndController()
+					err := controllerlib.TestSync(t, subject, *syncContext)
+					r.EqualError(err, expectedError)
+
+					oidcProviderConfig.Status.Status = v1alpha1.SuccessOIDCProviderStatus
+					oidcProviderConfig.Status.Message = "Provider successfully created"
+					oidcProviderConfig.Status.LastUpdateTime = timePtr(metav1.NewTime(frozenNow))
+
+					expectedActions := []coretesting.Action{
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfigDuplicate1.Namespace,
+							oidcProviderConfigDuplicate1.Name,
+						),
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfigDuplicate2.Namespace,
+							oidcProviderConfigDuplicate2.Name,
+						),
+						coretesting.NewGetAction(
+							oidcProviderConfigGVR,
+							oidcProviderConfig.Namespace,
+							oidcProviderConfig.Name,
+						),
+					}
+					r.ElementsMatch(expectedActions, pinnipedAPIClient.Actions())
+				})
+			})
+		})
+
+		when("there are no OIDCProviderConfigs in the informer", func() {
+			it("keeps waiting for one", func() {
+				startInformersAndController()
+				err := controllerlib.TestSync(t, subject, *syncContext)
+				r.NoError(err)
+				r.Empty(pinnipedAPIClient.Actions())
+				r.True(providersSetter.SetProvidersWasCalled)
+				r.Empty(providersSetter.OIDCProvidersReceived)
+			})
+		})
+	}, spec.Parallel(), spec.Report(report.Terminal{}))
+}

internal/multierror/multierror.go

@@ -0,0 +1,63 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package multierror provides a type that can translate multiple errors into a Go error interface.
+//
+// A common use of this package is as follows.
+//   errs := multierror.New()
+//   for i := range stuff {
+//     err := doThing(i)
+//     errs.Add(err)
+//   }
+//   return errs.ErrOrNil()
+package multierror
+
+import (
+	"fmt"
+	"strings"
+)
+
+// formatFunc is a function used to format the string representing of a MultiError. It is used in the
+// Error() function.
+//
+// It is marked out here to indicate how we could potentially extend MultiError in the future to
+// support more styles of converting from a list of error's to a string.
+//nolint: gochecknoglobals
+var formatFunc func(errs MultiError, sb *strings.Builder) = defaultFormat
+
+// MultiError holds a list of error's, that could potentially be empty.
+//
+// Use New() to create a MultiError.
+type MultiError []error
+
+// New returns an empty MultiError.
+func New() MultiError {
+	return make([]error, 0)
+}
+
+// Add adds an error to the MultiError. The provided err must not be nil.
+func (m *MultiError) Add(err error) {
+	*m = append(*m, err)
+}
+
+// Error implements the error.Error() interface method.
+func (m MultiError) Error() string {
+	sb := strings.Builder{}
+	formatFunc(m, &sb)
+	return sb.String()
+}
+
+// ErrOrNil returns either nil, if there are no errors in this MultiError, or an error, otherwise.
+func (m MultiError) ErrOrNil() error {
+	if len(m) > 0 {
+		return m
+	}
+	return nil
+}
+
+func defaultFormat(errs MultiError, sb *strings.Builder) {
+	_, _ = fmt.Fprintf(sb, "%d error(s):", len(errs))
+	for _, err := range errs {
+		_, _ = fmt.Fprintf(sb, "\n- %s", err.Error())
+	}
+}

internal/multierror/multierror_test.go

@@ -0,0 +1,24 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package multierror
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestMultierror(t *testing.T) {
+	errs := New()
+
+	require.Nil(t, errs.ErrOrNil())
+
+	errs.Add(errors.New("some error 1"))
+	require.EqualError(t, errs.ErrOrNil(), "1 error(s):\n- some error 1")
+
+	errs.Add(errors.New("some error 2"))
+	errs.Add(errors.New("some error 3"))
+	require.EqualError(t, errs.ErrOrNil(), "3 error(s):\n- some error 1\n- some error 2\n- some error 3")
+}

internal/oidc/discovery/discovery.go

@@ -0,0 +1,69 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package discovery provides a handler for the OIDC discovery endpoint.
+package discovery
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"go.pinniped.dev/internal/oidc"
+)
+
+// Metadata holds all fields (that we care about) from the OpenID Provider Metadata section in the
+// OpenID Connect Discovery specification:
+// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3.
+type Metadata struct {
+	// vvv Required vvv
+
+	Issuer string `json:"issuer"`
+
+	AuthorizationEndpoint string `json:"authorization_endpoint"`
+	TokenEndpoint         string `json:"token_endpoint"`
+	JWKSURI               string `json:"jwks_uri"`
+
+	ResponseTypesSupported           []string `json:"response_types_supported"`
+	SubjectTypesSupported            []string `json:"subject_types_supported"`
+	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
+
+	// ^^^ Required ^^^
+
+	// vvv Optional vvv
+
+	TokenEndpointAuthMethodsSupported           []string `json:"token_endpoint_auth_methods_supported"`
+	TokenEndpointAuthSigningAlgoValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"`
+	ScopesSupported                             []string `json:"scopes_supported"`
+	ClaimsSupported                             []string `json:"claims_supported"`
+
+	// ^^^ Optional ^^^
+}
+
+// New returns an http.Handler that serves an OIDC discovery endpoint.
+func New(issuerURL string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+
+		if r.Method != http.MethodGet {
+			http.Error(w, `{"error": "Method not allowed (try GET)"}`, http.StatusMethodNotAllowed)
+			return
+		}
+
+		oidcConfig := Metadata{
+			Issuer:                            issuerURL,
+			AuthorizationEndpoint:             issuerURL + oidc.AuthorizationEndpointPath,
+			TokenEndpoint:                     issuerURL + oidc.TokenEndpointPath,
+			JWKSURI:                           issuerURL + oidc.JWKSEndpointPath,
+			ResponseTypesSupported:            []string{"code"},
+			SubjectTypesSupported:             []string{"public"},
+			IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+			TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
+			TokenEndpointAuthSigningAlgoValuesSupported: []string{"RS256"},
+			ScopesSupported: []string{"openid", "offline"},
+			ClaimsSupported: []string{"groups"},
+		}
+		if err := json.NewEncoder(w).Encode(&oidcConfig); err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+	})
+}

internal/oidc/discovery/discovery_test.go

@@ -0,0 +1,82 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package discovery
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"go.pinniped.dev/internal/oidc"
+)
+
+func TestDiscovery(t *testing.T) {
+	tests := []struct {
+		name string
+
+		issuer string
+		method string
+		path   string
+
+		wantStatus      int
+		wantContentType string
+		wantBody        interface{}
+	}{
+		{
+			name:            "happy path",
+			issuer:          "https://some-issuer.com/some/path",
+			method:          http.MethodGet,
+			path:            "/some/path" + oidc.WellKnownEndpointPath,
+			wantStatus:      http.StatusOK,
+			wantContentType: "application/json",
+			wantBody: &Metadata{
+				Issuer:                            "https://some-issuer.com/some/path",
+				AuthorizationEndpoint:             "https://some-issuer.com/some/path/oauth2/authorize",
+				TokenEndpoint:                     "https://some-issuer.com/some/path/oauth2/token",
+				JWKSURI:                           "https://some-issuer.com/some/path/jwks.json",
+				ResponseTypesSupported:            []string{"code"},
+				SubjectTypesSupported:             []string{"public"},
+				IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+				TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
+				TokenEndpointAuthSigningAlgoValuesSupported: []string{"RS256"},
+				ScopesSupported: []string{"openid", "offline"},
+				ClaimsSupported: []string{"groups"},
+			},
+		},
+		{
+			name:       "bad method",
+			issuer:     "https://some-issuer.com",
+			method:     http.MethodPost,
+			path:       oidc.WellKnownEndpointPath,
+			wantStatus: http.StatusMethodNotAllowed,
+			wantBody: map[string]string{
+				"error": "Method not allowed (try GET)",
+			},
+		},
+	}
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			handler := New(test.issuer)
+			req := httptest.NewRequest(test.method, test.path, nil)
+			rsp := httptest.NewRecorder()
+			handler.ServeHTTP(rsp, req)
+
+			require.Equal(t, test.wantStatus, rsp.Code)
+
+			if test.wantContentType != "" {
+				require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))
+			}
+
+			if test.wantBody != nil {
+				wantJSON, err := json.Marshal(test.wantBody)
+				require.NoError(t, err)
+				require.JSONEq(t, string(wantJSON), rsp.Body.String())
+			}
+		})
+	}
+}

internal/oidc/oidc.go

@@ -0,0 +1,12 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package oidc contains common OIDC functionality needed by Pinniped.
+package oidc
+
+const (
+	WellKnownEndpointPath     = "/.well-known/openid-configuration"
+	AuthorizationEndpointPath = "/oauth2/authorize"
+	TokenEndpointPath         = "/oauth2/token" //nolint:gosec // ignore lint warning that this is a credential
+	JWKSEndpointPath          = "/jwks.json"
+)

internal/oidc/provider/manager/manager.go

@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package manager
+
+import (
+	"net/http"
+	"sync"
+
+	"k8s.io/klog/v2"
+
+	"go.pinniped.dev/internal/oidc"
+	"go.pinniped.dev/internal/oidc/discovery"
+	"go.pinniped.dev/internal/oidc/provider"
+)
+
+// Manager can manage multiple active OIDC providers. It acts as a request router for them.
+//
+// It is thread-safe.
+type Manager struct {
+	mu               sync.RWMutex
+	providers        []*provider.OIDCProvider
+	providerHandlers map[string]http.Handler // map of all routes for all providers
+	nextHandler      http.Handler            // the next handler in a chain, called when this manager didn't know how to handle a request
+}
+
+// NewManager returns an empty Manager.
+// nextHandler will be invoked for any requests that could not be handled by this manager's providers.
+func NewManager(nextHandler http.Handler) *Manager {
+	return &Manager{providerHandlers: make(map[string]http.Handler), nextHandler: nextHandler}
+}
+
+// SetProviders adds or updates all the given providerHandlers using each provider's issuer string
+// as the name of the provider to decide if it is an add or update operation.
+//
+// It also removes any providerHandlers that were previously added but were not passed in to
+// the current invocation.
+//
+// This method assumes that all of the OIDCProvider arguments have already been validated
+// by someone else before they are passed to this method.
+func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.providers = oidcProviders
+	m.providerHandlers = make(map[string]http.Handler)
+
+	for _, incomingProvider := range oidcProviders {
+		m.providerHandlers[incomingProvider.IssuerHost()+"/"+incomingProvider.IssuerPath()+oidc.WellKnownEndpointPath] = discovery.New(incomingProvider.Issuer())
+		klog.InfoS("oidc provider manager added or updated issuer", "issuer", incomingProvider.Issuer())
+	}
+}
+
+// ServeHTTP implements the http.Handler interface.
+func (m *Manager) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
+	requestHandler := m.findHandler(req)
+
+	klog.InfoS(
+		"oidc provider manager examining request",
+		"method", req.Method,
+		"host", req.Host,
+		"path", req.URL.Path,
+		"foundMatchingIssuer", requestHandler != nil,
+	)
+
+	if requestHandler == nil {
+		requestHandler = m.nextHandler // couldn't find an issuer to handle the request
+	}
+	requestHandler.ServeHTTP(resp, req)
+}
+
+func (m *Manager) findHandler(req *http.Request) http.Handler {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+
+	return m.providerHandlers[req.Host+"/"+req.URL.Path]
+}

internal/oidc/provider/manager/manager_test.go

@@ -0,0 +1,123 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package manager
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/sclevine/spec"
+	"github.com/stretchr/testify/require"
+
+	"go.pinniped.dev/internal/oidc"
+	"go.pinniped.dev/internal/oidc/discovery"
+	"go.pinniped.dev/internal/oidc/provider"
+)
+
+func TestManager(t *testing.T) {
+	spec.Run(t, "ServeHTTP", func(t *testing.T, when spec.G, it spec.S) {
+		var r *require.Assertions
+		var subject *Manager
+		var nextHandler http.HandlerFunc
+		var fallbackHandlerWasCalled bool
+
+		newGetRequest := func(url string) *http.Request {
+			return httptest.NewRequest(http.MethodGet, url, nil)
+		}
+
+		requireDiscoveryRequestToBeHandled := func(issuer, requestURLSuffix string) {
+			recorder := httptest.NewRecorder()
+
+			subject.ServeHTTP(recorder, newGetRequest(issuer+oidc.WellKnownEndpointPath+requestURLSuffix))
+
+			r.Equal(http.StatusOK, recorder.Code)
+			responseBody, err := ioutil.ReadAll(recorder.Body)
+			r.NoError(err)
+			parsedDiscoveryResult := discovery.Metadata{}
+			err = json.Unmarshal(responseBody, &parsedDiscoveryResult)
+			r.NoError(err)
+
+			r.Equal(issuer, parsedDiscoveryResult.Issuer)
+		}
+
+		it.Before(func() {
+			r = require.New(t)
+			nextHandler = func(http.ResponseWriter, *http.Request) {
+				fallbackHandlerWasCalled = true
+			}
+			subject = NewManager(nextHandler)
+		})
+
+		when("given no providers", func() {
+			it("sends all requests to the nextHandler", func() {
+				r.False(fallbackHandlerWasCalled)
+				subject.ServeHTTP(httptest.NewRecorder(), newGetRequest("/anything"))
+				r.True(fallbackHandlerWasCalled)
+			})
+		})
+
+		when("given some valid providers", func() {
+			issuer1 := "https://example.com/some/path"
+			issuer2 := "https://example.com/some/path/more/deeply/nested/path" // note that this is a sub-path of the other issuer url
+
+			it.Before(func() {
+				p1, err := provider.NewOIDCProvider(issuer1)
+				r.NoError(err)
+				p2, err := provider.NewOIDCProvider(issuer2)
+				r.NoError(err)
+				subject.SetProviders(p1, p2)
+			})
+
+			it("sends all non-matching host requests to the nextHandler", func() {
+				r.False(fallbackHandlerWasCalled)
+				url := strings.ReplaceAll(issuer1+oidc.WellKnownEndpointPath, "example.com", "wrong-host.com")
+				subject.ServeHTTP(httptest.NewRecorder(), newGetRequest(url))
+				r.True(fallbackHandlerWasCalled)
+			})
+
+			it("sends all non-matching path requests to the nextHandler", func() {
+				r.False(fallbackHandlerWasCalled)
+				subject.ServeHTTP(httptest.NewRecorder(), newGetRequest("https://example.com/path-does-not-match-any-provider"))
+				r.True(fallbackHandlerWasCalled)
+			})
+
+			it("sends requests which match the issuer prefix but do not match any of that provider's known paths to the nextHandler", func() {
+				r.False(fallbackHandlerWasCalled)
+				subject.ServeHTTP(httptest.NewRecorder(), newGetRequest(issuer1+"/unhandled-sub-path"))
+				r.True(fallbackHandlerWasCalled)
+			})
+
+			it("routes matching requests to the appropriate provider", func() {
+				requireDiscoveryRequestToBeHandled(issuer1, "")
+				requireDiscoveryRequestToBeHandled(issuer2, "")
+				requireDiscoveryRequestToBeHandled(issuer2, "?some=query")
+				r.False(fallbackHandlerWasCalled)
+			})
+		})
+
+		when("given the same valid providers in reverse order", func() {
+			issuer1 := "https://example.com/some/path"
+			issuer2 := "https://example.com/some/path/more/deeply/nested/path"
+
+			it.Before(func() {
+				p1, err := provider.NewOIDCProvider(issuer1)
+				r.NoError(err)
+				p2, err := provider.NewOIDCProvider(issuer2)
+				r.NoError(err)
+				subject.SetProviders(p2, p1)
+			})
+
+			it("still routes matching requests to the appropriate provider", func() {
+				requireDiscoveryRequestToBeHandled(issuer1, "")
+				requireDiscoveryRequestToBeHandled(issuer2, "")
+				requireDiscoveryRequestToBeHandled(issuer2, "?some=query")
+				r.False(fallbackHandlerWasCalled)
+			})
+		})
+	})
+}