From 8f7175751e3338d7a774c2fe5f6f134b1912947a Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev <bkhizgiy@redhat.com>
Date: Tue, 27 Jan 2026 12:57:33 +0200
Subject: [PATCH 01/10] Add auto generated files for OIDC support in the
 operator

Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com>
---
 vendor/github.com/coreos/go-oidc/.gitignore   |    2 +
 vendor/github.com/coreos/go-oidc/.travis.yml  |   18 +
 .../github.com/coreos/go-oidc/CONTRIBUTING.md |   71 +
 vendor/github.com/coreos/go-oidc/DCO          |   36 +
 vendor/github.com/coreos/go-oidc/LICENSE      |  202 +
 vendor/github.com/coreos/go-oidc/MAINTAINERS  |    3 +
 vendor/github.com/coreos/go-oidc/NOTICE       |    5 +
 vendor/github.com/coreos/go-oidc/README.md    |   72 +
 .../coreos/go-oidc/code-of-conduct.md         |   61 +
 vendor/github.com/coreos/go-oidc/jose.go      |   20 +
 vendor/github.com/coreos/go-oidc/jwks.go      |  228 +
 vendor/github.com/coreos/go-oidc/oidc.go      |  457 ++
 vendor/github.com/coreos/go-oidc/test         |   16 +
 vendor/github.com/coreos/go-oidc/verify.go    |  336 +
 .../github.com/golang-jwt/jwt/v5/.gitignore   |    4 +
 vendor/github.com/golang-jwt/jwt/v5/LICENSE   |    9 +
 .../golang-jwt/jwt/v5/MIGRATION_GUIDE.md      |  195 +
 vendor/github.com/golang-jwt/jwt/v5/README.md |  167 +
 .../github.com/golang-jwt/jwt/v5/SECURITY.md  |   19 +
 .../golang-jwt/jwt/v5/VERSION_HISTORY.md      |  137 +
 vendor/github.com/golang-jwt/jwt/v5/claims.go |   16 +
 vendor/github.com/golang-jwt/jwt/v5/doc.go    |    4 +
 vendor/github.com/golang-jwt/jwt/v5/ecdsa.go  |  134 +
 .../golang-jwt/jwt/v5/ecdsa_utils.go          |   69 +
 .../github.com/golang-jwt/jwt/v5/ed25519.go   |   79 +
 .../golang-jwt/jwt/v5/ed25519_utils.go        |   64 +
 vendor/github.com/golang-jwt/jwt/v5/errors.go |   49 +
 .../golang-jwt/jwt/v5/errors_go1_20.go        |   47 +
 .../golang-jwt/jwt/v5/errors_go_other.go      |   78 +
 vendor/github.com/golang-jwt/jwt/v5/hmac.go   |  104 +
 .../golang-jwt/jwt/v5/map_claims.go           |  109 +
 vendor/github.com/golang-jwt/jwt/v5/none.go   |   50 +
 vendor/github.com/golang-jwt/jwt/v5/parser.go |  268 +
 .../golang-jwt/jwt/v5/parser_option.go        |  128 +
 .../golang-jwt/jwt/v5/registered_claims.go    |   63 +
 vendor/github.com/golang-jwt/jwt/v5/rsa.go    |   93 +
 .../github.com/golang-jwt/jwt/v5/rsa_pss.go   |  135 +
 .../github.com/golang-jwt/jwt/v5/rsa_utils.go |  107 +
 .../golang-jwt/jwt/v5/signing_method.go       |   49 +
 .../golang-jwt/jwt/v5/staticcheck.conf        |    1 +
 vendor/github.com/golang-jwt/jwt/v5/token.go  |  100 +
 .../golang-jwt/jwt/v5/token_option.go         |    5 +
 vendor/github.com/golang-jwt/jwt/v5/types.go  |  149 +
 .../github.com/golang-jwt/jwt/v5/validator.go |  316 +
 .../openshift/api/config/v1/Makefile          |    3 +
 .../github.com/openshift/api/config/v1/doc.go |    9 +
 .../openshift/api/config/v1/register.go       |   82 +
 .../openshift/api/config/v1/stringsource.go   |   31 +
 .../openshift/api/config/v1/types.go          |  431 ++
 .../api/config/v1/types_apiserver.go          |  251 +
 .../api/config/v1/types_authentication.go     |  765 ++
 .../openshift/api/config/v1/types_build.go    |  132 +
 .../config/v1/types_cluster_image_policy.go   |   87 +
 .../api/config/v1/types_cluster_operator.go   |  220 +
 .../api/config/v1/types_cluster_version.go    |  908 +++
 .../openshift/api/config/v1/types_console.go  |   81 +
 .../openshift/api/config/v1/types_dns.go      |  140 +
 .../openshift/api/config/v1/types_feature.go  |  153 +
 .../openshift/api/config/v1/types_image.go    |  191 +
 .../config/v1/types_image_content_policy.go   |   99 +
 .../v1/types_image_digest_mirror_set.go       |  141 +
 .../api/config/v1/types_image_policy.go       |  322 +
 .../config/v1/types_image_tag_mirror_set.go   |  128 +
 .../api/config/v1/types_infrastructure.go     | 2121 ++++++
 .../openshift/api/config/v1/types_ingress.go  |  332 +
 .../api/config/v1/types_kmsencryption.go      |   55 +
 .../openshift/api/config/v1/types_network.go  |  308 +
 .../openshift/api/config/v1/types_node.go     |  142 +
 .../openshift/api/config/v1/types_oauth.go    |  597 ++
 .../api/config/v1/types_operatorhub.go        |   97 +
 .../openshift/api/config/v1/types_project.go  |   70 +
 .../openshift/api/config/v1/types_proxy.go    |  110 +
 .../api/config/v1/types_scheduling.go         |  144 +
 .../api/config/v1/types_testreporting.go      |   45 +
 .../api/config/v1/types_tlssecurityprofile.go |  312 +
 .../api/config/v1/zz_generated.deepcopy.go    | 6653 +++++++++++++++++
 ..._generated.featuregated-crd-manifests.yaml |  565 ++
 .../v1/zz_generated.swagger_doc_generated.go  | 2897 +++++++
 .../pquerna/cachecontrol/.travis.yml          |    8 +
 .../github.com/pquerna/cachecontrol/LICENSE   |  202 +
 .../github.com/pquerna/cachecontrol/README.md |  107 +
 vendor/github.com/pquerna/cachecontrol/api.go |   48 +
 .../cachecontrol/cacheobject/directive.go     |  547 ++
 .../pquerna/cachecontrol/cacheobject/lex.go   |   93 +
 .../cachecontrol/cacheobject/object.go        |  398 +
 .../cachecontrol/cacheobject/reasons.go       |   95 +
 .../cachecontrol/cacheobject/warning.go       |  107 +
 vendor/github.com/pquerna/cachecontrol/doc.go |   25 +
 vendor/golang.org/x/crypto/ed25519/ed25519.go |   69 +
 .../go-jose/go-jose.v2/.gitcookies.sh.enc     |    1 +
 vendor/gopkg.in/go-jose/go-jose.v2/.gitignore |    8 +
 .../gopkg.in/go-jose/go-jose.v2/.travis.yml   |   45 +
 .../gopkg.in/go-jose/go-jose.v2/CHANGELOG.md  |   84 +
 .../go-jose/go-jose.v2/CONTRIBUTING.md        |   14 +
 vendor/gopkg.in/go-jose/go-jose.v2/LICENSE    |  202 +
 vendor/gopkg.in/go-jose/go-jose.v2/README.md  |    4 +
 .../gopkg.in/go-jose/go-jose.v2/asymmetric.go |  595 ++
 .../go-jose/go-jose.v2/cipher/cbc_hmac.go     |  196 +
 .../go-jose/go-jose.v2/cipher/concat_kdf.go   |   75 +
 .../go-jose/go-jose.v2/cipher/ecdh_es.go      |   86 +
 .../go-jose/go-jose.v2/cipher/key_wrap.go     |  109 +
 vendor/gopkg.in/go-jose/go-jose.v2/crypter.go |  548 ++
 vendor/gopkg.in/go-jose/go-jose.v2/doc.go     |   27 +
 .../gopkg.in/go-jose/go-jose.v2/encoding.go   |  198 +
 .../gopkg.in/go-jose/go-jose.v2/json/LICENSE  |   27 +
 .../go-jose/go-jose.v2/json/README.md         |   13 +
 .../go-jose/go-jose.v2/json/decode.go         | 1217 +++
 .../go-jose/go-jose.v2/json/encode.go         | 1197 +++
 .../go-jose/go-jose.v2/json/indent.go         |  141 +
 .../go-jose/go-jose.v2/json/scanner.go        |  623 ++
 .../go-jose/go-jose.v2/json/stream.go         |  485 ++
 .../gopkg.in/go-jose/go-jose.v2/json/tags.go  |   44 +
 vendor/gopkg.in/go-jose/go-jose.v2/jwe.go     |  294 +
 vendor/gopkg.in/go-jose/go-jose.v2/jwk.go     |  760 ++
 vendor/gopkg.in/go-jose/go-jose.v2/jws.go     |  366 +
 vendor/gopkg.in/go-jose/go-jose.v2/opaque.go  |  144 +
 vendor/gopkg.in/go-jose/go-jose.v2/shared.go  |  520 ++
 vendor/gopkg.in/go-jose/go-jose.v2/signing.go |  441 ++
 .../gopkg.in/go-jose/go-jose.v2/symmetric.go  |  487 ++
 .../pkg/authentication/token/jwt/jwt.go       |   26 +
 .../pkg/authentication/token/union/union.go   |   71 +
 .../pkg/authenticator/token/oidc/metrics.go   |  110 +
 .../pkg/authenticator/token/oidc/oidc.go      | 1162 +++
 123 files changed, 34916 insertions(+)
 create mode 100644 vendor/github.com/coreos/go-oidc/.gitignore
 create mode 100644 vendor/github.com/coreos/go-oidc/.travis.yml
 create mode 100644 vendor/github.com/coreos/go-oidc/CONTRIBUTING.md
 create mode 100644 vendor/github.com/coreos/go-oidc/DCO
 create mode 100644 vendor/github.com/coreos/go-oidc/LICENSE
 create mode 100644 vendor/github.com/coreos/go-oidc/MAINTAINERS
 create mode 100644 vendor/github.com/coreos/go-oidc/NOTICE
 create mode 100644 vendor/github.com/coreos/go-oidc/README.md
 create mode 100644 vendor/github.com/coreos/go-oidc/code-of-conduct.md
 create mode 100644 vendor/github.com/coreos/go-oidc/jose.go
 create mode 100644 vendor/github.com/coreos/go-oidc/jwks.go
 create mode 100644 vendor/github.com/coreos/go-oidc/oidc.go
 create mode 100644 vendor/github.com/coreos/go-oidc/test
 create mode 100644 vendor/github.com/coreos/go-oidc/verify.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/.gitignore
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/LICENSE
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/README.md
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/claims.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/doc.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/ecdsa_utils.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/ed25519.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/ed25519_utils.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/errors.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/errors_go1_20.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/errors_go_other.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/hmac.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/map_claims.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/none.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/parser.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/parser_option.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/registered_claims.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/rsa.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/rsa_pss.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/rsa_utils.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/signing_method.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/staticcheck.conf
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/token.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/token_option.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/types.go
 create mode 100644 vendor/github.com/golang-jwt/jwt/v5/validator.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/Makefile
 create mode 100644 vendor/github.com/openshift/api/config/v1/doc.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/register.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/stringsource.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_apiserver.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_authentication.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_build.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_cluster_operator.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_cluster_version.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_console.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_dns.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_feature.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_image.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_image_content_policy.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_image_digest_mirror_set.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_image_policy.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_image_tag_mirror_set.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_infrastructure.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_ingress.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_kmsencryption.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_network.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_node.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_oauth.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_operatorhub.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_project.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_proxy.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_scheduling.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_testreporting.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
 create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
 create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
 create mode 100644 vendor/github.com/pquerna/cachecontrol/.travis.yml
 create mode 100644 vendor/github.com/pquerna/cachecontrol/LICENSE
 create mode 100644 vendor/github.com/pquerna/cachecontrol/README.md
 create mode 100644 vendor/github.com/pquerna/cachecontrol/api.go
 create mode 100644 vendor/github.com/pquerna/cachecontrol/cacheobject/directive.go
 create mode 100644 vendor/github.com/pquerna/cachecontrol/cacheobject/lex.go
 create mode 100644 vendor/github.com/pquerna/cachecontrol/cacheobject/object.go
 create mode 100644 vendor/github.com/pquerna/cachecontrol/cacheobject/reasons.go
 create mode 100644 vendor/github.com/pquerna/cachecontrol/cacheobject/warning.go
 create mode 100644 vendor/github.com/pquerna/cachecontrol/doc.go
 create mode 100644 vendor/golang.org/x/crypto/ed25519/ed25519.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/.gitcookies.sh.enc
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/.gitignore
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/.travis.yml
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/CONTRIBUTING.md
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/LICENSE
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/README.md
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/cipher/cbc_hmac.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/cipher/concat_kdf.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/cipher/ecdh_es.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/cipher/key_wrap.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/crypter.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/doc.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/json/LICENSE
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/json/README.md
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/json/decode.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/json/encode.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/json/indent.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/json/scanner.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/json/stream.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/json/tags.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/jwk.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/jws.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/opaque.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/shared.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/signing.go
 create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go
 create mode 100644 vendor/k8s.io/apiserver/pkg/authentication/token/jwt/jwt.go
 create mode 100644 vendor/k8s.io/apiserver/pkg/authentication/token/union/union.go
 create mode 100644 vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/metrics.go
 create mode 100644 vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go

diff --git a/vendor/github.com/coreos/go-oidc/.gitignore b/vendor/github.com/coreos/go-oidc/.gitignore
new file mode 100644
index 00000000..c96f2f47
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/.gitignore
@@ -0,0 +1,2 @@
+/bin
+/gopath
diff --git a/vendor/github.com/coreos/go-oidc/.travis.yml b/vendor/github.com/coreos/go-oidc/.travis.yml
new file mode 100644
index 00000000..9f0b0601
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/.travis.yml
@@ -0,0 +1,18 @@
+language: go
+
+go:
+  - "1.14"
+  - "1.15"
+arch:
+  - AMD64
+  - ppc64le
+install:
+ - go get -v -t github.com/coreos/go-oidc/...
+ - go get golang.org/x/tools/cmd/cover
+ - go get golang.org/x/lint/golint
+
+script:
+ - ./test
+
+notifications:
+  email: false
diff --git a/vendor/github.com/coreos/go-oidc/CONTRIBUTING.md b/vendor/github.com/coreos/go-oidc/CONTRIBUTING.md
new file mode 100644
index 00000000..6662073a
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/CONTRIBUTING.md
@@ -0,0 +1,71 @@
+# How to Contribute
+
+CoreOS projects are [Apache 2.0 licensed](LICENSE) and accept contributions via
+GitHub pull requests.  This document outlines some of the conventions on
+development workflow, commit message formatting, contact points and other
+resources to make it easier to get your contribution accepted.
+
+# Certificate of Origin
+
+By contributing to this project you agree to the Developer Certificate of
+Origin (DCO). This document was created by the Linux Kernel community and is a
+simple statement that you, as a contributor, have the legal right to make the
+contribution. See the [DCO](DCO) file for details.
+
+# Email and Chat
+
+The project currently uses the general CoreOS email list and IRC channel:
+- Email: [coreos-dev](https://groups.google.com/forum/#!forum/coreos-dev)
+- IRC: #[coreos](irc://irc.freenode.org:6667/#coreos) IRC channel on freenode.org
+
+Please avoid emailing maintainers found in the MAINTAINERS file directly. They
+are very busy and read the mailing lists.
+
+## Getting Started
+
+- Fork the repository on GitHub
+- Read the [README](README.md) for build and test instructions
+- Play with the project, submit bugs, submit patches!
+
+## Contribution Flow
+
+This is a rough outline of what a contributor's workflow looks like:
+
+- Create a topic branch from where you want to base your work (usually master).
+- Make commits of logical units.
+- Make sure your commit messages are in the proper format (see below).
+- Push your changes to a topic branch in your fork of the repository.
+- Make sure the tests pass, and add any new tests as appropriate.
+- Submit a pull request to the original repository.
+
+Thanks for your contributions!
+
+### Format of the Commit Message
+
+We follow a rough convention for commit messages that is designed to answer two
+questions: what changed and why. The subject line should feature the what and
+the body of the commit should describe the why.
+
+```
+scripts: add the test-cluster command
+
+this uses tmux to setup a test cluster that you can easily kill and
+start for debugging.
+
+Fixes #38
+```
+
+The format can be described more formally as follows:
+
+```
+<subsystem>: <what changed>
+<BLANK LINE>
+<why this change was made>
+<BLANK LINE>
+<footer>
+```
+
+The first line is the subject and should be no longer than 70 characters, the
+second line is always blank, and other lines should be wrapped at 80 characters.
+This allows the message to be easier to read on GitHub as well as in various
+git tools.
diff --git a/vendor/github.com/coreos/go-oidc/DCO b/vendor/github.com/coreos/go-oidc/DCO
new file mode 100644
index 00000000..716561d5
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/DCO
@@ -0,0 +1,36 @@
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
diff --git a/vendor/github.com/coreos/go-oidc/LICENSE b/vendor/github.com/coreos/go-oidc/LICENSE
new file mode 100644
index 00000000..e06d2081
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/LICENSE
@@ -0,0 +1,202 @@
+Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
diff --git a/vendor/github.com/coreos/go-oidc/MAINTAINERS b/vendor/github.com/coreos/go-oidc/MAINTAINERS
new file mode 100644
index 00000000..99bcaa3f
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/MAINTAINERS
@@ -0,0 +1,3 @@
+Eric Chiang <ericchiang@google.com> (@ericchiang)
+Mike Danese <mikedanese@google.com> (@mikedanese)
+Rithu Leena John <rjohn@redhat.com> (@rithujohn191)
diff --git a/vendor/github.com/coreos/go-oidc/NOTICE b/vendor/github.com/coreos/go-oidc/NOTICE
new file mode 100644
index 00000000..b39ddfa5
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/NOTICE
@@ -0,0 +1,5 @@
+CoreOS Project
+Copyright 2014 CoreOS, Inc
+
+This product includes software developed at CoreOS, Inc.
+(http://www.coreos.com/).
diff --git a/vendor/github.com/coreos/go-oidc/README.md b/vendor/github.com/coreos/go-oidc/README.md
new file mode 100644
index 00000000..520d7c87
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/README.md
@@ -0,0 +1,72 @@
+# go-oidc
+
+[![GoDoc](https://godoc.org/github.com/coreos/go-oidc?status.svg)](https://godoc.org/github.com/coreos/go-oidc)
+[![Build Status](https://travis-ci.org/coreos/go-oidc.png?branch=master)](https://travis-ci.org/coreos/go-oidc)
+
+## OpenID Connect support for Go
+
+This package enables OpenID Connect support for the [golang.org/x/oauth2](https://godoc.org/golang.org/x/oauth2) package.
+
+```go
+provider, err := oidc.NewProvider(ctx, "https://accounts.google.com")
+if err != nil {
+    // handle error
+}
+
+// Configure an OpenID Connect aware OAuth2 client.
+oauth2Config := oauth2.Config{
+    ClientID:     clientID,
+    ClientSecret: clientSecret,
+    RedirectURL:  redirectURL,
+
+    // Discovery returns the OAuth2 endpoints.
+    Endpoint: provider.Endpoint(),
+
+    // "openid" is a required scope for OpenID Connect flows.
+    Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
+}
+```
+
+OAuth2 redirects are unchanged.
+
+```go
+func handleRedirect(w http.ResponseWriter, r *http.Request) {
+    http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusFound)
+}
+```
+
+The on responses, the provider can be used to verify ID Tokens.
+
+```go
+var verifier = provider.Verifier(&oidc.Config{ClientID: clientID})
+
+func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
+    // Verify state and errors.
+
+    oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
+    if err != nil {
+        // handle error
+    }
+
+    // Extract the ID Token from OAuth2 token.
+    rawIDToken, ok := oauth2Token.Extra("id_token").(string)
+    if !ok {
+        // handle missing token
+    }
+
+    // Parse and verify ID Token payload.
+    idToken, err := verifier.Verify(ctx, rawIDToken)
+    if err != nil {
+        // handle error
+    }
+
+    // Extract custom claims
+    var claims struct {
+        Email    string `json:"email"`
+        Verified bool   `json:"email_verified"`
+    }
+    if err := idToken.Claims(&claims); err != nil {
+        // handle error
+    }
+}
+```
diff --git a/vendor/github.com/coreos/go-oidc/code-of-conduct.md b/vendor/github.com/coreos/go-oidc/code-of-conduct.md
new file mode 100644
index 00000000..a234f360
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/code-of-conduct.md
@@ -0,0 +1,61 @@
+## CoreOS Community Code of Conduct
+
+### Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing others' private information, such as physical or electronic addresses, without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct. By adopting this Code of Conduct,
+project maintainers commit themselves to fairly and consistently applying these
+principles to every aspect of managing this project. Project maintainers who do
+not follow or enforce the Code of Conduct may be permanently removed from the
+project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting a project maintainer, Brandon Philips
+<brandon.philips@coreos.com>, and/or Rithu John <rithu.john@coreos.com>.
+
+This Code of Conduct is adapted from the Contributor Covenant
+(http://contributor-covenant.org), version 1.2.0, available at
+http://contributor-covenant.org/version/1/2/0/
+
+### CoreOS Events Code of Conduct
+
+CoreOS events are working conferences intended for professional networking and
+collaboration in the CoreOS community. Attendees are expected to behave
+according to professional standards and in accordance with their employer’s
+policies on appropriate workplace behavior.
+
+While at CoreOS events or related social networking opportunities, attendees
+should not engage in discriminatory or offensive speech or actions including
+but not limited to gender, sexuality, race, age, disability, or religion.
+Speakers should be especially aware of these concerns.
+
+CoreOS does not condone any statements by speakers contrary to these standards.
+CoreOS reserves the right to deny entrance and/or eject from an event (without
+refund) any individual found to be engaging in discriminatory or offensive
+speech or actions.
+
+Please bring any concerns to the immediate attention of designated on-site
+staff, Brandon Philips <brandon.philips@coreos.com>, and/or Rithu John <rithu.john@coreos.com>.
diff --git a/vendor/github.com/coreos/go-oidc/jose.go b/vendor/github.com/coreos/go-oidc/jose.go
new file mode 100644
index 00000000..f2e6bf43
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose.go
@@ -0,0 +1,20 @@
+// +build !golint
+
+// Don't lint this file. We don't want to have to add a comment to each constant.
+
+package oidc
+
+const (
+	// JOSE asymmetric signing algorithm values as defined by RFC 7518
+	//
+	// see: https://tools.ietf.org/html/rfc7518#section-3.1
+	RS256 = "RS256" // RSASSA-PKCS-v1.5 using SHA-256
+	RS384 = "RS384" // RSASSA-PKCS-v1.5 using SHA-384
+	RS512 = "RS512" // RSASSA-PKCS-v1.5 using SHA-512
+	ES256 = "ES256" // ECDSA using P-256 and SHA-256
+	ES384 = "ES384" // ECDSA using P-384 and SHA-384
+	ES512 = "ES512" // ECDSA using P-521 and SHA-512
+	PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
+	PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
+	PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
+)
diff --git a/vendor/github.com/coreos/go-oidc/jwks.go b/vendor/github.com/coreos/go-oidc/jwks.go
new file mode 100644
index 00000000..e262f7bd
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jwks.go
@@ -0,0 +1,228 @@
+package oidc
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/pquerna/cachecontrol"
+	jose "gopkg.in/go-jose/go-jose.v2"
+)
+
+// keysExpiryDelta is the allowed clock skew between a client and the OpenID Connect
+// server.
+//
+// When keys expire, they are valid for this amount of time after.
+//
+// If the keys have not expired, and an ID Token claims it was signed by a key not in
+// the cache, if and only if the keys expire in this amount of time, the keys will be
+// updated.
+const keysExpiryDelta = 30 * time.Second
+
+// NewRemoteKeySet returns a KeySet that can validate JSON web tokens by using HTTP
+// GETs to fetch JSON web token sets hosted at a remote URL. This is automatically
+// used by NewProvider using the URLs returned by OpenID Connect discovery, but is
+// exposed for providers that don't support discovery or to prevent round trips to the
+// discovery URL.
+//
+// The returned KeySet is a long lived verifier that caches keys based on cache-control
+// headers. Reuse a common remote key set instead of creating new ones as needed.
+//
+// The behavior of the returned KeySet is undefined once the context is canceled.
+func NewRemoteKeySet(ctx context.Context, jwksURL string) KeySet {
+	return newRemoteKeySet(ctx, jwksURL, time.Now)
+}
+
+func newRemoteKeySet(ctx context.Context, jwksURL string, now func() time.Time) *remoteKeySet {
+	if now == nil {
+		now = time.Now
+	}
+	return &remoteKeySet{jwksURL: jwksURL, ctx: ctx, now: now}
+}
+
+type remoteKeySet struct {
+	jwksURL string
+	ctx     context.Context
+	now     func() time.Time
+
+	// guard all other fields
+	mu sync.Mutex
+
+	// inflight suppresses parallel execution of updateKeys and allows
+	// multiple goroutines to wait for its result.
+	inflight *inflight
+
+	// A set of cached keys and their expiry.
+	cachedKeys []jose.JSONWebKey
+	expiry     time.Time
+}
+
+// inflight is used to wait on some in-flight request from multiple goroutines.
+type inflight struct {
+	doneCh chan struct{}
+
+	keys []jose.JSONWebKey
+	err  error
+}
+
+func newInflight() *inflight {
+	return &inflight{doneCh: make(chan struct{})}
+}
+
+// wait returns a channel that multiple goroutines can receive on. Once it returns
+// a value, the inflight request is done and result() can be inspected.
+func (i *inflight) wait() <-chan struct{} {
+	return i.doneCh
+}
+
+// done can only be called by a single goroutine. It records the result of the
+// inflight request and signals other goroutines that the result is safe to
+// inspect.
+func (i *inflight) done(keys []jose.JSONWebKey, err error) {
+	i.keys = keys
+	i.err = err
+	close(i.doneCh)
+}
+
+// result cannot be called until the wait() channel has returned a value.
+func (i *inflight) result() ([]jose.JSONWebKey, error) {
+	return i.keys, i.err
+}
+
+func (r *remoteKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {
+	jws, err := jose.ParseSigned(jwt)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
+	}
+	return r.verify(ctx, jws)
+}
+
+func (r *remoteKeySet) verify(ctx context.Context, jws *jose.JSONWebSignature) ([]byte, error) {
+	// We don't support JWTs signed with multiple signatures.
+	keyID := ""
+	for _, sig := range jws.Signatures {
+		keyID = sig.Header.KeyID
+		break
+	}
+
+	keys, expiry := r.keysFromCache()
+
+	// Don't check expiry yet. This optimizes for when the provider is unavailable.
+	for _, key := range keys {
+		if keyID == "" || key.KeyID == keyID {
+			if payload, err := jws.Verify(&key); err == nil {
+				return payload, nil
+			}
+		}
+	}
+
+	if !r.now().Add(keysExpiryDelta).After(expiry) {
+		// Keys haven't expired, don't refresh.
+		return nil, errors.New("failed to verify id token signature")
+	}
+
+	keys, err := r.keysFromRemote(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("fetching keys %v", err)
+	}
+
+	for _, key := range keys {
+		if keyID == "" || key.KeyID == keyID {
+			if payload, err := jws.Verify(&key); err == nil {
+				return payload, nil
+			}
+		}
+	}
+	return nil, errors.New("failed to verify id token signature")
+}
+
+func (r *remoteKeySet) keysFromCache() (keys []jose.JSONWebKey, expiry time.Time) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	return r.cachedKeys, r.expiry
+}
+
+// keysFromRemote syncs the key set from the remote set, records the values in the
+// cache, and returns the key set.
+func (r *remoteKeySet) keysFromRemote(ctx context.Context) ([]jose.JSONWebKey, error) {
+	// Need to lock to inspect the inflight request field.
+	r.mu.Lock()
+	// If there's not a current inflight request, create one.
+	if r.inflight == nil {
+		r.inflight = newInflight()
+
+		// This goroutine has exclusive ownership over the current inflight
+		// request. It releases the resource by nil'ing the inflight field
+		// once the goroutine is done.
+		go func() {
+			// Sync keys and finish inflight when that's done.
+			keys, expiry, err := r.updateKeys()
+
+			r.inflight.done(keys, err)
+
+			// Lock to update the keys and indicate that there is no longer an
+			// inflight request.
+			r.mu.Lock()
+			defer r.mu.Unlock()
+
+			if err == nil {
+				r.cachedKeys = keys
+				r.expiry = expiry
+			}
+
+			// Free inflight so a different request can run.
+			r.inflight = nil
+		}()
+	}
+	inflight := r.inflight
+	r.mu.Unlock()
+
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	case <-inflight.wait():
+		return inflight.result()
+	}
+}
+
+func (r *remoteKeySet) updateKeys() ([]jose.JSONWebKey, time.Time, error) {
+	req, err := http.NewRequest("GET", r.jwksURL, nil)
+	if err != nil {
+		return nil, time.Time{}, fmt.Errorf("oidc: can't create request: %v", err)
+	}
+
+	resp, err := doRequest(r.ctx, req)
+	if err != nil {
+		return nil, time.Time{}, fmt.Errorf("oidc: get keys failed %v", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, time.Time{}, fmt.Errorf("unable to read response body: %v", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, time.Time{}, fmt.Errorf("oidc: get keys failed: %s %s", resp.Status, body)
+	}
+
+	var keySet jose.JSONWebKeySet
+	err = unmarshalResp(resp, body, &keySet)
+	if err != nil {
+		return nil, time.Time{}, fmt.Errorf("oidc: failed to decode keys: %v %s", err, body)
+	}
+
+	// If the server doesn't provide cache control headers, assume the
+	// keys expire immediately.
+	expiry := r.now()
+
+	_, e, err := cachecontrol.CachableResponse(req, resp, cachecontrol.Options{})
+	if err == nil && e.After(expiry) {
+		expiry = e
+	}
+	return keySet.Keys, expiry, nil
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc.go b/vendor/github.com/coreos/go-oidc/oidc.go
new file mode 100644
index 00000000..bf35ee9e
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc.go
@@ -0,0 +1,457 @@
+// Package oidc implements OpenID Connect client logic for the golang.org/x/oauth2 package.
+package oidc
+
+import (
+	"context"
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"hash"
+	"io/ioutil"
+	"mime"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"golang.org/x/oauth2"
+	jose "gopkg.in/go-jose/go-jose.v2"
+)
+
+const (
+	// ScopeOpenID is the mandatory scope for all OpenID Connect OAuth2 requests.
+	ScopeOpenID = "openid"
+
+	// ScopeOfflineAccess is an optional scope defined by OpenID Connect for requesting
+	// OAuth2 refresh tokens.
+	//
+	// Support for this scope differs between OpenID Connect providers. For instance
+	// Google rejects it, favoring appending "access_type=offline" as part of the
+	// authorization request instead.
+	//
+	// See: https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+	ScopeOfflineAccess = "offline_access"
+)
+
+var (
+	errNoAtHash      = errors.New("id token did not have an access token hash")
+	errInvalidAtHash = errors.New("access token hash does not match value in ID token")
+)
+
+// ClientContext returns a new Context that carries the provided HTTP client.
+//
+// This method sets the same context key used by the golang.org/x/oauth2 package,
+// so the returned context works for that package too.
+//
+//    myClient := &http.Client{}
+//    ctx := oidc.ClientContext(parentContext, myClient)
+//
+//    // This will use the custom client
+//    provider, err := oidc.NewProvider(ctx, "https://accounts.example.com")
+//
+func ClientContext(ctx context.Context, client *http.Client) context.Context {
+	return context.WithValue(ctx, oauth2.HTTPClient, client)
+}
+
+func doRequest(ctx context.Context, req *http.Request) (*http.Response, error) {
+	client := http.DefaultClient
+	if c, ok := ctx.Value(oauth2.HTTPClient).(*http.Client); ok {
+		client = c
+	}
+	return client.Do(req.WithContext(ctx))
+}
+
+// Provider represents an OpenID Connect server's configuration.
+type Provider struct {
+	issuer      string
+	authURL     string
+	tokenURL    string
+	userInfoURL string
+	algorithms  []string
+
+	// Raw claims returned by the server.
+	rawClaims []byte
+
+	remoteKeySet KeySet
+}
+
+type cachedKeys struct {
+	keys   []jose.JSONWebKey
+	expiry time.Time
+}
+
+type providerJSON struct {
+	Issuer      string   `json:"issuer"`
+	AuthURL     string   `json:"authorization_endpoint"`
+	TokenURL    string   `json:"token_endpoint"`
+	JWKSURL     string   `json:"jwks_uri"`
+	UserInfoURL string   `json:"userinfo_endpoint"`
+	Algorithms  []string `json:"id_token_signing_alg_values_supported"`
+}
+
+// supportedAlgorithms is a list of algorithms explicitly supported by this
+// package. If a provider supports other algorithms, such as HS256 or none,
+// those values won't be passed to the IDTokenVerifier.
+var supportedAlgorithms = map[string]bool{
+	RS256: true,
+	RS384: true,
+	RS512: true,
+	ES256: true,
+	ES384: true,
+	ES512: true,
+	PS256: true,
+	PS384: true,
+	PS512: true,
+}
+
+// NewProvider uses the OpenID Connect discovery mechanism to construct a Provider.
+//
+// The issuer is the URL identifier for the service. For example: "https://accounts.google.com"
+// or "https://login.salesforce.com".
+func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
+	wellKnown := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
+	req, err := http.NewRequest("GET", wellKnown, nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := doRequest(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("unable to read response body: %v", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%s: %s", resp.Status, body)
+	}
+
+	var p providerJSON
+	err = unmarshalResp(resp, body, &p)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: failed to decode provider discovery object: %v", err)
+	}
+
+	if p.Issuer != issuer {
+		return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuer, p.Issuer)
+	}
+	var algs []string
+	for _, a := range p.Algorithms {
+		if supportedAlgorithms[a] {
+			algs = append(algs, a)
+		}
+	}
+	return &Provider{
+		issuer:       p.Issuer,
+		authURL:      p.AuthURL,
+		tokenURL:     p.TokenURL,
+		userInfoURL:  p.UserInfoURL,
+		algorithms:   algs,
+		rawClaims:    body,
+		remoteKeySet: NewRemoteKeySet(ctx, p.JWKSURL),
+	}, nil
+}
+
+// Claims unmarshals raw fields returned by the server during discovery.
+//
+//    var claims struct {
+//        ScopesSupported []string `json:"scopes_supported"`
+//        ClaimsSupported []string `json:"claims_supported"`
+//    }
+//
+//    if err := provider.Claims(&claims); err != nil {
+//        // handle unmarshaling error
+//    }
+//
+// For a list of fields defined by the OpenID Connect spec see:
+// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+func (p *Provider) Claims(v interface{}) error {
+	if p.rawClaims == nil {
+		return errors.New("oidc: claims not set")
+	}
+	return json.Unmarshal(p.rawClaims, v)
+}
+
+// Endpoint returns the OAuth2 auth and token endpoints for the given provider.
+func (p *Provider) Endpoint() oauth2.Endpoint {
+	return oauth2.Endpoint{AuthURL: p.authURL, TokenURL: p.tokenURL}
+}
+
+// UserInfo represents the OpenID Connect userinfo claims.
+type UserInfo struct {
+	Subject       string `json:"sub"`
+	Profile       string `json:"profile"`
+	Email         string `json:"email"`
+	EmailVerified bool   `json:"email_verified"`
+
+	claims []byte
+}
+
+type userInfoRaw struct {
+	Subject string `json:"sub"`
+	Profile string `json:"profile"`
+	Email   string `json:"email"`
+	// Handle providers that return email_verified as a string
+	// https://forums.aws.amazon.com/thread.jspa?messageID=949441&#949441 and
+	// https://discuss.elastic.co/t/openid-error-after-authenticating-against-aws-cognito/206018/11
+	EmailVerified stringAsBool `json:"email_verified"`
+}
+
+// Claims unmarshals the raw JSON object claims into the provided object.
+func (u *UserInfo) Claims(v interface{}) error {
+	if u.claims == nil {
+		return errors.New("oidc: claims not set")
+	}
+	return json.Unmarshal(u.claims, v)
+}
+
+// UserInfo uses the token source to query the provider's user info endpoint.
+func (p *Provider) UserInfo(ctx context.Context, tokenSource oauth2.TokenSource) (*UserInfo, error) {
+	if p.userInfoURL == "" {
+		return nil, errors.New("oidc: user info endpoint is not supported by this provider")
+	}
+
+	req, err := http.NewRequest("GET", p.userInfoURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: create GET request: %v", err)
+	}
+
+	token, err := tokenSource.Token()
+	if err != nil {
+		return nil, fmt.Errorf("oidc: get access token: %v", err)
+	}
+	token.SetAuthHeader(req)
+
+	resp, err := doRequest(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%s: %s", resp.Status, body)
+	}
+
+	ct := resp.Header.Get("Content-Type")
+	mediaType, _, parseErr := mime.ParseMediaType(ct)
+	if parseErr == nil && mediaType == "application/jwt" {
+		payload, err := p.remoteKeySet.VerifySignature(ctx, string(body))
+		if err != nil {
+			return nil, fmt.Errorf("oidc: invalid userinfo jwt signature %v", err)
+		}
+		body = payload
+	}
+
+	var userInfo userInfoRaw
+	if err := json.Unmarshal(body, &userInfo); err != nil {
+		return nil, fmt.Errorf("oidc: failed to decode userinfo: %v", err)
+	}
+	return &UserInfo{
+		Subject:       userInfo.Subject,
+		Profile:       userInfo.Profile,
+		Email:         userInfo.Email,
+		EmailVerified: bool(userInfo.EmailVerified),
+		claims:        body,
+	}, nil
+}
+
+// IDToken is an OpenID Connect extension that provides a predictable representation
+// of an authorization event.
+//
+// The ID Token only holds fields OpenID Connect requires. To access additional
+// claims returned by the server, use the Claims method.
+type IDToken struct {
+	// The URL of the server which issued this token. OpenID Connect
+	// requires this value always be identical to the URL used for
+	// initial discovery.
+	//
+	// Note: Because of a known issue with Google Accounts' implementation
+	// this value may differ when using Google.
+	//
+	// See: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
+	Issuer string
+
+	// The client ID, or set of client IDs, that this token is issued for. For
+	// common uses, this is the client that initialized the auth flow.
+	//
+	// This package ensures the audience contains an expected value.
+	Audience []string
+
+	// A unique string which identifies the end user.
+	Subject string
+
+	// Expiry of the token. Ths package will not process tokens that have
+	// expired unless that validation is explicitly turned off.
+	Expiry time.Time
+	// When the token was issued by the provider.
+	IssuedAt time.Time
+
+	// Initial nonce provided during the authentication redirect.
+	//
+	// This package does NOT provided verification on the value of this field
+	// and it's the user's responsibility to ensure it contains a valid value.
+	Nonce string
+
+	// at_hash claim, if set in the ID token. Callers can verify an access token
+	// that corresponds to the ID token using the VerifyAccessToken method.
+	AccessTokenHash string
+
+	// signature algorithm used for ID token, needed to compute a verification hash of an
+	// access token
+	sigAlgorithm string
+
+	// Raw payload of the id_token.
+	claims []byte
+
+	// Map of distributed claim names to claim sources
+	distributedClaims map[string]claimSource
+}
+
+// Claims unmarshals the raw JSON payload of the ID Token into a provided struct.
+//
+//		idToken, err := idTokenVerifier.Verify(rawIDToken)
+//		if err != nil {
+//			// handle error
+//		}
+//		var claims struct {
+//			Email         string `json:"email"`
+//			EmailVerified bool   `json:"email_verified"`
+//		}
+//		if err := idToken.Claims(&claims); err != nil {
+//			// handle error
+//		}
+//
+func (i *IDToken) Claims(v interface{}) error {
+	if i.claims == nil {
+		return errors.New("oidc: claims not set")
+	}
+	return json.Unmarshal(i.claims, v)
+}
+
+// VerifyAccessToken verifies that the hash of the access token that corresponds to the iD token
+// matches the hash in the id token. It returns an error if the hashes  don't match.
+// It is the caller's responsibility to ensure that the optional access token hash is present for the ID token
+// before calling this method. See https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
+func (i *IDToken) VerifyAccessToken(accessToken string) error {
+	if i.AccessTokenHash == "" {
+		return errNoAtHash
+	}
+	var h hash.Hash
+	switch i.sigAlgorithm {
+	case RS256, ES256, PS256:
+		h = sha256.New()
+	case RS384, ES384, PS384:
+		h = sha512.New384()
+	case RS512, ES512, PS512:
+		h = sha512.New()
+	default:
+		return fmt.Errorf("oidc: unsupported signing algorithm %q", i.sigAlgorithm)
+	}
+	h.Write([]byte(accessToken)) // hash documents that Write will never return an error
+	sum := h.Sum(nil)[:h.Size()/2]
+	actual := base64.RawURLEncoding.EncodeToString(sum)
+	if actual != i.AccessTokenHash {
+		return errInvalidAtHash
+	}
+	return nil
+}
+
+type idToken struct {
+	Issuer       string                 `json:"iss"`
+	Subject      string                 `json:"sub"`
+	Audience     audience               `json:"aud"`
+	Expiry       jsonTime               `json:"exp"`
+	IssuedAt     jsonTime               `json:"iat"`
+	NotBefore    *jsonTime              `json:"nbf"`
+	Nonce        string                 `json:"nonce"`
+	AtHash       string                 `json:"at_hash"`
+	ClaimNames   map[string]string      `json:"_claim_names"`
+	ClaimSources map[string]claimSource `json:"_claim_sources"`
+}
+
+type claimSource struct {
+	Endpoint    string `json:"endpoint"`
+	AccessToken string `json:"access_token"`
+}
+
+type stringAsBool bool
+
+func (sb *stringAsBool) UnmarshalJSON(b []byte) error {
+	var result bool
+	err := json.Unmarshal(b, &result)
+	if err == nil {
+		*sb = stringAsBool(result)
+		return nil
+	}
+	var s string
+	err = json.Unmarshal(b, &s)
+	if err != nil {
+		return err
+	}
+	result, err = strconv.ParseBool(s)
+	if err != nil {
+		return err
+	}
+	*sb = stringAsBool(result)
+	return nil
+}
+
+type audience []string
+
+func (a *audience) UnmarshalJSON(b []byte) error {
+	var s string
+	if json.Unmarshal(b, &s) == nil {
+		*a = audience{s}
+		return nil
+	}
+	var auds []string
+	if err := json.Unmarshal(b, &auds); err != nil {
+		return err
+	}
+	*a = audience(auds)
+	return nil
+}
+
+type jsonTime time.Time
+
+func (j *jsonTime) UnmarshalJSON(b []byte) error {
+	var n json.Number
+	if err := json.Unmarshal(b, &n); err != nil {
+		return err
+	}
+	var unix int64
+
+	if t, err := n.Int64(); err == nil {
+		unix = t
+	} else {
+		f, err := n.Float64()
+		if err != nil {
+			return err
+		}
+		unix = int64(f)
+	}
+	*j = jsonTime(time.Unix(unix, 0))
+	return nil
+}
+
+func unmarshalResp(r *http.Response, body []byte, v interface{}) error {
+	err := json.Unmarshal(body, &v)
+	if err == nil {
+		return nil
+	}
+	ct := r.Header.Get("Content-Type")
+	mediaType, _, parseErr := mime.ParseMediaType(ct)
+	if parseErr == nil && mediaType == "application/json" {
+		return fmt.Errorf("got Content-Type = application/json, but could not unmarshal as JSON: %v", err)
+	}
+	return fmt.Errorf("expected Content-Type = application/json, got %q: %v", ct, err)
+}
diff --git a/vendor/github.com/coreos/go-oidc/test b/vendor/github.com/coreos/go-oidc/test
new file mode 100644
index 00000000..b262d0e7
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/test
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+# Filter out any files with a !golint build tag.
+LINTABLE=$( go list -tags=golint -f '
+  {{- range $i, $file := .GoFiles -}}
+    {{ $file }} {{ end }}
+  {{ range $i, $file := .TestGoFiles -}}
+    {{ $file }} {{ end }}' github.com/coreos/go-oidc )
+
+go test -v -i -race github.com/coreos/go-oidc/...
+go test -v -race github.com/coreos/go-oidc/...
+golint -set_exit_status $LINTABLE
+go vet github.com/coreos/go-oidc/...
+go build -v ./example/...
diff --git a/vendor/github.com/coreos/go-oidc/verify.go b/vendor/github.com/coreos/go-oidc/verify.go
new file mode 100644
index 00000000..3e7999c9
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/verify.go
@@ -0,0 +1,336 @@
+package oidc
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"time"
+
+	"golang.org/x/oauth2"
+	jose "gopkg.in/go-jose/go-jose.v2"
+)
+
+const (
+	issuerGoogleAccounts         = "https://accounts.google.com"
+	issuerGoogleAccountsNoScheme = "accounts.google.com"
+)
+
+// KeySet is a set of publc JSON Web Keys that can be used to validate the signature
+// of JSON web tokens. This is expected to be backed by a remote key set through
+// provider metadata discovery or an in-memory set of keys delivered out-of-band.
+type KeySet interface {
+	// VerifySignature parses the JSON web token, verifies the signature, and returns
+	// the raw payload. Header and claim fields are validated by other parts of the
+	// package. For example, the KeySet does not need to check values such as signature
+	// algorithm, issuer, and audience since the IDTokenVerifier validates these values
+	// independently.
+	//
+	// If VerifySignature makes HTTP requests to verify the token, it's expected to
+	// use any HTTP client associated with the context through ClientContext.
+	VerifySignature(ctx context.Context, jwt string) (payload []byte, err error)
+}
+
+// IDTokenVerifier provides verification for ID Tokens.
+type IDTokenVerifier struct {
+	keySet KeySet
+	config *Config
+	issuer string
+}
+
+// NewVerifier returns a verifier manually constructed from a key set and issuer URL.
+//
+// It's easier to use provider discovery to construct an IDTokenVerifier than creating
+// one directly. This method is intended to be used with provider that don't support
+// metadata discovery, or avoiding round trips when the key set URL is already known.
+//
+// This constructor can be used to create a verifier directly using the issuer URL and
+// JSON Web Key Set URL without using discovery:
+//
+//		keySet := oidc.NewRemoteKeySet(ctx, "https://www.googleapis.com/oauth2/v3/certs")
+//		verifier := oidc.NewVerifier("https://accounts.google.com", keySet, config)
+//
+// Since KeySet is an interface, this constructor can also be used to supply custom
+// public key sources. For example, if a user wanted to supply public keys out-of-band
+// and hold them statically in-memory:
+//
+//		// Custom KeySet implementation.
+//		keySet := newStatisKeySet(publicKeys...)
+//
+//		// Verifier uses the custom KeySet implementation.
+//		verifier := oidc.NewVerifier("https://auth.example.com", keySet, config)
+//
+func NewVerifier(issuerURL string, keySet KeySet, config *Config) *IDTokenVerifier {
+	return &IDTokenVerifier{keySet: keySet, config: config, issuer: issuerURL}
+}
+
+// Config is the configuration for an IDTokenVerifier.
+type Config struct {
+	// Expected audience of the token. For a majority of the cases this is expected to be
+	// the ID of the client that initialized the login flow. It may occasionally differ if
+	// the provider supports the authorizing party (azp) claim.
+	//
+	// If not provided, users must explicitly set SkipClientIDCheck.
+	ClientID string
+	// If specified, only this set of algorithms may be used to sign the JWT.
+	//
+	// If the IDTokenVerifier is created from a provider with (*Provider).Verifier, this
+	// defaults to the set of algorithms the provider supports. Otherwise this values
+	// defaults to RS256.
+	SupportedSigningAlgs []string
+
+	// If true, no ClientID check performed. Must be true if ClientID field is empty.
+	SkipClientIDCheck bool
+	// If true, token expiry is not checked.
+	SkipExpiryCheck bool
+
+	// SkipIssuerCheck is intended for specialized cases where the the caller wishes to
+	// defer issuer validation. When enabled, callers MUST independently verify the Token's
+	// Issuer is a known good value.
+	//
+	// Mismatched issuers often indicate client mis-configuration. If mismatches are
+	// unexpected, evaluate if the provided issuer URL is incorrect instead of enabling
+	// this option.
+	SkipIssuerCheck bool
+
+	// Time function to check Token expiry. Defaults to time.Now
+	Now func() time.Time
+}
+
+// Verifier returns an IDTokenVerifier that uses the provider's key set to verify JWTs.
+//
+// The returned IDTokenVerifier is tied to the Provider's context and its behavior is
+// undefined once the Provider's context is canceled.
+func (p *Provider) Verifier(config *Config) *IDTokenVerifier {
+	if len(config.SupportedSigningAlgs) == 0 && len(p.algorithms) > 0 {
+		// Make a copy so we don't modify the config values.
+		cp := &Config{}
+		*cp = *config
+		cp.SupportedSigningAlgs = p.algorithms
+		config = cp
+	}
+	return NewVerifier(p.issuer, p.remoteKeySet, config)
+}
+
+func parseJWT(p string) ([]byte, error) {
+	parts := strings.Split(p, ".")
+	if len(parts) < 2 {
+		return nil, fmt.Errorf("oidc: malformed jwt, expected 3 parts got %d", len(parts))
+	}
+	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return nil, fmt.Errorf("oidc: malformed jwt payload: %v", err)
+	}
+	return payload, nil
+}
+
+func contains(sli []string, ele string) bool {
+	for _, s := range sli {
+		if s == ele {
+			return true
+		}
+	}
+	return false
+}
+
+// Returns the Claims from the distributed JWT token
+func resolveDistributedClaim(ctx context.Context, verifier *IDTokenVerifier, src claimSource) ([]byte, error) {
+	req, err := http.NewRequest("GET", src.Endpoint, nil)
+	if err != nil {
+		return nil, fmt.Errorf("malformed request: %v", err)
+	}
+	if src.AccessToken != "" {
+		req.Header.Set("Authorization", "Bearer "+src.AccessToken)
+	}
+
+	resp, err := doRequest(ctx, req)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: Request to endpoint failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("unable to read response body: %v", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("oidc: request failed: %v", resp.StatusCode)
+	}
+
+	token, err := verifier.Verify(ctx, string(body))
+	if err != nil {
+		return nil, fmt.Errorf("malformed response body: %v", err)
+	}
+
+	return token.claims, nil
+}
+
+func parseClaim(raw []byte, name string, v interface{}) error {
+	var parsed map[string]json.RawMessage
+	if err := json.Unmarshal(raw, &parsed); err != nil {
+		return err
+	}
+
+	val, ok := parsed[name]
+	if !ok {
+		return fmt.Errorf("claim doesn't exist: %s", name)
+	}
+
+	return json.Unmarshal([]byte(val), v)
+}
+
+// Verify parses a raw ID Token, verifies it's been signed by the provider, performs
+// any additional checks depending on the Config, and returns the payload.
+//
+// Verify does NOT do nonce validation, which is the callers responsibility.
+//
+// See: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
+//
+//    oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
+//    if err != nil {
+//        // handle error
+//    }
+//
+//    // Extract the ID Token from oauth2 token.
+//    rawIDToken, ok := oauth2Token.Extra("id_token").(string)
+//    if !ok {
+//        // handle error
+//    }
+//
+//    token, err := verifier.Verify(ctx, rawIDToken)
+//
+func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDToken, error) {
+	jws, err := jose.ParseSigned(rawIDToken)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
+	}
+
+	// Throw out tokens with invalid claims before trying to verify the token. This lets
+	// us do cheap checks before possibly re-syncing keys.
+	payload, err := parseJWT(rawIDToken)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
+	}
+	var token idToken
+	if err := json.Unmarshal(payload, &token); err != nil {
+		return nil, fmt.Errorf("oidc: failed to unmarshal claims: %v", err)
+	}
+
+	distributedClaims := make(map[string]claimSource)
+
+	//step through the token to map claim names to claim sources"
+	for cn, src := range token.ClaimNames {
+		if src == "" {
+			return nil, fmt.Errorf("oidc: failed to obtain source from claim name")
+		}
+		s, ok := token.ClaimSources[src]
+		if !ok {
+			return nil, fmt.Errorf("oidc: source does not exist")
+		}
+		distributedClaims[cn] = s
+	}
+
+	t := &IDToken{
+		Issuer:            token.Issuer,
+		Subject:           token.Subject,
+		Audience:          []string(token.Audience),
+		Expiry:            time.Time(token.Expiry),
+		IssuedAt:          time.Time(token.IssuedAt),
+		Nonce:             token.Nonce,
+		AccessTokenHash:   token.AtHash,
+		claims:            payload,
+		distributedClaims: distributedClaims,
+	}
+
+	// Check issuer.
+	if !v.config.SkipIssuerCheck && t.Issuer != v.issuer {
+		// Google sometimes returns "accounts.google.com" as the issuer claim instead of
+		// the required "https://accounts.google.com". Detect this case and allow it only
+		// for Google.
+		//
+		// We will not add hooks to let other providers go off spec like this.
+		if !(v.issuer == issuerGoogleAccounts && t.Issuer == issuerGoogleAccountsNoScheme) {
+			return nil, fmt.Errorf("oidc: id token issued by a different provider, expected %q got %q", v.issuer, t.Issuer)
+		}
+	}
+
+	// If a client ID has been provided, make sure it's part of the audience. SkipClientIDCheck must be true if ClientID is empty.
+	//
+	// This check DOES NOT ensure that the ClientID is the party to which the ID Token was issued (i.e. Authorized party).
+	if !v.config.SkipClientIDCheck {
+		if v.config.ClientID != "" {
+			if !contains(t.Audience, v.config.ClientID) {
+				return nil, fmt.Errorf("oidc: expected audience %q got %q", v.config.ClientID, t.Audience)
+			}
+		} else {
+			return nil, fmt.Errorf("oidc: invalid configuration, clientID must be provided or SkipClientIDCheck must be set")
+		}
+	}
+
+	// If a SkipExpiryCheck is false, make sure token is not expired.
+	if !v.config.SkipExpiryCheck {
+		now := time.Now
+		if v.config.Now != nil {
+			now = v.config.Now
+		}
+		nowTime := now()
+
+		if t.Expiry.Before(nowTime) {
+			return nil, fmt.Errorf("oidc: token is expired (Token Expiry: %v)", t.Expiry)
+		}
+
+		// If nbf claim is provided in token, ensure that it is indeed in the past.
+		if token.NotBefore != nil {
+			nbfTime := time.Time(*token.NotBefore)
+			leeway := 1 * time.Minute
+
+			if nowTime.Add(leeway).Before(nbfTime) {
+				return nil, fmt.Errorf("oidc: current time %v before the nbf (not before) time: %v", nowTime, nbfTime)
+			}
+		}
+	}
+
+	switch len(jws.Signatures) {
+	case 0:
+		return nil, fmt.Errorf("oidc: id token not signed")
+	case 1:
+	default:
+		return nil, fmt.Errorf("oidc: multiple signatures on id token not supported")
+	}
+
+	sig := jws.Signatures[0]
+	supportedSigAlgs := v.config.SupportedSigningAlgs
+	if len(supportedSigAlgs) == 0 {
+		supportedSigAlgs = []string{RS256}
+	}
+
+	if !contains(supportedSigAlgs, sig.Header.Algorithm) {
+		return nil, fmt.Errorf("oidc: id token signed with unsupported algorithm, expected %q got %q", supportedSigAlgs, sig.Header.Algorithm)
+	}
+
+	t.sigAlgorithm = sig.Header.Algorithm
+
+	gotPayload, err := v.keySet.VerifySignature(ctx, rawIDToken)
+	if err != nil {
+		return nil, fmt.Errorf("failed to verify signature: %v", err)
+	}
+
+	// Ensure that the payload returned by the square actually matches the payload parsed earlier.
+	if !bytes.Equal(gotPayload, payload) {
+		return nil, errors.New("oidc: internal error, payload parsed did not match previous payload")
+	}
+
+	return t, nil
+}
+
+// Nonce returns an auth code option which requires the ID Token created by the
+// OpenID Connect provider to contain the specified nonce.
+func Nonce(nonce string) oauth2.AuthCodeOption {
+	return oauth2.SetAuthURLParam("nonce", nonce)
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/.gitignore b/vendor/github.com/golang-jwt/jwt/v5/.gitignore
new file mode 100644
index 00000000..09573e01
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/.gitignore
@@ -0,0 +1,4 @@
+.DS_Store
+bin
+.idea/
+
diff --git a/vendor/github.com/golang-jwt/jwt/v5/LICENSE b/vendor/github.com/golang-jwt/jwt/v5/LICENSE
new file mode 100644
index 00000000..35dbc252
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/LICENSE
@@ -0,0 +1,9 @@
+Copyright (c) 2012 Dave Grijalva
+Copyright (c) 2021 golang-jwt maintainers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
diff --git a/vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md b/vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md
new file mode 100644
index 00000000..ff9c57e1
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md
@@ -0,0 +1,195 @@
+# Migration Guide (v5.0.0)
+
+Version `v5` contains a major rework of core functionalities in the `jwt-go`
+library. This includes support for several validation options as well as a
+re-design of the `Claims` interface. Lastly, we reworked how errors work under
+the hood, which should provide a better overall developer experience.
+
+Starting from [v5.0.0](https://github.com/golang-jwt/jwt/releases/tag/v5.0.0),
+the import path will be:
+
+    "github.com/golang-jwt/jwt/v5"
+
+For most users, changing the import path *should* suffice. However, since we
+intentionally changed and cleaned some of the public API, existing programs
+might need to be updated. The following sections describe significant changes
+and corresponding updates for existing programs.
+
+## Parsing and Validation Options
+
+Under the hood, a new `Validator` struct takes care of validating the claims. A
+long awaited feature has been the option to fine-tune the validation of tokens.
+This is now possible with several `ParserOption` functions that can be appended
+to most `Parse` functions, such as `ParseWithClaims`. The most important options
+and changes are:
+  * Added `WithLeeway` to support specifying the leeway that is allowed when
+    validating time-based claims, such as `exp` or `nbf`.
+  * Changed default behavior to not check the `iat` claim. Usage of this claim
+    is OPTIONAL according to the JWT RFC. The claim itself is also purely
+    informational according to the RFC, so a strict validation failure is not
+    recommended. If you want to check for sensible values in these claims,
+    please use the `WithIssuedAt` parser option.
+  * Added `WithAudience`, `WithSubject` and `WithIssuer` to support checking for
+    expected `aud`, `sub` and `iss`.
+  * Added `WithStrictDecoding` and `WithPaddingAllowed` options to allow
+    previously global settings to enable base64 strict encoding and the parsing
+    of base64 strings with padding. The latter is strictly speaking against the
+    standard, but unfortunately some of the major identity providers issue some
+    of these incorrect tokens. Both options are disabled by default.
+
+## Changes to the `Claims` interface
+
+### Complete Restructuring
+
+Previously, the claims interface was satisfied with an implementation of a
+`Valid() error` function. This had several issues:
+  * The different claim types (struct claims, map claims, etc.) then contained
+    similar (but not 100 % identical) code of how this validation was done. This
+    lead to a lot of (almost) duplicate code and was hard to maintain
+  * It was not really semantically close to what a "claim" (or a set of claims)
+    really is; which is a list of defined key/value pairs with a certain
+    semantic meaning.
+
+Since all the validation functionality is now extracted into the validator, all
+`VerifyXXX` and `Valid` functions have been removed from the `Claims` interface.
+Instead, the interface now represents a list of getters to retrieve values with
+a specific meaning. This allows us to completely decouple the validation logic
+with the underlying storage representation of the claim, which could be a
+struct, a map or even something stored in a database.
+
+```go
+type Claims interface {
+	GetExpirationTime() (*NumericDate, error)
+	GetIssuedAt() (*NumericDate, error)
+	GetNotBefore() (*NumericDate, error)
+	GetIssuer() (string, error)
+	GetSubject() (string, error)
+	GetAudience() (ClaimStrings, error)
+}
+```
+
+Users that previously directly called the `Valid` function on their claims,
+e.g., to perform validation independently of parsing/verifying a token, can now
+use the `jwt.NewValidator` function to create a `Validator` independently of the
+`Parser`.
+
+```go
+var v = jwt.NewValidator(jwt.WithLeeway(5*time.Second))
+v.Validate(myClaims)
+```
+
+### Supported Claim Types and Removal of `StandardClaims`
+
+The two standard claim types supported by this library, `MapClaims` and
+`RegisteredClaims` both implement the necessary functions of this interface. The
+old `StandardClaims` struct, which has already been deprecated in `v4` is now
+removed.
+
+Users using custom claims, in most cases, will not experience any changes in the
+behavior as long as they embedded `RegisteredClaims`. If they created a new
+claim type from scratch, they now need to implemented the proper getter
+functions.
+
+### Migrating Application Specific Logic of the old `Valid`
+
+Previously, users could override the `Valid` method in a custom claim, for
+example to extend the validation with application-specific claims. However, this
+was always very dangerous, since once could easily disable the standard
+validation and signature checking.
+
+In order to avoid that, while still supporting the use-case, a new
+`ClaimsValidator` interface has been introduced. This interface consists of the
+`Validate() error` function. If the validator sees, that a `Claims` struct
+implements this interface, the errors returned to the `Validate` function will
+be *appended* to the regular standard validation. It is not possible to disable
+the standard validation anymore (even only by accident).
+
+Usage examples can be found in [example_test.go](./example_test.go), to build
+claims structs like the following.
+
+```go
+// MyCustomClaims includes all registered claims, plus Foo.
+type MyCustomClaims struct {
+	Foo string `json:"foo"`
+	jwt.RegisteredClaims
+}
+
+// Validate can be used to execute additional application-specific claims
+// validation.
+func (m MyCustomClaims) Validate() error {
+	if m.Foo != "bar" {
+		return errors.New("must be foobar")
+	}
+
+	return nil
+}
+```
+
+## Changes to the `Token` and `Parser` struct
+
+The previously global functions `DecodeSegment` and `EncodeSegment` were moved
+to the `Parser` and `Token` struct respectively. This will allow us in the
+future to configure the behavior of these two based on options supplied on the
+parser or the token (creation). This also removes two previously global
+variables and moves them to parser options `WithStrictDecoding` and
+`WithPaddingAllowed`.
+
+In order to do that, we had to adjust the way signing methods work. Previously
+they were given a base64 encoded signature in `Verify` and were expected to
+return a base64 encoded version of the signature in `Sign`, both as a `string`.
+However, this made it necessary to have `DecodeSegment` and `EncodeSegment`
+global and was a less than perfect design because we were repeating
+encoding/decoding steps for all signing methods. Now, `Sign` and `Verify`
+operate on a decoded signature as a `[]byte`, which feels more natural for a
+cryptographic operation anyway. Lastly, `Parse` and `SignedString` take care of
+the final encoding/decoding part.
+
+In addition to that, we also changed the `Signature` field on `Token` from a
+`string` to `[]byte` and this is also now populated with the decoded form. This
+is also more consistent, because the other parts of the JWT, mainly `Header` and
+`Claims` were already stored in decoded form in `Token`. Only the signature was
+stored in base64 encoded form, which was redundant with the information in the
+`Raw` field, which contains the complete token as base64.
+
+```go
+type Token struct {
+	Raw       string                 // Raw contains the raw token
+	Method    SigningMethod          // Method is the signing method used or to be used
+	Header    map[string]interface{} // Header is the first segment of the token in decoded form
+	Claims    Claims                 // Claims is the second segment of the token in decoded form
+	Signature []byte                 // Signature is the third segment of the token in decoded form
+	Valid     bool                   // Valid specifies if the token is valid
+}
+```
+
+Most (if not all) of these changes should not impact the normal usage of this
+library. Only users directly accessing the `Signature` field as well as
+developers of custom signing methods should be affected.
+
+# Migration Guide (v4.0.0)
+
+Starting from [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0),
+the import path will be:
+
+    "github.com/golang-jwt/jwt/v4"
+
+The `/v4` version will be backwards compatible with existing `v3.x.y` tags in
+this repo, as well as `github.com/dgrijalva/jwt-go`. For most users this should
+be a drop-in replacement, if you're having troubles migrating, please open an
+issue.
+
+You can replace all occurrences of `github.com/dgrijalva/jwt-go` or
+`github.com/golang-jwt/jwt` with `github.com/golang-jwt/jwt/v4`, either manually
+or by using tools such as `sed` or `gofmt`.
+
+And then you'd typically run:
+
+```
+go get github.com/golang-jwt/jwt/v4
+go mod tidy
+```
+
+# Older releases (before v3.2.0)
+
+The original migration guide for older releases can be found at
+https://github.com/dgrijalva/jwt-go/blob/master/MIGRATION_GUIDE.md.
diff --git a/vendor/github.com/golang-jwt/jwt/v5/README.md b/vendor/github.com/golang-jwt/jwt/v5/README.md
new file mode 100644
index 00000000..0bb636f2
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/README.md
@@ -0,0 +1,167 @@
+# jwt-go
+
+[![build](https://github.com/golang-jwt/jwt/actions/workflows/build.yml/badge.svg)](https://github.com/golang-jwt/jwt/actions/workflows/build.yml)
+[![Go
+Reference](https://pkg.go.dev/badge/github.com/golang-jwt/jwt/v5.svg)](https://pkg.go.dev/github.com/golang-jwt/jwt/v5)
+[![Coverage Status](https://coveralls.io/repos/github/golang-jwt/jwt/badge.svg?branch=main)](https://coveralls.io/github/golang-jwt/jwt?branch=main)
+
+A [go](http://www.golang.org) (or 'golang' for search engine friendliness)
+implementation of [JSON Web
+Tokens](https://datatracker.ietf.org/doc/html/rfc7519).
+
+Starting with [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0)
+this project adds Go module support, but maintains backward compatibility with
+older `v3.x.y` tags and upstream `github.com/dgrijalva/jwt-go`. See the
+[`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information. Version
+v5.0.0 introduces major improvements to the validation of tokens, but is not
+entirely backward compatible. 
+
+> After the original author of the library suggested migrating the maintenance
+> of `jwt-go`, a dedicated team of open source maintainers decided to clone the
+> existing library into this repository. See
+> [dgrijalva/jwt-go#462](https://github.com/dgrijalva/jwt-go/issues/462) for a
+> detailed discussion on this topic.
+
+
+**SECURITY NOTICE:** Some older versions of Go have a security issue in the
+crypto/elliptic. The recommendation is to upgrade to at least 1.15 See issue
+[dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more
+detail.
+
+**SECURITY NOTICE:** It's important that you [validate the `alg` presented is
+what you
+expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/).
+This library attempts to make it easy to do the right thing by requiring key
+types to match the expected alg, but you should take the extra step to verify it in
+your usage.  See the examples provided.
+
+### Supported Go versions
+
+Our support of Go versions is aligned with Go's [version release
+policy](https://golang.org/doc/devel/release#policy). So we will support a major
+version of Go until there are two newer major releases. We no longer support
+building jwt-go with unsupported Go versions, as these contain security
+vulnerabilities that will not be fixed.
+
+## What the heck is a JWT?
+
+JWT.io has [a great introduction](https://jwt.io/introduction) to JSON Web
+Tokens.
+
+In short, it's a signed JSON object that does something useful (for example,
+authentication).  It's commonly used for `Bearer` tokens in Oauth 2.  A token is
+made of three parts, separated by `.`'s.  The first two parts are JSON objects,
+that have been [base64url](https://datatracker.ietf.org/doc/html/rfc4648)
+encoded.  The last part is the signature, encoded the same way.
+
+The first part is called the header.  It contains the necessary information for
+verifying the last part, the signature.  For example, which encryption method
+was used for signing and what key was used.
+
+The part in the middle is the interesting bit.  It's called the Claims and
+contains the actual stuff you care about.  Refer to [RFC
+7519](https://datatracker.ietf.org/doc/html/rfc7519) for information about
+reserved keys and the proper way to add your own.
+
+## What's in the box?
+
+This library supports the parsing and verification as well as the generation and
+signing of JWTs.  Current supported signing algorithms are HMAC SHA, RSA,
+RSA-PSS, and ECDSA, though hooks are present for adding your own.
+
+## Installation Guidelines
+
+1. To install the jwt package, you first need to have
+   [Go](https://go.dev/doc/install) installed, then you can use the command
+   below to add `jwt-go` as a dependency in your Go program.
+
+```sh
+go get -u github.com/golang-jwt/jwt/v5
+```
+
+2. Import it in your code:
+
+```go
+import "github.com/golang-jwt/jwt/v5"
+```
+
+## Usage
+
+A detailed usage guide, including how to sign and verify tokens can be found on
+our [documentation website](https://golang-jwt.github.io/jwt/usage/create/).
+
+## Examples
+
+See [the project documentation](https://pkg.go.dev/github.com/golang-jwt/jwt/v5)
+for examples of usage:
+
+* [Simple example of parsing and validating a
+  token](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#example-Parse-Hmac)
+* [Simple example of building and signing a
+  token](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#example-New-Hmac)
+* [Directory of
+  Examples](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#pkg-examples)
+
+## Compliance
+
+This library was last reviewed to comply with [RFC
+7519](https://datatracker.ietf.org/doc/html/rfc7519) dated May 2015 with a few
+notable differences:
+
+* In order to protect against accidental use of [Unsecured
+  JWTs](https://datatracker.ietf.org/doc/html/rfc7519#section-6), tokens using
+  `alg=none` will only be accepted if the constant
+  `jwt.UnsafeAllowNoneSignatureType` is provided as the key.
+
+## Project Status & Versioning
+
+This library is considered production ready.  Feedback and feature requests are
+appreciated.  The API should be considered stable.  There should be very few
+backward-incompatible changes outside of major version updates (and only with
+good reason).
+
+This project uses [Semantic Versioning 2.0.0](http://semver.org).  Accepted pull
+requests will land on `main`.  Periodically, versions will be tagged from
+`main`.  You can find all the releases on [the project releases
+page](https://github.com/golang-jwt/jwt/releases).
+
+**BREAKING CHANGES:** A full list of breaking changes is available in
+`VERSION_HISTORY.md`.  See [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information on updating
+your code.
+
+## Extensions
+
+This library publishes all the necessary components for adding your own signing
+methods or key functions.  Simply implement the `SigningMethod` interface and
+register a factory method using `RegisterSigningMethod` or provide a
+`jwt.Keyfunc`.
+
+A common use case would be integrating with different 3rd party signature
+providers, like key management services from various cloud providers or Hardware
+Security Modules (HSMs) or to implement additional standards.
+
+| Extension | Purpose                                                                                                  | Repo                                       |
+| --------- | -------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| GCP       | Integrates with multiple Google Cloud Platform signing tools (AppEngine, IAM API, Cloud KMS)             | https://github.com/someone1/gcp-jwt-go     |
+| AWS       | Integrates with AWS Key Management Service, KMS                                                          | https://github.com/matelang/jwt-go-aws-kms |
+| JWKS      | Provides support for JWKS ([RFC 7517](https://datatracker.ietf.org/doc/html/rfc7517)) as a `jwt.Keyfunc` | https://github.com/MicahParks/keyfunc      |
+
+*Disclaimer*: Unless otherwise specified, these integrations are maintained by
+third parties and should not be considered as a primary offer by any of the
+mentioned cloud providers
+
+## More
+
+Go package documentation can be found [on
+pkg.go.dev](https://pkg.go.dev/github.com/golang-jwt/jwt/v5). Additional
+documentation can be found on [our project
+page](https://golang-jwt.github.io/jwt/).
+
+The command line utility included in this project (cmd/jwt) provides a
+straightforward example of token creation and parsing as well as a useful tool
+for debugging your own integration. You'll also find several implementation
+examples in the documentation.
+
+[golang-jwt](https://github.com/orgs/golang-jwt) incorporates a modified version
+of the JWT logo, which is distributed under the terms of the [MIT
+License](https://github.com/jsonwebtoken/jsonwebtoken.github.io/blob/master/LICENSE.txt).
diff --git a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
new file mode 100644
index 00000000..2740597f
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+As of November 2024 (and until this document is updated), the latest version `v5` is supported. In critical cases, we might supply back-ported patches for `v4`.
+
+## Reporting a Vulnerability
+
+If you think you found a vulnerability, and even if you are not sure, please report it a [GitHub Security Advisory](https://github.com/golang-jwt/jwt/security/advisories/new). Please try be explicit, describe steps to reproduce the security issue with code example(s).
+
+You will receive a response within a timely manner. If the issue is confirmed, we will do our best to release a patch as soon as possible given the complexity of the problem.
+
+## Public Discussions
+
+Please avoid publicly discussing a potential security vulnerability.
+
+Let's take this offline and find a solution first, this limits the potential impact as much as possible.
+
+We appreciate your help!
diff --git a/vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md b/vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md
new file mode 100644
index 00000000..b5039e49
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md
@@ -0,0 +1,137 @@
+# `jwt-go` Version History
+
+The following version history is kept for historic purposes. To retrieve the current changes of each version, please refer to the change-log of the specific release versions on https://github.com/golang-jwt/jwt/releases.
+
+## 4.0.0
+
+* Introduces support for Go modules. The `v4` version will be backwards compatible with `v3.x.y`.
+
+## 3.2.2
+
+* Starting from this release, we are adopting the policy to support the most 2 recent versions of Go currently available. By the time of this release, this is Go 1.15 and 1.16 ([#28](https://github.com/golang-jwt/jwt/pull/28)).
+* Fixed a potential issue that could occur when the verification of `exp`, `iat` or `nbf` was not required and contained invalid contents, i.e. non-numeric/date. Thanks for @thaJeztah for making us aware of that and @giorgos-f3 for originally reporting it to the formtech fork ([#40](https://github.com/golang-jwt/jwt/pull/40)).
+* Added support for EdDSA / ED25519 ([#36](https://github.com/golang-jwt/jwt/pull/36)).
+* Optimized allocations ([#33](https://github.com/golang-jwt/jwt/pull/33)).
+
+## 3.2.1
+
+* **Import Path Change**: See MIGRATION_GUIDE.md for tips on updating your code
+	* Changed the import path from `github.com/dgrijalva/jwt-go` to `github.com/golang-jwt/jwt`
+* Fixed type confusing issue between `string` and `[]string` in `VerifyAudience` ([#12](https://github.com/golang-jwt/jwt/pull/12)). This fixes CVE-2020-26160 
+
+#### 3.2.0
+
+* Added method `ParseUnverified` to allow users to split up the tasks of parsing and validation
+* HMAC signing method returns `ErrInvalidKeyType` instead of `ErrInvalidKey` where appropriate
+* Added options to `request.ParseFromRequest`, which allows for an arbitrary list of modifiers to parsing behavior. Initial set include `WithClaims` and `WithParser`. Existing usage of this function will continue to work as before.
+* Deprecated `ParseFromRequestWithClaims` to simplify API in the future.
+
+#### 3.1.0
+
+* Improvements to `jwt` command line tool
+* Added `SkipClaimsValidation` option to `Parser`
+* Documentation updates
+
+#### 3.0.0
+
+* **Compatibility Breaking Changes**: See MIGRATION_GUIDE.md for tips on updating your code
+	* Dropped support for `[]byte` keys when using RSA signing methods.  This convenience feature could contribute to security vulnerabilities involving mismatched key types with signing methods.
+	* `ParseFromRequest` has been moved to `request` subpackage and usage has changed
+	* The `Claims` property on `Token` is now type `Claims` instead of `map[string]interface{}`.  The default value is type `MapClaims`, which is an alias to `map[string]interface{}`.  This makes it possible to use a custom type when decoding claims.
+* Other Additions and Changes
+	* Added `Claims` interface type to allow users to decode the claims into a custom type
+	* Added `ParseWithClaims`, which takes a third argument of type `Claims`.  Use this function instead of `Parse` if you have a custom type you'd like to decode into.
+	* Dramatically improved the functionality and flexibility of `ParseFromRequest`, which is now in the `request` subpackage
+	* Added `ParseFromRequestWithClaims` which is the `FromRequest` equivalent of `ParseWithClaims`
+	* Added new interface type `Extractor`, which is used for extracting JWT strings from http requests.  Used with `ParseFromRequest` and `ParseFromRequestWithClaims`.
+	* Added several new, more specific, validation errors to error type bitmask
+	* Moved examples from README to executable example files
+	* Signing method registry is now thread safe
+	* Added new property to `ValidationError`, which contains the raw error returned by calls made by parse/verify (such as those returned by keyfunc or json parser)
+
+#### 2.7.0
+
+This will likely be the last backwards compatible release before 3.0.0, excluding essential bug fixes.
+
+* Added new option `-show` to the `jwt` command that will just output the decoded token without verifying
+* Error text for expired tokens includes how long it's been expired
+* Fixed incorrect error returned from `ParseRSAPublicKeyFromPEM`
+* Documentation updates
+
+#### 2.6.0
+
+* Exposed inner error within ValidationError
+* Fixed validation errors when using UseJSONNumber flag
+* Added several unit tests
+
+#### 2.5.0
+
+* Added support for signing method none.  You shouldn't use this.  The API tries to make this clear.
+* Updated/fixed some documentation
+* Added more helpful error message when trying to parse tokens that begin with `BEARER `
+
+#### 2.4.0
+
+* Added new type, Parser, to allow for configuration of various parsing parameters
+	* You can now specify a list of valid signing methods.  Anything outside this set will be rejected.
+	* You can now opt to use the `json.Number` type instead of `float64` when parsing token JSON
+* Added support for [Travis CI](https://travis-ci.org/dgrijalva/jwt-go)
+* Fixed some bugs with ECDSA parsing
+
+#### 2.3.0
+
+* Added support for ECDSA signing methods
+* Added support for RSA PSS signing methods (requires go v1.4)
+
+#### 2.2.0
+
+* Gracefully handle a `nil` `Keyfunc` being passed to `Parse`.  Result will now be the parsed token and an error, instead of a panic.
+
+#### 2.1.0
+
+Backwards compatible API change that was missed in 2.0.0.
+
+* The `SignedString` method on `Token` now takes `interface{}` instead of `[]byte`
+
+#### 2.0.0
+
+There were two major reasons for breaking backwards compatibility with this update.  The first was a refactor required to expand the width of the RSA and HMAC-SHA signing implementations.  There will likely be no required code changes to support this change.
+
+The second update, while unfortunately requiring a small change in integration, is required to open up this library to other signing methods.  Not all keys used for all signing methods have a single standard on-disk representation.  Requiring `[]byte` as the type for all keys proved too limiting.  Additionally, this implementation allows for pre-parsed tokens to be reused, which might matter in an application that parses a high volume of tokens with a small set of keys.  Backwards compatibilty has been maintained for passing `[]byte` to the RSA signing methods, but they will also accept `*rsa.PublicKey` and `*rsa.PrivateKey`.
+
+It is likely the only integration change required here will be to change `func(t *jwt.Token) ([]byte, error)` to `func(t *jwt.Token) (interface{}, error)` when calling `Parse`.
+
+* **Compatibility Breaking Changes**
+	* `SigningMethodHS256` is now `*SigningMethodHMAC` instead of `type struct`
+	* `SigningMethodRS256` is now `*SigningMethodRSA` instead of `type struct`
+	* `KeyFunc` now returns `interface{}` instead of `[]byte`
+	* `SigningMethod.Sign` now takes `interface{}` instead of `[]byte` for the key
+	* `SigningMethod.Verify` now takes `interface{}` instead of `[]byte` for the key
+* Renamed type `SigningMethodHS256` to `SigningMethodHMAC`.  Specific sizes are now just instances of this type.
+    * Added public package global `SigningMethodHS256`
+    * Added public package global `SigningMethodHS384`
+    * Added public package global `SigningMethodHS512`
+* Renamed type `SigningMethodRS256` to `SigningMethodRSA`.  Specific sizes are now just instances of this type.
+    * Added public package global `SigningMethodRS256`
+    * Added public package global `SigningMethodRS384`
+    * Added public package global `SigningMethodRS512`
+* Moved sample private key for HMAC tests from an inline value to a file on disk.  Value is unchanged.
+* Refactored the RSA implementation to be easier to read
+* Exposed helper methods `ParseRSAPrivateKeyFromPEM` and `ParseRSAPublicKeyFromPEM`
+
+## 1.0.2
+
+* Fixed bug in parsing public keys from certificates
+* Added more tests around the parsing of keys for RS256
+* Code refactoring in RS256 implementation.  No functional changes
+
+## 1.0.1
+
+* Fixed panic if RS256 signing method was passed an invalid key
+
+## 1.0.0
+
+* First versioned release
+* API stabilized
+* Supports creating, signing, parsing, and validating JWT tokens
+* Supports RS256 and HS256 signing methods
diff --git a/vendor/github.com/golang-jwt/jwt/v5/claims.go b/vendor/github.com/golang-jwt/jwt/v5/claims.go
new file mode 100644
index 00000000..d50ff3da
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/claims.go
@@ -0,0 +1,16 @@
+package jwt
+
+// Claims represent any form of a JWT Claims Set according to
+// https://datatracker.ietf.org/doc/html/rfc7519#section-4. In order to have a
+// common basis for validation, it is required that an implementation is able to
+// supply at least the claim names provided in
+// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1 namely `exp`,
+// `iat`, `nbf`, `iss`, `sub` and `aud`.
+type Claims interface {
+	GetExpirationTime() (*NumericDate, error)
+	GetIssuedAt() (*NumericDate, error)
+	GetNotBefore() (*NumericDate, error)
+	GetIssuer() (string, error)
+	GetSubject() (string, error)
+	GetAudience() (ClaimStrings, error)
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/doc.go b/vendor/github.com/golang-jwt/jwt/v5/doc.go
new file mode 100644
index 00000000..a86dc1a3
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/doc.go
@@ -0,0 +1,4 @@
+// Package jwt is a Go implementation of JSON Web Tokens: http://self-issued.info/docs/draft-jones-json-web-token.html
+//
+// See README.md for more info.
+package jwt
diff --git a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
new file mode 100644
index 00000000..c929e4a0
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
@@ -0,0 +1,134 @@
+package jwt
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/rand"
+	"errors"
+	"math/big"
+)
+
+var (
+	// Sadly this is missing from crypto/ecdsa compared to crypto/rsa
+	ErrECDSAVerification = errors.New("crypto/ecdsa: verification error")
+)
+
+// SigningMethodECDSA implements the ECDSA family of signing methods.
+// Expects *ecdsa.PrivateKey for signing and *ecdsa.PublicKey for verification
+type SigningMethodECDSA struct {
+	Name      string
+	Hash      crypto.Hash
+	KeySize   int
+	CurveBits int
+}
+
+// Specific instances for EC256 and company
+var (
+	SigningMethodES256 *SigningMethodECDSA
+	SigningMethodES384 *SigningMethodECDSA
+	SigningMethodES512 *SigningMethodECDSA
+)
+
+func init() {
+	// ES256
+	SigningMethodES256 = &SigningMethodECDSA{"ES256", crypto.SHA256, 32, 256}
+	RegisterSigningMethod(SigningMethodES256.Alg(), func() SigningMethod {
+		return SigningMethodES256
+	})
+
+	// ES384
+	SigningMethodES384 = &SigningMethodECDSA{"ES384", crypto.SHA384, 48, 384}
+	RegisterSigningMethod(SigningMethodES384.Alg(), func() SigningMethod {
+		return SigningMethodES384
+	})
+
+	// ES512
+	SigningMethodES512 = &SigningMethodECDSA{"ES512", crypto.SHA512, 66, 521}
+	RegisterSigningMethod(SigningMethodES512.Alg(), func() SigningMethod {
+		return SigningMethodES512
+	})
+}
+
+func (m *SigningMethodECDSA) Alg() string {
+	return m.Name
+}
+
+// Verify implements token verification for the SigningMethod.
+// For this verify method, key must be an ecdsa.PublicKey struct
+func (m *SigningMethodECDSA) Verify(signingString string, sig []byte, key interface{}) error {
+	// Get the key
+	var ecdsaKey *ecdsa.PublicKey
+	switch k := key.(type) {
+	case *ecdsa.PublicKey:
+		ecdsaKey = k
+	default:
+		return newError("ECDSA verify expects *ecdsa.PublicKey", ErrInvalidKeyType)
+	}
+
+	if len(sig) != 2*m.KeySize {
+		return ErrECDSAVerification
+	}
+
+	r := big.NewInt(0).SetBytes(sig[:m.KeySize])
+	s := big.NewInt(0).SetBytes(sig[m.KeySize:])
+
+	// Create hasher
+	if !m.Hash.Available() {
+		return ErrHashUnavailable
+	}
+	hasher := m.Hash.New()
+	hasher.Write([]byte(signingString))
+
+	// Verify the signature
+	if verifystatus := ecdsa.Verify(ecdsaKey, hasher.Sum(nil), r, s); verifystatus {
+		return nil
+	}
+
+	return ErrECDSAVerification
+}
+
+// Sign implements token signing for the SigningMethod.
+// For this signing method, key must be an ecdsa.PrivateKey struct
+func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) ([]byte, error) {
+	// Get the key
+	var ecdsaKey *ecdsa.PrivateKey
+	switch k := key.(type) {
+	case *ecdsa.PrivateKey:
+		ecdsaKey = k
+	default:
+		return nil, newError("ECDSA sign expects *ecdsa.PrivateKey", ErrInvalidKeyType)
+	}
+
+	// Create the hasher
+	if !m.Hash.Available() {
+		return nil, ErrHashUnavailable
+	}
+
+	hasher := m.Hash.New()
+	hasher.Write([]byte(signingString))
+
+	// Sign the string and return r, s
+	if r, s, err := ecdsa.Sign(rand.Reader, ecdsaKey, hasher.Sum(nil)); err == nil {
+		curveBits := ecdsaKey.Curve.Params().BitSize
+
+		if m.CurveBits != curveBits {
+			return nil, ErrInvalidKey
+		}
+
+		keyBytes := curveBits / 8
+		if curveBits%8 > 0 {
+			keyBytes += 1
+		}
+
+		// We serialize the outputs (r and s) into big-endian byte arrays
+		// padded with zeros on the left to make sure the sizes work out.
+		// Output must be 2*keyBytes long.
+		out := make([]byte, 2*keyBytes)
+		r.FillBytes(out[0:keyBytes]) // r is assigned to the first half of output.
+		s.FillBytes(out[keyBytes:])  // s is assigned to the second half of output.
+
+		return out, nil
+	} else {
+		return nil, err
+	}
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/ecdsa_utils.go b/vendor/github.com/golang-jwt/jwt/v5/ecdsa_utils.go
new file mode 100644
index 00000000..5700636d
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/ecdsa_utils.go
@@ -0,0 +1,69 @@
+package jwt
+
+import (
+	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+)
+
+var (
+	ErrNotECPublicKey  = errors.New("key is not a valid ECDSA public key")
+	ErrNotECPrivateKey = errors.New("key is not a valid ECDSA private key")
+)
+
+// ParseECPrivateKeyFromPEM parses a PEM encoded Elliptic Curve Private Key Structure
+func ParseECPrivateKeyFromPEM(key []byte) (*ecdsa.PrivateKey, error) {
+	var err error
+
+	// Parse PEM block
+	var block *pem.Block
+	if block, _ = pem.Decode(key); block == nil {
+		return nil, ErrKeyMustBePEMEncoded
+	}
+
+	// Parse the key
+	var parsedKey interface{}
+	if parsedKey, err = x509.ParseECPrivateKey(block.Bytes); err != nil {
+		if parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
+			return nil, err
+		}
+	}
+
+	var pkey *ecdsa.PrivateKey
+	var ok bool
+	if pkey, ok = parsedKey.(*ecdsa.PrivateKey); !ok {
+		return nil, ErrNotECPrivateKey
+	}
+
+	return pkey, nil
+}
+
+// ParseECPublicKeyFromPEM parses a PEM encoded PKCS1 or PKCS8 public key
+func ParseECPublicKeyFromPEM(key []byte) (*ecdsa.PublicKey, error) {
+	var err error
+
+	// Parse PEM block
+	var block *pem.Block
+	if block, _ = pem.Decode(key); block == nil {
+		return nil, ErrKeyMustBePEMEncoded
+	}
+
+	// Parse the key
+	var parsedKey interface{}
+	if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
+		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
+			parsedKey = cert.PublicKey
+		} else {
+			return nil, err
+		}
+	}
+
+	var pkey *ecdsa.PublicKey
+	var ok bool
+	if pkey, ok = parsedKey.(*ecdsa.PublicKey); !ok {
+		return nil, ErrNotECPublicKey
+	}
+
+	return pkey, nil
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/ed25519.go b/vendor/github.com/golang-jwt/jwt/v5/ed25519.go
new file mode 100644
index 00000000..c2138119
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/ed25519.go
@@ -0,0 +1,79 @@
+package jwt
+
+import (
+	"crypto"
+	"crypto/ed25519"
+	"crypto/rand"
+	"errors"
+)
+
+var (
+	ErrEd25519Verification = errors.New("ed25519: verification error")
+)
+
+// SigningMethodEd25519 implements the EdDSA family.
+// Expects ed25519.PrivateKey for signing and ed25519.PublicKey for verification
+type SigningMethodEd25519 struct{}
+
+// Specific instance for EdDSA
+var (
+	SigningMethodEdDSA *SigningMethodEd25519
+)
+
+func init() {
+	SigningMethodEdDSA = &SigningMethodEd25519{}
+	RegisterSigningMethod(SigningMethodEdDSA.Alg(), func() SigningMethod {
+		return SigningMethodEdDSA
+	})
+}
+
+func (m *SigningMethodEd25519) Alg() string {
+	return "EdDSA"
+}
+
+// Verify implements token verification for the SigningMethod.
+// For this verify method, key must be an ed25519.PublicKey
+func (m *SigningMethodEd25519) Verify(signingString string, sig []byte, key interface{}) error {
+	var ed25519Key ed25519.PublicKey
+	var ok bool
+
+	if ed25519Key, ok = key.(ed25519.PublicKey); !ok {
+		return newError("Ed25519 verify expects ed25519.PublicKey", ErrInvalidKeyType)
+	}
+
+	if len(ed25519Key) != ed25519.PublicKeySize {
+		return ErrInvalidKey
+	}
+
+	// Verify the signature
+	if !ed25519.Verify(ed25519Key, []byte(signingString), sig) {
+		return ErrEd25519Verification
+	}
+
+	return nil
+}
+
+// Sign implements token signing for the SigningMethod.
+// For this signing method, key must be an ed25519.PrivateKey
+func (m *SigningMethodEd25519) Sign(signingString string, key interface{}) ([]byte, error) {
+	var ed25519Key crypto.Signer
+	var ok bool
+
+	if ed25519Key, ok = key.(crypto.Signer); !ok {
+		return nil, newError("Ed25519 sign expects crypto.Signer", ErrInvalidKeyType)
+	}
+
+	if _, ok := ed25519Key.Public().(ed25519.PublicKey); !ok {
+		return nil, ErrInvalidKey
+	}
+
+	// Sign the string and return the result. ed25519 performs a two-pass hash
+	// as part of its algorithm. Therefore, we need to pass a non-prehashed
+	// message into the Sign function, as indicated by crypto.Hash(0)
+	sig, err := ed25519Key.Sign(rand.Reader, []byte(signingString), crypto.Hash(0))
+	if err != nil {
+		return nil, err
+	}
+
+	return sig, nil
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/ed25519_utils.go b/vendor/github.com/golang-jwt/jwt/v5/ed25519_utils.go
new file mode 100644
index 00000000..cdb5e68e
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/ed25519_utils.go
@@ -0,0 +1,64 @@
+package jwt
+
+import (
+	"crypto"
+	"crypto/ed25519"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+)
+
+var (
+	ErrNotEdPrivateKey = errors.New("key is not a valid Ed25519 private key")
+	ErrNotEdPublicKey  = errors.New("key is not a valid Ed25519 public key")
+)
+
+// ParseEdPrivateKeyFromPEM parses a PEM-encoded Edwards curve private key
+func ParseEdPrivateKeyFromPEM(key []byte) (crypto.PrivateKey, error) {
+	var err error
+
+	// Parse PEM block
+	var block *pem.Block
+	if block, _ = pem.Decode(key); block == nil {
+		return nil, ErrKeyMustBePEMEncoded
+	}
+
+	// Parse the key
+	var parsedKey interface{}
+	if parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
+		return nil, err
+	}
+
+	var pkey ed25519.PrivateKey
+	var ok bool
+	if pkey, ok = parsedKey.(ed25519.PrivateKey); !ok {
+		return nil, ErrNotEdPrivateKey
+	}
+
+	return pkey, nil
+}
+
+// ParseEdPublicKeyFromPEM parses a PEM-encoded Edwards curve public key
+func ParseEdPublicKeyFromPEM(key []byte) (crypto.PublicKey, error) {
+	var err error
+
+	// Parse PEM block
+	var block *pem.Block
+	if block, _ = pem.Decode(key); block == nil {
+		return nil, ErrKeyMustBePEMEncoded
+	}
+
+	// Parse the key
+	var parsedKey interface{}
+	if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
+		return nil, err
+	}
+
+	var pkey ed25519.PublicKey
+	var ok bool
+	if pkey, ok = parsedKey.(ed25519.PublicKey); !ok {
+		return nil, ErrNotEdPublicKey
+	}
+
+	return pkey, nil
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/errors.go b/vendor/github.com/golang-jwt/jwt/v5/errors.go
new file mode 100644
index 00000000..23bb616d
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/errors.go
@@ -0,0 +1,49 @@
+package jwt
+
+import (
+	"errors"
+	"strings"
+)
+
+var (
+	ErrInvalidKey                = errors.New("key is invalid")
+	ErrInvalidKeyType            = errors.New("key is of invalid type")
+	ErrHashUnavailable           = errors.New("the requested hash function is unavailable")
+	ErrTokenMalformed            = errors.New("token is malformed")
+	ErrTokenUnverifiable         = errors.New("token is unverifiable")
+	ErrTokenSignatureInvalid     = errors.New("token signature is invalid")
+	ErrTokenRequiredClaimMissing = errors.New("token is missing required claim")
+	ErrTokenInvalidAudience      = errors.New("token has invalid audience")
+	ErrTokenExpired              = errors.New("token is expired")
+	ErrTokenUsedBeforeIssued     = errors.New("token used before issued")
+	ErrTokenInvalidIssuer        = errors.New("token has invalid issuer")
+	ErrTokenInvalidSubject       = errors.New("token has invalid subject")
+	ErrTokenNotValidYet          = errors.New("token is not valid yet")
+	ErrTokenInvalidId            = errors.New("token has invalid id")
+	ErrTokenInvalidClaims        = errors.New("token has invalid claims")
+	ErrInvalidType               = errors.New("invalid type for claim")
+)
+
+// joinedError is an error type that works similar to what [errors.Join]
+// produces, with the exception that it has a nice error string; mainly its
+// error messages are concatenated using a comma, rather than a newline.
+type joinedError struct {
+	errs []error
+}
+
+func (je joinedError) Error() string {
+	msg := []string{}
+	for _, err := range je.errs {
+		msg = append(msg, err.Error())
+	}
+
+	return strings.Join(msg, ", ")
+}
+
+// joinErrors joins together multiple errors. Useful for scenarios where
+// multiple errors next to each other occur, e.g., in claims validation.
+func joinErrors(errs ...error) error {
+	return &joinedError{
+		errs: errs,
+	}
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/errors_go1_20.go b/vendor/github.com/golang-jwt/jwt/v5/errors_go1_20.go
new file mode 100644
index 00000000..a893d355
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/errors_go1_20.go
@@ -0,0 +1,47 @@
+//go:build go1.20
+// +build go1.20
+
+package jwt
+
+import (
+	"fmt"
+)
+
+// Unwrap implements the multiple error unwrapping for this error type, which is
+// possible in Go 1.20.
+func (je joinedError) Unwrap() []error {
+	return je.errs
+}
+
+// newError creates a new error message with a detailed error message. The
+// message will be prefixed with the contents of the supplied error type.
+// Additionally, more errors, that provide more context can be supplied which
+// will be appended to the message. This makes use of Go 1.20's possibility to
+// include more than one %w formatting directive in [fmt.Errorf].
+//
+// For example,
+//
+//	newError("no keyfunc was provided", ErrTokenUnverifiable)
+//
+// will produce the error string
+//
+//	"token is unverifiable: no keyfunc was provided"
+func newError(message string, err error, more ...error) error {
+	var format string
+	var args []any
+	if message != "" {
+		format = "%w: %s"
+		args = []any{err, message}
+	} else {
+		format = "%w"
+		args = []any{err}
+	}
+
+	for _, e := range more {
+		format += ": %w"
+		args = append(args, e)
+	}
+
+	err = fmt.Errorf(format, args...)
+	return err
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/errors_go_other.go b/vendor/github.com/golang-jwt/jwt/v5/errors_go_other.go
new file mode 100644
index 00000000..2ad542f0
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/errors_go_other.go
@@ -0,0 +1,78 @@
+//go:build !go1.20
+// +build !go1.20
+
+package jwt
+
+import (
+	"errors"
+	"fmt"
+)
+
+// Is implements checking for multiple errors using [errors.Is], since multiple
+// error unwrapping is not possible in versions less than Go 1.20.
+func (je joinedError) Is(err error) bool {
+	for _, e := range je.errs {
+		if errors.Is(e, err) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// wrappedErrors is a workaround for wrapping multiple errors in environments
+// where Go 1.20 is not available. It basically uses the already implemented
+// functionality of joinedError to handle multiple errors with supplies a
+// custom error message that is identical to the one we produce in Go 1.20 using
+// multiple %w directives.
+type wrappedErrors struct {
+	msg string
+	joinedError
+}
+
+// Error returns the stored error string
+func (we wrappedErrors) Error() string {
+	return we.msg
+}
+
+// newError creates a new error message with a detailed error message. The
+// message will be prefixed with the contents of the supplied error type.
+// Additionally, more errors, that provide more context can be supplied which
+// will be appended to the message. Since we cannot use of Go 1.20's possibility
+// to include more than one %w formatting directive in [fmt.Errorf], we have to
+// emulate that.
+//
+// For example,
+//
+//	newError("no keyfunc was provided", ErrTokenUnverifiable)
+//
+// will produce the error string
+//
+//	"token is unverifiable: no keyfunc was provided"
+func newError(message string, err error, more ...error) error {
+	// We cannot wrap multiple errors here with %w, so we have to be a little
+	// bit creative. Basically, we are using %s instead of %w to produce the
+	// same error message and then throw the result into a custom error struct.
+	var format string
+	var args []any
+	if message != "" {
+		format = "%s: %s"
+		args = []any{err, message}
+	} else {
+		format = "%s"
+		args = []any{err}
+	}
+	errs := []error{err}
+
+	for _, e := range more {
+		format += ": %s"
+		args = append(args, e)
+		errs = append(errs, e)
+	}
+
+	err = &wrappedErrors{
+		msg:         fmt.Sprintf(format, args...),
+		joinedError: joinedError{errs: errs},
+	}
+	return err
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/hmac.go b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
new file mode 100644
index 00000000..aca600ce
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
@@ -0,0 +1,104 @@
+package jwt
+
+import (
+	"crypto"
+	"crypto/hmac"
+	"errors"
+)
+
+// SigningMethodHMAC implements the HMAC-SHA family of signing methods.
+// Expects key type of []byte for both signing and validation
+type SigningMethodHMAC struct {
+	Name string
+	Hash crypto.Hash
+}
+
+// Specific instances for HS256 and company
+var (
+	SigningMethodHS256  *SigningMethodHMAC
+	SigningMethodHS384  *SigningMethodHMAC
+	SigningMethodHS512  *SigningMethodHMAC
+	ErrSignatureInvalid = errors.New("signature is invalid")
+)
+
+func init() {
+	// HS256
+	SigningMethodHS256 = &SigningMethodHMAC{"HS256", crypto.SHA256}
+	RegisterSigningMethod(SigningMethodHS256.Alg(), func() SigningMethod {
+		return SigningMethodHS256
+	})
+
+	// HS384
+	SigningMethodHS384 = &SigningMethodHMAC{"HS384", crypto.SHA384}
+	RegisterSigningMethod(SigningMethodHS384.Alg(), func() SigningMethod {
+		return SigningMethodHS384
+	})
+
+	// HS512
+	SigningMethodHS512 = &SigningMethodHMAC{"HS512", crypto.SHA512}
+	RegisterSigningMethod(SigningMethodHS512.Alg(), func() SigningMethod {
+		return SigningMethodHS512
+	})
+}
+
+func (m *SigningMethodHMAC) Alg() string {
+	return m.Name
+}
+
+// Verify implements token verification for the SigningMethod. Returns nil if
+// the signature is valid. Key must be []byte.
+//
+// Note it is not advised to provide a []byte which was converted from a 'human
+// readable' string using a subset of ASCII characters. To maximize entropy, you
+// should ideally be providing a []byte key which was produced from a
+// cryptographically random source, e.g. crypto/rand. Additional information
+// about this, and why we intentionally are not supporting string as a key can
+// be found on our usage guide
+// https://golang-jwt.github.io/jwt/usage/signing_methods/#signing-methods-and-key-types.
+func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interface{}) error {
+	// Verify the key is the right type
+	keyBytes, ok := key.([]byte)
+	if !ok {
+		return newError("HMAC verify expects []byte", ErrInvalidKeyType)
+	}
+
+	// Can we use the specified hashing method?
+	if !m.Hash.Available() {
+		return ErrHashUnavailable
+	}
+
+	// This signing method is symmetric, so we validate the signature
+	// by reproducing the signature from the signing string and key, then
+	// comparing that against the provided signature.
+	hasher := hmac.New(m.Hash.New, keyBytes)
+	hasher.Write([]byte(signingString))
+	if !hmac.Equal(sig, hasher.Sum(nil)) {
+		return ErrSignatureInvalid
+	}
+
+	// No validation errors.  Signature is good.
+	return nil
+}
+
+// Sign implements token signing for the SigningMethod. Key must be []byte.
+//
+// Note it is not advised to provide a []byte which was converted from a 'human
+// readable' string using a subset of ASCII characters. To maximize entropy, you
+// should ideally be providing a []byte key which was produced from a
+// cryptographically random source, e.g. crypto/rand. Additional information
+// about this, and why we intentionally are not supporting string as a key can
+// be found on our usage guide https://golang-jwt.github.io/jwt/usage/signing_methods/.
+func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte, error) {
+	if keyBytes, ok := key.([]byte); ok {
+		if !m.Hash.Available() {
+			return nil, ErrHashUnavailable
+		}
+
+		hasher := hmac.New(m.Hash.New, keyBytes)
+		hasher.Write([]byte(signingString))
+
+		return hasher.Sum(nil), nil
+	}
+
+	return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/map_claims.go b/vendor/github.com/golang-jwt/jwt/v5/map_claims.go
new file mode 100644
index 00000000..b2b51a1f
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/map_claims.go
@@ -0,0 +1,109 @@
+package jwt
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+// MapClaims is a claims type that uses the map[string]interface{} for JSON
+// decoding. This is the default claims type if you don't supply one
+type MapClaims map[string]interface{}
+
+// GetExpirationTime implements the Claims interface.
+func (m MapClaims) GetExpirationTime() (*NumericDate, error) {
+	return m.parseNumericDate("exp")
+}
+
+// GetNotBefore implements the Claims interface.
+func (m MapClaims) GetNotBefore() (*NumericDate, error) {
+	return m.parseNumericDate("nbf")
+}
+
+// GetIssuedAt implements the Claims interface.
+func (m MapClaims) GetIssuedAt() (*NumericDate, error) {
+	return m.parseNumericDate("iat")
+}
+
+// GetAudience implements the Claims interface.
+func (m MapClaims) GetAudience() (ClaimStrings, error) {
+	return m.parseClaimsString("aud")
+}
+
+// GetIssuer implements the Claims interface.
+func (m MapClaims) GetIssuer() (string, error) {
+	return m.parseString("iss")
+}
+
+// GetSubject implements the Claims interface.
+func (m MapClaims) GetSubject() (string, error) {
+	return m.parseString("sub")
+}
+
+// parseNumericDate tries to parse a key in the map claims type as a number
+// date. This will succeed, if the underlying type is either a [float64] or a
+// [json.Number]. Otherwise, nil will be returned.
+func (m MapClaims) parseNumericDate(key string) (*NumericDate, error) {
+	v, ok := m[key]
+	if !ok {
+		return nil, nil
+	}
+
+	switch exp := v.(type) {
+	case float64:
+		if exp == 0 {
+			return nil, nil
+		}
+
+		return newNumericDateFromSeconds(exp), nil
+	case json.Number:
+		v, _ := exp.Float64()
+
+		return newNumericDateFromSeconds(v), nil
+	}
+
+	return nil, newError(fmt.Sprintf("%s is invalid", key), ErrInvalidType)
+}
+
+// parseClaimsString tries to parse a key in the map claims type as a
+// [ClaimsStrings] type, which can either be a string or an array of string.
+func (m MapClaims) parseClaimsString(key string) (ClaimStrings, error) {
+	var cs []string
+	switch v := m[key].(type) {
+	case string:
+		cs = append(cs, v)
+	case []string:
+		cs = v
+	case []interface{}:
+		for _, a := range v {
+			vs, ok := a.(string)
+			if !ok {
+				return nil, newError(fmt.Sprintf("%s is invalid", key), ErrInvalidType)
+			}
+			cs = append(cs, vs)
+		}
+	}
+
+	return cs, nil
+}
+
+// parseString tries to parse a key in the map claims type as a [string] type.
+// If the key does not exist, an empty string is returned. If the key has the
+// wrong type, an error is returned.
+func (m MapClaims) parseString(key string) (string, error) {
+	var (
+		ok  bool
+		raw interface{}
+		iss string
+	)
+	raw, ok = m[key]
+	if !ok {
+		return "", nil
+	}
+
+	iss, ok = raw.(string)
+	if !ok {
+		return "", newError(fmt.Sprintf("%s is invalid", key), ErrInvalidType)
+	}
+
+	return iss, nil
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/none.go b/vendor/github.com/golang-jwt/jwt/v5/none.go
new file mode 100644
index 00000000..685c2ea3
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/none.go
@@ -0,0 +1,50 @@
+package jwt
+
+// SigningMethodNone implements the none signing method.  This is required by the spec
+// but you probably should never use it.
+var SigningMethodNone *signingMethodNone
+
+const UnsafeAllowNoneSignatureType unsafeNoneMagicConstant = "none signing method allowed"
+
+var NoneSignatureTypeDisallowedError error
+
+type signingMethodNone struct{}
+type unsafeNoneMagicConstant string
+
+func init() {
+	SigningMethodNone = &signingMethodNone{}
+	NoneSignatureTypeDisallowedError = newError("'none' signature type is not allowed", ErrTokenUnverifiable)
+
+	RegisterSigningMethod(SigningMethodNone.Alg(), func() SigningMethod {
+		return SigningMethodNone
+	})
+}
+
+func (m *signingMethodNone) Alg() string {
+	return "none"
+}
+
+// Only allow 'none' alg type if UnsafeAllowNoneSignatureType is specified as the key
+func (m *signingMethodNone) Verify(signingString string, sig []byte, key interface{}) (err error) {
+	// Key must be UnsafeAllowNoneSignatureType to prevent accidentally
+	// accepting 'none' signing method
+	if _, ok := key.(unsafeNoneMagicConstant); !ok {
+		return NoneSignatureTypeDisallowedError
+	}
+	// If signing method is none, signature must be an empty string
+	if len(sig) != 0 {
+		return newError("'none' signing method with non-empty signature", ErrTokenUnverifiable)
+	}
+
+	// Accept 'none' signing method.
+	return nil
+}
+
+// Only allow 'none' signing if UnsafeAllowNoneSignatureType is specified as the key
+func (m *signingMethodNone) Sign(signingString string, key interface{}) ([]byte, error) {
+	if _, ok := key.(unsafeNoneMagicConstant); ok {
+		return []byte{}, nil
+	}
+
+	return nil, NoneSignatureTypeDisallowedError
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser.go b/vendor/github.com/golang-jwt/jwt/v5/parser.go
new file mode 100644
index 00000000..054c7eb6
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go
@@ -0,0 +1,268 @@
+package jwt
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"strings"
+)
+
+const tokenDelimiter = "."
+
+type Parser struct {
+	// If populated, only these methods will be considered valid.
+	validMethods []string
+
+	// Use JSON Number format in JSON decoder.
+	useJSONNumber bool
+
+	// Skip claims validation during token parsing.
+	skipClaimsValidation bool
+
+	validator *Validator
+
+	decodeStrict bool
+
+	decodePaddingAllowed bool
+}
+
+// NewParser creates a new Parser with the specified options
+func NewParser(options ...ParserOption) *Parser {
+	p := &Parser{
+		validator: &Validator{},
+	}
+
+	// Loop through our parsing options and apply them
+	for _, option := range options {
+		option(p)
+	}
+
+	return p
+}
+
+// Parse parses, validates, verifies the signature and returns the parsed token.
+// keyFunc will receive the parsed token and should return the key for validating.
+func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
+	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
+}
+
+// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims
+// interface. This provides default values which can be overridden and allows a caller to use their own type, rather
+// than the default MapClaims implementation of Claims.
+//
+// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
+// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
+// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
+func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
+	token, parts, err := p.ParseUnverified(tokenString, claims)
+	if err != nil {
+		return token, err
+	}
+
+	// Verify signing method is in the required set
+	if p.validMethods != nil {
+		var signingMethodValid = false
+		var alg = token.Method.Alg()
+		for _, m := range p.validMethods {
+			if m == alg {
+				signingMethodValid = true
+				break
+			}
+		}
+		if !signingMethodValid {
+			// signing method is not in the listed set
+			return token, newError(fmt.Sprintf("signing method %v is invalid", alg), ErrTokenSignatureInvalid)
+		}
+	}
+
+	// Decode signature
+	token.Signature, err = p.DecodeSegment(parts[2])
+	if err != nil {
+		return token, newError("could not base64 decode signature", ErrTokenMalformed, err)
+	}
+	text := strings.Join(parts[0:2], ".")
+
+	// Lookup key(s)
+	if keyFunc == nil {
+		// keyFunc was not provided.  short circuiting validation
+		return token, newError("no keyfunc was provided", ErrTokenUnverifiable)
+	}
+
+	got, err := keyFunc(token)
+	if err != nil {
+		return token, newError("error while executing keyfunc", ErrTokenUnverifiable, err)
+	}
+
+	switch have := got.(type) {
+	case VerificationKeySet:
+		if len(have.Keys) == 0 {
+			return token, newError("keyfunc returned empty verification key set", ErrTokenUnverifiable)
+		}
+		// Iterate through keys and verify signature, skipping the rest when a match is found.
+		// Return the last error if no match is found.
+		for _, key := range have.Keys {
+			if err = token.Method.Verify(text, token.Signature, key); err == nil {
+				break
+			}
+		}
+	default:
+		err = token.Method.Verify(text, token.Signature, have)
+	}
+	if err != nil {
+		return token, newError("", ErrTokenSignatureInvalid, err)
+	}
+
+	// Validate Claims
+	if !p.skipClaimsValidation {
+		// Make sure we have at least a default validator
+		if p.validator == nil {
+			p.validator = NewValidator()
+		}
+
+		if err := p.validator.Validate(claims); err != nil {
+			return token, newError("", ErrTokenInvalidClaims, err)
+		}
+	}
+
+	// No errors so far, token is valid.
+	token.Valid = true
+
+	return token, nil
+}
+
+// ParseUnverified parses the token but doesn't validate the signature.
+//
+// WARNING: Don't use this method unless you know what you're doing.
+//
+// It's only ever useful in cases where you know the signature is valid (since it has already
+// been or will be checked elsewhere in the stack) and you want to extract values from it.
+func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+	var ok bool
+	parts, ok = splitToken(tokenString)
+	if !ok {
+		return nil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed)
+	}
+
+	token = &Token{Raw: tokenString}
+
+	// parse Header
+	var headerBytes []byte
+	if headerBytes, err = p.DecodeSegment(parts[0]); err != nil {
+		return token, parts, newError("could not base64 decode header", ErrTokenMalformed, err)
+	}
+	if err = json.Unmarshal(headerBytes, &token.Header); err != nil {
+		return token, parts, newError("could not JSON decode header", ErrTokenMalformed, err)
+	}
+
+	// parse Claims
+	token.Claims = claims
+
+	claimBytes, err := p.DecodeSegment(parts[1])
+	if err != nil {
+		return token, parts, newError("could not base64 decode claim", ErrTokenMalformed, err)
+	}
+
+	// If `useJSONNumber` is enabled then we must use *json.Decoder to decode
+	// the claims. However, this comes with a performance penalty so only use
+	// it if we must and, otherwise, simple use json.Unmarshal.
+	if !p.useJSONNumber {
+		// JSON Unmarshal. Special case for map type to avoid weird pointer behavior.
+		if c, ok := token.Claims.(MapClaims); ok {
+			err = json.Unmarshal(claimBytes, &c)
+		} else {
+			err = json.Unmarshal(claimBytes, &claims)
+		}
+	} else {
+		dec := json.NewDecoder(bytes.NewBuffer(claimBytes))
+		dec.UseNumber()
+		// JSON Decode. Special case for map type to avoid weird pointer behavior.
+		if c, ok := token.Claims.(MapClaims); ok {
+			err = dec.Decode(&c)
+		} else {
+			err = dec.Decode(&claims)
+		}
+	}
+	if err != nil {
+		return token, parts, newError("could not JSON decode claim", ErrTokenMalformed, err)
+	}
+
+	// Lookup signature method
+	if method, ok := token.Header["alg"].(string); ok {
+		if token.Method = GetSigningMethod(method); token.Method == nil {
+			return token, parts, newError("signing method (alg) is unavailable", ErrTokenUnverifiable)
+		}
+	} else {
+		return token, parts, newError("signing method (alg) is unspecified", ErrTokenUnverifiable)
+	}
+
+	return token, parts, nil
+}
+
+// splitToken splits a token string into three parts: header, claims, and signature. It will only
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
+// will return nil parts and false.
+func splitToken(token string) ([]string, bool) {
+	parts := make([]string, 3)
+	header, remain, ok := strings.Cut(token, tokenDelimiter)
+	if !ok {
+		return nil, false
+	}
+	parts[0] = header
+	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
+	if !ok {
+		return nil, false
+	}
+	parts[1] = claims
+	// One more cut to ensure the signature is the last part of the token and there are no more
+	// delimiters. This avoids an issue where malicious input could contain additional delimiters
+	// causing unecessary overhead parsing tokens.
+	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
+	if unexpected {
+		return nil, false
+	}
+	parts[2] = signature
+
+	return parts, true
+}
+
+// DecodeSegment decodes a JWT specific base64url encoding. This function will
+// take into account whether the [Parser] is configured with additional options,
+// such as [WithStrictDecoding] or [WithPaddingAllowed].
+func (p *Parser) DecodeSegment(seg string) ([]byte, error) {
+	encoding := base64.RawURLEncoding
+
+	if p.decodePaddingAllowed {
+		if l := len(seg) % 4; l > 0 {
+			seg += strings.Repeat("=", 4-l)
+		}
+		encoding = base64.URLEncoding
+	}
+
+	if p.decodeStrict {
+		encoding = encoding.Strict()
+	}
+	return encoding.DecodeString(seg)
+}
+
+// Parse parses, validates, verifies the signature and returns the parsed token.
+// keyFunc will receive the parsed token and should return the cryptographic key
+// for verifying the signature. The caller is strongly encouraged to set the
+// WithValidMethods option to validate the 'alg' claim in the token matches the
+// expected algorithm. For more details about the importance of validating the
+// 'alg' claim, see
+// https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
+func Parse(tokenString string, keyFunc Keyfunc, options ...ParserOption) (*Token, error) {
+	return NewParser(options...).Parse(tokenString, keyFunc)
+}
+
+// ParseWithClaims is a shortcut for NewParser().ParseWithClaims().
+//
+// Note: If you provide a custom claim implementation that embeds one of the
+// standard claims (such as RegisteredClaims), make sure that a) you either
+// embed a non-pointer version of the claims or b) if you are using a pointer,
+// allocate the proper memory for it before passing in the overall claims,
+// otherwise you might run into a panic.
+func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc, options ...ParserOption) (*Token, error) {
+	return NewParser(options...).ParseWithClaims(tokenString, claims, keyFunc)
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser_option.go b/vendor/github.com/golang-jwt/jwt/v5/parser_option.go
new file mode 100644
index 00000000..88a780fb
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/parser_option.go
@@ -0,0 +1,128 @@
+package jwt
+
+import "time"
+
+// ParserOption is used to implement functional-style options that modify the
+// behavior of the parser. To add new options, just create a function (ideally
+// beginning with With or Without) that returns an anonymous function that takes
+// a *Parser type as input and manipulates its configuration accordingly.
+type ParserOption func(*Parser)
+
+// WithValidMethods is an option to supply algorithm methods that the parser
+// will check. Only those methods will be considered valid. It is heavily
+// encouraged to use this option in order to prevent attacks such as
+// https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/.
+func WithValidMethods(methods []string) ParserOption {
+	return func(p *Parser) {
+		p.validMethods = methods
+	}
+}
+
+// WithJSONNumber is an option to configure the underlying JSON parser with
+// UseNumber.
+func WithJSONNumber() ParserOption {
+	return func(p *Parser) {
+		p.useJSONNumber = true
+	}
+}
+
+// WithoutClaimsValidation is an option to disable claims validation. This
+// option should only be used if you exactly know what you are doing.
+func WithoutClaimsValidation() ParserOption {
+	return func(p *Parser) {
+		p.skipClaimsValidation = true
+	}
+}
+
+// WithLeeway returns the ParserOption for specifying the leeway window.
+func WithLeeway(leeway time.Duration) ParserOption {
+	return func(p *Parser) {
+		p.validator.leeway = leeway
+	}
+}
+
+// WithTimeFunc returns the ParserOption for specifying the time func. The
+// primary use-case for this is testing. If you are looking for a way to account
+// for clock-skew, WithLeeway should be used instead.
+func WithTimeFunc(f func() time.Time) ParserOption {
+	return func(p *Parser) {
+		p.validator.timeFunc = f
+	}
+}
+
+// WithIssuedAt returns the ParserOption to enable verification
+// of issued-at.
+func WithIssuedAt() ParserOption {
+	return func(p *Parser) {
+		p.validator.verifyIat = true
+	}
+}
+
+// WithExpirationRequired returns the ParserOption to make exp claim required.
+// By default exp claim is optional.
+func WithExpirationRequired() ParserOption {
+	return func(p *Parser) {
+		p.validator.requireExp = true
+	}
+}
+
+// WithAudience configures the validator to require the specified audience in
+// the `aud` claim. Validation will fail if the audience is not listed in the
+// token or the `aud` claim is missing.
+//
+// NOTE: While the `aud` claim is OPTIONAL in a JWT, the handling of it is
+// application-specific. Since this validation API is helping developers in
+// writing secure application, we decided to REQUIRE the existence of the claim,
+// if an audience is expected.
+func WithAudience(aud string) ParserOption {
+	return func(p *Parser) {
+		p.validator.expectedAud = aud
+	}
+}
+
+// WithIssuer configures the validator to require the specified issuer in the
+// `iss` claim. Validation will fail if a different issuer is specified in the
+// token or the `iss` claim is missing.
+//
+// NOTE: While the `iss` claim is OPTIONAL in a JWT, the handling of it is
+// application-specific. Since this validation API is helping developers in
+// writing secure application, we decided to REQUIRE the existence of the claim,
+// if an issuer is expected.
+func WithIssuer(iss string) ParserOption {
+	return func(p *Parser) {
+		p.validator.expectedIss = iss
+	}
+}
+
+// WithSubject configures the validator to require the specified subject in the
+// `sub` claim. Validation will fail if a different subject is specified in the
+// token or the `sub` claim is missing.
+//
+// NOTE: While the `sub` claim is OPTIONAL in a JWT, the handling of it is
+// application-specific. Since this validation API is helping developers in
+// writing secure application, we decided to REQUIRE the existence of the claim,
+// if a subject is expected.
+func WithSubject(sub string) ParserOption {
+	return func(p *Parser) {
+		p.validator.expectedSub = sub
+	}
+}
+
+// WithPaddingAllowed will enable the codec used for decoding JWTs to allow
+// padding. Note that the JWS RFC7515 states that the tokens will utilize a
+// Base64url encoding with no padding. Unfortunately, some implementations of
+// JWT are producing non-standard tokens, and thus require support for decoding.
+func WithPaddingAllowed() ParserOption {
+	return func(p *Parser) {
+		p.decodePaddingAllowed = true
+	}
+}
+
+// WithStrictDecoding will switch the codec used for decoding JWTs into strict
+// mode. In this mode, the decoder requires that trailing padding bits are zero,
+// as described in RFC 4648 section 3.5.
+func WithStrictDecoding() ParserOption {
+	return func(p *Parser) {
+		p.decodeStrict = true
+	}
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/registered_claims.go b/vendor/github.com/golang-jwt/jwt/v5/registered_claims.go
new file mode 100644
index 00000000..77951a53
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/registered_claims.go
@@ -0,0 +1,63 @@
+package jwt
+
+// RegisteredClaims are a structured version of the JWT Claims Set,
+// restricted to Registered Claim Names, as referenced at
+// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
+//
+// This type can be used on its own, but then additional private and
+// public claims embedded in the JWT will not be parsed. The typical use-case
+// therefore is to embedded this in a user-defined claim type.
+//
+// See examples for how to use this with your own claim types.
+type RegisteredClaims struct {
+	// the `iss` (Issuer) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
+	Issuer string `json:"iss,omitempty"`
+
+	// the `sub` (Subject) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2
+	Subject string `json:"sub,omitempty"`
+
+	// the `aud` (Audience) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
+	Audience ClaimStrings `json:"aud,omitempty"`
+
+	// the `exp` (Expiration Time) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4
+	ExpiresAt *NumericDate `json:"exp,omitempty"`
+
+	// the `nbf` (Not Before) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5
+	NotBefore *NumericDate `json:"nbf,omitempty"`
+
+	// the `iat` (Issued At) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6
+	IssuedAt *NumericDate `json:"iat,omitempty"`
+
+	// the `jti` (JWT ID) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7
+	ID string `json:"jti,omitempty"`
+}
+
+// GetExpirationTime implements the Claims interface.
+func (c RegisteredClaims) GetExpirationTime() (*NumericDate, error) {
+	return c.ExpiresAt, nil
+}
+
+// GetNotBefore implements the Claims interface.
+func (c RegisteredClaims) GetNotBefore() (*NumericDate, error) {
+	return c.NotBefore, nil
+}
+
+// GetIssuedAt implements the Claims interface.
+func (c RegisteredClaims) GetIssuedAt() (*NumericDate, error) {
+	return c.IssuedAt, nil
+}
+
+// GetAudience implements the Claims interface.
+func (c RegisteredClaims) GetAudience() (ClaimStrings, error) {
+	return c.Audience, nil
+}
+
+// GetIssuer implements the Claims interface.
+func (c RegisteredClaims) GetIssuer() (string, error) {
+	return c.Issuer, nil
+}
+
+// GetSubject implements the Claims interface.
+func (c RegisteredClaims) GetSubject() (string, error) {
+	return c.Subject, nil
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/rsa.go b/vendor/github.com/golang-jwt/jwt/v5/rsa.go
new file mode 100644
index 00000000..83cbee6a
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/rsa.go
@@ -0,0 +1,93 @@
+package jwt
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+)
+
+// SigningMethodRSA implements the RSA family of signing methods.
+// Expects *rsa.PrivateKey for signing and *rsa.PublicKey for validation
+type SigningMethodRSA struct {
+	Name string
+	Hash crypto.Hash
+}
+
+// Specific instances for RS256 and company
+var (
+	SigningMethodRS256 *SigningMethodRSA
+	SigningMethodRS384 *SigningMethodRSA
+	SigningMethodRS512 *SigningMethodRSA
+)
+
+func init() {
+	// RS256
+	SigningMethodRS256 = &SigningMethodRSA{"RS256", crypto.SHA256}
+	RegisterSigningMethod(SigningMethodRS256.Alg(), func() SigningMethod {
+		return SigningMethodRS256
+	})
+
+	// RS384
+	SigningMethodRS384 = &SigningMethodRSA{"RS384", crypto.SHA384}
+	RegisterSigningMethod(SigningMethodRS384.Alg(), func() SigningMethod {
+		return SigningMethodRS384
+	})
+
+	// RS512
+	SigningMethodRS512 = &SigningMethodRSA{"RS512", crypto.SHA512}
+	RegisterSigningMethod(SigningMethodRS512.Alg(), func() SigningMethod {
+		return SigningMethodRS512
+	})
+}
+
+func (m *SigningMethodRSA) Alg() string {
+	return m.Name
+}
+
+// Verify implements token verification for the SigningMethod
+// For this signing method, must be an *rsa.PublicKey structure.
+func (m *SigningMethodRSA) Verify(signingString string, sig []byte, key interface{}) error {
+	var rsaKey *rsa.PublicKey
+	var ok bool
+
+	if rsaKey, ok = key.(*rsa.PublicKey); !ok {
+		return newError("RSA verify expects *rsa.PublicKey", ErrInvalidKeyType)
+	}
+
+	// Create hasher
+	if !m.Hash.Available() {
+		return ErrHashUnavailable
+	}
+	hasher := m.Hash.New()
+	hasher.Write([]byte(signingString))
+
+	// Verify the signature
+	return rsa.VerifyPKCS1v15(rsaKey, m.Hash, hasher.Sum(nil), sig)
+}
+
+// Sign implements token signing for the SigningMethod
+// For this signing method, must be an *rsa.PrivateKey structure.
+func (m *SigningMethodRSA) Sign(signingString string, key interface{}) ([]byte, error) {
+	var rsaKey *rsa.PrivateKey
+	var ok bool
+
+	// Validate type of key
+	if rsaKey, ok = key.(*rsa.PrivateKey); !ok {
+		return nil, newError("RSA sign expects *rsa.PrivateKey", ErrInvalidKeyType)
+	}
+
+	// Create the hasher
+	if !m.Hash.Available() {
+		return nil, ErrHashUnavailable
+	}
+
+	hasher := m.Hash.New()
+	hasher.Write([]byte(signingString))
+
+	// Sign the string and return the encoded bytes
+	if sigBytes, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil)); err == nil {
+		return sigBytes, nil
+	} else {
+		return nil, err
+	}
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/rsa_pss.go b/vendor/github.com/golang-jwt/jwt/v5/rsa_pss.go
new file mode 100644
index 00000000..28c386ec
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/rsa_pss.go
@@ -0,0 +1,135 @@
+//go:build go1.4
+// +build go1.4
+
+package jwt
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+)
+
+// SigningMethodRSAPSS implements the RSAPSS family of signing methods signing methods
+type SigningMethodRSAPSS struct {
+	*SigningMethodRSA
+	Options *rsa.PSSOptions
+	// VerifyOptions is optional. If set overrides Options for rsa.VerifyPPS.
+	// Used to accept tokens signed with rsa.PSSSaltLengthAuto, what doesn't follow
+	// https://tools.ietf.org/html/rfc7518#section-3.5 but was used previously.
+	// See https://github.com/dgrijalva/jwt-go/issues/285#issuecomment-437451244 for details.
+	VerifyOptions *rsa.PSSOptions
+}
+
+// Specific instances for RS/PS and company.
+var (
+	SigningMethodPS256 *SigningMethodRSAPSS
+	SigningMethodPS384 *SigningMethodRSAPSS
+	SigningMethodPS512 *SigningMethodRSAPSS
+)
+
+func init() {
+	// PS256
+	SigningMethodPS256 = &SigningMethodRSAPSS{
+		SigningMethodRSA: &SigningMethodRSA{
+			Name: "PS256",
+			Hash: crypto.SHA256,
+		},
+		Options: &rsa.PSSOptions{
+			SaltLength: rsa.PSSSaltLengthEqualsHash,
+		},
+		VerifyOptions: &rsa.PSSOptions{
+			SaltLength: rsa.PSSSaltLengthAuto,
+		},
+	}
+	RegisterSigningMethod(SigningMethodPS256.Alg(), func() SigningMethod {
+		return SigningMethodPS256
+	})
+
+	// PS384
+	SigningMethodPS384 = &SigningMethodRSAPSS{
+		SigningMethodRSA: &SigningMethodRSA{
+			Name: "PS384",
+			Hash: crypto.SHA384,
+		},
+		Options: &rsa.PSSOptions{
+			SaltLength: rsa.PSSSaltLengthEqualsHash,
+		},
+		VerifyOptions: &rsa.PSSOptions{
+			SaltLength: rsa.PSSSaltLengthAuto,
+		},
+	}
+	RegisterSigningMethod(SigningMethodPS384.Alg(), func() SigningMethod {
+		return SigningMethodPS384
+	})
+
+	// PS512
+	SigningMethodPS512 = &SigningMethodRSAPSS{
+		SigningMethodRSA: &SigningMethodRSA{
+			Name: "PS512",
+			Hash: crypto.SHA512,
+		},
+		Options: &rsa.PSSOptions{
+			SaltLength: rsa.PSSSaltLengthEqualsHash,
+		},
+		VerifyOptions: &rsa.PSSOptions{
+			SaltLength: rsa.PSSSaltLengthAuto,
+		},
+	}
+	RegisterSigningMethod(SigningMethodPS512.Alg(), func() SigningMethod {
+		return SigningMethodPS512
+	})
+}
+
+// Verify implements token verification for the SigningMethod.
+// For this verify method, key must be an rsa.PublicKey struct
+func (m *SigningMethodRSAPSS) Verify(signingString string, sig []byte, key interface{}) error {
+	var rsaKey *rsa.PublicKey
+	switch k := key.(type) {
+	case *rsa.PublicKey:
+		rsaKey = k
+	default:
+		return newError("RSA-PSS verify expects *rsa.PublicKey", ErrInvalidKeyType)
+	}
+
+	// Create hasher
+	if !m.Hash.Available() {
+		return ErrHashUnavailable
+	}
+	hasher := m.Hash.New()
+	hasher.Write([]byte(signingString))
+
+	opts := m.Options
+	if m.VerifyOptions != nil {
+		opts = m.VerifyOptions
+	}
+
+	return rsa.VerifyPSS(rsaKey, m.Hash, hasher.Sum(nil), sig, opts)
+}
+
+// Sign implements token signing for the SigningMethod.
+// For this signing method, key must be an rsa.PrivateKey struct
+func (m *SigningMethodRSAPSS) Sign(signingString string, key interface{}) ([]byte, error) {
+	var rsaKey *rsa.PrivateKey
+
+	switch k := key.(type) {
+	case *rsa.PrivateKey:
+		rsaKey = k
+	default:
+		return nil, newError("RSA-PSS sign expects *rsa.PrivateKey", ErrInvalidKeyType)
+	}
+
+	// Create the hasher
+	if !m.Hash.Available() {
+		return nil, ErrHashUnavailable
+	}
+
+	hasher := m.Hash.New()
+	hasher.Write([]byte(signingString))
+
+	// Sign the string and return the encoded bytes
+	if sigBytes, err := rsa.SignPSS(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil), m.Options); err == nil {
+		return sigBytes, nil
+	} else {
+		return nil, err
+	}
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/rsa_utils.go b/vendor/github.com/golang-jwt/jwt/v5/rsa_utils.go
new file mode 100644
index 00000000..b3aeebbe
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/rsa_utils.go
@@ -0,0 +1,107 @@
+package jwt
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+)
+
+var (
+	ErrKeyMustBePEMEncoded = errors.New("invalid key: Key must be a PEM encoded PKCS1 or PKCS8 key")
+	ErrNotRSAPrivateKey    = errors.New("key is not a valid RSA private key")
+	ErrNotRSAPublicKey     = errors.New("key is not a valid RSA public key")
+)
+
+// ParseRSAPrivateKeyFromPEM parses a PEM encoded PKCS1 or PKCS8 private key
+func ParseRSAPrivateKeyFromPEM(key []byte) (*rsa.PrivateKey, error) {
+	var err error
+
+	// Parse PEM block
+	var block *pem.Block
+	if block, _ = pem.Decode(key); block == nil {
+		return nil, ErrKeyMustBePEMEncoded
+	}
+
+	var parsedKey interface{}
+	if parsedKey, err = x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {
+		if parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
+			return nil, err
+		}
+	}
+
+	var pkey *rsa.PrivateKey
+	var ok bool
+	if pkey, ok = parsedKey.(*rsa.PrivateKey); !ok {
+		return nil, ErrNotRSAPrivateKey
+	}
+
+	return pkey, nil
+}
+
+// ParseRSAPrivateKeyFromPEMWithPassword parses a PEM encoded PKCS1 or PKCS8 private key protected with password
+//
+// Deprecated: This function is deprecated and should not be used anymore. It uses the deprecated x509.DecryptPEMBlock
+// function, which was deprecated since RFC 1423 is regarded insecure by design. Unfortunately, there is no alternative
+// in the Go standard library for now. See https://github.com/golang/go/issues/8860.
+func ParseRSAPrivateKeyFromPEMWithPassword(key []byte, password string) (*rsa.PrivateKey, error) {
+	var err error
+
+	// Parse PEM block
+	var block *pem.Block
+	if block, _ = pem.Decode(key); block == nil {
+		return nil, ErrKeyMustBePEMEncoded
+	}
+
+	var parsedKey interface{}
+
+	var blockDecrypted []byte
+	if blockDecrypted, err = x509.DecryptPEMBlock(block, []byte(password)); err != nil {
+		return nil, err
+	}
+
+	if parsedKey, err = x509.ParsePKCS1PrivateKey(blockDecrypted); err != nil {
+		if parsedKey, err = x509.ParsePKCS8PrivateKey(blockDecrypted); err != nil {
+			return nil, err
+		}
+	}
+
+	var pkey *rsa.PrivateKey
+	var ok bool
+	if pkey, ok = parsedKey.(*rsa.PrivateKey); !ok {
+		return nil, ErrNotRSAPrivateKey
+	}
+
+	return pkey, nil
+}
+
+// ParseRSAPublicKeyFromPEM parses a certificate or a PEM encoded PKCS1 or PKIX public key
+func ParseRSAPublicKeyFromPEM(key []byte) (*rsa.PublicKey, error) {
+	var err error
+
+	// Parse PEM block
+	var block *pem.Block
+	if block, _ = pem.Decode(key); block == nil {
+		return nil, ErrKeyMustBePEMEncoded
+	}
+
+	// Parse the key
+	var parsedKey interface{}
+	if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
+		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
+			parsedKey = cert.PublicKey
+		} else {
+			if parsedKey, err = x509.ParsePKCS1PublicKey(block.Bytes); err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	var pkey *rsa.PublicKey
+	var ok bool
+	if pkey, ok = parsedKey.(*rsa.PublicKey); !ok {
+		return nil, ErrNotRSAPublicKey
+	}
+
+	return pkey, nil
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/signing_method.go b/vendor/github.com/golang-jwt/jwt/v5/signing_method.go
new file mode 100644
index 00000000..0d73631c
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/signing_method.go
@@ -0,0 +1,49 @@
+package jwt
+
+import (
+	"sync"
+)
+
+var signingMethods = map[string]func() SigningMethod{}
+var signingMethodLock = new(sync.RWMutex)
+
+// SigningMethod can be used add new methods for signing or verifying tokens. It
+// takes a decoded signature as an input in the Verify function and produces a
+// signature in Sign. The signature is then usually base64 encoded as part of a
+// JWT.
+type SigningMethod interface {
+	Verify(signingString string, sig []byte, key interface{}) error // Returns nil if signature is valid
+	Sign(signingString string, key interface{}) ([]byte, error)     // Returns signature or error
+	Alg() string                                                    // returns the alg identifier for this method (example: 'HS256')
+}
+
+// RegisterSigningMethod registers the "alg" name and a factory function for signing method.
+// This is typically done during init() in the method's implementation
+func RegisterSigningMethod(alg string, f func() SigningMethod) {
+	signingMethodLock.Lock()
+	defer signingMethodLock.Unlock()
+
+	signingMethods[alg] = f
+}
+
+// GetSigningMethod retrieves a signing method from an "alg" string
+func GetSigningMethod(alg string) (method SigningMethod) {
+	signingMethodLock.RLock()
+	defer signingMethodLock.RUnlock()
+
+	if methodF, ok := signingMethods[alg]; ok {
+		method = methodF()
+	}
+	return
+}
+
+// GetAlgorithms returns a list of registered "alg" names
+func GetAlgorithms() (algs []string) {
+	signingMethodLock.RLock()
+	defer signingMethodLock.RUnlock()
+
+	for alg := range signingMethods {
+		algs = append(algs, alg)
+	}
+	return
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/staticcheck.conf b/vendor/github.com/golang-jwt/jwt/v5/staticcheck.conf
new file mode 100644
index 00000000..53745d51
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/staticcheck.conf
@@ -0,0 +1 @@
+checks = ["all", "-ST1000", "-ST1003", "-ST1016", "-ST1023"]
diff --git a/vendor/github.com/golang-jwt/jwt/v5/token.go b/vendor/github.com/golang-jwt/jwt/v5/token.go
new file mode 100644
index 00000000..9c7f4ab0
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/token.go
@@ -0,0 +1,100 @@
+package jwt
+
+import (
+	"crypto"
+	"encoding/base64"
+	"encoding/json"
+)
+
+// Keyfunc will be used by the Parse methods as a callback function to supply
+// the key for verification.  The function receives the parsed, but unverified
+// Token.  This allows you to use properties in the Header of the token (such as
+// `kid`) to identify which key to use.
+//
+// The returned interface{} may be a single key or a VerificationKeySet containing
+// multiple keys.
+type Keyfunc func(*Token) (interface{}, error)
+
+// VerificationKey represents a public or secret key for verifying a token's signature.
+type VerificationKey interface {
+	crypto.PublicKey | []uint8
+}
+
+// VerificationKeySet is a set of public or secret keys. It is used by the parser to verify a token.
+type VerificationKeySet struct {
+	Keys []VerificationKey
+}
+
+// Token represents a JWT Token.  Different fields will be used depending on
+// whether you're creating or parsing/verifying a token.
+type Token struct {
+	Raw       string                 // Raw contains the raw token.  Populated when you [Parse] a token
+	Method    SigningMethod          // Method is the signing method used or to be used
+	Header    map[string]interface{} // Header is the first segment of the token in decoded form
+	Claims    Claims                 // Claims is the second segment of the token in decoded form
+	Signature []byte                 // Signature is the third segment of the token in decoded form.  Populated when you Parse a token
+	Valid     bool                   // Valid specifies if the token is valid.  Populated when you Parse/Verify a token
+}
+
+// New creates a new [Token] with the specified signing method and an empty map
+// of claims. Additional options can be specified, but are currently unused.
+func New(method SigningMethod, opts ...TokenOption) *Token {
+	return NewWithClaims(method, MapClaims{}, opts...)
+}
+
+// NewWithClaims creates a new [Token] with the specified signing method and
+// claims. Additional options can be specified, but are currently unused.
+func NewWithClaims(method SigningMethod, claims Claims, opts ...TokenOption) *Token {
+	return &Token{
+		Header: map[string]interface{}{
+			"typ": "JWT",
+			"alg": method.Alg(),
+		},
+		Claims: claims,
+		Method: method,
+	}
+}
+
+// SignedString creates and returns a complete, signed JWT. The token is signed
+// using the SigningMethod specified in the token. Please refer to
+// https://golang-jwt.github.io/jwt/usage/signing_methods/#signing-methods-and-key-types
+// for an overview of the different signing methods and their respective key
+// types.
+func (t *Token) SignedString(key interface{}) (string, error) {
+	sstr, err := t.SigningString()
+	if err != nil {
+		return "", err
+	}
+
+	sig, err := t.Method.Sign(sstr, key)
+	if err != nil {
+		return "", err
+	}
+
+	return sstr + "." + t.EncodeSegment(sig), nil
+}
+
+// SigningString generates the signing string.  This is the most expensive part
+// of the whole deal. Unless you need this for something special, just go
+// straight for the SignedString.
+func (t *Token) SigningString() (string, error) {
+	h, err := json.Marshal(t.Header)
+	if err != nil {
+		return "", err
+	}
+
+	c, err := json.Marshal(t.Claims)
+	if err != nil {
+		return "", err
+	}
+
+	return t.EncodeSegment(h) + "." + t.EncodeSegment(c), nil
+}
+
+// EncodeSegment encodes a JWT specific base64url encoding with padding
+// stripped. In the future, this function might take into account a
+// [TokenOption]. Therefore, this function exists as a method of [Token], rather
+// than a global function.
+func (*Token) EncodeSegment(seg []byte) string {
+	return base64.RawURLEncoding.EncodeToString(seg)
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/token_option.go b/vendor/github.com/golang-jwt/jwt/v5/token_option.go
new file mode 100644
index 00000000..b4ae3bad
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/token_option.go
@@ -0,0 +1,5 @@
+package jwt
+
+// TokenOption is a reserved type, which provides some forward compatibility,
+// if we ever want to introduce token creation-related options.
+type TokenOption func(*Token)
diff --git a/vendor/github.com/golang-jwt/jwt/v5/types.go b/vendor/github.com/golang-jwt/jwt/v5/types.go
new file mode 100644
index 00000000..b2655a9e
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/types.go
@@ -0,0 +1,149 @@
+package jwt
+
+import (
+	"encoding/json"
+	"fmt"
+	"math"
+	"strconv"
+	"time"
+)
+
+// TimePrecision sets the precision of times and dates within this library. This
+// has an influence on the precision of times when comparing expiry or other
+// related time fields. Furthermore, it is also the precision of times when
+// serializing.
+//
+// For backwards compatibility the default precision is set to seconds, so that
+// no fractional timestamps are generated.
+var TimePrecision = time.Second
+
+// MarshalSingleStringAsArray modifies the behavior of the ClaimStrings type,
+// especially its MarshalJSON function.
+//
+// If it is set to true (the default), it will always serialize the type as an
+// array of strings, even if it just contains one element, defaulting to the
+// behavior of the underlying []string. If it is set to false, it will serialize
+// to a single string, if it contains one element. Otherwise, it will serialize
+// to an array of strings.
+var MarshalSingleStringAsArray = true
+
+// NumericDate represents a JSON numeric date value, as referenced at
+// https://datatracker.ietf.org/doc/html/rfc7519#section-2.
+type NumericDate struct {
+	time.Time
+}
+
+// NewNumericDate constructs a new *NumericDate from a standard library time.Time struct.
+// It will truncate the timestamp according to the precision specified in TimePrecision.
+func NewNumericDate(t time.Time) *NumericDate {
+	return &NumericDate{t.Truncate(TimePrecision)}
+}
+
+// newNumericDateFromSeconds creates a new *NumericDate out of a float64 representing a
+// UNIX epoch with the float fraction representing non-integer seconds.
+func newNumericDateFromSeconds(f float64) *NumericDate {
+	round, frac := math.Modf(f)
+	return NewNumericDate(time.Unix(int64(round), int64(frac*1e9)))
+}
+
+// MarshalJSON is an implementation of the json.RawMessage interface and serializes the UNIX epoch
+// represented in NumericDate to a byte array, using the precision specified in TimePrecision.
+func (date NumericDate) MarshalJSON() (b []byte, err error) {
+	var prec int
+	if TimePrecision < time.Second {
+		prec = int(math.Log10(float64(time.Second) / float64(TimePrecision)))
+	}
+	truncatedDate := date.Truncate(TimePrecision)
+
+	// For very large timestamps, UnixNano would overflow an int64, but this
+	// function requires nanosecond level precision, so we have to use the
+	// following technique to get round the issue:
+	//
+	// 1. Take the normal unix timestamp to form the whole number part of the
+	//    output,
+	// 2. Take the result of the Nanosecond function, which returns the offset
+	//    within the second of the particular unix time instance, to form the
+	//    decimal part of the output
+	// 3. Concatenate them to produce the final result
+	seconds := strconv.FormatInt(truncatedDate.Unix(), 10)
+	nanosecondsOffset := strconv.FormatFloat(float64(truncatedDate.Nanosecond())/float64(time.Second), 'f', prec, 64)
+
+	output := append([]byte(seconds), []byte(nanosecondsOffset)[1:]...)
+
+	return output, nil
+}
+
+// UnmarshalJSON is an implementation of the json.RawMessage interface and
+// deserializes a [NumericDate] from a JSON representation, i.e. a
+// [json.Number]. This number represents an UNIX epoch with either integer or
+// non-integer seconds.
+func (date *NumericDate) UnmarshalJSON(b []byte) (err error) {
+	var (
+		number json.Number
+		f      float64
+	)
+
+	if err = json.Unmarshal(b, &number); err != nil {
+		return fmt.Errorf("could not parse NumericData: %w", err)
+	}
+
+	if f, err = number.Float64(); err != nil {
+		return fmt.Errorf("could not convert json number value to float: %w", err)
+	}
+
+	n := newNumericDateFromSeconds(f)
+	*date = *n
+
+	return nil
+}
+
+// ClaimStrings is basically just a slice of strings, but it can be either
+// serialized from a string array or just a string. This type is necessary,
+// since the "aud" claim can either be a single string or an array.
+type ClaimStrings []string
+
+func (s *ClaimStrings) UnmarshalJSON(data []byte) (err error) {
+	var value interface{}
+
+	if err = json.Unmarshal(data, &value); err != nil {
+		return err
+	}
+
+	var aud []string
+
+	switch v := value.(type) {
+	case string:
+		aud = append(aud, v)
+	case []string:
+		aud = ClaimStrings(v)
+	case []interface{}:
+		for _, vv := range v {
+			vs, ok := vv.(string)
+			if !ok {
+				return ErrInvalidType
+			}
+			aud = append(aud, vs)
+		}
+	case nil:
+		return nil
+	default:
+		return ErrInvalidType
+	}
+
+	*s = aud
+
+	return
+}
+
+func (s ClaimStrings) MarshalJSON() (b []byte, err error) {
+	// This handles a special case in the JWT RFC. If the string array, e.g.
+	// used by the "aud" field, only contains one element, it MAY be serialized
+	// as a single string. This may or may not be desired based on the ecosystem
+	// of other JWT library used, so we make it configurable by the variable
+	// MarshalSingleStringAsArray.
+	if len(s) == 1 && !MarshalSingleStringAsArray {
+		return json.Marshal(s[0])
+	}
+
+	return json.Marshal([]string(s))
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/validator.go b/vendor/github.com/golang-jwt/jwt/v5/validator.go
new file mode 100644
index 00000000..008ecd87
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/validator.go
@@ -0,0 +1,316 @@
+package jwt
+
+import (
+	"crypto/subtle"
+	"fmt"
+	"time"
+)
+
+// ClaimsValidator is an interface that can be implemented by custom claims who
+// wish to execute any additional claims validation based on
+// application-specific logic. The Validate function is then executed in
+// addition to the regular claims validation and any error returned is appended
+// to the final validation result.
+//
+//	type MyCustomClaims struct {
+//	    Foo string `json:"foo"`
+//	    jwt.RegisteredClaims
+//	}
+//
+//	func (m MyCustomClaims) Validate() error {
+//	    if m.Foo != "bar" {
+//	        return errors.New("must be foobar")
+//	    }
+//	    return nil
+//	}
+type ClaimsValidator interface {
+	Claims
+	Validate() error
+}
+
+// Validator is the core of the new Validation API. It is automatically used by
+// a [Parser] during parsing and can be modified with various parser options.
+//
+// The [NewValidator] function should be used to create an instance of this
+// struct.
+type Validator struct {
+	// leeway is an optional leeway that can be provided to account for clock skew.
+	leeway time.Duration
+
+	// timeFunc is used to supply the current time that is needed for
+	// validation. If unspecified, this defaults to time.Now.
+	timeFunc func() time.Time
+
+	// requireExp specifies whether the exp claim is required
+	requireExp bool
+
+	// verifyIat specifies whether the iat (Issued At) claim will be verified.
+	// According to https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6 this
+	// only specifies the age of the token, but no validation check is
+	// necessary. However, if wanted, it can be checked if the iat is
+	// unrealistic, i.e., in the future.
+	verifyIat bool
+
+	// expectedAud contains the audience this token expects. Supplying an empty
+	// string will disable aud checking.
+	expectedAud string
+
+	// expectedIss contains the issuer this token expects. Supplying an empty
+	// string will disable iss checking.
+	expectedIss string
+
+	// expectedSub contains the subject this token expects. Supplying an empty
+	// string will disable sub checking.
+	expectedSub string
+}
+
+// NewValidator can be used to create a stand-alone validator with the supplied
+// options. This validator can then be used to validate already parsed claims.
+//
+// Note: Under normal circumstances, explicitly creating a validator is not
+// needed and can potentially be dangerous; instead functions of the [Parser]
+// class should be used.
+//
+// The [Validator] is only checking the *validity* of the claims, such as its
+// expiration time, but it does NOT perform *signature verification* of the
+// token.
+func NewValidator(opts ...ParserOption) *Validator {
+	p := NewParser(opts...)
+	return p.validator
+}
+
+// Validate validates the given claims. It will also perform any custom
+// validation if claims implements the [ClaimsValidator] interface.
+//
+// Note: It will NOT perform any *signature verification* on the token that
+// contains the claims and expects that the [Claim] was already successfully
+// verified.
+func (v *Validator) Validate(claims Claims) error {
+	var (
+		now  time.Time
+		errs []error = make([]error, 0, 6)
+		err  error
+	)
+
+	// Check, if we have a time func
+	if v.timeFunc != nil {
+		now = v.timeFunc()
+	} else {
+		now = time.Now()
+	}
+
+	// We always need to check the expiration time, but usage of the claim
+	// itself is OPTIONAL by default. requireExp overrides this behavior
+	// and makes the exp claim mandatory.
+	if err = v.verifyExpiresAt(claims, now, v.requireExp); err != nil {
+		errs = append(errs, err)
+	}
+
+	// We always need to check not-before, but usage of the claim itself is
+	// OPTIONAL.
+	if err = v.verifyNotBefore(claims, now, false); err != nil {
+		errs = append(errs, err)
+	}
+
+	// Check issued-at if the option is enabled
+	if v.verifyIat {
+		if err = v.verifyIssuedAt(claims, now, false); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	// If we have an expected audience, we also require the audience claim
+	if v.expectedAud != "" {
+		if err = v.verifyAudience(claims, v.expectedAud, true); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	// If we have an expected issuer, we also require the issuer claim
+	if v.expectedIss != "" {
+		if err = v.verifyIssuer(claims, v.expectedIss, true); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	// If we have an expected subject, we also require the subject claim
+	if v.expectedSub != "" {
+		if err = v.verifySubject(claims, v.expectedSub, true); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	// Finally, we want to give the claim itself some possibility to do some
+	// additional custom validation based on a custom Validate function.
+	cvt, ok := claims.(ClaimsValidator)
+	if ok {
+		if err := cvt.Validate(); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	if len(errs) == 0 {
+		return nil
+	}
+
+	return joinErrors(errs...)
+}
+
+// verifyExpiresAt compares the exp claim in claims against cmp. This function
+// will succeed if cmp < exp. Additional leeway is taken into account.
+//
+// If exp is not set, it will succeed if the claim is not required,
+// otherwise ErrTokenRequiredClaimMissing will be returned.
+//
+// Additionally, if any error occurs while retrieving the claim, e.g., when its
+// the wrong type, an ErrTokenUnverifiable error will be returned.
+func (v *Validator) verifyExpiresAt(claims Claims, cmp time.Time, required bool) error {
+	exp, err := claims.GetExpirationTime()
+	if err != nil {
+		return err
+	}
+
+	if exp == nil {
+		return errorIfRequired(required, "exp")
+	}
+
+	return errorIfFalse(cmp.Before((exp.Time).Add(+v.leeway)), ErrTokenExpired)
+}
+
+// verifyIssuedAt compares the iat claim in claims against cmp. This function
+// will succeed if cmp >= iat. Additional leeway is taken into account.
+//
+// If iat is not set, it will succeed if the claim is not required,
+// otherwise ErrTokenRequiredClaimMissing will be returned.
+//
+// Additionally, if any error occurs while retrieving the claim, e.g., when its
+// the wrong type, an ErrTokenUnverifiable error will be returned.
+func (v *Validator) verifyIssuedAt(claims Claims, cmp time.Time, required bool) error {
+	iat, err := claims.GetIssuedAt()
+	if err != nil {
+		return err
+	}
+
+	if iat == nil {
+		return errorIfRequired(required, "iat")
+	}
+
+	return errorIfFalse(!cmp.Before(iat.Add(-v.leeway)), ErrTokenUsedBeforeIssued)
+}
+
+// verifyNotBefore compares the nbf claim in claims against cmp. This function
+// will return true if cmp >= nbf. Additional leeway is taken into account.
+//
+// If nbf is not set, it will succeed if the claim is not required,
+// otherwise ErrTokenRequiredClaimMissing will be returned.
+//
+// Additionally, if any error occurs while retrieving the claim, e.g., when its
+// the wrong type, an ErrTokenUnverifiable error will be returned.
+func (v *Validator) verifyNotBefore(claims Claims, cmp time.Time, required bool) error {
+	nbf, err := claims.GetNotBefore()
+	if err != nil {
+		return err
+	}
+
+	if nbf == nil {
+		return errorIfRequired(required, "nbf")
+	}
+
+	return errorIfFalse(!cmp.Before(nbf.Add(-v.leeway)), ErrTokenNotValidYet)
+}
+
+// verifyAudience compares the aud claim against cmp.
+//
+// If aud is not set or an empty list, it will succeed if the claim is not required,
+// otherwise ErrTokenRequiredClaimMissing will be returned.
+//
+// Additionally, if any error occurs while retrieving the claim, e.g., when its
+// the wrong type, an ErrTokenUnverifiable error will be returned.
+func (v *Validator) verifyAudience(claims Claims, cmp string, required bool) error {
+	aud, err := claims.GetAudience()
+	if err != nil {
+		return err
+	}
+
+	if len(aud) == 0 {
+		return errorIfRequired(required, "aud")
+	}
+
+	// use a var here to keep constant time compare when looping over a number of claims
+	result := false
+
+	var stringClaims string
+	for _, a := range aud {
+		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) != 0 {
+			result = true
+		}
+		stringClaims = stringClaims + a
+	}
+
+	// case where "" is sent in one or many aud claims
+	if stringClaims == "" {
+		return errorIfRequired(required, "aud")
+	}
+
+	return errorIfFalse(result, ErrTokenInvalidAudience)
+}
+
+// verifyIssuer compares the iss claim in claims against cmp.
+//
+// If iss is not set, it will succeed if the claim is not required,
+// otherwise ErrTokenRequiredClaimMissing will be returned.
+//
+// Additionally, if any error occurs while retrieving the claim, e.g., when its
+// the wrong type, an ErrTokenUnverifiable error will be returned.
+func (v *Validator) verifyIssuer(claims Claims, cmp string, required bool) error {
+	iss, err := claims.GetIssuer()
+	if err != nil {
+		return err
+	}
+
+	if iss == "" {
+		return errorIfRequired(required, "iss")
+	}
+
+	return errorIfFalse(iss == cmp, ErrTokenInvalidIssuer)
+}
+
+// verifySubject compares the sub claim against cmp.
+//
+// If sub is not set, it will succeed if the claim is not required,
+// otherwise ErrTokenRequiredClaimMissing will be returned.
+//
+// Additionally, if any error occurs while retrieving the claim, e.g., when its
+// the wrong type, an ErrTokenUnverifiable error will be returned.
+func (v *Validator) verifySubject(claims Claims, cmp string, required bool) error {
+	sub, err := claims.GetSubject()
+	if err != nil {
+		return err
+	}
+
+	if sub == "" {
+		return errorIfRequired(required, "sub")
+	}
+
+	return errorIfFalse(sub == cmp, ErrTokenInvalidSubject)
+}
+
+// errorIfFalse returns the error specified in err, if the value is true.
+// Otherwise, nil is returned.
+func errorIfFalse(value bool, err error) error {
+	if value {
+		return nil
+	} else {
+		return err
+	}
+}
+
+// errorIfRequired returns an ErrTokenRequiredClaimMissing error if required is
+// true. Otherwise, nil is returned.
+func errorIfRequired(required bool, claim string) error {
+	if required {
+		return newError(fmt.Sprintf("%s claim is required", claim), ErrTokenRequiredClaimMissing)
+	} else {
+		return nil
+	}
+}
diff --git a/vendor/github.com/openshift/api/config/v1/Makefile b/vendor/github.com/openshift/api/config/v1/Makefile
new file mode 100644
index 00000000..66bf6363
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/Makefile
@@ -0,0 +1,3 @@
+.PHONY: test
+test:
+	make -C ../../tests test GINKGO_EXTRA_ARGS=--focus="config.openshift.io/v1"
diff --git a/vendor/github.com/openshift/api/config/v1/doc.go b/vendor/github.com/openshift/api/config/v1/doc.go
new file mode 100644
index 00000000..f9945475
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/doc.go
@@ -0,0 +1,9 @@
+// +k8s:deepcopy-gen=package,register
+// +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-gen=true
+// +openshift:featuregated-schema-gen=true
+
+// +kubebuilder:validation:Optional
+// +groupName=config.openshift.io
+// Package v1 is the v1 version of the API.
+package v1
diff --git a/vendor/github.com/openshift/api/config/v1/register.go b/vendor/github.com/openshift/api/config/v1/register.go
new file mode 100644
index 00000000..eac29a23
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/register.go
@@ -0,0 +1,82 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupName     = "config.openshift.io"
+	GroupVersion  = schema.GroupVersion{Group: GroupName, Version: "v1"}
+	schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	// Install is a function which adds this version to a scheme
+	Install = schemeBuilder.AddToScheme
+
+	// SchemeGroupVersion generated code relies on this name
+	// Deprecated
+	SchemeGroupVersion = GroupVersion
+	// AddToScheme exists solely to keep the old generators creating valid code
+	// DEPRECATED
+	AddToScheme = schemeBuilder.AddToScheme
+)
+
+// Resource generated code relies on this being here, but it logically belongs to the group
+// DEPRECATED
+func Resource(resource string) schema.GroupResource {
+	return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(GroupVersion,
+		&APIServer{},
+		&APIServerList{},
+		&Authentication{},
+		&AuthenticationList{},
+		&Build{},
+		&BuildList{},
+		&ClusterOperator{},
+		&ClusterOperatorList{},
+		&ClusterVersion{},
+		&ClusterVersionList{},
+		&Console{},
+		&ConsoleList{},
+		&DNS{},
+		&DNSList{},
+		&FeatureGate{},
+		&FeatureGateList{},
+		&Image{},
+		&ImageList{},
+		&Infrastructure{},
+		&InfrastructureList{},
+		&Ingress{},
+		&IngressList{},
+		&Node{},
+		&NodeList{},
+		&Network{},
+		&NetworkList{},
+		&OAuth{},
+		&OAuthList{},
+		&OperatorHub{},
+		&OperatorHubList{},
+		&Project{},
+		&ProjectList{},
+		&Proxy{},
+		&ProxyList{},
+		&Scheduler{},
+		&SchedulerList{},
+		&ImageContentPolicy{},
+		&ImageContentPolicyList{},
+		&ImageDigestMirrorSet{},
+		&ImageDigestMirrorSetList{},
+		&ImageTagMirrorSet{},
+		&ImageTagMirrorSetList{},
+		&ImagePolicy{},
+		&ImagePolicyList{},
+		&ClusterImagePolicy{},
+		&ClusterImagePolicyList{},
+	)
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+	return nil
+}
diff --git a/vendor/github.com/openshift/api/config/v1/stringsource.go b/vendor/github.com/openshift/api/config/v1/stringsource.go
new file mode 100644
index 00000000..6a5718c1
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/stringsource.go
@@ -0,0 +1,31 @@
+package v1
+
+import "encoding/json"
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+// If the value is a string, it sets the Value field of the StringSource.
+// Otherwise, it is unmarshaled into the StringSourceSpec struct
+func (s *StringSource) UnmarshalJSON(value []byte) error {
+	// If we can unmarshal to a simple string, just set the value
+	var simpleValue string
+	if err := json.Unmarshal(value, &simpleValue); err == nil {
+		s.Value = simpleValue
+		return nil
+	}
+
+	// Otherwise do the full struct unmarshal
+	return json.Unmarshal(value, &s.StringSourceSpec)
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+// If the StringSource contains only a string Value (or is empty), it is marshaled as a JSON string.
+// Otherwise, the StringSourceSpec struct is marshaled as a JSON object.
+func (s *StringSource) MarshalJSON() ([]byte, error) {
+	// If we have only a cleartext value set, do a simple string marshal
+	if s.StringSourceSpec == (StringSourceSpec{Value: s.Value}) {
+		return json.Marshal(s.Value)
+	}
+
+	// Otherwise do the full struct marshal of the externalized bits
+	return json.Marshal(s.StringSourceSpec)
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types.go b/vendor/github.com/openshift/api/config/v1/types.go
new file mode 100644
index 00000000..3e17ca0c
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types.go
@@ -0,0 +1,431 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// ConfigMapFileReference references a config map in a specific namespace.
+// The namespace must be specified at the point of use.
+type ConfigMapFileReference struct {
+	Name string `json:"name"`
+	// key allows pointing to a specific key/value inside of the configmap.  This is useful for logical file references.
+	Key string `json:"key,omitempty"`
+}
+
+// ConfigMapNameReference references a config map in a specific namespace.
+// The namespace must be specified at the point of use.
+type ConfigMapNameReference struct {
+	// name is the metadata.name of the referenced config map
+	// +required
+	Name string `json:"name"`
+}
+
+// SecretNameReference references a secret in a specific namespace.
+// The namespace must be specified at the point of use.
+type SecretNameReference struct {
+	// name is the metadata.name of the referenced secret
+	// +required
+	Name string `json:"name"`
+}
+
+// HTTPServingInfo holds configuration for serving HTTP
+type HTTPServingInfo struct {
+	// ServingInfo is the HTTP serving information
+	ServingInfo `json:",inline"`
+	// maxRequestsInFlight is the number of concurrent requests allowed to the server. If zero, no limit.
+	MaxRequestsInFlight int64 `json:"maxRequestsInFlight"`
+	// requestTimeoutSeconds is the number of seconds before requests are timed out. The default is 60 minutes, if
+	// -1 there is no limit on requests.
+	RequestTimeoutSeconds int64 `json:"requestTimeoutSeconds"`
+}
+
+// ServingInfo holds information about serving web pages
+type ServingInfo struct {
+	// bindAddress is the ip:port to serve on
+	BindAddress string `json:"bindAddress"`
+	// bindNetwork is the type of network to bind to - defaults to "tcp4", accepts "tcp",
+	// "tcp4", and "tcp6"
+	BindNetwork string `json:"bindNetwork"`
+	// CertInfo is the TLS cert info for serving secure traffic.
+	// this is anonymous so that we can inline it for serialization
+	CertInfo `json:",inline"`
+	// clientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
+	// +optional
+	ClientCA string `json:"clientCA,omitempty"`
+	// namedCertificates is a list of certificates to use to secure requests to specific hostnames
+	NamedCertificates []NamedCertificate `json:"namedCertificates,omitempty"`
+	// minTLSVersion is the minimum TLS version supported.
+	// Values must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants
+	MinTLSVersion string `json:"minTLSVersion,omitempty"`
+	// cipherSuites contains an overridden list of ciphers for the server to support.
+	// Values must match cipher suite IDs from https://golang.org/pkg/crypto/tls/#pkg-constants
+	CipherSuites []string `json:"cipherSuites,omitempty"`
+}
+
+// CertInfo relates a certificate with a private key
+type CertInfo struct {
+	// certFile is a file containing a PEM-encoded certificate
+	CertFile string `json:"certFile"`
+	// keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile
+	KeyFile string `json:"keyFile"`
+}
+
+// NamedCertificate specifies a certificate/key, and the names it should be served for
+type NamedCertificate struct {
+	// names is a list of DNS names this certificate should be used to secure
+	// A name can be a normal DNS name, or can contain leading wildcard segments.
+	Names []string `json:"names,omitempty"`
+	// CertInfo is the TLS cert info for serving secure traffic
+	CertInfo `json:",inline"`
+}
+
+// LeaderElection provides information to elect a leader
+type LeaderElection struct {
+	// disable allows leader election to be suspended while allowing a fully defaulted "normal" startup case.
+	Disable bool `json:"disable,omitempty"`
+	// namespace indicates which namespace the resource is in
+	Namespace string `json:"namespace,omitempty"`
+	// name indicates what name to use for the resource
+	Name string `json:"name,omitempty"`
+
+	// leaseDuration is the duration that non-leader candidates will wait
+	// after observing a leadership renewal until attempting to acquire
+	// leadership of a led but unrenewed leader slot. This is effectively the
+	// maximum duration that a leader can be stopped before it is replaced
+	// by another candidate. This is only applicable if leader election is
+	// enabled.
+	// +nullable
+	LeaseDuration metav1.Duration `json:"leaseDuration"`
+	// renewDeadline is the interval between attempts by the acting master to
+	// renew a leadership slot before it stops leading. This must be less
+	// than or equal to the lease duration. This is only applicable if leader
+	// election is enabled.
+	// +nullable
+	RenewDeadline metav1.Duration `json:"renewDeadline"`
+	// retryPeriod is the duration the clients should wait between attempting
+	// acquisition and renewal of a leadership. This is only applicable if
+	// leader election is enabled.
+	// +nullable
+	RetryPeriod metav1.Duration `json:"retryPeriod"`
+}
+
+// StringSource allows specifying a string inline, or externally via env var or file.
+// When it contains only a string value, it marshals to a simple JSON string.
+type StringSource struct {
+	// StringSourceSpec specifies the string value, or external location
+	StringSourceSpec `json:",inline"`
+}
+
+// StringSourceSpec specifies a string value, or external location
+type StringSourceSpec struct {
+	// value specifies the cleartext value, or an encrypted value if keyFile is specified.
+	Value string `json:"value"`
+
+	// env specifies an envvar containing the cleartext value, or an encrypted value if the keyFile is specified.
+	Env string `json:"env"`
+
+	// file references a file containing the cleartext value, or an encrypted value if a keyFile is specified.
+	File string `json:"file"`
+
+	// keyFile references a file containing the key to use to decrypt the value.
+	KeyFile string `json:"keyFile"`
+}
+
+// RemoteConnectionInfo holds information necessary for establishing a remote connection
+type RemoteConnectionInfo struct {
+	// url is the remote URL to connect to
+	URL string `json:"url"`
+	// ca is the CA for verifying TLS connections
+	CA string `json:"ca"`
+	// CertInfo is the TLS client cert information to present
+	// this is anonymous so that we can inline it for serialization
+	CertInfo `json:",inline"`
+}
+
+type AdmissionConfig struct {
+	PluginConfig map[string]AdmissionPluginConfig `json:"pluginConfig,omitempty"`
+
+	// enabledPlugins is a list of admission plugins that must be on in addition to the default list.
+	// Some admission plugins are disabled by default, but certain configurations require them.  This is fairly uncommon
+	// and can result in performance penalties and unexpected behavior.
+	EnabledAdmissionPlugins []string `json:"enabledPlugins,omitempty"`
+
+	// disabledPlugins is a list of admission plugins that must be off.  Putting something in this list
+	// is almost always a mistake and likely to result in cluster instability.
+	DisabledAdmissionPlugins []string `json:"disabledPlugins,omitempty"`
+}
+
+// AdmissionPluginConfig holds the necessary configuration options for admission plugins
+type AdmissionPluginConfig struct {
+	// location is the path to a configuration file that contains the plugin's
+	// configuration
+	Location string `json:"location"`
+
+	// configuration is an embedded configuration object to be used as the plugin's
+	// configuration. If present, it will be used instead of the path to the configuration file.
+	// +nullable
+	// +kubebuilder:pruning:PreserveUnknownFields
+	Configuration runtime.RawExtension `json:"configuration"`
+}
+
+type LogFormatType string
+
+type WebHookModeType string
+
+const (
+	// LogFormatLegacy saves event in 1-line text format.
+	LogFormatLegacy LogFormatType = "legacy"
+	// LogFormatJson saves event in structured json format.
+	LogFormatJson LogFormatType = "json"
+
+	// WebHookModeBatch indicates that the webhook should buffer audit events
+	// internally, sending batch updates either once a certain number of
+	// events have been received or a certain amount of time has passed.
+	WebHookModeBatch WebHookModeType = "batch"
+	// WebHookModeBlocking causes the webhook to block on every attempt to process
+	// a set of events. This causes requests to the API server to wait for a
+	// round trip to the external audit service before sending a response.
+	WebHookModeBlocking WebHookModeType = "blocking"
+)
+
+// AuditConfig holds configuration for the audit capabilities
+type AuditConfig struct {
+	// If this flag is set, audit log will be printed in the logs.
+	// The logs contains, method, user and a requested URL.
+	Enabled bool `json:"enabled"`
+	// All requests coming to the apiserver will be logged to this file.
+	AuditFilePath string `json:"auditFilePath"`
+	// Maximum number of days to retain old log files based on the timestamp encoded in their filename.
+	MaximumFileRetentionDays int32 `json:"maximumFileRetentionDays"`
+	// Maximum number of old log files to retain.
+	MaximumRetainedFiles int32 `json:"maximumRetainedFiles"`
+	// Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.
+	MaximumFileSizeMegabytes int32 `json:"maximumFileSizeMegabytes"`
+
+	// policyFile is a path to the file that defines the audit policy configuration.
+	PolicyFile string `json:"policyFile"`
+	// policyConfiguration is an embedded policy configuration object to be used
+	// as the audit policy configuration. If present, it will be used instead of
+	// the path to the policy file.
+	// +nullable
+	// +kubebuilder:pruning:PreserveUnknownFields
+	PolicyConfiguration runtime.RawExtension `json:"policyConfiguration"`
+
+	// Format of saved audits (legacy or json).
+	LogFormat LogFormatType `json:"logFormat"`
+
+	// Path to a .kubeconfig formatted file that defines the audit webhook configuration.
+	WebHookKubeConfig string `json:"webHookKubeConfig"`
+	// Strategy for sending audit events (block or batch).
+	WebHookMode WebHookModeType `json:"webHookMode"`
+}
+
+// EtcdConnectionInfo holds information necessary for connecting to an etcd server
+type EtcdConnectionInfo struct {
+	// urls are the URLs for etcd
+	URLs []string `json:"urls,omitempty"`
+	// ca is a file containing trusted roots for the etcd server certificates
+	CA string `json:"ca"`
+	// CertInfo is the TLS client cert information for securing communication to etcd
+	// this is anonymous so that we can inline it for serialization
+	CertInfo `json:",inline"`
+}
+
+type EtcdStorageConfig struct {
+	EtcdConnectionInfo `json:",inline"`
+
+	// storagePrefix is the path within etcd that the OpenShift resources will
+	// be rooted under. This value, if changed, will mean existing objects in etcd will
+	// no longer be located.
+	StoragePrefix string `json:"storagePrefix"`
+}
+
+// GenericAPIServerConfig is an inline-able struct for aggregated apiservers that need to store data in etcd
+type GenericAPIServerConfig struct {
+	// servingInfo describes how to start serving
+	ServingInfo HTTPServingInfo `json:"servingInfo"`
+
+	// corsAllowedOrigins
+	CORSAllowedOrigins []string `json:"corsAllowedOrigins"`
+
+	// auditConfig describes how to configure audit information
+	AuditConfig AuditConfig `json:"auditConfig"`
+
+	// storageConfig contains information about how to use
+	StorageConfig EtcdStorageConfig `json:"storageConfig"`
+
+	// admissionConfig holds information about how to configure admission.
+	AdmissionConfig AdmissionConfig `json:"admission"`
+
+	KubeClientConfig KubeClientConfig `json:"kubeClientConfig"`
+}
+
+type KubeClientConfig struct {
+	// kubeConfig is a .kubeconfig filename for going to the owning kube-apiserver.  Empty uses an in-cluster-config
+	KubeConfig string `json:"kubeConfig"`
+
+	// connectionOverrides specifies client overrides for system components to loop back to this master.
+	ConnectionOverrides ClientConnectionOverrides `json:"connectionOverrides"`
+}
+
+type ClientConnectionOverrides struct {
+	// acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
+	// default value of 'application/json'. This field will control all connections to the server used by a particular
+	// client.
+	AcceptContentTypes string `json:"acceptContentTypes"`
+	// contentType is the content type used when sending data to the server from this client.
+	ContentType string `json:"contentType"`
+
+	// qps controls the number of queries per second allowed for this connection.
+	QPS float32 `json:"qps"`
+	// burst allows extra queries to accumulate when a client is exceeding its rate.
+	Burst int32 `json:"burst"`
+}
+
+// GenericControllerConfig provides information to configure a controller
+type GenericControllerConfig struct {
+	// servingInfo is the HTTP serving information for the controller's endpoints
+	ServingInfo HTTPServingInfo `json:"servingInfo"`
+
+	// leaderElection provides information to elect a leader. Only override this if you have a specific need
+	LeaderElection LeaderElection `json:"leaderElection"`
+
+	// authentication allows configuration of authentication for the endpoints
+	Authentication DelegatedAuthentication `json:"authentication"`
+	// authorization allows configuration of authentication for the endpoints
+	Authorization DelegatedAuthorization `json:"authorization"`
+}
+
+// DelegatedAuthentication allows authentication to be disabled.
+type DelegatedAuthentication struct {
+	// disabled indicates that authentication should be disabled.  By default it will use delegated authentication.
+	Disabled bool `json:"disabled,omitempty"`
+}
+
+// DelegatedAuthorization allows authorization to be disabled.
+type DelegatedAuthorization struct {
+	// disabled indicates that authorization should be disabled.  By default it will use delegated authorization.
+	Disabled bool `json:"disabled,omitempty"`
+}
+type RequiredHSTSPolicy struct {
+	// namespaceSelector specifies a label selector such that the policy applies only to those routes that
+	// are in namespaces with labels that match the selector, and are in one of the DomainPatterns.
+	// Defaults to the empty LabelSelector, which matches everything.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+
+	// domainPatterns is a list of domains for which the desired HSTS annotations are required.
+	// If domainPatterns is specified and a route is created with a spec.host matching one of the domains,
+	// the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy.
+	//
+	// The use of wildcards is allowed like this: *.foo.com matches everything under foo.com.
+	// foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*.
+	// +kubebuilder:validation:MinItems=1
+	// +required
+	DomainPatterns []string `json:"domainPatterns"`
+
+	// maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts.
+	// If set to 0, it negates the effect, and hosts are removed as HSTS hosts.
+	// If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts.
+	// maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS
+	// policy will eventually expire on that client.
+	MaxAge MaxAgePolicy `json:"maxAge"`
+
+	// preloadPolicy directs the client to include hosts in its host preload list so that
+	// it never needs to do an initial load to get the HSTS header (note that this is not defined
+	// in RFC 6797 and is therefore client implementation-dependent).
+	// +optional
+	PreloadPolicy PreloadPolicy `json:"preloadPolicy,omitempty"`
+
+	// includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's
+	// domain name.  Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains:
+	// - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com
+	// - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com
+	// - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com
+	// - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com
+	// +optional
+	IncludeSubDomainsPolicy IncludeSubDomainsPolicy `json:"includeSubDomainsPolicy,omitempty"`
+}
+
+// MaxAgePolicy contains a numeric range for specifying a compliant HSTS max-age for the enclosing RequiredHSTSPolicy
+type MaxAgePolicy struct {
+	// The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age
+	// This value can be left unspecified, in which case no upper limit is enforced.
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=2147483647
+	LargestMaxAge *int32 `json:"largestMaxAge,omitempty"`
+
+	// The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age
+	// Setting max-age=0 allows the deletion of an existing HSTS header from a host.  This is a necessary
+	// tool for administrators to quickly correct mistakes.
+	// This value can be left unspecified, in which case no lower limit is enforced.
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=2147483647
+	SmallestMaxAge *int32 `json:"smallestMaxAge,omitempty"`
+}
+
+// PreloadPolicy contains a value for specifying a compliant HSTS preload policy for the enclosing RequiredHSTSPolicy
+// +kubebuilder:validation:Enum=RequirePreload;RequireNoPreload;NoOpinion
+type PreloadPolicy string
+
+const (
+	// RequirePreloadPolicy means HSTS "preload" is required by the RequiredHSTSPolicy
+	RequirePreloadPolicy PreloadPolicy = "RequirePreload"
+
+	// RequireNoPreloadPolicy means HSTS "preload" is forbidden by the RequiredHSTSPolicy
+	RequireNoPreloadPolicy PreloadPolicy = "RequireNoPreload"
+
+	// NoOpinionPreloadPolicy means HSTS "preload" doesn't matter to the RequiredHSTSPolicy
+	NoOpinionPreloadPolicy PreloadPolicy = "NoOpinion"
+)
+
+// IncludeSubDomainsPolicy contains a value for specifying a compliant HSTS includeSubdomains policy
+// for the enclosing RequiredHSTSPolicy
+// +kubebuilder:validation:Enum=RequireIncludeSubDomains;RequireNoIncludeSubDomains;NoOpinion
+type IncludeSubDomainsPolicy string
+
+const (
+	// RequireIncludeSubDomains means HSTS "includeSubDomains" is required by the RequiredHSTSPolicy
+	RequireIncludeSubDomains IncludeSubDomainsPolicy = "RequireIncludeSubDomains"
+
+	// RequireNoIncludeSubDomains means HSTS "includeSubDomains" is forbidden by the RequiredHSTSPolicy
+	RequireNoIncludeSubDomains IncludeSubDomainsPolicy = "RequireNoIncludeSubDomains"
+
+	// NoOpinionIncludeSubDomains means HSTS "includeSubDomains" doesn't matter to the RequiredHSTSPolicy
+	NoOpinionIncludeSubDomains IncludeSubDomainsPolicy = "NoOpinion"
+)
+
+// IBMCloudServiceName contains a value specifying the name of an IBM Cloud Service,
+// which are used by MAPI, CIRO, CIO, Installer, etc.
+// +kubebuilder:validation:Enum=CIS;COS;COSConfig;DNSServices;GlobalCatalog;GlobalSearch;GlobalTagging;HyperProtect;IAM;KeyProtect;ResourceController;ResourceManager;VPC
+type IBMCloudServiceName string
+
+const (
+	// IBMCloudServiceCIS is the name for IBM Cloud CIS.
+	IBMCloudServiceCIS IBMCloudServiceName = "CIS"
+	// IBMCloudServiceCOS is the name for IBM Cloud COS.
+	IBMCloudServiceCOS IBMCloudServiceName = "COS"
+	// IBMCloudServiceCOSConfig is the name for IBM Cloud COS Config service.
+	IBMCloudServiceCOSConfig IBMCloudServiceName = "COSConfig"
+	// IBMCloudServiceDNSServices is the name for IBM Cloud DNS Services.
+	IBMCloudServiceDNSServices IBMCloudServiceName = "DNSServices"
+	// IBMCloudServiceGlobalCatalog is the name for IBM Cloud Global Catalog service.
+	IBMCloudServiceGlobalCatalog IBMCloudServiceName = "GlobalCatalog"
+	// IBMCloudServiceGlobalSearch is the name for IBM Cloud Global Search.
+	IBMCloudServiceGlobalSearch IBMCloudServiceName = "GlobalSearch"
+	// IBMCloudServiceGlobalTagging is the name for IBM Cloud Global Tagging.
+	IBMCloudServiceGlobalTagging IBMCloudServiceName = "GlobalTagging"
+	// IBMCloudServiceHyperProtect is the name for IBM Cloud Hyper Protect.
+	IBMCloudServiceHyperProtect IBMCloudServiceName = "HyperProtect"
+	// IBMCloudServiceIAM is the name for IBM Cloud IAM.
+	IBMCloudServiceIAM IBMCloudServiceName = "IAM"
+	// IBMCloudServiceKeyProtect is the name for IBM Cloud Key Protect.
+	IBMCloudServiceKeyProtect IBMCloudServiceName = "KeyProtect"
+	// IBMCloudServiceResourceController is the name for IBM Cloud Resource Controller.
+	IBMCloudServiceResourceController IBMCloudServiceName = "ResourceController"
+	// IBMCloudServiceResourceManager is the name for IBM Cloud Resource Manager.
+	IBMCloudServiceResourceManager IBMCloudServiceName = "ResourceManager"
+	// IBMCloudServiceVPC is the name for IBM Cloud VPC.
+	IBMCloudServiceVPC IBMCloudServiceName = "VPC"
+)
diff --git a/vendor/github.com/openshift/api/config/v1/types_apiserver.go b/vendor/github.com/openshift/api/config/v1/types_apiserver.go
new file mode 100644
index 00000000..e1a98cb2
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_apiserver.go
@@ -0,0 +1,251 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// APIServer holds configuration (like serving certificates, client CA and CORS domains)
+// shared by all API servers in the system, among them especially kube-apiserver
+// and openshift-apiserver. The canonical name of an instance is 'cluster'.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=apiservers,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type APIServer struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	// spec holds user settable values for configuration
+	// +required
+	Spec APIServerSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status APIServerStatus `json:"status"`
+}
+
+type APIServerSpec struct {
+	// servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
+	// will be used for serving secure traffic.
+	// +optional
+	ServingCerts APIServerServingCerts `json:"servingCerts"`
+	// clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for
+	// incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid.
+	// You usually only have to set this if you have your own PKI you wish to honor client certificates from.
+	// The ConfigMap must exist in the openshift-config namespace and contain the following required fields:
+	// - ConfigMap.Data["ca-bundle.crt"] - CA bundle.
+	// +optional
+	ClientCA ConfigMapNameReference `json:"clientCA"`
+	// additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the
+	// API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth
+	// server from JavaScript applications.
+	// The values are regular expressions that correspond to the Golang regular expression language.
+	// +optional
+	// +listType=atomic
+	AdditionalCORSAllowedOrigins []string `json:"additionalCORSAllowedOrigins,omitempty"`
+	// encryption allows the configuration of encryption of resources at the datastore layer.
+	// +optional
+	Encryption APIServerEncryption `json:"encryption"`
+	// tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
+	//
+	// If unset, a default (which may change between releases) is chosen. Note that only Old,
+	// Intermediate and Custom profiles are currently supported, and the maximum available
+	// minTLSVersion is VersionTLS12.
+	// +optional
+	TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
+	// audit specifies the settings for audit configuration to be applied to all OpenShift-provided
+	// API servers in the cluster.
+	// +optional
+	// +kubebuilder:default={profile: Default}
+	Audit Audit `json:"audit"`
+}
+
+// AuditProfileType defines the audit policy profile type.
+// +kubebuilder:validation:Enum=Default;WriteRequestBodies;AllRequestBodies;None
+type AuditProfileType string
+
+const (
+	// "None" disables audit logs.
+	NoneAuditProfileType AuditProfileType = "None"
+
+	// "Default" is the existing default audit configuration policy.
+	DefaultAuditProfileType AuditProfileType = "Default"
+
+	// "WriteRequestBodies" is similar to Default but it logs request and response
+	// HTTP payloads for write requests (create, update, patch)
+	WriteRequestBodiesAuditProfileType AuditProfileType = "WriteRequestBodies"
+
+	// "AllRequestBodies" is similar to WriteRequestBodies, but also logs request
+	// and response HTTP payloads for read requests (get, list).
+	AllRequestBodiesAuditProfileType AuditProfileType = "AllRequestBodies"
+)
+
+type Audit struct {
+	// profile specifies the name of the desired top-level audit profile to be applied to all requests
+	// sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver,
+	// openshift-apiserver and oauth-apiserver), with the exception of those requests that match
+	// one or more of the customRules.
+	//
+	// The following profiles are provided:
+	// - Default: default policy which means MetaData level logging with the exception of events
+	//   (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody
+	//   level).
+	// - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for
+	// write requests (create, update, patch).
+	// - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response
+	// HTTP payloads for read requests (get, list).
+	// - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.
+	//
+	// Warning: It is not recommended to disable audit logging by using the `None` profile unless you
+	// are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues.
+	// If you disable audit logging and a support situation arises, you might need to enable audit logging
+	// and reproduce the issue in order to troubleshoot properly.
+	//
+	// If unset, the 'Default' profile is used as the default.
+	//
+	// +kubebuilder:default=Default
+	Profile AuditProfileType `json:"profile,omitempty"`
+	// customRules specify profiles per group. These profile take precedence over the
+	// top-level profile field if they apply. They are evaluation from top to bottom and
+	// the first one that matches, applies.
+	// +listType=map
+	// +listMapKey=group
+	// +optional
+	CustomRules []AuditCustomRule `json:"customRules,omitempty"`
+}
+
+// AuditCustomRule describes a custom rule for an audit profile that takes precedence over
+// the top-level profile.
+type AuditCustomRule struct {
+	// group is a name of group a request user must be member of in order to this profile to apply.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +required
+	Group string `json:"group"`
+	// profile specifies the name of the desired audit policy configuration to be deployed to
+	// all OpenShift-provided API servers in the cluster.
+	//
+	// The following profiles are provided:
+	// - Default: the existing default policy.
+	// - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for
+	// write requests (create, update, patch).
+	// - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response
+	// HTTP payloads for read requests (get, list).
+	// - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.
+	//
+	// If unset, the 'Default' profile is used as the default.
+	//
+	// +required
+	Profile AuditProfileType `json:"profile"`
+}
+
+type APIServerServingCerts struct {
+	// namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames.
+	// If no named certificates are provided, or no named certificates match the server name as understood by a client,
+	// the defaultServingCertificate will be used.
+	// +optional
+	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=32
+	NamedCertificates []APIServerNamedServingCert `json:"namedCertificates,omitempty"`
+}
+
+// APIServerNamedServingCert maps a server DNS name, as understood by a client, to a certificate.
+type APIServerNamedServingCert struct {
+	// names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to
+	// serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates.
+	// Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names.
+	// +optional
+	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=64
+	Names []string `json:"names,omitempty"`
+	// servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic.
+	// The secret must exist in the openshift-config namespace and contain the following required fields:
+	// - Secret.Data["tls.key"] - TLS private key.
+	// - Secret.Data["tls.crt"] - TLS certificate.
+	ServingCertificate SecretNameReference `json:"servingCertificate"`
+}
+
+// APIServerEncryption is used to encrypt sensitive resources on the cluster.
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="has(self.type) && self.type == 'KMS' ?  has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise"
+// +union
+type APIServerEncryption struct {
+	// type defines what encryption type should be used to encrypt resources at the datastore layer.
+	// When this field is unset (i.e. when it is set to the empty string), identity is implied.
+	// The behavior of unset can and will change over time.  Even if encryption is enabled by default,
+	// the meaning of unset may change to a different encryption type based on changes in best practices.
+	//
+	// When encryption is enabled, all sensitive resources shipped with the platform are encrypted.
+	// This list of sensitive resources can and will change over time.  The current authoritative list is:
+	//
+	//   1. secrets
+	//   2. configmaps
+	//   3. routes.route.openshift.io
+	//   4. oauthaccesstokens.oauth.openshift.io
+	//   5. oauthauthorizetokens.oauth.openshift.io
+	//
+	// +unionDiscriminator
+	// +optional
+	Type EncryptionType `json:"type,omitempty"`
+
+	// kms defines the configuration for the external KMS instance that manages the encryption keys,
+	// when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an
+	// externally configured KMS instance.
+	//
+	// The Key Management Service (KMS) instance provides symmetric encryption and is responsible for
+	// managing the lifecyle of the encryption keys outside of the control plane.
+	// This allows integration with an external provider to manage the data encryption keys securely.
+	//
+	// +openshift:enable:FeatureGate=KMSEncryptionProvider
+	// +unionMember
+	// +optional
+	KMS *KMSConfig `json:"kms,omitempty"`
+}
+
+// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm
+// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS
+type EncryptionType string
+
+const (
+	// identity refers to a type where no encryption is performed at the datastore layer.
+	// Resources are written as-is without encryption.
+	EncryptionTypeIdentity EncryptionType = "identity"
+
+	// aescbc refers to a type where AES-CBC with PKCS#7 padding and a 32-byte key
+	// is used to perform encryption at the datastore layer.
+	EncryptionTypeAESCBC EncryptionType = "aescbc"
+
+	// aesgcm refers to a type where AES-GCM with random nonce and a 32-byte key
+	// is used to perform encryption at the datastore layer.
+	EncryptionTypeAESGCM EncryptionType = "aesgcm"
+
+	// kms refers to a type of encryption where the encryption keys are managed
+	// outside the control plane in a Key Management Service instance,
+	// encryption is still performed at the datastore layer.
+	EncryptionTypeKMS EncryptionType = "KMS"
+)
+
+type APIServerStatus struct {
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type APIServerList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+	Items           []APIServer `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go
new file mode 100644
index 00000000..004e9472
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go
@@ -0,0 +1,765 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
+
+// Authentication specifies cluster-wide settings for authentication (like OAuth and
+// webhook token authenticators). The canonical name of an instance is `cluster`.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=authentications,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type Authentication struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec AuthenticationSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status AuthenticationStatus `json:"status"`
+}
+
+type AuthenticationSpec struct {
+	// type identifies the cluster managed, user facing authentication mode in use.
+	// Specifically, it manages the component that responds to login attempts.
+	// The default is IntegratedOAuth.
+	// +optional
+	Type AuthenticationType `json:"type"`
+
+	// oauthMetadata contains the discovery endpoint data for OAuth 2.0
+	// Authorization Server Metadata for an external OAuth server.
+	// This discovery document can be viewed from its served location:
+	// oc get --raw '/.well-known/oauth-authorization-server'
+	// For further details, see the IETF Draft:
+	// https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
+	// If oauthMetadata.name is non-empty, this value has precedence
+	// over any metadata reference stored in status.
+	// The key "oauthMetadata" is used to locate the data.
+	// If specified and the config map or expected key is not found, no metadata is served.
+	// If the specified metadata is not valid, no metadata is served.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	OAuthMetadata ConfigMapNameReference `json:"oauthMetadata"`
+
+	// webhookTokenAuthenticators is DEPRECATED, setting it has no effect.
+	// +listType=atomic
+	WebhookTokenAuthenticators []DeprecatedWebhookTokenAuthenticator `json:"webhookTokenAuthenticators,omitempty"`
+
+	// webhookTokenAuthenticator configures a remote token reviewer.
+	// These remote authentication webhooks can be used to verify bearer tokens
+	// via the tokenreviews.authentication.k8s.io REST API. This is required to
+	// honor bearer tokens that are provisioned by an external authentication service.
+	//
+	// Can only be set if "Type" is set to "None".
+	//
+	// +optional
+	WebhookTokenAuthenticator *WebhookTokenAuthenticator `json:"webhookTokenAuthenticator,omitempty"`
+
+	// serviceAccountIssuer is the identifier of the bound service account token
+	// issuer.
+	// The default is https://kubernetes.default.svc
+	// WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the
+	// previous issuer value. Instead, the tokens issued by previous service account issuer will continue to
+	// be trusted for a time period chosen by the platform (currently set to 24h).
+	// This time period is subject to change over time.
+	// This allows internal components to transition to use new service account issuer without service distruption.
+	// +optional
+	ServiceAccountIssuer string `json:"serviceAccountIssuer"`
+
+	// oidcProviders are OIDC identity providers that can issue tokens
+	// for this cluster
+	// Can only be set if "Type" is set to "OIDC".
+	//
+	// At most one provider can be configured.
+	//
+	// +listType=map
+	// +listMapKey=name
+	// +kubebuilder:validation:MaxItems=1
+	// +openshift:enable:FeatureGate=ExternalOIDC
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+	OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`
+}
+
+type AuthenticationStatus struct {
+	// integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0
+	// Authorization Server Metadata for the in-cluster integrated OAuth server.
+	// This discovery document can be viewed from its served location:
+	// oc get --raw '/.well-known/oauth-authorization-server'
+	// For further details, see the IETF Draft:
+	// https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
+	// This contains the observed value based on cluster state.
+	// An explicitly set value in spec.oauthMetadata has precedence over this field.
+	// This field has no meaning if authentication spec.type is not set to IntegratedOAuth.
+	// The key "oauthMetadata" is used to locate the data.
+	// If the config map or expected key is not found, no metadata is served.
+	// If the specified metadata is not valid, no metadata is served.
+	// The namespace for this config map is openshift-config-managed.
+	// +optional
+	IntegratedOAuthMetadata ConfigMapNameReference `json:"integratedOAuthMetadata"`
+
+	// oidcClients is where participating operators place the current OIDC client status
+	// for OIDC clients that can be customized by the cluster-admin.
+	//
+	// +listType=map
+	// +listMapKey=componentNamespace
+	// +listMapKey=componentName
+	// +kubebuilder:validation:MaxItems=20
+	// +openshift:enable:FeatureGate=ExternalOIDC
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+	// +optional
+	OIDCClients []OIDCClientStatus `json:"oidcClients"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type AuthenticationList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Authentication `json:"items"`
+}
+
+// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";None;IntegratedOAuth
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,enum="";None;IntegratedOAuth;OIDC
+type AuthenticationType string
+
+const (
+	// None means that no cluster managed authentication system is in place.
+	// Note that user login will only work if a manually configured system is in place and
+	// referenced in authentication spec via oauthMetadata and
+	// webhookTokenAuthenticator/oidcProviders
+	AuthenticationTypeNone AuthenticationType = "None"
+
+	// IntegratedOAuth refers to the cluster managed OAuth server.
+	// It is configured via the top level OAuth config.
+	AuthenticationTypeIntegratedOAuth AuthenticationType = "IntegratedOAuth"
+
+	// AuthenticationTypeOIDC refers to a configuration with an external
+	// OIDC server configured directly with the kube-apiserver.
+	AuthenticationTypeOIDC AuthenticationType = "OIDC"
+)
+
+// deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator.
+// It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field.
+type DeprecatedWebhookTokenAuthenticator struct {
+	// kubeConfig contains kube config file data which describes how to access the remote webhook service.
+	// For further details, see:
+	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+	// The key "kubeConfig" is used to locate the data.
+	// If the secret or expected key is not found, the webhook is not honored.
+	// If the specified kube config data is not valid, the webhook is not honored.
+	// The namespace for this secret is determined by the point of use.
+	KubeConfig SecretNameReference `json:"kubeConfig"`
+}
+
+// webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator
+type WebhookTokenAuthenticator struct {
+	// kubeConfig references a secret that contains kube config file data which
+	// describes how to access the remote webhook service.
+	// The namespace for the referenced secret is openshift-config.
+	//
+	// For further details, see:
+	//
+	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+	//
+	// The key "kubeConfig" is used to locate the data.
+	// If the secret or expected key is not found, the webhook is not honored.
+	// If the specified kube config data is not valid, the webhook is not honored.
+	// +required
+	KubeConfig SecretNameReference `json:"kubeConfig"`
+}
+
+const (
+	// OAuthMetadataKey is the key for the oauth authorization server metadata
+	OAuthMetadataKey = "oauthMetadata"
+
+	// KubeConfigKey is the key for the kube config file data in a secret
+	KubeConfigKey = "kubeConfig"
+)
+
+type OIDCProvider struct {
+	// name is a required field that configures the unique human-readable identifier
+	// associated with the identity provider.
+	// It is used to distinguish between multiple identity providers
+	// and has no impact on token validation or authentication mechanics.
+	//
+	// name must not be an empty string ("").
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +required
+	Name string `json:"name"`
+
+	// issuer is a required field that configures how the platform interacts
+	// with the identity provider and how tokens issued from the identity provider
+	// are evaluated by the Kubernetes API server.
+	//
+	// +required
+	Issuer TokenIssuer `json:"issuer"`
+
+	// oidcClients is an optional field that configures how on-cluster,
+	// platform clients should request tokens from the identity provider.
+	// oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.
+	//
+	// +listType=map
+	// +listMapKey=componentNamespace
+	// +listMapKey=componentName
+	// +kubebuilder:validation:MaxItems=20
+	// +optional
+	OIDCClients []OIDCClientConfig `json:"oidcClients"`
+
+	// claimMappings is a required field that configures the rules to be used by
+	// the Kubernetes API server for translating claims in a JWT token, issued
+	// by the identity provider, to a cluster identity.
+	//
+	// +required
+	ClaimMappings TokenClaimMappings `json:"claimMappings"`
+
+	// claimValidationRules is an optional field that configures the rules to
+	// be used by the Kubernetes API server for validating the claims in a JWT
+	// token issued by the identity provider.
+	//
+	// Validation rules are joined via an AND operation.
+	//
+	// +listType=atomic
+	// +optional
+	ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"`
+}
+
+// +kubebuilder:validation:MinLength=1
+type TokenAudience string
+
+type TokenIssuer struct {
+	// issuerURL is a required field that configures the URL used to issue tokens
+	// by the identity provider.
+	// The Kubernetes API server determines how authentication tokens should be handled
+	// by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
+	//
+	// issuerURL must use the 'https' scheme.
+	//
+	// +kubebuilder:validation:Pattern=`^https:\/\/[^\s]`
+	// +required
+	URL string `json:"issuerURL"`
+
+	// audiences is a required field that configures the acceptable audiences
+	// the JWT token, issued by the identity provider, must be issued to.
+	// At least one of the entries must match the 'aud' claim in the JWT token.
+	//
+	// audiences must contain at least one entry and must not exceed ten entries.
+	//
+	// +listType=set
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=10
+	// +required
+	Audiences []TokenAudience `json:"audiences"`
+
+	// issuerCertificateAuthority is an optional field that configures the
+	// certificate authority, used by the Kubernetes API server, to validate
+	// the connection to the identity provider when fetching discovery information.
+	//
+	// When not specified, the system trust is used.
+	//
+	// When specified, it must reference a ConfigMap in the openshift-config
+	// namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt'
+	// key in the data field of the ConfigMap.
+	//
+	// +optional
+	CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"`
+}
+
+type TokenClaimMappings struct {
+	// username is a required field that configures how the username of a cluster identity
+	// should be constructed from the claims in a JWT token issued by the identity provider.
+	//
+	// +required
+	Username UsernameClaimMapping `json:"username"`
+
+	// groups is an optional field that configures how the groups of a cluster identity
+	// should be constructed from the claims in a JWT token issued
+	// by the identity provider.
+	// When referencing a claim, if the claim is present in the JWT
+	// token, its value must be a list of groups separated by a comma (',').
+	// For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values.
+	//
+	// +optional
+	Groups PrefixedClaimMapping `json:"groups,omitempty"`
+
+	// uid is an optional field for configuring the claim mapping
+	// used to construct the uid for the cluster identity.
+	//
+	// When using uid.claim to specify the claim it must be a single string value.
+	// When using uid.expression the expression must result in a single string value.
+	//
+	// When omitted, this means the user has no opinion and the platform
+	// is left to choose a default, which is subject to change over time.
+	// The current default is to use the 'sub' claim.
+	//
+	// +optional
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+	UID *TokenClaimOrExpressionMapping `json:"uid,omitempty"`
+
+	// extra is an optional field for configuring the mappings
+	// used to construct the extra attribute for the cluster identity.
+	// When omitted, no extra attributes will be present on the cluster identity.
+	// key values for extra mappings must be unique.
+	// A maximum of 64 extra attribute mappings may be provided.
+	//
+	// +optional
+	// +kubebuilder:validation:MaxItems=64
+	// +listType=map
+	// +listMapKey=key
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+	Extra []ExtraMapping `json:"extra,omitempty"`
+}
+
+// TokenClaimMapping allows specifying a JWT token
+// claim to be used when mapping claims from an
+// authentication token to cluster identities.
+type TokenClaimMapping struct {
+	// claim is a required field that configures the JWT token
+	// claim whose value is assigned to the cluster identity
+	// field associated with this mapping.
+	//
+	// +required
+	Claim string `json:"claim"`
+}
+
+// TokenClaimOrExpressionMapping allows specifying either a JWT
+// token claim or CEL expression to be used when mapping claims
+// from an authentication token to cluster identities.
+// +kubebuilder:validation:XValidation:rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set"
+type TokenClaimOrExpressionMapping struct {
+	// claim is an optional field for specifying the
+	// JWT token claim that is used in the mapping.
+	// The value of this claim will be assigned to
+	// the field in which this mapping is associated.
+	//
+	// Precisely one of claim or expression must be set.
+	// claim must not be specified when expression is set.
+	// When specified, claim must be at least 1 character in length
+	// and must not exceed 256 characters in length.
+	//
+	// +optional
+	// +kubebuilder:validation:MaxLength=256
+	// +kubebuilder:validation:MinLength=1
+	Claim string `json:"claim,omitempty"`
+
+	// expression is an optional field for specifying a
+	// CEL expression that produces a string value from
+	// JWT token claims.
+	//
+	// CEL expressions have access to the token claims
+	// through a CEL variable, 'claims'.
+	// 'claims' is a map of claim names to claim values.
+	// For example, the 'sub' claim value can be accessed as 'claims.sub'.
+	// Nested claims can be accessed using dot notation ('claims.foo.bar').
+	//
+	// Precisely one of claim or expression must be set.
+	// expression must not be specified when claim is set.
+	// When specified, expression must be at least 1 character in length
+	// and must not exceed 4096 characters in length.
+	//
+	// +optional
+	// +kubebuilder:validation:MaxLength=4096
+	// +kubebuilder:validation:MinLength=1
+	Expression string `json:"expression,omitempty"`
+}
+
+// ExtraMapping allows specifying a key and CEL expression
+// to evaluate the keys' value. It is used to create additional
+// mappings and attributes added to a cluster identity from
+// a provided authentication token.
+type ExtraMapping struct {
+	// key is a required field that specifies the string
+	// to use as the extra attribute key.
+	//
+	// key must be a domain-prefix path (e.g 'example.org/foo').
+	// key must not exceed 510 characters in length.
+	// key must contain the '/' character, separating the domain and path characters.
+	// key must not be empty.
+	//
+	// The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain.
+	// It must not exceed 253 characters in length.
+	// It must start and end with an alphanumeric character.
+	// It must only contain lower case alphanumeric characters and '-' or '.'.
+	// It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io".
+	//
+	// The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one
+	// alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
+	// It must not exceed 256 characters in length.
+	//
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=510
+	// +kubebuilder:validation:XValidation:rule="self.contains('/')",message="key must contain the '/' character"
+	//
+	// +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0].matches(\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\")",message="the domain of the key must consist of only lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+	// +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0].size() <= 253",message="the domain of the key must not exceed 253 characters in length"
+	//
+	// +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0] != 'kubernetes.io'",message="the domain 'kubernetes.io' is reserved for Kubernetes use"
+	// +kubebuilder:validation:XValidation:rule="!self.split('/', 2)[0].endsWith('.kubernetes.io')",message="the subdomains '*.kubernetes.io' are reserved for Kubernetes use"
+	// +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0] != 'k8s.io'",message="the domain 'k8s.io' is reserved for Kubernetes use"
+	// +kubebuilder:validation:XValidation:rule="!self.split('/', 2)[0].endsWith('.k8s.io')",message="the subdomains '*.k8s.io' are reserved for Kubernetes use"
+	// +kubebuilder:validation:XValidation:rule="self.split('/', 2)[0] != 'openshift.io'",message="the domain 'openshift.io' is reserved for OpenShift use"
+	// +kubebuilder:validation:XValidation:rule="!self.split('/', 2)[0].endsWith('.openshift.io')",message="the subdomains '*.openshift.io' are reserved for OpenShift use"
+	//
+	// +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].matches('[A-Za-z0-9/\\\\-._~%!$&\\'()*+;=:]+')",message="the path of the key must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, apostrophe, '-', '.', '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', ';', '=', and ':'"
+	// +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].size() <= 256",message="the path of the key must not exceed 256 characters in length"
+	Key string `json:"key"`
+
+	// valueExpression is a required field to specify the CEL expression to extract
+	// the extra attribute value from a JWT token's claims.
+	// valueExpression must produce a string or string array value.
+	// "", [], and null are treated as the extra mapping not being present.
+	// Empty string values within an array are filtered out.
+	//
+	// CEL expressions have access to the token claims
+	// through a CEL variable, 'claims'.
+	// 'claims' is a map of claim names to claim values.
+	// For example, the 'sub' claim value can be accessed as 'claims.sub'.
+	// Nested claims can be accessed using dot notation ('claims.foo.bar').
+	//
+	// valueExpression must not exceed 4096 characters in length.
+	// valueExpression must not be empty.
+	//
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=4096
+	ValueExpression string `json:"valueExpression"`
+}
+
+// OIDCClientConfig configures how platform clients
+// interact with identity providers as an authentication
+// method
+type OIDCClientConfig struct {
+	// componentName is a required field that specifies the name of the platform
+	// component being configured to use the identity provider as an authentication mode.
+	// It is used in combination with componentNamespace as a unique identifier.
+	//
+	// componentName must not be an empty string ("") and must not exceed 256 characters in length.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	// +required
+	ComponentName string `json:"componentName"`
+
+	// componentNamespace is a required field that specifies the namespace in which the
+	// platform component being configured to use the identity provider as an authentication
+	// mode is running.
+	// It is used in combination with componentName as a unique identifier.
+	//
+	// componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +required
+	ComponentNamespace string `json:"componentNamespace"`
+
+	// clientID is a required field that configures the client identifier, from
+	// the identity provider, that the platform component uses for authentication
+	// requests made to the identity provider.
+	// The identity provider must accept this identifier for platform components
+	// to be able to use the identity provider as an authentication mode.
+	//
+	// clientID must not be an empty string ("").
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +required
+	ClientID string `json:"clientID"`
+
+	// clientSecret is an optional field that configures the client secret used
+	// by the platform component when making authentication requests to the identity provider.
+	//
+	// When not specified, no client secret will be used when making authentication requests
+	// to the identity provider.
+	//
+	// When specified, clientSecret references a Secret in the 'openshift-config'
+	// namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
+	// The client secret will be used when making authentication requests to the identity provider.
+	//
+	// Public clients do not require a client secret but private
+	// clients do require a client secret to work with the identity provider.
+	//
+	// +optional
+	ClientSecret SecretNameReference `json:"clientSecret"`
+
+	// extraScopes is an optional field that configures the extra scopes that should
+	// be requested by the platform component when making authentication requests to the
+	// identity provider.
+	// This is useful if you have configured claim mappings that requires specific
+	// scopes to be requested beyond the standard OIDC scopes.
+	//
+	// When omitted, no additional scopes are requested.
+	//
+	// +listType=set
+	// +optional
+	ExtraScopes []string `json:"extraScopes"`
+}
+
+// OIDCClientStatus represents the current state
+// of platform components and how they interact with
+// the configured identity providers.
+type OIDCClientStatus struct {
+	// componentName is a required field that specifies the name of the platform
+	// component using the identity provider as an authentication mode.
+	// It is used in combination with componentNamespace as a unique identifier.
+	//
+	// componentName must not be an empty string ("") and must not exceed 256 characters in length.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	// +required
+	ComponentName string `json:"componentName"`
+
+	// componentNamespace is a required field that specifies the namespace in which the
+	// platform component using the identity provider as an authentication
+	// mode is running.
+	// It is used in combination with componentName as a unique identifier.
+	//
+	// componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +required
+	ComponentNamespace string `json:"componentNamespace"`
+
+	// currentOIDCClients is an optional list of clients that the component is currently using.
+	// Entries must have unique issuerURL/clientID pairs.
+	//
+	// +listType=map
+	// +listMapKey=issuerURL
+	// +listMapKey=clientID
+	// +optional
+	CurrentOIDCClients []OIDCClientReference `json:"currentOIDCClients"`
+
+	// consumingUsers is an optional list of ServiceAccounts requiring
+	// read permissions on the `clientSecret` secret.
+	//
+	// consumingUsers must not exceed 5 entries.
+	//
+	// +kubebuilder:validation:MaxItems=5
+	// +listType=set
+	// +optional
+	ConsumingUsers []ConsumingUser `json:"consumingUsers"`
+
+	// conditions are used to communicate the state of the `oidcClients` entry.
+	//
+	// Supported conditions include Available, Degraded and Progressing.
+	//
+	// If Available is true, the component is successfully using the configured client.
+	// If Degraded is true, that means something has gone wrong trying to handle the client configuration.
+	// If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.
+	//
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// OIDCClientReference is a reference to a platform component
+// client configuration.
+type OIDCClientReference struct {
+	// oidcProviderName is a required reference to the 'name' of the identity provider
+	// configured in 'oidcProviders' that this client is associated with.
+	//
+	// oidcProviderName must not be an empty string ("").
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +required
+	OIDCProviderName string `json:"oidcProviderName"`
+
+	// issuerURL is a required field that specifies the URL of the identity
+	// provider that this client is configured to make requests against.
+	//
+	// issuerURL must use the 'https' scheme.
+	//
+	// +kubebuilder:validation:Pattern=`^https:\/\/[^\s]`
+	// +required
+	IssuerURL string `json:"issuerURL"`
+
+	// clientID is a required field that specifies the client identifier, from
+	// the identity provider, that the platform component is using for authentication
+	// requests made to the identity provider.
+	//
+	// clientID must not be empty.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +required
+	ClientID string `json:"clientID"`
+}
+
+// +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
+// +union
+type UsernameClaimMapping struct {
+	// claim is a required field that configures the JWT token
+	// claim whose value is assigned to the cluster identity
+	// field associated with this mapping.
+	//
+	// claim must not be an empty string ("") and must not exceed 256 characters.
+	//
+	// +required
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=256
+	Claim string `json:"claim"`
+
+	// prefixPolicy is an optional field that configures how a prefix should be
+	// applied to the value of the JWT claim specified in the 'claim' field.
+	//
+	// Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
+	//
+	// When set to 'Prefix', the value specified in the prefix field will be
+	// prepended to the value of the JWT claim.
+	// The prefix field must be set when prefixPolicy is 'Prefix'.
+	//
+	// When set to 'NoPrefix', no prefix will be prepended to the value
+	// of the JWT claim.
+	//
+	// When omitted, this means no opinion and the platform is left to choose
+	// any prefixes that are applied which is subject to change over time.
+	// Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim
+	// when the claim is not 'email'.
+	// As an example, consider the following scenario:
+	//    `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,
+	//    the JWT claims include "username":"userA" and "email":"userA@myoidc.tld",
+	//    and `claim` is set to:
+	//    - "username": the mapped value will be "https://myoidc.tld#userA"
+	//    - "email": the mapped value will be "userA@myoidc.tld"
+	//
+	// +kubebuilder:validation:Enum={"", "NoPrefix", "Prefix"}
+	// +optional
+	// +unionDiscriminator
+	PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy"`
+
+	// prefix configures the prefix that should be prepended to the value
+	// of the JWT claim.
+	//
+	// prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.
+	//
+	// +optional
+	// +unionMember
+	Prefix *UsernamePrefix `json:"prefix"`
+}
+
+// UsernamePrefixPolicy configures how prefixes should be applied
+// to values extracted from the JWT claims during the process of mapping
+// JWT claims to cluster identity attributes.
+// +enum
+type UsernamePrefixPolicy string
+
+var (
+	// NoOpinion let's the cluster assign prefixes.  If the username claim is email, there is no prefix
+	// If the username claim is anything else, it is prefixed by the issuerURL
+	NoOpinion UsernamePrefixPolicy = ""
+
+	// NoPrefix means the username claim value will not have any  prefix
+	NoPrefix UsernamePrefixPolicy = "NoPrefix"
+
+	// Prefix means the prefix value must be specified.  It cannot be empty
+	Prefix UsernamePrefixPolicy = "Prefix"
+)
+
+// UsernamePrefix configures the string that should
+// be used as a prefix for username claim mappings.
+type UsernamePrefix struct {
+	// prefixString is a required field that configures the prefix that will
+	// be applied to cluster identity username attribute
+	// during the process of mapping JWT claims to cluster identity attributes.
+	//
+	// prefixString must not be an empty string ("").
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +required
+	PrefixString string `json:"prefixString"`
+}
+
+// PrefixedClaimMapping configures a claim mapping
+// that allows for an optional prefix.
+type PrefixedClaimMapping struct {
+	TokenClaimMapping `json:",inline"`
+
+	// prefix is an optional field that configures the prefix that will be
+	// applied to the cluster identity attribute during the process of mapping
+	// JWT claims to cluster identity attributes.
+	//
+	// When omitted (""), no prefix is applied to the cluster identity attribute.
+	//
+	// Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains
+	// an array of strings "a", "b" and  "c", the mapping will result in an
+	// array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+	//
+	// +optional
+	Prefix string `json:"prefix"`
+}
+
+// TokenValidationRuleType represents the different
+// claim validation rule types that can be configured.
+// +enum
+type TokenValidationRuleType string
+
+const (
+	TokenValidationRuleTypeRequiredClaim = "RequiredClaim"
+)
+
+type TokenClaimValidationRule struct {
+	// type is an optional field that configures the type of the validation rule.
+	//
+	// Allowed values are 'RequiredClaim' and omitted (not provided or an empty string).
+	//
+	// When set to 'RequiredClaim', the Kubernetes API server
+	// will be configured to validate that the incoming JWT
+	// contains the required claim and that its value matches
+	// the required value.
+	//
+	// Defaults to 'RequiredClaim'.
+	//
+	// +kubebuilder:validation:Enum={"RequiredClaim"}
+	// +kubebuilder:default="RequiredClaim"
+	Type TokenValidationRuleType `json:"type"`
+
+	// requiredClaim is an optional field that configures the required claim
+	// and value that the Kubernetes API server will use to validate if an incoming
+	// JWT is valid for this identity provider.
+	//
+	// +optional
+	RequiredClaim *TokenRequiredClaim `json:"requiredClaim,omitempty"`
+}
+
+type TokenRequiredClaim struct {
+	// claim is a required field that configures the name of the required claim.
+	// When taken from the JWT claims, claim must be a string value.
+	//
+	// claim must not be an empty string ("").
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +required
+	Claim string `json:"claim"`
+
+	// requiredValue is a required field that configures the value that 'claim' must
+	// have when taken from the incoming JWT claims.
+	// If the value in the JWT claims does not match, the token
+	// will be rejected for authentication.
+	//
+	// requiredValue must not be an empty string ("").
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +required
+	RequiredValue string `json:"requiredValue"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_build.go b/vendor/github.com/openshift/api/config/v1/types_build.go
new file mode 100644
index 00000000..dcde1fc5
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_build.go
@@ -0,0 +1,132 @@
+package v1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Build configures the behavior of OpenShift builds for the entire cluster.
+// This includes default settings that can be overridden in BuildConfig objects, and overrides which are applied to all builds.
+//
+// The canonical name is "cluster"
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=openshift-controller-manager,operatorOrdering=01
+// +openshift:capability=Build
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=builds,scope=Cluster
+// +kubebuilder:subresource:status
+type Build struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user-settable values for the build controller configuration
+	// +required
+	Spec BuildSpec `json:"spec"`
+}
+
+type BuildSpec struct {
+	// additionalTrustedCA is a reference to a ConfigMap containing additional CAs that
+	// should be trusted for image pushes and pulls during builds.
+	// The namespace for this config map is openshift-config.
+	//
+	// DEPRECATED: Additional CAs for image pull and push should be set on
+	// image.config.openshift.io/cluster instead.
+	//
+	// +optional
+	AdditionalTrustedCA ConfigMapNameReference `json:"additionalTrustedCA"`
+	// buildDefaults controls the default information for Builds
+	// +optional
+	BuildDefaults BuildDefaults `json:"buildDefaults"`
+	// buildOverrides controls override settings for builds
+	// +optional
+	BuildOverrides BuildOverrides `json:"buildOverrides"`
+}
+
+type BuildDefaults struct {
+	// defaultProxy contains the default proxy settings for all build operations, including image pull/push
+	// and source download.
+	//
+	// Values can be overrode by setting the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables
+	// in the build config's strategy.
+	// +optional
+	DefaultProxy *ProxySpec `json:"defaultProxy,omitempty"`
+
+	// gitProxy contains the proxy settings for git operations only. If set, this will override
+	// any Proxy settings for all git commands, such as git clone.
+	//
+	// Values that are not set here will be inherited from DefaultProxy.
+	// +optional
+	GitProxy *ProxySpec `json:"gitProxy,omitempty"`
+
+	// env is a set of default environment variables that will be applied to the
+	// build if the specified variables do not exist on the build
+	// +optional
+	Env []corev1.EnvVar `json:"env,omitempty"`
+
+	// imageLabels is a list of docker labels that are applied to the resulting image.
+	// User can override a default label by providing a label with the same name in their
+	// Build/BuildConfig.
+	// +optional
+	ImageLabels []ImageLabel `json:"imageLabels,omitempty"`
+
+	// resources defines resource requirements to execute the build.
+	// +optional
+	Resources corev1.ResourceRequirements `json:"resources"`
+}
+
+type ImageLabel struct {
+	// name defines the name of the label. It must have non-zero length.
+	Name string `json:"name"`
+
+	// value defines the literal value of the label.
+	// +optional
+	Value string `json:"value,omitempty"`
+}
+
+type BuildOverrides struct {
+	// imageLabels is a list of docker labels that are applied to the resulting image.
+	// If user provided a label in their Build/BuildConfig with the same name as one in this
+	// list, the user's label will be overwritten.
+	// +optional
+	ImageLabels []ImageLabel `json:"imageLabels,omitempty"`
+
+	// nodeSelector is a selector which must be true for the build pod to fit on a node
+	// +optional
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+
+	// tolerations is a list of Tolerations that will override any existing
+	// tolerations set on a build pod.
+	// +optional
+	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
+
+	// forcePull overrides, if set, the equivalent value in the builds,
+	// i.e. false disables force pull for all builds,
+	// true enables force pull for all builds,
+	// independently of what each build specifies itself
+	// +optional
+	ForcePull *bool `json:"forcePull,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type BuildList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Build `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
new file mode 100644
index 00000000..ca604e05
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
@@ -0,0 +1,87 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterImagePolicy holds cluster-wide configuration for image signature verification
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=clusterimagepolicies,scope=Cluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2310
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +openshift:enable:FeatureGate=SigstoreImageVerification
+// +openshift:compatibility-gen:level=1
+type ClusterImagePolicy struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata"`
+
+	// spec contains the configuration for the cluster image policy.
+	// +required
+	Spec ClusterImagePolicySpec `json:"spec"`
+	// status contains the observed state of the resource.
+	// +optional
+	Status ClusterImagePolicyStatus `json:"status"`
+}
+
+// CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.
+type ClusterImagePolicySpec struct {
+	// scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2".
+	// Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest).
+	// More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository
+	// namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number).
+	// Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e.  *.example.com is a valid case, but example*.*.com is not.
+	// This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored.
+	// In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories
+	// quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation.
+	// If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied.
+	// For additional details about the format, please refer to the document explaining the docker transport field,
+	// which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker
+	// +required
+	// +kubebuilder:validation:MaxItems=256
+	// +listType=set
+	Scopes []ImageScope `json:"scopes"`
+	// policy is a required field that contains configuration to allow scopes to be verified, and defines how
+	// images not matching the verification policy will be treated.
+	// +required
+	Policy Policy `json:"policy"`
+}
+
+// +k8s:deepcopy-gen=true
+type ClusterImagePolicyStatus struct {
+	// conditions provide details on the status of this API Resource.
+	// +kubebuilder:validation:MaxItems=8
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterImagePolicyList is a list of ClusterImagePolicy resources
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type ClusterImagePolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +required
+	metav1.ListMeta `json:"metadata"`
+
+	// items is a list of ClusterImagePolices
+	// +kubebuilder:validation:MaxItems=1000
+	// +required
+	Items []ClusterImagePolicy `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go b/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go
new file mode 100644
index 00000000..a447adb9
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_operator.go
@@ -0,0 +1,220 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterOperator is the Custom Resource object which holds the current state
+// of an operator. This object is used by operators to convey their state to
+// the rest of the cluster.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/497
+// +openshift:file-pattern=cvoRunLevel=0000_00,operatorName=cluster-version-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=clusteroperators,scope=Cluster,shortName=co
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name=Version,JSONPath=.status.versions[?(@.name=="operator")].version,type=string,description=The version the operator is at.
+// +kubebuilder:printcolumn:name=Available,JSONPath=.status.conditions[?(@.type=="Available")].status,type=string,description=Whether the operator is running and stable.
+// +kubebuilder:printcolumn:name=Progressing,JSONPath=.status.conditions[?(@.type=="Progressing")].status,type=string,description=Whether the operator is processing changes.
+// +kubebuilder:printcolumn:name=Degraded,JSONPath=.status.conditions[?(@.type=="Degraded")].status,type=string,description=Whether the operator is degraded.
+// +kubebuilder:printcolumn:name=Since,JSONPath=.status.conditions[?(@.type=="Available")].lastTransitionTime,type=date,description=The time the operator's Available status last changed.
+// +kubebuilder:metadata:annotations=include.release.openshift.io/self-managed-high-availability=true
+type ClusterOperator struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+
+	// spec holds configuration that could apply to any operator.
+	// +required
+	Spec ClusterOperatorSpec `json:"spec"`
+
+	// status holds the information about the state of an operator.  It is consistent with status information across
+	// the Kubernetes ecosystem.
+	// +optional
+	Status ClusterOperatorStatus `json:"status"`
+}
+
+// ClusterOperatorSpec is empty for now, but you could imagine holding information like "pause".
+type ClusterOperatorSpec struct {
+}
+
+// ClusterOperatorStatus provides information about the status of the operator.
+// +k8s:deepcopy-gen=true
+type ClusterOperatorStatus struct {
+	// conditions describes the state of the operator's managed and monitored components.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []ClusterOperatorStatusCondition `json:"conditions,omitempty"  patchStrategy:"merge" patchMergeKey:"type"`
+
+	// versions is a slice of operator and operand version tuples.  Operators which manage multiple operands will have multiple
+	// operand entries in the array.  Available operators must report the version of the operator itself with the name "operator".
+	// An operator reports a new "operator" version when it has rolled out the new version to all of its operands.
+	// +optional
+	Versions []OperandVersion `json:"versions,omitempty"`
+
+	// relatedObjects is a list of objects that are "interesting" or related to this operator.  Common uses are:
+	// 1. the detailed resource driving the operator
+	// 2. operator namespaces
+	// 3. operand namespaces
+	// +optional
+	RelatedObjects []ObjectReference `json:"relatedObjects,omitempty"`
+
+	// extension contains any additional status information specific to the
+	// operator which owns this status object.
+	// +nullable
+	// +optional
+	// +kubebuilder:pruning:PreserveUnknownFields
+	Extension runtime.RawExtension `json:"extension"`
+}
+
+type OperandVersion struct {
+	// name is the name of the particular operand this version is for.  It usually matches container images, not operators.
+	// +required
+	Name string `json:"name"`
+
+	// version indicates which version of a particular operand is currently being managed.  It must always match the Available
+	// operand.  If 1.0.0 is Available, then this must indicate 1.0.0 even if the operator is trying to rollout
+	// 1.1.0
+	// +required
+	Version string `json:"version"`
+}
+
+// ObjectReference contains enough information to let you inspect or modify the referred object.
+type ObjectReference struct {
+	// group of the referent.
+	// +required
+	Group string `json:"group"`
+	// resource of the referent.
+	// +required
+	Resource string `json:"resource"`
+	// namespace of the referent.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+	// name of the referent.
+	// +required
+	Name string `json:"name"`
+}
+
+type ConditionStatus string
+
+// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
+// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
+// can't decide if a resource is in the condition or not. In the future, we could add other
+// intermediate conditions, e.g. ConditionDegraded.
+const (
+	ConditionTrue    ConditionStatus = "True"
+	ConditionFalse   ConditionStatus = "False"
+	ConditionUnknown ConditionStatus = "Unknown"
+)
+
+// ClusterOperatorStatusCondition represents the state of the operator's
+// managed and monitored components.
+// +k8s:deepcopy-gen=true
+type ClusterOperatorStatusCondition struct {
+	// type specifies the aspect reported by this condition.
+	// +required
+	Type ClusterStatusConditionType `json:"type"`
+
+	// status of the condition, one of True, False, Unknown.
+	// +required
+	Status ConditionStatus `json:"status"`
+
+	// lastTransitionTime is the time of the last update to the current status property.
+	// +required
+	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
+
+	// reason is the CamelCase reason for the condition's current status.
+	// +optional
+	Reason string `json:"reason,omitempty"`
+
+	// message provides additional information about the current condition.
+	// This is only to be consumed by humans.  It may contain Line Feed
+	// characters (U+000A), which should be rendered as new lines.
+	// +optional
+	Message string `json:"message,omitempty"`
+}
+
+// ClusterStatusConditionType is an aspect of operator state.
+type ClusterStatusConditionType string
+
+const (
+	// Available indicates that the component (operator and all configured operands)
+	// is functional and available in the cluster. Available=False means at least
+	// part of the component is non-functional, and that the condition requires
+	// immediate administrator intervention.
+	OperatorAvailable ClusterStatusConditionType = "Available"
+
+	// Progressing indicates that the component (operator and all configured operands)
+	// is actively rolling out new code, propagating config changes, or otherwise
+	// moving from one steady state to another. Operators should not report
+	// progressing when they are reconciling (without action) a previously known
+	// state. If the observed cluster state has changed and the component is
+	// reacting to it (scaling up for instance), Progressing should become true
+	// since it is moving from one steady state to another.
+	OperatorProgressing ClusterStatusConditionType = "Progressing"
+
+	// Degraded indicates that the component (operator and all configured operands)
+	// does not match its desired state over a period of time resulting in a lower
+	// quality of service. The period of time may vary by component, but a Degraded
+	// state represents persistent observation of a condition. As a result, a
+	// component should not oscillate in and out of Degraded state. A component may
+	// be Available even if its degraded. For example, a component may desire 3
+	// running pods, but 1 pod is crash-looping. The component is Available but
+	// Degraded because it may have a lower quality of service. A component may be
+	// Progressing but not Degraded because the transition from one state to
+	// another does not persist over a long enough period to report Degraded. A
+	// component should not report Degraded during the course of a normal upgrade.
+	// A component may report Degraded in response to a persistent infrastructure
+	// failure that requires eventual administrator intervention.  For example, if
+	// a control plane host is unhealthy and must be replaced. A component should
+	// report Degraded if unexpected errors occur over a period, but the
+	// expectation is that all unexpected errors are handled as operators mature.
+	OperatorDegraded ClusterStatusConditionType = "Degraded"
+
+	// Upgradeable indicates whether the component (operator and all configured
+	// operands) is safe to upgrade based on the current cluster state. When
+	// Upgradeable is False, the cluster-version operator will prevent the
+	// cluster from performing impacted updates unless forced.  When set on
+	// ClusterVersion, the message will explain which updates (minor or patch)
+	// are impacted. When set on ClusterOperator, False will block minor
+	// OpenShift updates. The message field should contain a human readable
+	// description of what the administrator should do to allow the cluster or
+	// component to successfully update. The cluster-version operator will
+	// allow updates when this condition is not False, including when it is
+	// missing, True, or Unknown.
+	OperatorUpgradeable ClusterStatusConditionType = "Upgradeable"
+
+	// EvaluationConditionsDetected is used to indicate the result of the detection
+	// logic that was added to a component to evaluate the introduction of an
+	// invasive change that could potentially result in highly visible alerts,
+	// breakages or upgrade failures. You can concatenate multiple Reason using
+	// the "::" delimiter if you need to evaluate the introduction of multiple changes.
+	EvaluationConditionsDetected ClusterStatusConditionType = "EvaluationConditionsDetected"
+)
+
+// ClusterOperatorList is a list of OperatorStatus resources.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +openshift:compatibility-gen:level=1
+type ClusterOperatorList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []ClusterOperator `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
new file mode 100644
index 00000000..54e1de94
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
@@ -0,0 +1,908 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterVersion is the configuration for the ClusterVersionOperator. This is where
+// parameters related to automatic updates can be set.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/495
+// +openshift:file-pattern=cvoRunLevel=0000_00,operatorName=cluster-version-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:path=clusterversions,scope=Cluster
+// +kubebuilder:validation:XValidation:rule="has(self.spec.capabilities) && has(self.spec.capabilities.additionalEnabledCapabilities) && self.spec.capabilities.baselineCapabilitySet == 'None' && 'marketplace' in self.spec.capabilities.additionalEnabledCapabilities ? 'OperatorLifecycleManager' in self.spec.capabilities.additionalEnabledCapabilities || (has(self.status) && has(self.status.capabilities) && has(self.status.capabilities.enabledCapabilities) && 'OperatorLifecycleManager' in self.status.capabilities.enabledCapabilities) : true",message="the `marketplace` capability requires the `OperatorLifecycleManager` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `OperatorLifecycleManager` capability"
+// +kubebuilder:printcolumn:name=Version,JSONPath=.status.history[?(@.state=="Completed")].version,type=string
+// +kubebuilder:printcolumn:name=Available,JSONPath=.status.conditions[?(@.type=="Available")].status,type=string
+// +kubebuilder:printcolumn:name=Progressing,JSONPath=.status.conditions[?(@.type=="Progressing")].status,type=string
+// +kubebuilder:printcolumn:name=Since,JSONPath=.status.conditions[?(@.type=="Progressing")].lastTransitionTime,type=date
+// +kubebuilder:printcolumn:name=Status,JSONPath=.status.conditions[?(@.type=="Progressing")].message,type=string
+// +kubebuilder:metadata:annotations=include.release.openshift.io/self-managed-high-availability=true
+type ClusterVersion struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec is the desired state of the cluster version - the operator will work
+	// to ensure that the desired version is applied to the cluster.
+	// +required
+	Spec ClusterVersionSpec `json:"spec"`
+	// status contains information about the available updates and any in-progress
+	// updates.
+	// +optional
+	Status ClusterVersionStatus `json:"status"`
+}
+
+// ClusterVersionSpec is the desired version state of the cluster. It includes
+// the version the cluster should be at, how the cluster is identified, and
+// where the cluster should look for version updates.
+// +k8s:deepcopy-gen=true
+type ClusterVersionSpec struct {
+	// clusterID uniquely identifies this cluster. This is expected to be
+	// an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in
+	// hexadecimal values). This is a required field.
+	// +required
+	ClusterID ClusterID `json:"clusterID"`
+
+	// desiredUpdate is an optional field that indicates the desired value of
+	// the cluster version. Setting this value will trigger an upgrade (if
+	// the current version does not match the desired version). The set of
+	// recommended update values is listed as part of available updates in
+	// status, and setting values outside that range may cause the upgrade
+	// to fail.
+	//
+	// Some of the fields are inter-related with restrictions and meanings described here.
+	// 1. image is specified, version is specified, architecture is specified. API validation error.
+	// 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version.
+	// 3. image is specified, version is not specified, architecture is specified. API validation error.
+	// 4. image is specified, version is not specified, architecture is not specified. image is used.
+	// 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image.
+	// 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image.
+	// 7. image is not specified, version is not specified, architecture is specified. API validation error.
+	// 8. image is not specified, version is not specified, architecture is not specified. API validation error.
+	//
+	// If an upgrade fails the operator will halt and report status
+	// about the failing component. Setting the desired update value back to
+	// the previous version will cause a rollback to be attempted. Not all
+	// rollbacks will succeed.
+	//
+	// +optional
+	DesiredUpdate *Update `json:"desiredUpdate,omitempty"`
+
+	// upstream may be used to specify the preferred update server. By default
+	// it will use the appropriate update server for the cluster and region.
+	//
+	// +optional
+	Upstream URL `json:"upstream,omitempty"`
+	// channel is an identifier for explicitly requesting a non-default set
+	// of updates to be applied to this cluster. The default channel will
+	// contain stable updates that are appropriate for production clusters.
+	//
+	// +optional
+	Channel string `json:"channel,omitempty"`
+
+	// capabilities configures the installation of optional, core
+	// cluster components.  A null value here is identical to an
+	// empty object; see the child properties for default semantics.
+	// +optional
+	Capabilities *ClusterVersionCapabilitiesSpec `json:"capabilities,omitempty"`
+
+	// signatureStores contains the upstream URIs to verify release signatures and optional
+	// reference to a config map by name containing the PEM-encoded CA bundle.
+	//
+	// By default, CVO will use existing signature stores if this property is empty.
+	// The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature
+	// in these stores in parallel only when local ConfigMaps did not include a valid signature.
+	// Validation will fail if none of the signature stores reply with valid signature before timeout.
+	// Setting signatureStores will replace the default signature stores with custom signature stores.
+	// Default stores can be used with custom signature stores by adding them manually.
+	//
+	// A maximum of 32 signature stores may be configured.
+	// +kubebuilder:validation:MaxItems=32
+	// +openshift:enable:FeatureGate=SignatureStores
+	// +listType=map
+	// +listMapKey=url
+	// +optional
+	SignatureStores []SignatureStore `json:"signatureStores"`
+
+	// overrides is list of overides for components that are managed by
+	// cluster version operator. Marking a component unmanaged will prevent
+	// the operator from creating or updating the object.
+	// +listType=map
+	// +listMapKey=kind
+	// +listMapKey=group
+	// +listMapKey=namespace
+	// +listMapKey=name
+	// +optional
+	Overrides []ComponentOverride `json:"overrides,omitempty"`
+}
+
+// ClusterVersionStatus reports the status of the cluster versioning,
+// including any upgrades that are in progress. The current field will
+// be set to whichever version the cluster is reconciling to, and the
+// conditions array will report whether the update succeeded, is in
+// progress, or is failing.
+// +k8s:deepcopy-gen=true
+type ClusterVersionStatus struct {
+	// desired is the version that the cluster is reconciling towards.
+	// If the cluster is not yet fully initialized desired will be set
+	// with the information available, which may be an image or a tag.
+	// +required
+	Desired Release `json:"desired"`
+
+	// history contains a list of the most recent versions applied to the cluster.
+	// This value may be empty during cluster startup, and then will be updated
+	// when a new update is being applied. The newest update is first in the
+	// list and it is ordered by recency. Updates in the history have state
+	// Completed if the rollout completed - if an update was failing or halfway
+	// applied the state will be Partial. Only a limited amount of update history
+	// is preserved.
+	// +listType=atomic
+	// +optional
+	History []UpdateHistory `json:"history,omitempty"`
+
+	// observedGeneration reports which version of the spec is being synced.
+	// If this value is not equal to metadata.generation, then the desired
+	// and conditions fields may represent a previous version.
+	// +required
+	ObservedGeneration int64 `json:"observedGeneration"`
+
+	// versionHash is a fingerprint of the content that the cluster will be
+	// updated with. It is used by the operator to avoid unnecessary work
+	// and is for internal use only.
+	// +required
+	VersionHash string `json:"versionHash"`
+
+	// capabilities describes the state of optional, core cluster components.
+	// +optional
+	Capabilities ClusterVersionCapabilitiesStatus `json:"capabilities"`
+
+	// conditions provides information about the cluster version. The condition
+	// "Available" is set to true if the desiredUpdate has been reached. The
+	// condition "Progressing" is set to true if an update is being applied.
+	// The condition "Degraded" is set to true if an update is currently blocked
+	// by a temporary or permanent error. Conditions are only valid for the
+	// current desiredUpdate when metadata.generation is equal to
+	// status.generation.
+	// +listType=map
+	// +listMapKey=type
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +optional
+	Conditions []ClusterOperatorStatusCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+
+	// availableUpdates contains updates recommended for this
+	// cluster. Updates which appear in conditionalUpdates but not in
+	// availableUpdates may expose this cluster to known issues. This list
+	// may be empty if no updates are recommended, if the update service
+	// is unavailable, or if an invalid channel has been specified.
+	// +nullable
+	// +listType=atomic
+	// +required
+	AvailableUpdates []Release `json:"availableUpdates"`
+
+	// conditionalUpdates contains the list of updates that may be
+	// recommended for this cluster if it meets specific required
+	// conditions. Consumers interested in the set of updates that are
+	// actually recommended for this cluster should use
+	// availableUpdates. This list may be empty if no updates are
+	// recommended, if the update service is unavailable, or if an empty
+	// or invalid channel has been specified.
+	// +listType=atomic
+	// +optional
+	ConditionalUpdates []ConditionalUpdate `json:"conditionalUpdates,omitempty"`
+}
+
+// UpdateState is a constant representing whether an update was successfully
+// applied to the cluster or not.
+type UpdateState string
+
+const (
+	// CompletedUpdate indicates an update was successfully applied
+	// to the cluster (all resource updates were successful).
+	CompletedUpdate UpdateState = "Completed"
+	// PartialUpdate indicates an update was never completely applied
+	// or is currently being applied.
+	PartialUpdate UpdateState = "Partial"
+)
+
+// UpdateHistory is a single attempted update to the cluster.
+type UpdateHistory struct {
+	// state reflects whether the update was fully applied. The Partial state
+	// indicates the update is not fully applied, while the Completed state
+	// indicates the update was successfully rolled out at least once (all
+	// parts of the update successfully applied).
+	// +required
+	State UpdateState `json:"state"`
+
+	// startedTime is the time at which the update was started.
+	// +required
+	StartedTime metav1.Time `json:"startedTime"`
+
+	// completionTime, if set, is when the update was fully applied. The update
+	// that is currently being applied will have a null completion time.
+	// Completion time will always be set for entries that are not the current
+	// update (usually to the started time of the next update).
+	// +required
+	// +nullable
+	CompletionTime *metav1.Time `json:"completionTime"`
+
+	// version is a semantic version identifying the update version. If the
+	// requested image does not define a version, or if a failure occurs
+	// retrieving the image, this value may be empty.
+	//
+	// +optional
+	Version string `json:"version"`
+
+	// image is a container image location that contains the update. This value
+	// is always populated.
+	// +required
+	Image string `json:"image"`
+
+	// verified indicates whether the provided update was properly verified
+	// before it was installed. If this is false the cluster may not be trusted.
+	// Verified does not cover upgradeable checks that depend on the cluster
+	// state at the time when the update target was accepted.
+	// +required
+	Verified bool `json:"verified"`
+
+	// acceptedRisks records risks which were accepted to initiate the update.
+	// For example, it may menition an Upgradeable=False or missing signature
+	// that was overriden via desiredUpdate.force, or an update that was
+	// initiated despite not being in the availableUpdates set of recommended
+	// update targets.
+	// +optional
+	AcceptedRisks string `json:"acceptedRisks,omitempty"`
+}
+
+// ClusterID is string RFC4122 uuid.
+type ClusterID string
+
+// ClusterVersionArchitecture enumerates valid cluster architectures.
+// +kubebuilder:validation:Enum="Multi";""
+type ClusterVersionArchitecture string
+
+const (
+	// ClusterVersionArchitectureMulti identifies a multi architecture. A multi
+	// architecture cluster is capable of running nodes with multiple architectures.
+	ClusterVersionArchitectureMulti ClusterVersionArchitecture = "Multi"
+)
+
+// ClusterVersionCapability enumerates optional, core cluster components.
+// +kubebuilder:validation:Enum=openshift-samples;baremetal;marketplace;Console;Insights;Storage;CSISnapshot;NodeTuning;MachineAPI;Build;DeploymentConfig;ImageRegistry;OperatorLifecycleManager;CloudCredential;Ingress;CloudControllerManager;OperatorLifecycleManagerV1
+type ClusterVersionCapability string
+
+const (
+	// ClusterVersionCapabilityOpenShiftSamples manages the sample
+	// image streams and templates stored in the openshift
+	// namespace, and any registry credentials, stored as a secret,
+	// needed for the image streams to import the images they
+	// reference.
+	ClusterVersionCapabilityOpenShiftSamples ClusterVersionCapability = "openshift-samples"
+
+	// ClusterVersionCapabilityBaremetal manages the cluster
+	// baremetal operator which is responsible for running the metal3
+	// deployment.
+	ClusterVersionCapabilityBaremetal ClusterVersionCapability = "baremetal"
+
+	// ClusterVersionCapabilityMarketplace manages the Marketplace operator which
+	// supplies Operator Lifecycle Manager (OLM) users with default catalogs of
+	// "optional" operators.
+	//
+	// Note that Marketplace has a hard requirement on OLM. OLM can not be disabled
+	// while Marketplace is enabled.
+	ClusterVersionCapabilityMarketplace ClusterVersionCapability = "marketplace"
+
+	// ClusterVersionCapabilityConsole manages the Console operator which
+	// installs and maintains the web console.
+	ClusterVersionCapabilityConsole ClusterVersionCapability = "Console"
+
+	// ClusterVersionCapabilityInsights manages the Insights operator which
+	// collects anonymized information about the cluster to generate
+	// recommendations for possible cluster issues.
+	ClusterVersionCapabilityInsights ClusterVersionCapability = "Insights"
+
+	// ClusterVersionCapabilityStorage manages the storage operator which
+	// is responsible for providing cluster-wide storage defaults
+	// WARNING: Do not disable this capability when deployed to
+	// RHEV and OpenStack without reading the docs.
+	// These clusters heavily rely on that capability and may cause
+	// damage to the cluster.
+	ClusterVersionCapabilityStorage ClusterVersionCapability = "Storage"
+
+	// ClusterVersionCapabilityCSISnapshot manages the csi snapshot
+	// controller operator which is responsible for watching the
+	// VolumeSnapshot CRD objects and manages the creation and deletion
+	// lifecycle of volume snapshots
+	ClusterVersionCapabilityCSISnapshot ClusterVersionCapability = "CSISnapshot"
+
+	// ClusterVersionCapabilityNodeTuning manages the Node Tuning Operator
+	// which is responsible for watching the Tuned and Profile CRD
+	// objects and manages the containerized TuneD daemon which controls
+	// system level tuning of Nodes
+	ClusterVersionCapabilityNodeTuning ClusterVersionCapability = "NodeTuning"
+
+	// ClusterVersionCapabilityMachineAPI manages
+	// machine-api-operator
+	// cluster-autoscaler-operator
+	// cluster-control-plane-machine-set-operator
+	// which is responsible for machines configuration and heavily
+	// targeted for SNO clusters.
+	//
+	// The following CRDs are disabled as well
+	// machines
+	// machineset
+	// controlplanemachineset
+	//
+	// WARNING: Do not disable that capability without reading
+	// documentation. This is important part of openshift system
+	// and may cause cluster damage
+	ClusterVersionCapabilityMachineAPI ClusterVersionCapability = "MachineAPI"
+
+	// ClusterVersionCapabilityBuild manages the Build API which is responsible
+	// for watching the Build API objects and managing their lifecycle.
+	// The functionality is located under openshift-apiserver and openshift-controller-manager.
+	//
+	// The following resources are taken into account:
+	// - builds
+	// - buildconfigs
+	ClusterVersionCapabilityBuild ClusterVersionCapability = "Build"
+
+	// ClusterVersionCapabilityDeploymentConfig manages the DeploymentConfig API
+	// which is responsible for watching the DeploymentConfig API and managing their lifecycle.
+	// The functionality is located under openshift-apiserver and openshift-controller-manager.
+	//
+	// The following resources are taken into account:
+	// - deploymentconfigs
+	ClusterVersionCapabilityDeploymentConfig ClusterVersionCapability = "DeploymentConfig"
+
+	// ClusterVersionCapabilityImageRegistry manages the image registry which
+	// allows to distribute Docker images
+	ClusterVersionCapabilityImageRegistry ClusterVersionCapability = "ImageRegistry"
+
+	// ClusterVersionCapabilityOperatorLifecycleManager manages the Operator Lifecycle Manager (legacy)
+	// which itself manages the lifecycle of operators
+	ClusterVersionCapabilityOperatorLifecycleManager ClusterVersionCapability = "OperatorLifecycleManager"
+
+	// ClusterVersionCapabilityOperatorLifecycleManagerV1 manages the Operator Lifecycle Manager (v1)
+	// which itself manages the lifecycle of operators
+	ClusterVersionCapabilityOperatorLifecycleManagerV1 ClusterVersionCapability = "OperatorLifecycleManagerV1"
+
+	// ClusterVersionCapabilityCloudCredential manages credentials for cloud providers
+	// in openshift cluster
+	ClusterVersionCapabilityCloudCredential ClusterVersionCapability = "CloudCredential"
+
+	// ClusterVersionCapabilityIngress manages the cluster ingress operator
+	// which is responsible for running the ingress controllers (including OpenShift router).
+	//
+	// The following CRDs are part of the capability as well:
+	// IngressController
+	// DNSRecord
+	// GatewayClass
+	// Gateway
+	// HTTPRoute
+	// ReferenceGrant
+	//
+	// WARNING: This capability cannot be disabled on the standalone OpenShift.
+	ClusterVersionCapabilityIngress ClusterVersionCapability = "Ingress"
+
+	// ClusterVersionCapabilityCloudControllerManager manages various Cloud Controller
+	// Managers deployed on top of OpenShift. They help you to work with cloud
+	// provider API and embeds cloud-specific control logic.
+	ClusterVersionCapabilityCloudControllerManager ClusterVersionCapability = "CloudControllerManager"
+)
+
+// KnownClusterVersionCapabilities includes all known optional, core cluster components.
+var KnownClusterVersionCapabilities = []ClusterVersionCapability{
+	ClusterVersionCapabilityBaremetal,
+	ClusterVersionCapabilityConsole,
+	ClusterVersionCapabilityInsights,
+	ClusterVersionCapabilityMarketplace,
+	ClusterVersionCapabilityStorage,
+	ClusterVersionCapabilityOpenShiftSamples,
+	ClusterVersionCapabilityCSISnapshot,
+	ClusterVersionCapabilityNodeTuning,
+	ClusterVersionCapabilityMachineAPI,
+	ClusterVersionCapabilityBuild,
+	ClusterVersionCapabilityDeploymentConfig,
+	ClusterVersionCapabilityImageRegistry,
+	ClusterVersionCapabilityOperatorLifecycleManager,
+	ClusterVersionCapabilityOperatorLifecycleManagerV1,
+	ClusterVersionCapabilityCloudCredential,
+	ClusterVersionCapabilityIngress,
+	ClusterVersionCapabilityCloudControllerManager,
+}
+
+// ClusterVersionCapabilitySet defines sets of cluster version capabilities.
+// +kubebuilder:validation:Enum=None;v4.11;v4.12;v4.13;v4.14;v4.15;v4.16;v4.17;v4.18;vCurrent
+type ClusterVersionCapabilitySet string
+
+const (
+	// ClusterVersionCapabilitySetNone is an empty set enabling
+	// no optional capabilities.
+	ClusterVersionCapabilitySetNone ClusterVersionCapabilitySet = "None"
+
+	// ClusterVersionCapabilitySet4_11 is the recommended set of
+	// optional capabilities to enable for the 4.11 version of
+	// OpenShift.  This list will remain the same no matter which
+	// version of OpenShift is installed.
+	ClusterVersionCapabilitySet4_11 ClusterVersionCapabilitySet = "v4.11"
+
+	// ClusterVersionCapabilitySet4_12 is the recommended set of
+	// optional capabilities to enable for the 4.12 version of
+	// OpenShift.  This list will remain the same no matter which
+	// version of OpenShift is installed.
+	ClusterVersionCapabilitySet4_12 ClusterVersionCapabilitySet = "v4.12"
+
+	// ClusterVersionCapabilitySet4_13 is the recommended set of
+	// optional capabilities to enable for the 4.13 version of
+	// OpenShift.  This list will remain the same no matter which
+	// version of OpenShift is installed.
+	ClusterVersionCapabilitySet4_13 ClusterVersionCapabilitySet = "v4.13"
+
+	// ClusterVersionCapabilitySet4_14 is the recommended set of
+	// optional capabilities to enable for the 4.14 version of
+	// OpenShift.  This list will remain the same no matter which
+	// version of OpenShift is installed.
+	ClusterVersionCapabilitySet4_14 ClusterVersionCapabilitySet = "v4.14"
+
+	// ClusterVersionCapabilitySet4_15 is the recommended set of
+	// optional capabilities to enable for the 4.15 version of
+	// OpenShift.  This list will remain the same no matter which
+	// version of OpenShift is installed.
+	ClusterVersionCapabilitySet4_15 ClusterVersionCapabilitySet = "v4.15"
+
+	// ClusterVersionCapabilitySet4_16 is the recommended set of
+	// optional capabilities to enable for the 4.16 version of
+	// OpenShift.  This list will remain the same no matter which
+	// version of OpenShift is installed.
+	ClusterVersionCapabilitySet4_16 ClusterVersionCapabilitySet = "v4.16"
+
+	// ClusterVersionCapabilitySet4_17 is the recommended set of
+	// optional capabilities to enable for the 4.17 version of
+	// OpenShift.  This list will remain the same no matter which
+	// version of OpenShift is installed.
+	ClusterVersionCapabilitySet4_17 ClusterVersionCapabilitySet = "v4.17"
+
+	// ClusterVersionCapabilitySet4_18 is the recommended set of
+	// optional capabilities to enable for the 4.18 version of
+	// OpenShift.  This list will remain the same no matter which
+	// version of OpenShift is installed.
+	ClusterVersionCapabilitySet4_18 ClusterVersionCapabilitySet = "v4.18"
+
+	// ClusterVersionCapabilitySetCurrent is the recommended set
+	// of optional capabilities to enable for the cluster's
+	// current version of OpenShift.
+	ClusterVersionCapabilitySetCurrent ClusterVersionCapabilitySet = "vCurrent"
+)
+
+// ClusterVersionCapabilitySets defines sets of cluster version capabilities.
+var ClusterVersionCapabilitySets = map[ClusterVersionCapabilitySet][]ClusterVersionCapability{
+	ClusterVersionCapabilitySetNone: {},
+	ClusterVersionCapabilitySet4_11: {
+		ClusterVersionCapabilityBaremetal,
+		ClusterVersionCapabilityMarketplace,
+		ClusterVersionCapabilityOpenShiftSamples,
+		ClusterVersionCapabilityMachineAPI,
+	},
+	ClusterVersionCapabilitySet4_12: {
+		ClusterVersionCapabilityBaremetal,
+		ClusterVersionCapabilityConsole,
+		ClusterVersionCapabilityInsights,
+		ClusterVersionCapabilityMarketplace,
+		ClusterVersionCapabilityStorage,
+		ClusterVersionCapabilityOpenShiftSamples,
+		ClusterVersionCapabilityCSISnapshot,
+		ClusterVersionCapabilityMachineAPI,
+	},
+	ClusterVersionCapabilitySet4_13: {
+		ClusterVersionCapabilityBaremetal,
+		ClusterVersionCapabilityConsole,
+		ClusterVersionCapabilityInsights,
+		ClusterVersionCapabilityMarketplace,
+		ClusterVersionCapabilityStorage,
+		ClusterVersionCapabilityOpenShiftSamples,
+		ClusterVersionCapabilityCSISnapshot,
+		ClusterVersionCapabilityNodeTuning,
+		ClusterVersionCapabilityMachineAPI,
+	},
+	ClusterVersionCapabilitySet4_14: {
+		ClusterVersionCapabilityBaremetal,
+		ClusterVersionCapabilityConsole,
+		ClusterVersionCapabilityInsights,
+		ClusterVersionCapabilityMarketplace,
+		ClusterVersionCapabilityStorage,
+		ClusterVersionCapabilityOpenShiftSamples,
+		ClusterVersionCapabilityCSISnapshot,
+		ClusterVersionCapabilityNodeTuning,
+		ClusterVersionCapabilityMachineAPI,
+		ClusterVersionCapabilityBuild,
+		ClusterVersionCapabilityDeploymentConfig,
+		ClusterVersionCapabilityImageRegistry,
+	},
+	ClusterVersionCapabilitySet4_15: {
+		ClusterVersionCapabilityBaremetal,
+		ClusterVersionCapabilityConsole,
+		ClusterVersionCapabilityInsights,
+		ClusterVersionCapabilityMarketplace,
+		ClusterVersionCapabilityStorage,
+		ClusterVersionCapabilityOpenShiftSamples,
+		ClusterVersionCapabilityCSISnapshot,
+		ClusterVersionCapabilityNodeTuning,
+		ClusterVersionCapabilityMachineAPI,
+		ClusterVersionCapabilityBuild,
+		ClusterVersionCapabilityDeploymentConfig,
+		ClusterVersionCapabilityImageRegistry,
+		ClusterVersionCapabilityOperatorLifecycleManager,
+		ClusterVersionCapabilityCloudCredential,
+	},
+	ClusterVersionCapabilitySet4_16: {
+		ClusterVersionCapabilityBaremetal,
+		ClusterVersionCapabilityConsole,
+		ClusterVersionCapabilityInsights,
+		ClusterVersionCapabilityMarketplace,
+		ClusterVersionCapabilityStorage,
+		ClusterVersionCapabilityOpenShiftSamples,
+		ClusterVersionCapabilityCSISnapshot,
+		ClusterVersionCapabilityNodeTuning,
+		ClusterVersionCapabilityMachineAPI,
+		ClusterVersionCapabilityBuild,
+		ClusterVersionCapabilityDeploymentConfig,
+		ClusterVersionCapabilityImageRegistry,
+		ClusterVersionCapabilityOperatorLifecycleManager,
+		ClusterVersionCapabilityCloudCredential,
+		ClusterVersionCapabilityIngress,
+		ClusterVersionCapabilityCloudControllerManager,
+	},
+	ClusterVersionCapabilitySet4_17: {
+		ClusterVersionCapabilityBaremetal,
+		ClusterVersionCapabilityConsole,
+		ClusterVersionCapabilityInsights,
+		ClusterVersionCapabilityMarketplace,
+		ClusterVersionCapabilityStorage,
+		ClusterVersionCapabilityOpenShiftSamples,
+		ClusterVersionCapabilityCSISnapshot,
+		ClusterVersionCapabilityNodeTuning,
+		ClusterVersionCapabilityMachineAPI,
+		ClusterVersionCapabilityBuild,
+		ClusterVersionCapabilityDeploymentConfig,
+		ClusterVersionCapabilityImageRegistry,
+		ClusterVersionCapabilityOperatorLifecycleManager,
+		ClusterVersionCapabilityCloudCredential,
+		ClusterVersionCapabilityIngress,
+		ClusterVersionCapabilityCloudControllerManager,
+	},
+	ClusterVersionCapabilitySet4_18: {
+		ClusterVersionCapabilityBaremetal,
+		ClusterVersionCapabilityConsole,
+		ClusterVersionCapabilityInsights,
+		ClusterVersionCapabilityMarketplace,
+		ClusterVersionCapabilityStorage,
+		ClusterVersionCapabilityOpenShiftSamples,
+		ClusterVersionCapabilityCSISnapshot,
+		ClusterVersionCapabilityNodeTuning,
+		ClusterVersionCapabilityMachineAPI,
+		ClusterVersionCapabilityBuild,
+		ClusterVersionCapabilityDeploymentConfig,
+		ClusterVersionCapabilityImageRegistry,
+		ClusterVersionCapabilityOperatorLifecycleManager,
+		ClusterVersionCapabilityOperatorLifecycleManagerV1,
+		ClusterVersionCapabilityCloudCredential,
+		ClusterVersionCapabilityIngress,
+		ClusterVersionCapabilityCloudControllerManager,
+	},
+	ClusterVersionCapabilitySetCurrent: {
+		ClusterVersionCapabilityBaremetal,
+		ClusterVersionCapabilityConsole,
+		ClusterVersionCapabilityInsights,
+		ClusterVersionCapabilityMarketplace,
+		ClusterVersionCapabilityStorage,
+		ClusterVersionCapabilityOpenShiftSamples,
+		ClusterVersionCapabilityCSISnapshot,
+		ClusterVersionCapabilityNodeTuning,
+		ClusterVersionCapabilityMachineAPI,
+		ClusterVersionCapabilityBuild,
+		ClusterVersionCapabilityDeploymentConfig,
+		ClusterVersionCapabilityImageRegistry,
+		ClusterVersionCapabilityOperatorLifecycleManager,
+		ClusterVersionCapabilityOperatorLifecycleManagerV1,
+		ClusterVersionCapabilityCloudCredential,
+		ClusterVersionCapabilityIngress,
+		ClusterVersionCapabilityCloudControllerManager,
+	},
+}
+
+// ClusterVersionCapabilitiesSpec selects the managed set of
+// optional, core cluster components.
+// +k8s:deepcopy-gen=true
+type ClusterVersionCapabilitiesSpec struct {
+	// baselineCapabilitySet selects an initial set of
+	// optional capabilities to enable, which can be extended via
+	// additionalEnabledCapabilities.  If unset, the cluster will
+	// choose a default, and the default may change over time.
+	// The current default is vCurrent.
+	// +optional
+	BaselineCapabilitySet ClusterVersionCapabilitySet `json:"baselineCapabilitySet,omitempty"`
+
+	// additionalEnabledCapabilities extends the set of managed
+	// capabilities beyond the baseline defined in
+	// baselineCapabilitySet.  The default is an empty set.
+	// +listType=atomic
+	// +optional
+	AdditionalEnabledCapabilities []ClusterVersionCapability `json:"additionalEnabledCapabilities,omitempty"`
+}
+
+// ClusterVersionCapabilitiesStatus describes the state of optional,
+// core cluster components.
+// +k8s:deepcopy-gen=true
+type ClusterVersionCapabilitiesStatus struct {
+	// enabledCapabilities lists all the capabilities that are currently managed.
+	// +listType=atomic
+	// +optional
+	EnabledCapabilities []ClusterVersionCapability `json:"enabledCapabilities,omitempty"`
+
+	// knownCapabilities lists all the capabilities known to the current cluster.
+	// +listType=atomic
+	// +optional
+	KnownCapabilities []ClusterVersionCapability `json:"knownCapabilities,omitempty"`
+}
+
+// ComponentOverride allows overriding cluster version operator's behavior
+// for a component.
+// +k8s:deepcopy-gen=true
+type ComponentOverride struct {
+	// kind indentifies which object to override.
+	// +required
+	Kind string `json:"kind"`
+	// group identifies the API group that the kind is in.
+	// +required
+	Group string `json:"group"`
+
+	// namespace is the component's namespace. If the resource is cluster
+	// scoped, the namespace should be empty.
+	// +required
+	Namespace string `json:"namespace"`
+	// name is the component's name.
+	// +required
+	Name string `json:"name"`
+
+	// unmanaged controls if cluster version operator should stop managing the
+	// resources in this cluster.
+	// Default: false
+	// +required
+	Unmanaged bool `json:"unmanaged"`
+}
+
+// URL is a thin wrapper around string that ensures the string is a valid URL.
+type URL string
+
+// Update represents an administrator update request.
+// +kubebuilder:validation:XValidation:rule="has(self.architecture) && has(self.image) ? (self.architecture == \"\" || self.image == \"\") : true",message="cannot set both Architecture and Image"
+// +kubebuilder:validation:XValidation:rule="has(self.architecture) && self.architecture != \"\" ? self.version != \"\" : true",message="Version must be set if Architecture is set"
+// +k8s:deepcopy-gen=true
+type Update struct {
+	// architecture is an optional field that indicates the desired
+	// value of the cluster architecture. In this context cluster
+	// architecture means either a single architecture or a multi
+	// architecture. architecture can only be set to Multi thereby
+	// only allowing updates from single to multi architecture. If
+	// architecture is set, image cannot be set and version must be
+	// set.
+	// Valid values are 'Multi' and empty.
+	//
+	// +optional
+	Architecture ClusterVersionArchitecture `json:"architecture"`
+
+	// version is a semantic version identifying the update version.
+	// version is required if architecture is specified.
+	// If both version and image are set, the version extracted from the referenced image must match the specified version.
+	//
+	// +optional
+	Version string `json:"version"`
+
+	// image is a container image location that contains the update.
+	// image should be used when the desired version does not exist in availableUpdates or history.
+	// When image is set, architecture cannot be specified.
+	// If both version and image are set, the version extracted from the referenced image must match the specified version.
+	//
+	// +optional
+	Image string `json:"image"`
+
+	// force allows an administrator to update to an image that has failed
+	// verification or upgradeable checks. This option should only
+	// be used when the authenticity of the provided image has been verified out
+	// of band because the provided image will run with full administrative access
+	// to the cluster. Do not use this flag with images that comes from unknown
+	// or potentially malicious sources.
+	//
+	// +optional
+	Force bool `json:"force"`
+}
+
+// Release represents an OpenShift release image and associated metadata.
+// +k8s:deepcopy-gen=true
+type Release struct {
+	// architecture is an optional field that indicates the
+	// value of the cluster architecture. In this context cluster
+	// architecture means either a single architecture or a multi
+	// architecture.
+	// Valid values are 'Multi' and empty.
+	//
+	// +openshift:enable:FeatureGate=ImageStreamImportMode
+	// +optional
+	Architecture ClusterVersionArchitecture `json:"architecture,omitempty"`
+
+	// version is a semantic version identifying the update version. When this
+	// field is part of spec, version is optional if image is specified.
+	// +required
+	Version string `json:"version"`
+
+	// image is a container image location that contains the update. When this
+	// field is part of spec, image is optional if version is specified and the
+	// availableUpdates field contains a matching version.
+	// +required
+	Image string `json:"image"`
+
+	// url contains information about this release. This URL is set by
+	// the 'url' metadata property on a release or the metadata returned by
+	// the update API and should be displayed as a link in user
+	// interfaces. The URL field may not be set for test or nightly
+	// releases.
+	// +optional
+	URL URL `json:"url,omitempty"`
+
+	// channels is the set of Cincinnati channels to which the release
+	// currently belongs.
+	// +listType=set
+	// +optional
+	Channels []string `json:"channels,omitempty"`
+}
+
+// RetrievedUpdates reports whether available updates have been retrieved from
+// the upstream update server. The condition is Unknown before retrieval, False
+// if the updates could not be retrieved or recently failed, or True if the
+// availableUpdates field is accurate and recent.
+const RetrievedUpdates ClusterStatusConditionType = "RetrievedUpdates"
+
+// ConditionalUpdate represents an update which is recommended to some
+// clusters on the version the current cluster is reconciling, but which
+// may not be recommended for the current cluster.
+type ConditionalUpdate struct {
+	// release is the target of the update.
+	// +required
+	Release Release `json:"release"`
+
+	// risks represents the range of issues associated with
+	// updating to the target release. The cluster-version
+	// operator will evaluate all entries, and only recommend the
+	// update if there is at least one entry and all entries
+	// recommend the update.
+	// +kubebuilder:validation:MinItems=1
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	// +required
+	Risks []ConditionalUpdateRisk `json:"risks" patchStrategy:"merge" patchMergeKey:"name"`
+
+	// conditions represents the observations of the conditional update's
+	// current status. Known types are:
+	// * Recommended, for whether the update is recommended for the current cluster.
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// ConditionalUpdateRisk represents a reason and cluster-state
+// for not recommending a conditional update.
+// +k8s:deepcopy-gen=true
+type ConditionalUpdateRisk struct {
+	// url contains information about this risk.
+	// +kubebuilder:validation:Format=uri
+	// +kubebuilder:validation:MinLength=1
+	// +required
+	URL string `json:"url"`
+
+	// name is the CamelCase reason for not recommending a
+	// conditional update, in the event that matchingRules match the
+	// cluster state.
+	// +kubebuilder:validation:MinLength=1
+	// +required
+	Name string `json:"name"`
+
+	// message provides additional information about the risk of
+	// updating, in the event that matchingRules match the cluster
+	// state. This is only to be consumed by humans. It may
+	// contain Line Feed characters (U+000A), which should be
+	// rendered as new lines.
+	// +kubebuilder:validation:MinLength=1
+	// +required
+	Message string `json:"message"`
+
+	// matchingRules is a slice of conditions for deciding which
+	// clusters match the risk and which do not. The slice is
+	// ordered by decreasing precedence. The cluster-version
+	// operator will walk the slice in order, and stop after the
+	// first it can successfully evaluate. If no condition can be
+	// successfully evaluated, the update will not be recommended.
+	// +kubebuilder:validation:MinItems=1
+	// +listType=atomic
+	// +required
+	MatchingRules []ClusterCondition `json:"matchingRules"`
+}
+
+// ClusterCondition is a union of typed cluster conditions.  The 'type'
+// property determines which of the type-specific properties are relevant.
+// When evaluated on a cluster, the condition may match, not match, or
+// fail to evaluate.
+// +k8s:deepcopy-gen=true
+type ClusterCondition struct {
+	// type represents the cluster-condition type. This defines
+	// the members and semantics of any additional properties.
+	// +kubebuilder:validation:Enum={"Always","PromQL"}
+	// +required
+	Type string `json:"type"`
+
+	// promql represents a cluster condition based on PromQL.
+	// +optional
+	PromQL *PromQLClusterCondition `json:"promql,omitempty"`
+}
+
+// PromQLClusterCondition represents a cluster condition based on PromQL.
+type PromQLClusterCondition struct {
+	// promql is a PromQL query classifying clusters. This query
+	// query should return a 1 in the match case and a 0 in the
+	// does-not-match case. Queries which return no time
+	// series, or which return values besides 0 or 1, are
+	// evaluation failures.
+	// +required
+	PromQL string `json:"promql"`
+}
+
+// ClusterVersionList is a list of ClusterVersion resources.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +openshift:compatibility-gen:level=1
+type ClusterVersionList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []ClusterVersion `json:"items"`
+}
+
+// SignatureStore represents the URL of custom Signature Store
+type SignatureStore struct {
+
+	// url contains the upstream custom signature store URL.
+	// url should be a valid absolute http/https URI of an upstream signature store as per rfc1738.
+	// This must be provided and cannot be empty.
+	//
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:XValidation:rule="isURL(self)",message="url must be a valid absolute URL"
+	// +required
+	URL string `json:"url"`
+
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the signature store is not honored.
+	// If the specified ca data is not valid, the signature store is not honored.
+	// If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	CA ConfigMapNameReference `json:"ca"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_console.go b/vendor/github.com/openshift/api/config/v1/types_console.go
new file mode 100644
index 00000000..dc6967bf
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_console.go
@@ -0,0 +1,81 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Console holds cluster-wide configuration for the web console, including the
+// logout URL, and reports the public URL of the console. The canonical name is
+// `cluster`.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=consoles,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type Console struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec ConsoleSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status ConsoleStatus `json:"status"`
+}
+
+// ConsoleSpec is the specification of the desired behavior of the Console.
+type ConsoleSpec struct {
+	// +optional
+	Authentication ConsoleAuthentication `json:"authentication"`
+}
+
+// ConsoleStatus defines the observed status of the Console.
+type ConsoleStatus struct {
+	// The URL for the console. This will be derived from the host for the route that
+	// is created for the console.
+	// +optional
+	ConsoleURL string `json:"consoleURL"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type ConsoleList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Console `json:"items"`
+}
+
+// ConsoleAuthentication defines a list of optional configuration for console authentication.
+type ConsoleAuthentication struct {
+	// An optional, absolute URL to redirect web browsers to after logging out of
+	// the console. If not specified, it will redirect to the default login page.
+	// This is required when using an identity provider that supports single
+	// sign-on (SSO) such as:
+	// - OpenID (Keycloak, Azure)
+	// - RequestHeader (GSSAPI, SSPI, SAML)
+	// - OAuth (GitHub, GitLab, Google)
+	// Logging out of the console will destroy the user's token. The logoutRedirect
+	// provides the user the option to perform single logout (SLO) through the identity
+	// provider to destroy their single sign-on session.
+	// +optional
+	// +kubebuilder:validation:Pattern=`^$|^((https):\/\/?)[^\s()<>]+(?:\([\w\d]+\)|([^[:punct:]\s]|\/?))$`
+	LogoutRedirect string `json:"logoutRedirect,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_dns.go b/vendor/github.com/openshift/api/config/v1/types_dns.go
new file mode 100644
index 00000000..06eb75cc
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_dns.go
@@ -0,0 +1,140 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DNS holds cluster-wide information about DNS. The canonical name is `cluster`
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=dnses,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type DNS struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec DNSSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status DNSStatus `json:"status"`
+}
+
+type DNSSpec struct {
+	// baseDomain is the base domain of the cluster. All managed DNS records will
+	// be sub-domains of this base.
+	//
+	// For example, given the base domain `openshift.example.com`, an API server
+	// DNS record may be created for `cluster-api.openshift.example.com`.
+	//
+	// Once set, this field cannot be changed.
+	BaseDomain string `json:"baseDomain"`
+	// publicZone is the location where all the DNS records that are publicly accessible to
+	// the internet exist.
+	//
+	// If this field is nil, no public records should be created.
+	//
+	// Once set, this field cannot be changed.
+	//
+	// +optional
+	PublicZone *DNSZone `json:"publicZone,omitempty"`
+	// privateZone is the location where all the DNS records that are only available internally
+	// to the cluster exist.
+	//
+	// If this field is nil, no private records should be created.
+	//
+	// Once set, this field cannot be changed.
+	//
+	// +optional
+	PrivateZone *DNSZone `json:"privateZone,omitempty"`
+	// platform holds configuration specific to the underlying
+	// infrastructure provider for DNS.
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// +optional
+	Platform DNSPlatformSpec `json:"platform,omitempty"`
+}
+
+// DNSZone is used to define a DNS hosted zone.
+// A zone can be identified by an ID or tags.
+type DNSZone struct {
+	// id is the identifier that can be used to find the DNS hosted zone.
+	//
+	// on AWS zone can be fetched using `ID` as id in [1]
+	// on Azure zone can be fetched using `ID` as a pre-determined name in [2],
+	// on GCP zone can be fetched using `ID` as a pre-determined name in [3].
+	//
+	// [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options
+	// [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show
+	// [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get
+	// +optional
+	ID string `json:"id,omitempty"`
+
+	// tags can be used to query the DNS hosted zone.
+	//
+	// on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters,
+	//
+	// [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options
+	// +optional
+	Tags map[string]string `json:"tags,omitempty"`
+}
+
+type DNSStatus struct {
+	// dnsSuffix (service-ca amongst others)
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type DNSList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []DNS `json:"items"`
+}
+
+// DNSPlatformSpec holds cloud-provider-specific configuration
+// for DNS administration.
+// +union
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ?  has(self.aws) : !has(self.aws)",message="aws configuration is required when platform is AWS, and forbidden otherwise"
+type DNSPlatformSpec struct {
+	// type is the underlying infrastructure provider for the cluster.
+	// Allowed values: "", "AWS".
+	//
+	// Individual components may not support all platforms,
+	// and must handle unrecognized platforms with best-effort defaults.
+	//
+	// +unionDiscriminator
+	// +required
+	// +kubebuilder:validation:XValidation:rule="self in ['','AWS']",message="allowed values are '' and 'AWS'"
+	Type PlatformType `json:"type"`
+
+	// aws contains DNS configuration specific to the Amazon Web Services cloud provider.
+	// +optional
+	AWS *AWSDNSSpec `json:"aws"`
+}
+
+// AWSDNSSpec contains DNS configuration specific to the Amazon Web Services cloud provider.
+type AWSDNSSpec struct {
+	// privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
+	// operations on the cluster's private hosted zone specified in the cluster DNS config.
+	// When left empty, no role should be assumed.
+	// +kubebuilder:validation:Pattern:=`^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$`
+	// +optional
+	PrivateZoneIAMRole string `json:"privateZoneIAMRole"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_feature.go b/vendor/github.com/openshift/api/config/v1/types_feature.go
new file mode 100644
index 00000000..169e29c5
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_feature.go
@@ -0,0 +1,153 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Feature holds cluster-wide information about feature gates.  The canonical name is `cluster`
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=featuregates,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type FeatureGate struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	// +kubebuilder:validation:XValidation:rule="has(oldSelf.featureSet) ? has(self.featureSet) : true",message=".spec.featureSet cannot be removed"
+	Spec FeatureGateSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status FeatureGateStatus `json:"status"`
+}
+
+type FeatureSet string
+
+var (
+	// Default feature set that allows upgrades.
+	Default FeatureSet = ""
+
+	// TechPreviewNoUpgrade turns on tech preview features that are not part of the normal supported platform. Turning
+	// this feature set on CANNOT BE UNDONE and PREVENTS UPGRADES.
+	TechPreviewNoUpgrade FeatureSet = "TechPreviewNoUpgrade"
+
+	// DevPreviewNoUpgrade turns on dev preview features that are not part of the normal supported platform. Turning
+	// this feature set on CANNOT BE UNDONE and PREVENTS UPGRADES.
+	DevPreviewNoUpgrade FeatureSet = "DevPreviewNoUpgrade"
+
+	// CustomNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES.
+	// Because of its nature, this setting cannot be validated.  If you have any typos or accidentally apply invalid combinations
+	// your cluster may fail in an unrecoverable way.
+	CustomNoUpgrade FeatureSet = "CustomNoUpgrade"
+
+	// AllFixedFeatureSets are the featuresets that have known featuregates.  Custom doesn't for instance.  LatencySensitive is dead
+	AllFixedFeatureSets = []FeatureSet{Default, TechPreviewNoUpgrade, DevPreviewNoUpgrade}
+)
+
+type FeatureGateSpec struct {
+	FeatureGateSelection `json:",inline"`
+}
+
+// +union
+type FeatureGateSelection struct {
+	// featureSet changes the list of features in the cluster.  The default is empty.  Be very careful adjusting this setting.
+	// Turning on or off features may cause irreversible changes in your cluster which cannot be undone.
+	// +unionDiscriminator
+	// +optional
+	// +kubebuilder:validation:Enum=CustomNoUpgrade;DevPreviewNoUpgrade;TechPreviewNoUpgrade;""
+	// +kubebuilder:validation:XValidation:rule="oldSelf == 'CustomNoUpgrade' ? self == 'CustomNoUpgrade' : true",message="CustomNoUpgrade may not be changed"
+	// +kubebuilder:validation:XValidation:rule="oldSelf == 'TechPreviewNoUpgrade' ? self == 'TechPreviewNoUpgrade' : true",message="TechPreviewNoUpgrade may not be changed"
+	// +kubebuilder:validation:XValidation:rule="oldSelf == 'DevPreviewNoUpgrade' ? self == 'DevPreviewNoUpgrade' : true",message="DevPreviewNoUpgrade may not be changed"
+	FeatureSet FeatureSet `json:"featureSet,omitempty"`
+
+	// customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES.
+	// Because of its nature, this setting cannot be validated.  If you have any typos or accidentally apply invalid combinations
+	// your cluster may fail in an unrecoverable way.  featureSet must equal "CustomNoUpgrade" must be set to use this field.
+	// +optional
+	// +nullable
+	CustomNoUpgrade *CustomFeatureGates `json:"customNoUpgrade,omitempty"`
+}
+
+type CustomFeatureGates struct {
+	// enabled is a list of all feature gates that you want to force on
+	// +optional
+	Enabled []FeatureGateName `json:"enabled,omitempty"`
+	// disabled is a list of all feature gates that you want to force off
+	// +optional
+	Disabled []FeatureGateName `json:"disabled,omitempty"`
+}
+
+// FeatureGateName is a string to enforce patterns on the name of a FeatureGate
+// +kubebuilder:validation:Pattern=`^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$`
+type FeatureGateName string
+
+type FeatureGateStatus struct {
+	// conditions represent the observations of the current state.
+	// Known .status.conditions.type are: "DeterminationDegraded"
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// featureGates contains a list of enabled and disabled featureGates that are keyed by payloadVersion.
+	// Operators other than the CVO and cluster-config-operator, must read the .status.featureGates, locate
+	// the version they are managing, find the enabled/disabled featuregates and make the operand and operator match.
+	// The enabled/disabled values for a particular version may change during the life of the cluster as various
+	// .spec.featureSet values are selected.
+	// Operators may choose to restart their processes to pick up these changes, but remembering past enable/disable
+	// lists is beyond the scope of this API and is the responsibility of individual operators.
+	// Only featureGates with .version in the ClusterVersion.status will be present in this list.
+	// +listType=map
+	// +listMapKey=version
+	// +optional
+	FeatureGates []FeatureGateDetails `json:"featureGates"`
+}
+
+type FeatureGateDetails struct {
+	// version matches the version provided by the ClusterVersion and in the ClusterOperator.Status.Versions field.
+	// +required
+	Version string `json:"version"`
+	// enabled is a list of all feature gates that are enabled in the cluster for the named version.
+	// +optional
+	Enabled []FeatureGateAttributes `json:"enabled"`
+	// disabled is a list of all feature gates that are disabled in the cluster for the named version.
+	// +optional
+	Disabled []FeatureGateAttributes `json:"disabled"`
+}
+
+type FeatureGateAttributes struct {
+	// name is the name of the FeatureGate.
+	// +required
+	Name FeatureGateName `json:"name"`
+
+	// possible (probable?) future additions include
+	// 1. support level (Stable, ServiceDeliveryOnly, TechPreview, DevPreview)
+	// 2. description
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type FeatureGateList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []FeatureGate `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_image.go b/vendor/github.com/openshift/api/config/v1/types_image.go
new file mode 100644
index 00000000..82f46c8b
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_image.go
@@ -0,0 +1,191 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Image governs policies related to imagestream imports and runtime configuration
+// for external registries. It allows cluster admins to configure which registries
+// OpenShift is allowed to import images from, extra CA trust bundles for external
+// registries, and policies to block or allow registry hostnames.
+// When exposing OpenShift's image registry to the public, this also lets cluster
+// admins specify the external hostname.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=images,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type Image struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec ImageSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status ImageStatus `json:"status"`
+}
+
+// ImportModeType describes how to import an image manifest.
+// +enum
+// +kubebuilder:validation:Enum:="";Legacy;PreserveOriginal
+type ImportModeType string
+
+const (
+	// ImportModeLegacy indicates that the legacy behaviour should be used.
+	// For manifest lists, the legacy behaviour will discard the manifest list and import a single
+	// sub-manifest. In this case, the platform is chosen in the following order of priority:
+	// 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list.
+	// This mode is the default.
+	ImportModeLegacy ImportModeType = "Legacy"
+	// ImportModePreserveOriginal indicates that the original manifest will be preserved.
+	// For manifest lists, the manifest list and all its sub-manifests will be imported.
+	ImportModePreserveOriginal ImportModeType = "PreserveOriginal"
+)
+
+type ImageSpec struct {
+	// allowedRegistriesForImport limits the container image registries that normal users may import
+	// images from. Set this list to the registries that you trust to contain valid Docker
+	// images and that you want applications to be able to import from. Users with
+	// permission to create Images or ImageStreamMappings via the API are not affected by
+	// this policy - typically only administrators or system integrations will have those
+	// permissions.
+	// +optional
+	// +listType=atomic
+	AllowedRegistriesForImport []RegistryLocation `json:"allowedRegistriesForImport,omitempty"`
+
+	// externalRegistryHostnames provides the hostnames for the default external image
+	// registry. The external hostname should be set only when the image registry
+	// is exposed externally. The first value is used in 'publicDockerImageRepository'
+	// field in ImageStreams. The value must be in "hostname[:port]" format.
+	// +optional
+	// +listType=atomic
+	ExternalRegistryHostnames []string `json:"externalRegistryHostnames,omitempty"`
+
+	// additionalTrustedCA is a reference to a ConfigMap containing additional CAs that
+	// should be trusted during imagestream import, pod image pull, build image pull, and
+	// imageregistry pullthrough.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	AdditionalTrustedCA ConfigMapNameReference `json:"additionalTrustedCA"`
+
+	// registrySources contains configuration that determines how the container runtime
+	// should treat individual registries when accessing images for builds+pods. (e.g.
+	// whether or not to allow insecure access).  It does not contain configuration for the
+	// internal cluster registry.
+	// +optional
+	RegistrySources RegistrySources `json:"registrySources"`
+
+	// imageStreamImportMode controls the import mode behaviour of imagestreams.
+	// It can be set to `Legacy` or `PreserveOriginal` or the empty string. If this value
+	// is specified, this setting is applied to all newly created imagestreams which do not have the
+	// value set. `Legacy` indicates that the legacy behaviour should be used.
+	// For manifest lists, the legacy behaviour will discard the manifest list and import a single
+	// sub-manifest. In this case, the platform is chosen in the following order of priority:
+	// 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list.
+	// `PreserveOriginal` indicates that the original manifest will be preserved. For manifest lists,
+	// the manifest list and all its sub-manifests will be imported. When empty, the behaviour will be
+	// decided based on the payload type advertised by the ClusterVersion status, i.e single arch payload
+	// implies the import mode is Legacy and multi payload implies PreserveOriginal.
+	// +openshift:enable:FeatureGate=ImageStreamImportMode
+	// +optional
+	ImageStreamImportMode ImportModeType `json:"imageStreamImportMode"`
+}
+
+type ImageStatus struct {
+	// internalRegistryHostname sets the hostname for the default internal image
+	// registry. The value must be in "hostname[:port]" format.
+	// This value is set by the image registry operator which controls the internal registry
+	// hostname.
+	// +optional
+	InternalRegistryHostname string `json:"internalRegistryHostname,omitempty"`
+
+	// externalRegistryHostnames provides the hostnames for the default external image
+	// registry. The external hostname should be set only when the image registry
+	// is exposed externally. The first value is used in 'publicDockerImageRepository'
+	// field in ImageStreams. The value must be in "hostname[:port]" format.
+	// +optional
+	// +listType=atomic
+	ExternalRegistryHostnames []string `json:"externalRegistryHostnames,omitempty"`
+
+	// imageStreamImportMode controls the import mode behaviour of imagestreams. It can be
+	// `Legacy` or `PreserveOriginal`. `Legacy` indicates that the legacy behaviour should be used.
+	// For manifest lists, the legacy behaviour will discard the manifest list and import a single
+	// sub-manifest. In this case, the platform is chosen in the following order of priority:
+	// 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list.
+	// `PreserveOriginal` indicates that the original manifest will be preserved. For manifest lists,
+	// the manifest list and all its sub-manifests will be imported. This value will be reconciled based
+	// on either the spec value or if no spec value is specified, the image registry operator would look
+	// at the ClusterVersion status to determine the payload type and set the import mode accordingly,
+	// i.e single arch payload implies the import mode is Legacy and multi payload implies PreserveOriginal.
+	// +openshift:enable:FeatureGate=ImageStreamImportMode
+	// +optional
+	ImageStreamImportMode ImportModeType `json:"imageStreamImportMode,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type ImageList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Image `json:"items"`
+}
+
+// RegistryLocation contains a location of the registry specified by the registry domain
+// name. The domain name might include wildcards, like '*' or '??'.
+type RegistryLocation struct {
+	// domainName specifies a domain name for the registry
+	// In case the registry use non-standard (80 or 443) port, the port should be included
+	// in the domain name as well.
+	DomainName string `json:"domainName"`
+	// insecure indicates whether the registry is secure (https) or insecure (http)
+	// By default (if not specified) the registry is assumed as secure.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+}
+
+// RegistrySources holds cluster-wide information about how to handle the registries config.
+//
+// +kubebuilder:validation:XValidation:rule="has(self.blockedRegistries) ? !has(self.allowedRegistries) : true",message="Only one of blockedRegistries or allowedRegistries may be set"
+type RegistrySources struct {
+	// insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections.
+	// +optional
+	// +listType=atomic
+	InsecureRegistries []string `json:"insecureRegistries,omitempty"`
+	// blockedRegistries cannot be used for image pull and push actions. All other registries are permitted.
+	//
+	// Only one of BlockedRegistries or AllowedRegistries may be set.
+	// +optional
+	// +listType=atomic
+	BlockedRegistries []string `json:"blockedRegistries,omitempty"`
+	// allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied.
+	//
+	// Only one of BlockedRegistries or AllowedRegistries may be set.
+	// +optional
+	// +listType=atomic
+	AllowedRegistries []string `json:"allowedRegistries,omitempty"`
+	// containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified
+	// domains in their pull specs. Registries will be searched in the order provided in the list.
+	// Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports.
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:Format=hostname
+	// +listType=set
+	ContainerRuntimeSearchRegistries []string `json:"containerRuntimeSearchRegistries,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_image_content_policy.go b/vendor/github.com/openshift/api/config/v1/types_image_content_policy.go
new file mode 100644
index 00000000..0bd0d777
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_image_content_policy.go
@@ -0,0 +1,99 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ImageContentPolicy holds cluster-wide information about how to handle registry mirror rules.
+// When multiple policies are defined, the outcome of the behavior is defined on each field.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/874
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=imagecontentpolicies,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type ImageContentPolicy struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec ImageContentPolicySpec `json:"spec"`
+}
+
+// ImageContentPolicySpec is the specification of the ImageContentPolicy CRD.
+type ImageContentPolicySpec struct {
+	// repositoryDigestMirrors allows images referenced by image digests in pods to be
+	// pulled from alternative mirrored repository locations. The image pull specification
+	// provided to the pod will be compared to the source locations described in RepositoryDigestMirrors
+	// and the image may be pulled down from any of the mirrors in the list instead of the
+	// specified repository allowing administrators to choose a potentially faster mirror.
+	// To pull image from mirrors by tags, should set the "allowMirrorByTags".
+	//
+	// Each “source� repository is treated independently; configurations for different “source�
+	// repositories don’t interact.
+	//
+	// If the "mirrors" is not specified, the image will continue to be pulled from the specified
+	// repository in the pull spec.
+	//
+	// When multiple policies are defined for the same “source� repository, the sets of defined
+	// mirrors will be merged together, preserving the relative order of the mirrors, if possible.
+	// For example, if policy A has mirrors `a, b, c` and policy B has mirrors `c, d, e`, the
+	// mirrors will be used in the order `a, b, c, d, e`.  If the orders of mirror entries conflict
+	// (e.g. `a, b` vs. `b, a`) the configuration is not rejected but the resulting order is unspecified.
+	// +optional
+	// +listType=map
+	// +listMapKey=source
+	RepositoryDigestMirrors []RepositoryDigestMirrors `json:"repositoryDigestMirrors"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ImageContentPolicyList lists the items in the ImageContentPolicy CRD.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type ImageContentPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []ImageContentPolicy `json:"items"`
+}
+
+// RepositoryDigestMirrors holds cluster-wide information about how to handle mirrors in the registries config.
+type RepositoryDigestMirrors struct {
+	// source is the repository that users refer to, e.g. in image pull specifications.
+	// +required
+	// +kubebuilder:validation:Pattern=`^(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])(:[0-9]+)?(\/[^\/:\n]+)*(\/[^\/:\n]+((:[^\/:\n]+)|(@[^\n]+)))?$`
+	Source string `json:"source"`
+	// allowMirrorByTags if true, the mirrors can be used to pull the images that are referenced by their tags. Default is false, the mirrors only work when pulling the images that are referenced by their digests.
+	// Pulling images by tag can potentially yield different images, depending on which endpoint
+	// we pull from. Forcing digest-pulls for mirrors avoids that issue.
+	// +optional
+	AllowMirrorByTags bool `json:"allowMirrorByTags,omitempty"`
+	// mirrors is zero or more repositories that may also contain the same images.
+	// If the "mirrors" is not specified, the image will continue to be pulled from the specified
+	// repository in the pull spec. No mirror will be configured.
+	// The order of mirrors in this list is treated as the user's desired priority, while source
+	// is by default considered lower priority than all mirrors. Other cluster configuration,
+	// including (but not limited to) other repositoryDigestMirrors objects,
+	// may impact the exact order mirrors are contacted in, or some mirrors may be contacted
+	// in parallel, so this should be considered a preference rather than a guarantee of ordering.
+	// +optional
+	// +listType=set
+	Mirrors []Mirror `json:"mirrors,omitempty"`
+}
+
+// +kubebuilder:validation:Pattern=`^(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])(:[0-9]+)?(\/[^\/:\n]+)*(\/[^\/:\n]+((:[^\/:\n]+)|(@[^\n]+)))?$`
+type Mirror string
diff --git a/vendor/github.com/openshift/api/config/v1/types_image_digest_mirror_set.go b/vendor/github.com/openshift/api/config/v1/types_image_digest_mirror_set.go
new file mode 100644
index 00000000..df2258d1
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_image_digest_mirror_set.go
@@ -0,0 +1,141 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ImageDigestMirrorSet holds cluster-wide information about how to handle registry mirror rules on using digest pull specification.
+// When multiple policies are defined, the outcome of the behavior is defined on each field.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1126
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=imagedigestmirrorsets,scope=Cluster,shortName=idms
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type ImageDigestMirrorSet struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec ImageDigestMirrorSetSpec `json:"spec"`
+	// status contains the observed state of the resource.
+	// +optional
+	Status ImageDigestMirrorSetStatus `json:"status,omitempty"`
+}
+
+// ImageDigestMirrorSetSpec is the specification of the ImageDigestMirrorSet CRD.
+type ImageDigestMirrorSetSpec struct {
+	// imageDigestMirrors allows images referenced by image digests in pods to be
+	// pulled from alternative mirrored repository locations. The image pull specification
+	// provided to the pod will be compared to the source locations described in imageDigestMirrors
+	// and the image may be pulled down from any of the mirrors in the list instead of the
+	// specified repository allowing administrators to choose a potentially faster mirror.
+	// To use mirrors to pull images using tag specification, users should configure
+	// a list of mirrors using "ImageTagMirrorSet" CRD.
+	//
+	// If the image pull specification matches the repository of "source" in multiple imagedigestmirrorset objects,
+	// only the objects which define the most specific namespace match will be used.
+	// For example, if there are objects using quay.io/libpod and quay.io/libpod/busybox as
+	// the "source", only the objects using quay.io/libpod/busybox are going to apply
+	// for pull specification quay.io/libpod/busybox.
+	// Each “source� repository is treated independently; configurations for different “source�
+	// repositories don’t interact.
+	//
+	// If the "mirrors" is not specified, the image will continue to be pulled from the specified
+	// repository in the pull spec.
+	//
+	// When multiple policies are defined for the same “source� repository, the sets of defined
+	// mirrors will be merged together, preserving the relative order of the mirrors, if possible.
+	// For example, if policy A has mirrors `a, b, c` and policy B has mirrors `c, d, e`, the
+	// mirrors will be used in the order `a, b, c, d, e`.  If the orders of mirror entries conflict
+	// (e.g. `a, b` vs. `b, a`) the configuration is not rejected but the resulting order is unspecified.
+	// Users who want to use a specific order of mirrors, should configure them into one list of mirrors using the expected order.
+	// +optional
+	// +listType=atomic
+	ImageDigestMirrors []ImageDigestMirrors `json:"imageDigestMirrors"`
+}
+
+type ImageDigestMirrorSetStatus struct{}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ImageDigestMirrorSetList lists the items in the ImageDigestMirrorSet CRD.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type ImageDigestMirrorSetList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []ImageDigestMirrorSet `json:"items"`
+}
+
+// +kubebuilder:validation:Pattern=`^((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?)(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$`
+type ImageMirror string
+
+// MirrorSourcePolicy defines the fallback policy if fails to pull image from the mirrors.
+// +kubebuilder:validation:Enum=NeverContactSource;AllowContactingSource
+type MirrorSourcePolicy string
+
+const (
+	// NeverContactSource prevents image pull from the specified repository in the pull spec if the image pull from the mirror list fails.
+	NeverContactSource MirrorSourcePolicy = "NeverContactSource"
+
+	// AllowContactingSource allows falling back to the specified repository in the pull spec if the image pull from the mirror list fails.
+	AllowContactingSource MirrorSourcePolicy = "AllowContactingSource"
+)
+
+// ImageDigestMirrors holds cluster-wide information about how to handle mirrors in the registries config.
+type ImageDigestMirrors struct {
+	// source matches the repository that users refer to, e.g. in image pull specifications. Setting source to a registry hostname
+	// e.g. docker.io. quay.io, or registry.redhat.io, will match the image pull specification of corressponding registry.
+	// "source" uses one of the following formats:
+	// host[:port]
+	// host[:port]/namespace[/namespace…]
+	// host[:port]/namespace[/namespace…]/repo
+	// [*.]host
+	// for more information about the format, see the document about the location field:
+	// https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table
+	// +required
+	// +kubebuilder:validation:Pattern=`^\*(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$|^((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?)(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$`
+	Source string `json:"source"`
+	// mirrors is zero or more locations that may also contain the same images. No mirror will be configured if not specified.
+	// Images can be pulled from these mirrors only if they are referenced by their digests.
+	// The mirrored location is obtained by replacing the part of the input reference that
+	// matches source by the mirrors entry, e.g. for registry.redhat.io/product/repo reference,
+	// a (source, mirror) pair *.redhat.io, mirror.local/redhat causes a mirror.local/redhat/product/repo
+	// repository to be used.
+	// The order of mirrors in this list is treated as the user's desired priority, while source
+	// is by default considered lower priority than all mirrors.
+	// If no mirror is specified or all image pulls from the mirror list fail, the image will continue to be
+	// pulled from the repository in the pull spec unless explicitly prohibited by "mirrorSourcePolicy"
+	// Other cluster configuration, including (but not limited to) other imageDigestMirrors objects,
+	// may impact the exact order mirrors are contacted in, or some mirrors may be contacted
+	// in parallel, so this should be considered a preference rather than a guarantee of ordering.
+	// "mirrors" uses one of the following formats:
+	// host[:port]
+	// host[:port]/namespace[/namespace…]
+	// host[:port]/namespace[/namespace…]/repo
+	// for more information about the format, see the document about the location field:
+	// https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table
+	// +optional
+	// +listType=set
+	Mirrors []ImageMirror `json:"mirrors,omitempty"`
+	// mirrorSourcePolicy defines the fallback policy if fails to pull image from the mirrors.
+	// If unset, the image will continue to be pulled from the the repository in the pull spec.
+	// sourcePolicy is valid configuration only when one or more mirrors are in the mirror list.
+	// +optional
+	MirrorSourcePolicy MirrorSourcePolicy `json:"mirrorSourcePolicy,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_image_policy.go
new file mode 100644
index 00000000..54bd21ad
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_image_policy.go
@@ -0,0 +1,322 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ImagePolicy holds namespace-wide configuration for image signature verification
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=imagepolicies,scope=Namespaced
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2310
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +openshift:enable:FeatureGate=SigstoreImageVerification
+// +openshift:compatibility-gen:level=1
+type ImagePolicy struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec ImagePolicySpec `json:"spec"`
+	// status contains the observed state of the resource.
+	// +optional
+	Status ImagePolicyStatus `json:"status"`
+}
+
+// ImagePolicySpec is the specification of the ImagePolicy CRD.
+type ImagePolicySpec struct {
+	// scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2".
+	// Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest).
+	// More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository
+	// namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number).
+	// Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e.  *.example.com is a valid case, but example*.*.com is not.
+	// This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored.
+	// In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories
+	// quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation.
+	// If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied.
+	// For additional details about the format, please refer to the document explaining the docker transport field,
+	// which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker
+	// +required
+	// +kubebuilder:validation:MaxItems=256
+	// +listType=set
+	Scopes []ImageScope `json:"scopes"`
+	// policy is a required field that contains configuration to allow scopes to be verified, and defines how
+	// images not matching the verification policy will be treated.
+	// +required
+	Policy Policy `json:"policy"`
+}
+
+// +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'"
+// +kubebuilder:validation:XValidation:rule=`self.contains('*') ? self.matches('^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$') : true`,message="invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching"
+// +kubebuilder:validation:XValidation:rule=`!self.contains('*') ? self.matches('^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$') : true`,message="invalid repository namespace or image specification in the image scope"
+// +kubebuilder:validation:MaxLength=512
+type ImageScope string
+
+// Policy defines the verification policy for the items in the scopes list.
+type Policy struct {
+	// rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval.
+	// This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.
+	// +required
+	RootOfTrust PolicyRootOfTrust `json:"rootOfTrust"`
+	// signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope.
+	// The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact".
+	// +optional
+	SignedIdentity *PolicyIdentity `json:"signedIdentity,omitempty"`
+}
+
+// PolicyRootOfTrust defines the root of trust based on the selected policyType.
+// +union
+// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise"
+type PolicyRootOfTrust struct {
+	// policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated.
+	// Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI".
+	// When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
+	// When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification.
+	// When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
+	// +unionDiscriminator
+	// +required
+	PolicyType PolicyType `json:"policyType"`
+	// publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification.
+	// publicKey is required when policyType is PublicKey, and forbidden otherwise.
+	// +optional
+	PublicKey *PublicKey `json:"publicKey,omitempty"`
+	// fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key.
+	// fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise
+	// For more information about Fulcio and Rekor, please refer to the document at:
+	// https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
+	// +optional
+	FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
+	// pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
+	// pki is required when policyType is PKI, and forbidden otherwise.
+	// +optional
+	// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
+	PKI *PKI `json:"pki,omitempty"`
+}
+
+// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor
+// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI
+type PolicyType string
+
+const (
+	PublicKeyRootOfTrust         PolicyType = "PublicKey"
+	FulcioCAWithRekorRootOfTrust PolicyType = "FulcioCAWithRekor"
+	PKIRootOfTrust               PolicyType = "PKI"
+)
+
+// PublicKey defines the root of trust based on a sigstore public key.
+type PublicKey struct {
+	// keyData is a required field contains inline base64-encoded data for the PEM format public key.
+	// keyData must be at most 8192 characters.
+	// +required
+	// +kubebuilder:validation:MaxLength=8192
+	// +kubebuilder:validation:MinLength=68
+	// +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN PUBLIC KEY-----')",message="the keyData must start with base64 encoding of '-----BEGIN PUBLIC KEY-----'."
+	// +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END PUBLIC KEY-----\\n') || string(self).endsWith('-----END PUBLIC KEY-----')",message="the keyData must end with base64 encoding of '-----END PUBLIC KEY-----'."
+	KeyData []byte `json:"keyData"`
+	// rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key.
+	// rekorKeyData must be at most 8192 characters.
+	// +optional
+	// +kubebuilder:validation:MaxLength=8192
+	// +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN PUBLIC KEY-----')",message="the rekorKeyData must start with base64 encoding of '-----BEGIN PUBLIC KEY-----'."
+	// +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END PUBLIC KEY-----\\n') || string(self).endsWith('-----END PUBLIC KEY-----')",message="the rekorKeyData must end with base64 encoding of '-----END PUBLIC KEY-----'."
+	RekorKeyData []byte `json:"rekorKeyData,omitempty"`
+}
+
+// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type FulcioCAWithRekor struct {
+	// fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA.
+	// fulcioCAData must be at most 8192 characters.
+	// +required
+	// +kubebuilder:validation:MaxLength=8192
+	// +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the fulcioCAData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'."
+	// +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the fulcioCAData must end with base64 encoding of '-----END CERTIFICATE-----'."
+	FulcioCAData []byte `json:"fulcioCAData"`
+	// rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key.
+	// rekorKeyData must be at most 8192 characters.
+	// +required
+	// +kubebuilder:validation:MaxLength=8192
+	// +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN PUBLIC KEY-----')",message="the rekorKeyData must start with base64 encoding of '-----BEGIN PUBLIC KEY-----'."
+	// +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END PUBLIC KEY-----\\n') || string(self).endsWith('-----END PUBLIC KEY-----')",message="the rekorKeyData must end with base64 encoding of '-----END PUBLIC KEY-----'."
+	RekorKeyData []byte `json:"rekorKeyData"`
+	// fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.
+	// +required
+	FulcioSubject PolicyFulcioSubject `json:"fulcioSubject"`
+}
+
+// PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.
+type PolicyFulcioSubject struct {
+	// oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length.
+	// It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL.
+	// When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token.
+	// Example: "https://expected.OIDC.issuer/"
+	// +required
+	// +kubebuilder:validation:MaxLength=2048
+	// +kubebuilder:validation:XValidation:rule="isURL(self)",message="oidcIssuer must be a valid URL"
+	OIDCIssuer string `json:"oidcIssuer"`
+	// signedEmail is a required field holds the email address that the Fulcio certificate is issued for.
+	// The signedEmail must be a valid email address and at most 320 characters in length.
+	// Example: "expected-signing-user@example.com"
+	// +required
+	// +kubebuilder:validation:MaxLength=320
+	// +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address"
+	SignedEmail string `json:"signedEmail"`
+}
+
+// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
+type PKI struct {
+	// caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.
+	// +required
+	// +kubebuilder:validation:MaxLength=8192
+	// +kubebuilder:validation:MinLength=72
+	// +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'."
+	// +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'."
+	// +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caRootsData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers."
+	CertificateAuthorityRootsData []byte `json:"caRootsData"`
+	// caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters.
+	// caIntermediatesData requires caRootsData to be set.
+	// +optional
+	// +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caIntermediatesData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'."
+	// +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caIntermediatesData must end with base64 encoding of '-----END CERTIFICATE-----'."
+	// +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caIntermediatesData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers."
+	// +kubebuilder:validation:MaxLength=8192
+	// +kubebuilder:validation:MinLength=72
+	CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"`
+
+	// pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.
+	// +required
+	PKICertificateSubject PKICertificateSubject `json:"pkiCertificateSubject"`
+}
+
+// PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.
+// +kubebuilder:validation:XValidation:rule="has(self.email) || has(self.hostname)", message="at least one of email or hostname must be set in pkiCertificateSubject"
+// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
+type PKICertificateSubject struct {
+	// email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate.
+	// The email must be a valid email address and at most 320 characters in length.
+	// +optional
+	// +kubebuilder:validation:MaxLength:=320
+	// +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address"
+	Email string `json:"email,omitempty"`
+	// hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate.
+	// The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length.
+	// It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.
+	// +optional
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:XValidation:rule="self.startsWith('*.') ? !format.dns1123Subdomain().validate(self.replace('*.', '', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()",message="hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.'. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk."
+	Hostname string `json:"hostname,omitempty"`
+}
+
+// PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is "MatchRepoDigestOrExact".
+// +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'ExactRepository') ? has(self.exactRepository) : !has(self.exactRepository)",message="exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'RemapIdentity') ? has(self.remapIdentity) : !has(self.remapIdentity)",message="remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise"
+// +union
+type PolicyIdentity struct {
+	// matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope.
+	// Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact".
+	// When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity.
+	// When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity.
+	// When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository".
+	// When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix� if the the image identity matches the specified remapPrefix.
+	// +unionDiscriminator
+	// +required
+	MatchPolicy IdentityMatchPolicy `json:"matchPolicy"`
+	// exactRepository specifies the repository that must be exactly matched by the identity in the signature.
+	// exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.
+	// +optional
+	PolicyMatchExactRepository *PolicyMatchExactRepository `json:"exactRepository,omitempty"`
+	// remapIdentity specifies the prefix remapping rule for verifying image identity.
+	// remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image.
+	// +optional
+	PolicyMatchRemapIdentity *PolicyMatchRemapIdentity `json:"remapIdentity,omitempty"`
+}
+
+// +kubebuilder:validation:MaxLength=512
+// +kubebuilder:validation:XValidation:rule=`self.matches('.*:([\\w][\\w.-]{0,127})$')? self.matches('^(localhost:[0-9]+)$'): true`,message="invalid repository or prefix in the signedIdentity, should not include the tag or digest"
+// +kubebuilder:validation:XValidation:rule=`self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$')`,message="invalid repository or prefix in the signedIdentity. The repository or prefix must starts with 'localhost' or a valid '.' separated domain. If contains registry paths, the path component names must start with at least one letter or number, with following parts able to be separated by one period, one or two underscore and multiple dashes."
+type IdentityRepositoryPrefix string
+
+type PolicyMatchExactRepository struct {
+	// repository is the reference of the image identity to be matched.
+	// repository is required if matchPolicy is set to "ExactRepository".
+	// The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox
+	// +required
+	Repository IdentityRepositoryPrefix `json:"repository"`
+}
+
+type PolicyMatchRemapIdentity struct {
+	// prefix is required if matchPolicy is set to "RemapIdentity".
+	// prefix is the prefix of the image identity to be matched.
+	// If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix� (otherwise it is used as unchanged and no remapping takes place).
+	// This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure.
+	// The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces,
+	// or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form.
+	// For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.
+	// +required
+	Prefix IdentityRepositoryPrefix `json:"prefix"`
+	// signedPrefix is required if matchPolicy is set to "RemapIdentity".
+	// signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces,
+	// or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form.
+	// For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.
+	// +required
+	SignedPrefix IdentityRepositoryPrefix `json:"signedPrefix"`
+}
+
+// IdentityMatchPolicy defines the type of matching for "matchPolicy".
+// +kubebuilder:validation:Enum=MatchRepoDigestOrExact;MatchRepository;ExactRepository;RemapIdentity
+type IdentityMatchPolicy string
+
+const (
+	IdentityMatchPolicyMatchRepoDigestOrExact IdentityMatchPolicy = "MatchRepoDigestOrExact"
+	IdentityMatchPolicyMatchRepository        IdentityMatchPolicy = "MatchRepository"
+	IdentityMatchPolicyExactRepository        IdentityMatchPolicy = "ExactRepository"
+	IdentityMatchPolicyRemapIdentity          IdentityMatchPolicy = "RemapIdentity"
+)
+
+// +k8s:deepcopy-gen=true
+type ImagePolicyStatus struct {
+	// conditions provide details on the status of this API Resource.
+	// condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.
+	// +kubebuilder:validation:MaxItems=8
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ImagePolicyList is a list of ImagePolicy resources
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type ImagePolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +required
+	metav1.ListMeta `json:"metadata"`
+
+	// items is a list of ImagePolicies
+	// +kubebuilder:validation:MaxItems=1000
+	// +required
+	Items []ImagePolicy `json:"items"`
+}
+
+const (
+	// ImagePolicyPending indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.
+	ImagePolicyPending = "Pending"
+	// ImagePolicyApplied indicates that the policy has been applied
+	ImagePolicyApplied = "Applied"
+)
diff --git a/vendor/github.com/openshift/api/config/v1/types_image_tag_mirror_set.go b/vendor/github.com/openshift/api/config/v1/types_image_tag_mirror_set.go
new file mode 100644
index 00000000..b7e1a6a8
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_image_tag_mirror_set.go
@@ -0,0 +1,128 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification.
+// When multiple policies are defined, the outcome of the behavior is defined on each field.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1126
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=imagetagmirrorsets,scope=Cluster,shortName=itms
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type ImageTagMirrorSet struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec ImageTagMirrorSetSpec `json:"spec"`
+	// status contains the observed state of the resource.
+	// +optional
+	Status ImageTagMirrorSetStatus `json:"status,omitempty"`
+}
+
+// ImageTagMirrorSetSpec is the specification of the ImageTagMirrorSet CRD.
+type ImageTagMirrorSetSpec struct {
+	// imageTagMirrors allows images referenced by image tags in pods to be
+	// pulled from alternative mirrored repository locations. The image pull specification
+	// provided to the pod will be compared to the source locations described in imageTagMirrors
+	// and the image may be pulled down from any of the mirrors in the list instead of the
+	// specified repository allowing administrators to choose a potentially faster mirror.
+	// To use mirrors to pull images using digest specification only, users should configure
+	// a list of mirrors using "ImageDigestMirrorSet" CRD.
+	//
+	// If the image pull specification matches the repository of "source" in multiple imagetagmirrorset objects,
+	// only the objects which define the most specific namespace match will be used.
+	// For example, if there are objects using quay.io/libpod and quay.io/libpod/busybox as
+	// the "source", only the objects using quay.io/libpod/busybox are going to apply
+	// for pull specification quay.io/libpod/busybox.
+	// Each “source� repository is treated independently; configurations for different “source�
+	// repositories don’t interact.
+	//
+	// If the "mirrors" is not specified, the image will continue to be pulled from the specified
+	// repository in the pull spec.
+	//
+	// When multiple policies are defined for the same “source� repository, the sets of defined
+	// mirrors will be merged together, preserving the relative order of the mirrors, if possible.
+	// For example, if policy A has mirrors `a, b, c` and policy B has mirrors `c, d, e`, the
+	// mirrors will be used in the order `a, b, c, d, e`.  If the orders of mirror entries conflict
+	// (e.g. `a, b` vs. `b, a`) the configuration is not rejected but the resulting order is unspecified.
+	// Users who want to use a deterministic order of mirrors, should configure them into one list of mirrors using the expected order.
+	// +optional
+	// +listType=atomic
+	ImageTagMirrors []ImageTagMirrors `json:"imageTagMirrors"`
+}
+
+type ImageTagMirrorSetStatus struct{}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ImageTagMirrorSetList lists the items in the ImageTagMirrorSet CRD.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type ImageTagMirrorSetList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []ImageTagMirrorSet `json:"items"`
+}
+
+// ImageTagMirrors holds cluster-wide information about how to handle mirrors in the registries config.
+type ImageTagMirrors struct {
+	// source matches the repository that users refer to, e.g. in image pull specifications. Setting source to a registry hostname
+	// e.g. docker.io. quay.io, or registry.redhat.io, will match the image pull specification of corressponding registry.
+	// "source" uses one of the following formats:
+	// host[:port]
+	// host[:port]/namespace[/namespace…]
+	// host[:port]/namespace[/namespace…]/repo
+	// [*.]host
+	// for more information about the format, see the document about the location field:
+	// https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table
+	// +required
+	// +kubebuilder:validation:Pattern=`^\*(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$|^((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?)(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$`
+	Source string `json:"source"`
+	// mirrors is zero or more locations that may also contain the same images. No mirror will be configured if not specified.
+	// Images can be pulled from these mirrors only if they are referenced by their tags.
+	// The mirrored location is obtained by replacing the part of the input reference that
+	// matches source by the mirrors entry, e.g. for registry.redhat.io/product/repo reference,
+	// a (source, mirror) pair *.redhat.io, mirror.local/redhat causes a mirror.local/redhat/product/repo
+	// repository to be used.
+	// Pulling images by tag can potentially yield different images, depending on which endpoint we pull from.
+	// Configuring a list of mirrors using "ImageDigestMirrorSet" CRD and forcing digest-pulls for mirrors avoids that issue.
+	// The order of mirrors in this list is treated as the user's desired priority, while source
+	// is by default considered lower priority than all mirrors.
+	// If no mirror is specified or all image pulls from the mirror list fail, the image will continue to be
+	// pulled from the repository in the pull spec unless explicitly prohibited by "mirrorSourcePolicy".
+	// Other cluster configuration, including (but not limited to) other imageTagMirrors objects,
+	// may impact the exact order mirrors are contacted in, or some mirrors may be contacted
+	// in parallel, so this should be considered a preference rather than a guarantee of ordering.
+	// "mirrors" uses one of the following formats:
+	// host[:port]
+	// host[:port]/namespace[/namespace…]
+	// host[:port]/namespace[/namespace…]/repo
+	// for more information about the format, see the document about the location field:
+	// https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table
+	// +optional
+	// +listType=set
+	Mirrors []ImageMirror `json:"mirrors,omitempty"`
+	// mirrorSourcePolicy defines the fallback policy if fails to pull image from the mirrors.
+	// If unset, the image will continue to be pulled from the repository in the pull spec.
+	// sourcePolicy is valid configuration only when one or more mirrors are in the mirror list.
+	// +optional
+	MirrorSourcePolicy MirrorSourcePolicy `json:"mirrorSourcePolicy,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
new file mode 100644
index 00000000..1fc06418
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
@@ -0,0 +1,2121 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:subresource:status
+
+// Infrastructure holds cluster-wide information about Infrastructure.  The canonical name is `cluster`
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=infrastructures,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type Infrastructure struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec InfrastructureSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status InfrastructureStatus `json:"status"`
+}
+
+// InfrastructureSpec contains settings that apply to the cluster infrastructure.
+type InfrastructureSpec struct {
+	// cloudConfig is a reference to a ConfigMap containing the cloud provider configuration file.
+	// This configuration file is used to configure the Kubernetes cloud provider integration
+	// when using the built-in cloud provider integration or the external cloud controller manager.
+	// The namespace for this config map is openshift-config.
+	//
+	// cloudConfig should only be consumed by the kube_cloud_config controller.
+	// The controller is responsible for using the user configuration in the spec
+	// for various platforms and combining that with the user provided ConfigMap in this field
+	// to create a stitched kube cloud config.
+	// The controller generates a ConfigMap `kube-cloud-config` in `openshift-config-managed` namespace
+	// with the kube cloud config is stored in `cloud.conf` key.
+	// All the clients are expected to use the generated ConfigMap only.
+	//
+	// +optional
+	CloudConfig ConfigMapFileReference `json:"cloudConfig"`
+
+	// platformSpec holds desired information specific to the underlying
+	// infrastructure provider.
+	PlatformSpec PlatformSpec `json:"platformSpec,omitempty"`
+}
+
+// InfrastructureStatus describes the infrastructure the cluster is leveraging.
+type InfrastructureStatus struct {
+	// infrastructureName uniquely identifies a cluster with a human friendly name.
+	// Once set it should not be changed. Must be of max length 27 and must have only
+	// alphanumeric or hyphen characters.
+	// +optional
+	InfrastructureName string `json:"infrastructureName"`
+
+	// platform is the underlying infrastructure provider for the cluster.
+	//
+	// Deprecated: Use platformStatus.type instead.
+	// +optional
+	Platform PlatformType `json:"platform,omitempty"`
+
+	// platformStatus holds status information specific to the underlying
+	// infrastructure provider.
+	// +optional
+	PlatformStatus *PlatformStatus `json:"platformStatus,omitempty"`
+
+	// etcdDiscoveryDomain is the domain used to fetch the SRV records for discovering
+	// etcd servers and clients.
+	// For more info: https://github.com/etcd-io/etcd/blob/329be66e8b3f9e2e6af83c123ff89297e49ebd15/Documentation/op-guide/clustering.md#dns-discovery
+	// deprecated: as of 4.7, this field is no longer set or honored.  It will be removed in a future release.
+	// +optional
+	EtcdDiscoveryDomain string `json:"etcdDiscoveryDomain"`
+
+	// apiServerURL is a valid URI with scheme 'https', address and
+	// optionally a port (defaulting to 443).  apiServerURL can be used by components like the web console
+	// to tell users where to find the Kubernetes API.
+	// +optional
+	APIServerURL string `json:"apiServerURL"`
+
+	// apiServerInternalURL is a valid URI with scheme 'https',
+	// address and optionally a port (defaulting to 443).  apiServerInternalURL can be used by components
+	// like kubelets, to contact the Kubernetes API server using the
+	// infrastructure provider rather than Kubernetes networking.
+	// +optional
+	APIServerInternalURL string `json:"apiServerInternalURI"`
+
+	// controlPlaneTopology expresses the expectations for operands that normally run on control nodes.
+	// The default is 'HighlyAvailable', which represents the behavior operators have in a "normal" cluster.
+	// The 'SingleReplica' mode will be used in single-node deployments
+	// and the operators should not configure the operand for highly-available operation
+	// The 'External' mode indicates that the control plane is hosted externally to the cluster and that
+	// its components are not visible within the cluster.
+	// +kubebuilder:default=HighlyAvailable
+	// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=HighlyAvailable;SingleReplica;External
+	// +openshift:validation:FeatureGateAwareEnum:featureGate=HighlyAvailableArbiter,enum=HighlyAvailable;HighlyAvailableArbiter;SingleReplica;External
+	// +openshift:validation:FeatureGateAwareEnum:featureGate=DualReplica,enum=HighlyAvailable;SingleReplica;DualReplica;External
+	// +openshift:validation:FeatureGateAwareEnum:requiredFeatureGate=HighlyAvailableArbiter;DualReplica,enum=HighlyAvailable;HighlyAvailableArbiter;SingleReplica;DualReplica;External
+	// +optional
+	ControlPlaneTopology TopologyMode `json:"controlPlaneTopology"`
+
+	// infrastructureTopology expresses the expectations for infrastructure services that do not run on control
+	// plane nodes, usually indicated by a node selector for a `role` value
+	// other than `master`.
+	// The default is 'HighlyAvailable', which represents the behavior operators have in a "normal" cluster.
+	// The 'SingleReplica' mode will be used in single-node deployments
+	// and the operators should not configure the operand for highly-available operation
+	// NOTE: External topology mode is not applicable for this field.
+	// +kubebuilder:default=HighlyAvailable
+	// +kubebuilder:validation:Enum=HighlyAvailable;SingleReplica
+	// +optional
+	InfrastructureTopology TopologyMode `json:"infrastructureTopology,omitempty"`
+
+	// cpuPartitioning expresses if CPU partitioning is a currently enabled feature in the cluster.
+	// CPU Partitioning means that this cluster can support partitioning workloads to specific CPU Sets.
+	// Valid values are "None" and "AllNodes". When omitted, the default value is "None".
+	// The default value of "None" indicates that no nodes will be setup with CPU partitioning.
+	// The "AllNodes" value indicates that all nodes have been setup with CPU partitioning,
+	// and can then be further configured via the PerformanceProfile API.
+	// +kubebuilder:default=None
+	// +default="None"
+	// +kubebuilder:validation:Enum=None;AllNodes
+	// +optional
+	CPUPartitioning CPUPartitioningMode `json:"cpuPartitioning,omitempty"`
+}
+
+// TopologyMode defines the topology mode of the control/infra nodes.
+// NOTE: Enum validation is specified in each field that uses this type,
+// given that External value is not applicable to the InfrastructureTopology
+// field.
+type TopologyMode string
+
+const (
+	// "HighlyAvailable" is for operators to configure high-availability as much as possible.
+	HighlyAvailableTopologyMode TopologyMode = "HighlyAvailable"
+
+	// "HighlyAvailableArbiter" is for operators to configure for an arbiter HA deployment.
+	HighlyAvailableArbiterMode TopologyMode = "HighlyAvailableArbiter"
+
+	// "SingleReplica" is for operators to avoid spending resources for high-availability purpose.
+	SingleReplicaTopologyMode TopologyMode = "SingleReplica"
+
+	// "DualReplica" is for operators to configure for two node topology.
+	DualReplicaTopologyMode TopologyMode = "DualReplica"
+
+	// "External" indicates that the component is running externally to the cluster. When specified
+	// as the control plane topology, operators should avoid scheduling workloads to masters or assume
+	// that any of the control plane components such as kubernetes API server or etcd are visible within
+	// the cluster.
+	ExternalTopologyMode TopologyMode = "External"
+)
+
+// CPUPartitioningMode defines the mode for CPU partitioning
+type CPUPartitioningMode string
+
+const (
+	// CPUPartitioningNone means that no CPU Partitioning is on in this cluster infrastructure
+	CPUPartitioningNone CPUPartitioningMode = "None"
+
+	// CPUPartitioningAllNodes means that all nodes are configured with CPU Partitioning in this cluster
+	CPUPartitioningAllNodes CPUPartitioningMode = "AllNodes"
+)
+
+// PlatformLoadBalancerType defines the type of load balancer used by the cluster.
+type PlatformLoadBalancerType string
+
+const (
+	// LoadBalancerTypeUserManaged is a load balancer with control-plane VIPs managed outside of the cluster by the customer.
+	LoadBalancerTypeUserManaged PlatformLoadBalancerType = "UserManaged"
+
+	// LoadBalancerTypeOpenShiftManagedDefault is the default load balancer with control-plane VIPs managed by the OpenShift cluster.
+	LoadBalancerTypeOpenShiftManagedDefault PlatformLoadBalancerType = "OpenShiftManagedDefault"
+)
+
+// PlatformType is a specific supported infrastructure provider.
+// +kubebuilder:validation:Enum="";AWS;Azure;BareMetal;GCP;Libvirt;OpenStack;None;VSphere;oVirt;IBMCloud;KubeVirt;EquinixMetal;PowerVS;AlibabaCloud;Nutanix;External
+type PlatformType string
+
+const (
+	// AWSPlatformType represents Amazon Web Services infrastructure.
+	AWSPlatformType PlatformType = "AWS"
+
+	// AzurePlatformType represents Microsoft Azure infrastructure.
+	AzurePlatformType PlatformType = "Azure"
+
+	// BareMetalPlatformType represents managed bare metal infrastructure.
+	BareMetalPlatformType PlatformType = "BareMetal"
+
+	// GCPPlatformType represents Google Cloud Platform infrastructure.
+	GCPPlatformType PlatformType = "GCP"
+
+	// LibvirtPlatformType represents libvirt infrastructure.
+	LibvirtPlatformType PlatformType = "Libvirt"
+
+	// OpenStackPlatformType represents OpenStack infrastructure.
+	OpenStackPlatformType PlatformType = "OpenStack"
+
+	// NonePlatformType means there is no infrastructure provider.
+	NonePlatformType PlatformType = "None"
+
+	// VSpherePlatformType represents VMWare vSphere infrastructure.
+	VSpherePlatformType PlatformType = "VSphere"
+
+	// OvirtPlatformType represents oVirt/RHV infrastructure.
+	OvirtPlatformType PlatformType = "oVirt"
+
+	// IBMCloudPlatformType represents IBM Cloud infrastructure.
+	IBMCloudPlatformType PlatformType = "IBMCloud"
+
+	// KubevirtPlatformType represents KubeVirt/Openshift Virtualization infrastructure.
+	KubevirtPlatformType PlatformType = "KubeVirt"
+
+	// EquinixMetalPlatformType represents Equinix Metal infrastructure.
+	EquinixMetalPlatformType PlatformType = "EquinixMetal"
+
+	// PowerVSPlatformType represents IBM Power Systems Virtual Servers infrastructure.
+	PowerVSPlatformType PlatformType = "PowerVS"
+
+	// AlibabaCloudPlatformType represents Alibaba Cloud infrastructure.
+	AlibabaCloudPlatformType PlatformType = "AlibabaCloud"
+
+	// NutanixPlatformType represents Nutanix infrastructure.
+	NutanixPlatformType PlatformType = "Nutanix"
+
+	// ExternalPlatformType represents generic infrastructure provider. Platform-specific components should be supplemented separately.
+	ExternalPlatformType PlatformType = "External"
+)
+
+// IBMCloudProviderType is a specific supported IBM Cloud provider cluster type
+type IBMCloudProviderType string
+
+const (
+	// Classic  means that the IBM Cloud cluster is using classic infrastructure
+	IBMCloudProviderTypeClassic IBMCloudProviderType = "Classic"
+
+	// VPC means that the IBM Cloud cluster is using VPC infrastructure
+	IBMCloudProviderTypeVPC IBMCloudProviderType = "VPC"
+
+	// IBMCloudProviderTypeUPI means that the IBM Cloud cluster is using user provided infrastructure.
+	// This is utilized in IBM Cloud Satellite environments.
+	IBMCloudProviderTypeUPI IBMCloudProviderType = "UPI"
+)
+
+// DNSType indicates whether the cluster DNS is hosted by the cluster or Core DNS .
+type DNSType string
+
+const (
+	// ClusterHosted indicates that a DNS solution other than the default provided by the
+	// cloud platform is in use. In this mode, the cluster hosts a DNS solution during installation and the
+	// user is expected to provide their own DNS solution post-install.
+	// When the DNS solution is `ClusterHosted`, the cluster will continue to use the
+	// default Load Balancers provided by the cloud platform.
+	ClusterHostedDNSType DNSType = "ClusterHosted"
+
+	// PlatformDefault indicates that the cluster is using the default DNS solution for the
+	// cloud platform. OpenShift is responsible for all the LB and DNS configuration needed for the
+	// cluster to be functional with no intervention from the user. To accomplish this, OpenShift
+	// configures the default LB and DNS solutions provided by the underlying cloud.
+	PlatformDefaultDNSType DNSType = "PlatformDefault"
+)
+
+// ExternalPlatformSpec holds the desired state for the generic External infrastructure provider.
+type ExternalPlatformSpec struct {
+	// platformName holds the arbitrary string representing the infrastructure provider name, expected to be set at the installation time.
+	// This field is solely for informational and reporting purposes and is not expected to be used for decision-making.
+	// +kubebuilder:default:="Unknown"
+	// +default="Unknown"
+	// +kubebuilder:validation:XValidation:rule="oldSelf == 'Unknown' || self == oldSelf",message="platform name cannot be changed once set"
+	// +optional
+	PlatformName string `json:"platformName,omitempty"`
+}
+
+// PlatformSpec holds the desired state specific to the underlying infrastructure provider
+// of the current cluster. Since these are used at spec-level for the underlying cluster, it
+// is supposed that only one of the spec structs is set.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.vsphere) && has(self.vsphere) ? size(self.vsphere.vcenters) < 2 : true",message="vcenters can have at most 1 item when configured post-install"
+type PlatformSpec struct {
+	// type is the underlying infrastructure provider for the cluster. This
+	// value controls whether infrastructure automation such as service load
+	// balancers, dynamic volume provisioning, machine creation and deletion, and
+	// other integrations are enabled. If None, no infrastructure automation is
+	// enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt",
+	// "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS",
+	// "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms,
+	// and must handle unrecognized platforms as None if they do not support that platform.
+	//
+	// +unionDiscriminator
+	Type PlatformType `json:"type"`
+
+	// aws contains settings specific to the Amazon Web Services infrastructure provider.
+	// +optional
+	AWS *AWSPlatformSpec `json:"aws,omitempty"`
+
+	// azure contains settings specific to the Azure infrastructure provider.
+	// +optional
+	Azure *AzurePlatformSpec `json:"azure,omitempty"`
+
+	// gcp contains settings specific to the Google Cloud Platform infrastructure provider.
+	// +optional
+	GCP *GCPPlatformSpec `json:"gcp,omitempty"`
+
+	// baremetal contains settings specific to the BareMetal platform.
+	// +optional
+	BareMetal *BareMetalPlatformSpec `json:"baremetal,omitempty"`
+
+	// openstack contains settings specific to the OpenStack infrastructure provider.
+	// +optional
+	OpenStack *OpenStackPlatformSpec `json:"openstack,omitempty"`
+
+	// ovirt contains settings specific to the oVirt infrastructure provider.
+	// +optional
+	Ovirt *OvirtPlatformSpec `json:"ovirt,omitempty"`
+
+	// vsphere contains settings specific to the VSphere infrastructure provider.
+	// +optional
+	VSphere *VSpherePlatformSpec `json:"vsphere,omitempty"`
+
+	// ibmcloud contains settings specific to the IBMCloud infrastructure provider.
+	// +optional
+	IBMCloud *IBMCloudPlatformSpec `json:"ibmcloud,omitempty"`
+
+	// kubevirt contains settings specific to the kubevirt infrastructure provider.
+	// +optional
+	Kubevirt *KubevirtPlatformSpec `json:"kubevirt,omitempty"`
+
+	// equinixMetal contains settings specific to the Equinix Metal infrastructure provider.
+	// +optional
+	EquinixMetal *EquinixMetalPlatformSpec `json:"equinixMetal,omitempty"`
+
+	// powervs contains settings specific to the IBM Power Systems Virtual Servers infrastructure provider.
+	// +optional
+	PowerVS *PowerVSPlatformSpec `json:"powervs,omitempty"`
+
+	// alibabaCloud contains settings specific to the Alibaba Cloud infrastructure provider.
+	// +optional
+	AlibabaCloud *AlibabaCloudPlatformSpec `json:"alibabaCloud,omitempty"`
+
+	// nutanix contains settings specific to the Nutanix infrastructure provider.
+	// +optional
+	Nutanix *NutanixPlatformSpec `json:"nutanix,omitempty"`
+
+	// ExternalPlatformType represents generic infrastructure provider.
+	// Platform-specific components should be supplemented separately.
+	// +optional
+	External *ExternalPlatformSpec `json:"external,omitempty"`
+}
+
+// CloudControllerManagerState defines whether Cloud Controller Manager presence is expected or not
+type CloudControllerManagerState string
+
+const (
+	// Cloud Controller Manager is enabled and expected to be installed.
+	// This value indicates that new nodes should be tainted as uninitialized when created,
+	// preventing them from running workloads until they are initialized by the cloud controller manager.
+	CloudControllerManagerExternal CloudControllerManagerState = "External"
+
+	// Cloud Controller Manager is disabled and not expected to be installed.
+	// This value indicates that new nodes should not be tainted
+	// and no extra node initialization is expected from the cloud controller manager.
+	CloudControllerManagerNone CloudControllerManagerState = "None"
+)
+
+// CloudControllerManagerStatus holds the state of Cloud Controller Manager (a.k.a. CCM or CPI) related settings
+// +kubebuilder:validation:XValidation:rule="(has(self.state) == has(oldSelf.state)) || (!has(oldSelf.state) && self.state != \"External\")",message="state may not be added or removed once set"
+type CloudControllerManagerStatus struct {
+	// state determines whether or not an external Cloud Controller Manager is expected to
+	// be installed within the cluster.
+	// https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/#running-cloud-controller-manager
+	//
+	// Valid values are "External", "None" and omitted.
+	// When set to "External", new nodes will be tainted as uninitialized when created,
+	// preventing them from running workloads until they are initialized by the cloud controller manager.
+	// When omitted or set to "None", new nodes will be not tainted
+	// and no extra initialization from the cloud controller manager is expected.
+	// +kubebuilder:validation:Enum="";External;None
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="state is immutable once set"
+	// +optional
+	State CloudControllerManagerState `json:"state"`
+}
+
+// ExternalPlatformStatus holds the current status of the generic External infrastructure provider.
+// +kubebuilder:validation:XValidation:rule="has(self.cloudControllerManager) == has(oldSelf.cloudControllerManager)",message="cloudControllerManager may not be added or removed once set"
+type ExternalPlatformStatus struct {
+	// cloudControllerManager contains settings specific to the external Cloud Controller Manager (a.k.a. CCM or CPI).
+	// When omitted, new nodes will be not tainted
+	// and no extra initialization from the cloud controller manager is expected.
+	// +optional
+	CloudControllerManager CloudControllerManagerStatus `json:"cloudControllerManager"`
+}
+
+// PlatformStatus holds the current status specific to the underlying infrastructure provider
+// of the current cluster. Since these are used at status-level for the underlying cluster, it
+// is supposed that only one of the status structs is set.
+type PlatformStatus struct {
+	// type is the underlying infrastructure provider for the cluster. This
+	// value controls whether infrastructure automation such as service load
+	// balancers, dynamic volume provisioning, machine creation and deletion, and
+	// other integrations are enabled. If None, no infrastructure automation is
+	// enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt",
+	// "OpenStack", "VSphere", "oVirt", "EquinixMetal", "PowerVS", "AlibabaCloud", "Nutanix" and "None".
+	// Individual components may not support all platforms, and must handle
+	// unrecognized platforms as None if they do not support that platform.
+	//
+	// This value will be synced with to the `status.platform` and `status.platformStatus.type`.
+	// Currently this value cannot be changed once set.
+	Type PlatformType `json:"type"`
+
+	// aws contains settings specific to the Amazon Web Services infrastructure provider.
+	// +optional
+	AWS *AWSPlatformStatus `json:"aws,omitempty"`
+
+	// azure contains settings specific to the Azure infrastructure provider.
+	// +optional
+	Azure *AzurePlatformStatus `json:"azure,omitempty"`
+
+	// gcp contains settings specific to the Google Cloud Platform infrastructure provider.
+	// +optional
+	GCP *GCPPlatformStatus `json:"gcp,omitempty"`
+
+	// baremetal contains settings specific to the BareMetal platform.
+	// +optional
+	BareMetal *BareMetalPlatformStatus `json:"baremetal,omitempty"`
+
+	// openstack contains settings specific to the OpenStack infrastructure provider.
+	// +optional
+	OpenStack *OpenStackPlatformStatus `json:"openstack,omitempty"`
+
+	// ovirt contains settings specific to the oVirt infrastructure provider.
+	// +optional
+	Ovirt *OvirtPlatformStatus `json:"ovirt,omitempty"`
+
+	// vsphere contains settings specific to the VSphere infrastructure provider.
+	// +optional
+	VSphere *VSpherePlatformStatus `json:"vsphere,omitempty"`
+
+	// ibmcloud contains settings specific to the IBMCloud infrastructure provider.
+	// +optional
+	IBMCloud *IBMCloudPlatformStatus `json:"ibmcloud,omitempty"`
+
+	// kubevirt contains settings specific to the kubevirt infrastructure provider.
+	// +optional
+	Kubevirt *KubevirtPlatformStatus `json:"kubevirt,omitempty"`
+
+	// equinixMetal contains settings specific to the Equinix Metal infrastructure provider.
+	// +optional
+	EquinixMetal *EquinixMetalPlatformStatus `json:"equinixMetal,omitempty"`
+
+	// powervs contains settings specific to the Power Systems Virtual Servers infrastructure provider.
+	// +optional
+	PowerVS *PowerVSPlatformStatus `json:"powervs,omitempty"`
+
+	// alibabaCloud contains settings specific to the Alibaba Cloud infrastructure provider.
+	// +optional
+	AlibabaCloud *AlibabaCloudPlatformStatus `json:"alibabaCloud,omitempty"`
+
+	// nutanix contains settings specific to the Nutanix infrastructure provider.
+	// +optional
+	Nutanix *NutanixPlatformStatus `json:"nutanix,omitempty"`
+
+	// external contains settings specific to the generic External infrastructure provider.
+	// +optional
+	External *ExternalPlatformStatus `json:"external,omitempty"`
+}
+
+// AWSServiceEndpoint store the configuration of a custom url to
+// override existing defaults of AWS Services.
+type AWSServiceEndpoint struct {
+	// name is the name of the AWS service.
+	// The list of all the service names can be found at https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html
+	// This must be provided and cannot be empty.
+	//
+	// +kubebuilder:validation:Pattern=`^[a-z0-9-]+$`
+	Name string `json:"name"`
+
+	// url is fully qualified URI with scheme https, that overrides the default generated
+	// endpoint for a client.
+	// This must be provided and cannot be empty.
+	//
+	// +kubebuilder:validation:Pattern=`^https://`
+	URL string `json:"url"`
+}
+
+// AWSPlatformSpec holds the desired state of the Amazon Web Services infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+type AWSPlatformSpec struct {
+	// serviceEndpoints list contains custom endpoints which will override default
+	// service endpoint of AWS Services.
+	// There must be only one ServiceEndpoint for a service.
+	// +listType=atomic
+	// +optional
+	ServiceEndpoints []AWSServiceEndpoint `json:"serviceEndpoints,omitempty"`
+}
+
+// AWSPlatformStatus holds the current status of the Amazon Web Services infrastructure provider.
+type AWSPlatformStatus struct {
+	// region holds the default AWS region for new AWS resources created by the cluster.
+	Region string `json:"region"`
+
+	// serviceEndpoints list contains custom endpoints which will override default
+	// service endpoint of AWS Services.
+	// There must be only one ServiceEndpoint for a service.
+	// +listType=atomic
+	// +optional
+	ServiceEndpoints []AWSServiceEndpoint `json:"serviceEndpoints,omitempty"`
+
+	// resourceTags is a list of additional tags to apply to AWS resources created for the cluster.
+	// See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for information on tagging AWS resources.
+	// AWS supports a maximum of 50 tags per resource. OpenShift reserves 25 tags for its use, leaving 25 tags
+	// available for the user.
+	// +kubebuilder:validation:MaxItems=25
+	// +listType=atomic
+	// +optional
+	ResourceTags []AWSResourceTag `json:"resourceTags,omitempty"`
+
+	// cloudLoadBalancerConfig holds configuration related to DNS and cloud
+	// load balancers. It allows configuration of in-cluster DNS as an alternative
+	// to the platform default DNS implementation.
+	// When using the ClusterHosted DNS type, Load Balancer IP addresses
+	// must be provided for the API and internal API load balancers as well as the
+	// ingress load balancer.
+	//
+	// +default={"dnsType": "PlatformDefault"}
+	// +kubebuilder:default={"dnsType": "PlatformDefault"}
+	// +openshift:enable:FeatureGate=AWSClusterHostedDNS
+	// +optional
+	// +nullable
+	CloudLoadBalancerConfig *CloudLoadBalancerConfig `json:"cloudLoadBalancerConfig,omitempty"`
+}
+
+// AWSResourceTag is a tag to apply to AWS resources created for the cluster.
+type AWSResourceTag struct {
+	// key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag.
+	// Key should consist of between 1 and 128 characters, and may
+	// contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
+	// +kubebuilder:validation:XValidation:rule=`self.matches('^[0-9A-Za-z_.:/=+-@ ]+$')`,message="invalid AWS resource tag key. The string can contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', '@'"
+	// +required
+	Key string `json:"key"`
+	// value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag.
+	// Value should consist of between 1 and 256 characters, and may
+	// contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'.
+	// Some AWS service do not support empty values. Since tags are added to resources in many services, the
+	// length of the tag value must meet the requirements of all services.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	// +kubebuilder:validation:XValidation:rule=`self.matches('^[0-9A-Za-z_.:/=+-@ ]+$')`,message="invalid AWS resource tag value. The string can contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', '@'"
+	// +required
+	Value string `json:"value"`
+}
+
+// AzurePlatformSpec holds the desired state of the Azure infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+type AzurePlatformSpec struct{}
+
+// AzurePlatformStatus holds the current status of the Azure infrastructure provider.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.resourceTags) && !has(self.resourceTags) || has(oldSelf.resourceTags) && has(self.resourceTags)",message="resourceTags may only be configured during installation"
+type AzurePlatformStatus struct {
+	// resourceGroupName is the Resource Group for new Azure resources created for the cluster.
+	ResourceGroupName string `json:"resourceGroupName"`
+
+	// networkResourceGroupName is the Resource Group for network resources like the Virtual Network and Subnets used by the cluster.
+	// If empty, the value is same as ResourceGroupName.
+	// +optional
+	NetworkResourceGroupName string `json:"networkResourceGroupName,omitempty"`
+
+	// cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK
+	// with the appropriate Azure API endpoints.
+	// If empty, the value is equal to `AzurePublicCloud`.
+	// +optional
+	CloudName AzureCloudEnvironment `json:"cloudName,omitempty"`
+
+	// armEndpoint specifies a URL to use for resource management in non-soverign clouds such as Azure Stack.
+	// +optional
+	ARMEndpoint string `json:"armEndpoint,omitempty"`
+
+	// resourceTags is a list of additional tags to apply to Azure resources created for the cluster.
+	// See https://docs.microsoft.com/en-us/rest/api/resources/tags for information on tagging Azure resources.
+	// Due to limitations on Automation, Content Delivery Network, DNS Azure resources, a maximum of 15 tags
+	// may be applied. OpenShift reserves 5 tags for internal use, allowing 10 tags for user configuration.
+	// +kubebuilder:validation:MaxItems=10
+	// +kubebuilder:validation:XValidation:rule="self.all(x, x in oldSelf) && oldSelf.all(x, x in self)",message="resourceTags are immutable and may only be configured during installation"
+	// +listType=atomic
+	// +optional
+	ResourceTags []AzureResourceTag `json:"resourceTags,omitempty"`
+}
+
+// AzureResourceTag is a tag to apply to Azure resources created for the cluster.
+type AzureResourceTag struct {
+	// key is the key part of the tag. A tag key can have a maximum of 128 characters and cannot be empty. Key
+	// must begin with a letter, end with a letter, number or underscore, and must contain only alphanumeric
+	// characters and the following special characters `_ . -`.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
+	// +kubebuilder:validation:Pattern=`^[a-zA-Z]([0-9A-Za-z_.-]*[0-9A-Za-z_])?$`
+	Key string `json:"key"`
+	// value is the value part of the tag. A tag value can have a maximum of 256 characters and cannot be empty. Value
+	// must contain only alphanumeric characters and the following special characters `_ + , - . / : ; < = > ? @`.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	// +kubebuilder:validation:Pattern=`^[0-9A-Za-z_.=+-@]+$`
+	Value string `json:"value"`
+}
+
+// AzureCloudEnvironment is the name of the Azure cloud environment
+// +kubebuilder:validation:Enum="";AzurePublicCloud;AzureUSGovernmentCloud;AzureChinaCloud;AzureGermanCloud;AzureStackCloud
+type AzureCloudEnvironment string
+
+const (
+	// AzurePublicCloud is the general-purpose, public Azure cloud environment.
+	AzurePublicCloud AzureCloudEnvironment = "AzurePublicCloud"
+
+	// AzureUSGovernmentCloud is the Azure cloud environment for the US government.
+	AzureUSGovernmentCloud AzureCloudEnvironment = "AzureUSGovernmentCloud"
+
+	// AzureChinaCloud is the Azure cloud environment used in China.
+	AzureChinaCloud AzureCloudEnvironment = "AzureChinaCloud"
+
+	// AzureGermanCloud is the Azure cloud environment used in Germany.
+	AzureGermanCloud AzureCloudEnvironment = "AzureGermanCloud"
+
+	// AzureStackCloud is the Azure cloud environment used at the edge and on premises.
+	AzureStackCloud AzureCloudEnvironment = "AzureStackCloud"
+)
+
+// GCPServiceEndpointName is the name of the GCP Service Endpoint.
+// +kubebuilder:validation:Enum=Compute;Container;CloudResourceManager;DNS;File;IAM;ServiceUsage;Storage
+type GCPServiceEndpointName string
+
+const (
+	// GCPServiceEndpointNameCompute is the name used for the GCP Compute Service endpoint.
+	GCPServiceEndpointNameCompute GCPServiceEndpointName = "Compute"
+
+	// GCPServiceEndpointNameContainer is the name used for the GCP Container Service endpoint.
+	GCPServiceEndpointNameContainer GCPServiceEndpointName = "Container"
+
+	// GCPServiceEndpointNameCloudResource is the name used for the GCP Resource Manager Service endpoint.
+	GCPServiceEndpointNameCloudResource GCPServiceEndpointName = "CloudResourceManager"
+
+	// GCPServiceEndpointNameDNS is the name used for the GCP DNS Service endpoint.
+	GCPServiceEndpointNameDNS GCPServiceEndpointName = "DNS"
+
+	// GCPServiceEndpointNameFile is the name used for the GCP File Service endpoint.
+	GCPServiceEndpointNameFile GCPServiceEndpointName = "File"
+
+	// GCPServiceEndpointNameIAM is the name used for the GCP IAM Service endpoint.
+	GCPServiceEndpointNameIAM GCPServiceEndpointName = "IAM"
+
+	// GCPServiceEndpointNameServiceUsage is the name used for the GCP Service Usage Service endpoint.
+	GCPServiceEndpointNameServiceUsage GCPServiceEndpointName = "ServiceUsage"
+
+	// GCPServiceEndpointNameStorage is the name used for the GCP Storage Service endpoint.
+	GCPServiceEndpointNameStorage GCPServiceEndpointName = "Storage"
+)
+
+// GCPServiceEndpoint store the configuration of a custom url to
+// override existing defaults of GCP Services.
+type GCPServiceEndpoint struct {
+	// name is the name of the GCP service whose endpoint is being overridden.
+	// This must be provided and cannot be empty.
+	//
+	// Allowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage,
+	// Storage, and TagManager.
+	//
+	// As an example, when setting the name to Compute all requests made by the caller to the GCP Compute
+	// Service will be directed to the endpoint specified in the url field.
+	//
+	// +required
+	Name GCPServiceEndpointName `json:"name"`
+
+	// url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified
+	// in the name field.
+	// url is required, must use the scheme https, must not be more than 253 characters in length,
+	// and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL)
+	//
+	// An example of a valid endpoint that overrides the Compute Service: "https://compute-myendpoint1.p.googleapis.com"
+	//
+	// +required
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:rule="isURL(self)",message="must be a valid URL"
+	// +kubebuilder:validation:XValidation:rule="isURL(self) ? (url(self).getScheme() == \"https\") : true",message="scheme must be https"
+	// +kubebuilder:validation:XValidation:rule="url(self).getEscapedPath() == \"\" || url(self).getEscapedPath() == \"/\"",message="url must consist only of a scheme and domain. The url path must be empty."
+	URL string `json:"url"`
+}
+
+// GCPPlatformSpec holds the desired state of the Google Cloud Platform infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+type GCPPlatformSpec struct{}
+
+// GCPPlatformStatus holds the current status of the Google Cloud Platform infrastructure provider.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.resourceLabels) && !has(self.resourceLabels) || has(oldSelf.resourceLabels) && has(self.resourceLabels)",message="resourceLabels may only be configured during installation"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.resourceTags) && !has(self.resourceTags) || has(oldSelf.resourceTags) && has(self.resourceTags)",message="resourceTags may only be configured during installation"
+type GCPPlatformStatus struct {
+	// resourceGroupName is the Project ID for new GCP resources created for the cluster.
+	ProjectID string `json:"projectID"`
+
+	// region holds the region for new GCP resources created for the cluster.
+	Region string `json:"region"`
+
+	// resourceLabels is a list of additional labels to apply to GCP resources created for the cluster.
+	// See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources.
+	// GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use,
+	// allowing 32 labels for user configuration.
+	// +kubebuilder:validation:MaxItems=32
+	// +kubebuilder:validation:XValidation:rule="self.all(x, x in oldSelf) && oldSelf.all(x, x in self)",message="resourceLabels are immutable and may only be configured during installation"
+	// +listType=map
+	// +listMapKey=key
+	// +optional
+	ResourceLabels []GCPResourceLabel `json:"resourceLabels,omitempty"`
+
+	// resourceTags is a list of additional tags to apply to GCP resources created for the cluster.
+	// See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on
+	// tagging GCP resources. GCP supports a maximum of 50 tags per resource.
+	// +kubebuilder:validation:MaxItems=50
+	// +kubebuilder:validation:XValidation:rule="self.all(x, x in oldSelf) && oldSelf.all(x, x in self)",message="resourceTags are immutable and may only be configured during installation"
+	// +listType=map
+	// +listMapKey=key
+	// +optional
+	ResourceTags []GCPResourceTag `json:"resourceTags,omitempty"`
+
+	// This field was introduced and removed under tech preview.
+	// To avoid conflicts with serialisation, this field name may never be used again.
+	// Tombstone the field as a reminder.
+	// ClusterHostedDNS ClusterHostedDNS `json:"clusterHostedDNS,omitempty"`
+
+	// cloudLoadBalancerConfig holds configuration related to DNS and cloud
+	// load balancers. It allows configuration of in-cluster DNS as an alternative
+	// to the platform default DNS implementation.
+	// When using the ClusterHosted DNS type, Load Balancer IP addresses
+	// must be provided for the API and internal API load balancers as well as the
+	// ingress load balancer.
+	//
+	// +default={"dnsType": "PlatformDefault"}
+	// +kubebuilder:default={"dnsType": "PlatformDefault"}
+	// +openshift:enable:FeatureGate=GCPClusterHostedDNS
+	// +optional
+	// +nullable
+	CloudLoadBalancerConfig *CloudLoadBalancerConfig `json:"cloudLoadBalancerConfig,omitempty"`
+
+	// serviceEndpoints specifies endpoints that override the default endpoints
+	// used when creating clients to interact with GCP services.
+	// When not specified, the default endpoint for the GCP region will be used.
+	// Only 1 endpoint override is permitted for each GCP service.
+	// The maximum number of endpoint overrides allowed is 9.
+	// +listType=map
+	// +listMapKey=name
+	// +kubebuilder:validation:MaxItems=8
+	// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.name == y.name))",message="only 1 endpoint override is permitted per GCP service name"
+	// +optional
+	// +openshift:enable:FeatureGate=GCPCustomAPIEndpoints
+	ServiceEndpoints []GCPServiceEndpoint `json:"serviceEndpoints,omitempty"`
+}
+
+// GCPResourceLabel is a label to apply to GCP resources created for the cluster.
+type GCPResourceLabel struct {
+	// key is the key part of the label. A label key can have a maximum of 63 characters and cannot be empty.
+	// Label key must begin with a lowercase letter, and must contain only lowercase letters, numeric characters,
+	// and the following special characters `_-`. Label key must not have the reserved prefixes `kubernetes-io`
+	// and `openshift-io`.
+	// +kubebuilder:validation:XValidation:rule="!self.startsWith('openshift-io') && !self.startsWith('kubernetes-io')",message="label keys must not start with either `openshift-io` or `kubernetes-io`"
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +kubebuilder:validation:Pattern=`^[a-z][0-9a-z_-]{0,62}$`
+	Key string `json:"key"`
+
+	// value is the value part of the label. A label value can have a maximum of 63 characters and cannot be empty.
+	// Value must contain only lowercase letters, numeric characters, and the following special characters `_-`.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +kubebuilder:validation:Pattern=`^[0-9a-z_-]{1,63}$`
+	Value string `json:"value"`
+}
+
+// GCPResourceTag is a tag to apply to GCP resources created for the cluster.
+type GCPResourceTag struct {
+	// parentID is the ID of the hierarchical resource where the tags are defined,
+	// e.g. at the Organization or the Project level. To find the Organization or Project ID refer to the following pages:
+	// https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id,
+	// https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects.
+	// An OrganizationID must consist of decimal numbers, and cannot have leading zeroes.
+	// A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, numbers,
+	// and hyphens, and must start with a letter, and cannot end with a hyphen.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=32
+	// +kubebuilder:validation:Pattern=`(^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$)`
+	ParentID string `json:"parentID"`
+
+	// key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot be empty.
+	// Tag key must begin and end with an alphanumeric character, and must contain only uppercase, lowercase
+	// alphanumeric characters, and the following special characters `._-`.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +kubebuilder:validation:Pattern=`^[a-zA-Z0-9]([0-9A-Za-z_.-]{0,61}[a-zA-Z0-9])?$`
+	Key string `json:"key"`
+
+	// value is the value part of the tag. A tag value can have a maximum of 63 characters and cannot be empty.
+	// Tag value must begin and end with an alphanumeric character, and must contain only uppercase, lowercase
+	// alphanumeric characters, and the following special characters `_-.@%=+:,*#&(){}[]` and spaces.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +kubebuilder:validation:Pattern=`^[a-zA-Z0-9]([0-9A-Za-z_.@%=+:,*#&()\[\]{}\-\s]{0,61}[a-zA-Z0-9])?$`
+	Value string `json:"value"`
+}
+
+// CloudLoadBalancerConfig contains an union discriminator indicating the type of DNS
+// solution in use within the cluster. When the DNSType is `ClusterHosted`, the cloud's
+// Load Balancer configuration needs to be provided so that the DNS solution hosted
+// within the cluster can be configured with those values.
+// +kubebuilder:validation:XValidation:rule="has(self.dnsType) && self.dnsType != 'ClusterHosted' ? !has(self.clusterHosted) : true",message="clusterHosted is permitted only when dnsType is ClusterHosted"
+// +union
+type CloudLoadBalancerConfig struct {
+	// dnsType indicates the type of DNS solution in use within the cluster. Its default value of
+	// `PlatformDefault` indicates that the cluster's DNS is the default provided by the cloud platform.
+	// It can be set to `ClusterHosted` to bypass the configuration of the cloud default DNS. In this mode,
+	// the cluster needs to provide a self-hosted DNS solution for the cluster's installation to succeed.
+	// The cluster's use of the cloud's Load Balancers is unaffected by this setting.
+	// The value is immutable after it has been set at install time.
+	// Currently, there is no way for the customer to add additional DNS entries into the cluster hosted DNS.
+	// Enabling this functionality allows the user to start their own DNS solution outside the cluster after
+	// installation is complete. The customer would be responsible for configuring this custom DNS solution,
+	// and it can be run in addition to the in-cluster DNS solution.
+	// +default="PlatformDefault"
+	// +kubebuilder:default:="PlatformDefault"
+	// +kubebuilder:validation:Enum="ClusterHosted";"PlatformDefault"
+	// +kubebuilder:validation:XValidation:rule="oldSelf == '' || self == oldSelf",message="dnsType is immutable"
+	// +optional
+	// +unionDiscriminator
+	DNSType DNSType `json:"dnsType,omitempty"`
+
+	// clusterHosted holds the IP addresses of API, API-Int and Ingress Load
+	// Balancers on Cloud Platforms. The DNS solution hosted within the cluster
+	// use these IP addresses to provide resolution for API, API-Int and Ingress
+	// services.
+	// +optional
+	// +unionMember,optional
+	ClusterHosted *CloudLoadBalancerIPs `json:"clusterHosted,omitempty"`
+}
+
+// CloudLoadBalancerIPs contains the Load Balancer IPs for the cloud's API,
+// API-Int and Ingress Load balancers. They will be populated as soon as the
+// respective Load Balancers have been configured. These values are utilized
+// to configure the DNS solution hosted within the cluster.
+type CloudLoadBalancerIPs struct {
+	// apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service.
+	// These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses.
+	// Entries in the apiIntLoadBalancerIPs must be unique.
+	// A maximum of 16 IP addresses are permitted.
+	// +kubebuilder:validation:Format=ip
+	// +listType=set
+	// +kubebuilder:validation:MaxItems=16
+	// +optional
+	APIIntLoadBalancerIPs []IP `json:"apiIntLoadBalancerIPs,omitempty"`
+
+	// apiLoadBalancerIPs holds Load Balancer IPs for the API service.
+	// These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses.
+	// Could be empty for private clusters.
+	// Entries in the apiLoadBalancerIPs must be unique.
+	// A maximum of 16 IP addresses are permitted.
+	// +kubebuilder:validation:Format=ip
+	// +listType=set
+	// +kubebuilder:validation:MaxItems=16
+	// +optional
+	APILoadBalancerIPs []IP `json:"apiLoadBalancerIPs,omitempty"`
+
+	// ingressLoadBalancerIPs holds IPs for Ingress Load Balancers.
+	// These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses.
+	// Entries in the ingressLoadBalancerIPs must be unique.
+	// A maximum of 16 IP addresses are permitted.
+	// +kubebuilder:validation:Format=ip
+	// +listType=set
+	// +kubebuilder:validation:MaxItems=16
+	// +optional
+	IngressLoadBalancerIPs []IP `json:"ingressLoadBalancerIPs,omitempty"`
+}
+
+// BareMetalPlatformLoadBalancer defines the load balancer used by the cluster on BareMetal platform.
+// +union
+type BareMetalPlatformLoadBalancer struct {
+	// type defines the type of load balancer used by the cluster on BareMetal platform
+	// which can be a user-managed or openshift-managed load balancer
+	// that is to be used for the OpenShift API and Ingress endpoints.
+	// When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing
+	// defined in the machine config operator will be deployed.
+	// When set to UserManaged these static pods will not be deployed and it is expected that
+	// the load balancer is configured out of band by the deployer.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default.
+	// The default value is OpenShiftManagedDefault.
+	// +default="OpenShiftManagedDefault"
+	// +kubebuilder:default:="OpenShiftManagedDefault"
+	// +kubebuilder:validation:Enum:="OpenShiftManagedDefault";"UserManaged"
+	// +kubebuilder:validation:XValidation:rule="oldSelf == '' || self == oldSelf",message="type is immutable once set"
+	// +optional
+	// +unionDiscriminator
+	Type PlatformLoadBalancerType `json:"type,omitempty"`
+}
+
+// BareMetalPlatformSpec holds the desired state of the BareMetal infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)",message="apiServerInternalIPs list is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.ingressIPs) || has(self.ingressIPs)",message="ingressIPs list is required once set"
+type BareMetalPlatformSpec struct {
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers.
+	// In dual stack clusters this list contains two IP addresses, one from IPv4
+	// family and one from IPv6.
+	// In single stack clusters a single IP address is expected.
+	// When omitted, values from the status.apiServerInternalIPs will be used.
+	// Once set, the list cannot be completely removed (but its second entry can).
+	//
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true",message="apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=atomic
+	// +optional
+	APIServerInternalIPs []IP `json:"apiServerInternalIPs"`
+
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names.
+	// In dual stack clusters this list contains two IP addresses, one from IPv4
+	// family and one from IPv6.
+	// In single stack clusters a single IP address is expected.
+	// When omitted, values from the status.ingressIPs will be used.
+	// Once set, the list cannot be completely removed (but its second entry can).
+	//
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true",message="ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=atomic
+	// +optional
+	IngressIPs []IP `json:"ingressIPs"`
+
+	// machineNetworks are IP networks used to connect all the OpenShift cluster
+	// nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6,
+	// for example "10.0.0.0/8" or "fd00::/8".
+	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=32
+	// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))"
+	// +optional
+	MachineNetworks []CIDR `json:"machineNetworks"`
+}
+
+// BareMetalPlatformStatus holds the current status of the BareMetal infrastructure provider.
+// For more information about the network architecture used with the BareMetal platform type, see:
+// https://github.com/openshift/installer/blob/master/docs/design/baremetal/networking-infrastructure.md
+type BareMetalPlatformStatus struct {
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	//
+	// Deprecated: Use APIServerInternalIPs instead.
+	APIServerInternalIP string `json:"apiServerInternalIP,omitempty"`
+
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers. In dual
+	// stack clusters this list contains two IPs otherwise only one.
+	//
+	// +kubebuilder:validation:Format=ip
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf || (size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true)",message="apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=atomic
+	APIServerInternalIPs []string `json:"apiServerInternalIPs"`
+
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	//
+	// Deprecated: Use IngressIPs instead.
+	IngressIP string `json:"ingressIP,omitempty"`
+
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names. In dual stack clusters this list
+	// contains two IPs otherwise only one.
+	//
+	// +kubebuilder:validation:Format=ip
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf || (size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true)",message="ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=atomic
+	IngressIPs []string `json:"ingressIPs"`
+
+	// nodeDNSIP is the IP address for the internal DNS used by the
+	// nodes. Unlike the one managed by the DNS operator, `NodeDNSIP`
+	// provides name resolution for the nodes themselves. There is no DNS-as-a-service for
+	// BareMetal deployments. In order to minimize necessary changes to the
+	// datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames
+	// to the nodes in the cluster.
+	NodeDNSIP string `json:"nodeDNSIP,omitempty"`
+
+	// loadBalancer defines how the load balancer used by the cluster is configured.
+	// +default={"type": "OpenShiftManagedDefault"}
+	// +kubebuilder:default={"type": "OpenShiftManagedDefault"}
+	// +optional
+	LoadBalancer *BareMetalPlatformLoadBalancer `json:"loadBalancer,omitempty"`
+
+	// machineNetworks are IP networks used to connect all the OpenShift cluster nodes.
+	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=32
+	// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))"
+	// +optional
+	MachineNetworks []CIDR `json:"machineNetworks"`
+}
+
+// OpenStackPlatformLoadBalancer defines the load balancer used by the cluster on OpenStack platform.
+// +union
+type OpenStackPlatformLoadBalancer struct {
+	// type defines the type of load balancer used by the cluster on OpenStack platform
+	// which can be a user-managed or openshift-managed load balancer
+	// that is to be used for the OpenShift API and Ingress endpoints.
+	// When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing
+	// defined in the machine config operator will be deployed.
+	// When set to UserManaged these static pods will not be deployed and it is expected that
+	// the load balancer is configured out of band by the deployer.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default.
+	// The default value is OpenShiftManagedDefault.
+	// +default="OpenShiftManagedDefault"
+	// +kubebuilder:default:="OpenShiftManagedDefault"
+	// +kubebuilder:validation:Enum:="OpenShiftManagedDefault";"UserManaged"
+	// +kubebuilder:validation:XValidation:rule="oldSelf == '' || self == oldSelf",message="type is immutable once set"
+	// +optional
+	// +unionDiscriminator
+	Type PlatformLoadBalancerType `json:"type,omitempty"`
+}
+
+// OpenStackPlatformSpec holds the desired state of the OpenStack infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)",message="apiServerInternalIPs list is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.ingressIPs) || has(self.ingressIPs)",message="ingressIPs list is required once set"
+type OpenStackPlatformSpec struct {
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers.
+	// In dual stack clusters this list contains two IP addresses, one from IPv4
+	// family and one from IPv6.
+	// In single stack clusters a single IP address is expected.
+	// When omitted, values from the status.apiServerInternalIPs will be used.
+	// Once set, the list cannot be completely removed (but its second entry can).
+	//
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true",message="apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=atomic
+	// +optional
+	APIServerInternalIPs []IP `json:"apiServerInternalIPs"`
+
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names.
+	// In dual stack clusters this list contains two IP addresses, one from IPv4
+	// family and one from IPv6.
+	// In single stack clusters a single IP address is expected.
+	// When omitted, values from the status.ingressIPs will be used.
+	// Once set, the list cannot be completely removed (but its second entry can).
+	//
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true",message="ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=atomic
+	// +optional
+	IngressIPs []IP `json:"ingressIPs"`
+
+	// machineNetworks are IP networks used to connect all the OpenShift cluster
+	// nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6,
+	// for example "10.0.0.0/8" or "fd00::/8".
+	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=32
+	// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))"
+	// +optional
+	MachineNetworks []CIDR `json:"machineNetworks"`
+}
+
+// OpenStackPlatformStatus holds the current status of the OpenStack infrastructure provider.
+type OpenStackPlatformStatus struct {
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	//
+	// Deprecated: Use APIServerInternalIPs instead.
+	APIServerInternalIP string `json:"apiServerInternalIP,omitempty"`
+
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers. In dual
+	// stack clusters this list contains two IPs otherwise only one.
+	//
+	// +kubebuilder:validation:Format=ip
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf || (size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true)",message="apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=atomic
+	APIServerInternalIPs []string `json:"apiServerInternalIPs"`
+
+	// cloudName is the name of the desired OpenStack cloud in the
+	// client configuration file (`clouds.yaml`).
+	CloudName string `json:"cloudName,omitempty"`
+
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	//
+	// Deprecated: Use IngressIPs instead.
+	IngressIP string `json:"ingressIP,omitempty"`
+
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names. In dual stack clusters this list
+	// contains two IPs otherwise only one.
+	//
+	// +kubebuilder:validation:Format=ip
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf || (size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true)",message="ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=atomic
+	IngressIPs []string `json:"ingressIPs"`
+
+	// nodeDNSIP is the IP address for the internal DNS used by the
+	// nodes. Unlike the one managed by the DNS operator, `NodeDNSIP`
+	// provides name resolution for the nodes themselves. There is no DNS-as-a-service for
+	// OpenStack deployments. In order to minimize necessary changes to the
+	// datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames
+	// to the nodes in the cluster.
+	NodeDNSIP string `json:"nodeDNSIP,omitempty"`
+
+	// loadBalancer defines how the load balancer used by the cluster is configured.
+	// +default={"type": "OpenShiftManagedDefault"}
+	// +kubebuilder:default={"type": "OpenShiftManagedDefault"}
+	// +optional
+	LoadBalancer *OpenStackPlatformLoadBalancer `json:"loadBalancer,omitempty"`
+
+	// machineNetworks are IP networks used to connect all the OpenShift cluster nodes.
+	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=32
+	// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))"
+	// +optional
+	MachineNetworks []CIDR `json:"machineNetworks"`
+}
+
+// OvirtPlatformLoadBalancer defines the load balancer used by the cluster on Ovirt platform.
+// +union
+type OvirtPlatformLoadBalancer struct {
+	// type defines the type of load balancer used by the cluster on Ovirt platform
+	// which can be a user-managed or openshift-managed load balancer
+	// that is to be used for the OpenShift API and Ingress endpoints.
+	// When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing
+	// defined in the machine config operator will be deployed.
+	// When set to UserManaged these static pods will not be deployed and it is expected that
+	// the load balancer is configured out of band by the deployer.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default.
+	// The default value is OpenShiftManagedDefault.
+	// +default="OpenShiftManagedDefault"
+	// +kubebuilder:default:="OpenShiftManagedDefault"
+	// +kubebuilder:validation:Enum:="OpenShiftManagedDefault";"UserManaged"
+	// +kubebuilder:validation:XValidation:rule="oldSelf == '' || self == oldSelf",message="type is immutable once set"
+	// +optional
+	// +unionDiscriminator
+	Type PlatformLoadBalancerType `json:"type,omitempty"`
+}
+
+// OvirtPlatformSpec holds the desired state of the oVirt infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+type OvirtPlatformSpec struct{}
+
+// OvirtPlatformStatus holds the current status of the  oVirt infrastructure provider.
+type OvirtPlatformStatus struct {
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	//
+	// Deprecated: Use APIServerInternalIPs instead.
+	APIServerInternalIP string `json:"apiServerInternalIP,omitempty"`
+
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers. In dual
+	// stack clusters this list contains two IPs otherwise only one.
+	//
+	// +kubebuilder:validation:Format=ip
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf || (size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true)",message="apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=set
+	APIServerInternalIPs []string `json:"apiServerInternalIPs"`
+
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	//
+	// Deprecated: Use IngressIPs instead.
+	IngressIP string `json:"ingressIP,omitempty"`
+
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names. In dual stack clusters this list
+	// contains two IPs otherwise only one.
+	//
+	// +kubebuilder:validation:Format=ip
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf || (size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true)",message="ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=set
+	IngressIPs []string `json:"ingressIPs"`
+
+	// deprecated: as of 4.6, this field is no longer set or honored.  It will be removed in a future release.
+	NodeDNSIP string `json:"nodeDNSIP,omitempty"`
+
+	// loadBalancer defines how the load balancer used by the cluster is configured.
+	// +default={"type": "OpenShiftManagedDefault"}
+	// +kubebuilder:default={"type": "OpenShiftManagedDefault"}
+	// +optional
+	LoadBalancer *OvirtPlatformLoadBalancer `json:"loadBalancer,omitempty"`
+}
+
+// VSpherePlatformLoadBalancer defines the load balancer used by the cluster on VSphere platform.
+// +union
+type VSpherePlatformLoadBalancer struct {
+	// type defines the type of load balancer used by the cluster on VSphere platform
+	// which can be a user-managed or openshift-managed load balancer
+	// that is to be used for the OpenShift API and Ingress endpoints.
+	// When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing
+	// defined in the machine config operator will be deployed.
+	// When set to UserManaged these static pods will not be deployed and it is expected that
+	// the load balancer is configured out of band by the deployer.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default.
+	// The default value is OpenShiftManagedDefault.
+	// +default="OpenShiftManagedDefault"
+	// +kubebuilder:default:="OpenShiftManagedDefault"
+	// +kubebuilder:validation:Enum:="OpenShiftManagedDefault";"UserManaged"
+	// +kubebuilder:validation:XValidation:rule="oldSelf == '' || self == oldSelf",message="type is immutable once set"
+	// +optional
+	// +unionDiscriminator
+	Type PlatformLoadBalancerType `json:"type,omitempty"`
+}
+
+// The VSphereFailureDomainZoneType is a string representation of a failure domain
+// zone type. There are two supportable types HostGroup and ComputeCluster
+// +enum
+type VSphereFailureDomainZoneType string
+
+// The VSphereFailureDomainRegionType is a string representation of a failure domain
+// region type. There are two supportable types ComputeCluster and Datacenter
+// +enum
+type VSphereFailureDomainRegionType string
+
+const (
+	// HostGroupFailureDomainZone is a failure domain zone for a vCenter vm-host group.
+	HostGroupFailureDomainZone VSphereFailureDomainZoneType = "HostGroup"
+	// ComputeClusterFailureDomainZone is a failure domain zone for a vCenter compute cluster.
+	ComputeClusterFailureDomainZone VSphereFailureDomainZoneType = "ComputeCluster"
+	// DatacenterFailureDomainRegion is a failure domain region for a vCenter datacenter.
+	DatacenterFailureDomainRegion VSphereFailureDomainRegionType = "Datacenter"
+	// ComputeClusterFailureDomainRegion is a failure domain region for a vCenter compute cluster.
+	ComputeClusterFailureDomainRegion VSphereFailureDomainRegionType = "ComputeCluster"
+)
+
+// VSpherePlatformFailureDomainSpec holds the region and zone failure domain and the vCenter topology of that failure domain.
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=VSphereHostVMGroupZonal,rule="has(self.zoneAffinity) && self.zoneAffinity.type == 'HostGroup' ?  has(self.regionAffinity) && self.regionAffinity.type == 'ComputeCluster' : true",message="when zoneAffinity type is HostGroup, regionAffinity type must be ComputeCluster"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=VSphereHostVMGroupZonal,rule="has(self.zoneAffinity) && self.zoneAffinity.type == 'ComputeCluster' ?  has(self.regionAffinity) && self.regionAffinity.type == 'Datacenter' : true",message="when zoneAffinity type is ComputeCluster, regionAffinity type must be Datacenter"
+type VSpherePlatformFailureDomainSpec struct {
+	// name defines the arbitrary but unique name
+	// of a failure domain.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	Name string `json:"name"`
+
+	// region defines the name of a region tag that will
+	// be attached to a vCenter datacenter. The tag
+	// category in vCenter must be named openshift-region.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=80
+	// +required
+	Region string `json:"region"`
+
+	// zone defines the name of a zone tag that will
+	// be attached to a vCenter cluster. The tag
+	// category in vCenter must be named openshift-zone.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=80
+	// +required
+	Zone string `json:"zone"`
+
+	// regionAffinity holds the type of region, Datacenter or ComputeCluster.
+	// When set to Datacenter, this means the region is a vCenter Datacenter as defined in topology.
+	// When set to ComputeCluster, this means the region is a vCenter Cluster as defined in topology.
+	// +openshift:validation:featureGate=VSphereHostVMGroupZonal
+	// +optional
+	RegionAffinity *VSphereFailureDomainRegionAffinity `json:"regionAffinity,omitempty"`
+
+	// zoneAffinity holds the type of the zone and the hostGroup which
+	// vmGroup and the hostGroup names in vCenter corresponds to
+	// a vm-host group of type Virtual Machine and Host respectively. Is also
+	// contains the vmHostRule which is an affinity vm-host rule in vCenter.
+	// +openshift:validation:featureGate=VSphereHostVMGroupZonal
+	// +optional
+	ZoneAffinity *VSphereFailureDomainZoneAffinity `json:"zoneAffinity,omitempty"`
+
+	// server is the fully-qualified domain name or the IP address of the vCenter server.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// ---
+	// + Validation is applied via a patch, we validate the format as either ipv4, ipv6 or hostname
+	Server string `json:"server"`
+
+	// topology describes a given failure domain using vSphere constructs
+	// +required
+	Topology VSpherePlatformTopology `json:"topology"`
+}
+
+// VSpherePlatformTopology holds the required and optional vCenter objects - datacenter,
+// computeCluster, networks, datastore and resourcePool - to provision virtual machines.
+type VSpherePlatformTopology struct {
+	// datacenter is the name of vCenter datacenter in which virtual machines will be located.
+	// The maximum length of the datacenter name is 80 characters.
+	// +required
+	// +kubebuilder:validation:MaxLength=80
+	Datacenter string `json:"datacenter"`
+
+	// computeCluster the absolute path of the vCenter cluster
+	// in which virtual machine will be located.
+	// The absolute path is of the form /<datacenter>/host/<cluster>.
+	// The maximum length of the path is 2048 characters.
+	// +required
+	// +kubebuilder:validation:MaxLength=2048
+	// +kubebuilder:validation:Pattern=`^/.*?/host/.*?`
+	ComputeCluster string `json:"computeCluster"`
+
+	// networks is the list of port group network names within this failure domain.
+	// If feature gate VSphereMultiNetworks is enabled, up to 10 network adapters may be defined.
+	// 10 is the maximum number of virtual network devices which may be attached to a VM as defined by:
+	// https://configmax.esp.vmware.com/guest?vmwareproduct=vSphere&release=vSphere%208.0&categories=1-0
+	// The available networks (port groups) can be listed using
+	// `govc ls 'network/*'`
+	// Networks should be in the form of an absolute path:
+	// /<datacenter>/network/<portgroup>.
+	// +required
+	// +openshift:validation:FeatureGateAwareMaxItems:featureGate="",maxItems=1
+	// +openshift:validation:FeatureGateAwareMaxItems:featureGate=VSphereMultiNetworks,maxItems=10
+	// +kubebuilder:validation:MinItems=1
+	// +listType=atomic
+	Networks []string `json:"networks"`
+
+	// datastore is the absolute path of the datastore in which the
+	// virtual machine is located.
+	// The absolute path is of the form /<datacenter>/datastore/<datastore>
+	// The maximum length of the path is 2048 characters.
+	// +required
+	// +kubebuilder:validation:MaxLength=2048
+	// +kubebuilder:validation:Pattern=`^/.*?/datastore/.*?`
+	Datastore string `json:"datastore"`
+
+	// resourcePool is the absolute path of the resource pool where virtual machines will be
+	// created. The absolute path is of the form /<datacenter>/host/<cluster>/Resources/<resourcepool>.
+	// The maximum length of the path is 2048 characters.
+	// +kubebuilder:validation:MaxLength=2048
+	// +kubebuilder:validation:Pattern=`^/.*?/host/.*?/Resources.*`
+	// +optional
+	ResourcePool string `json:"resourcePool,omitempty"`
+
+	// folder is the absolute path of the folder where
+	// virtual machines are located. The absolute path
+	// is of the form /<datacenter>/vm/<folder>.
+	// The maximum length of the path is 2048 characters.
+	// +kubebuilder:validation:MaxLength=2048
+	// +kubebuilder:validation:Pattern=`^/.*?/vm/.*?`
+	// +optional
+	Folder string `json:"folder,omitempty"`
+
+	// template is the full inventory path of the virtual machine or template
+	// that will be cloned when creating new machines in this failure domain.
+	// The maximum length of the path is 2048 characters.
+	//
+	// When omitted, the template will be calculated by the control plane
+	// machineset operator based on the region and zone defined in
+	// VSpherePlatformFailureDomainSpec.
+	// For example, for zone=zonea, region=region1, and infrastructure name=test,
+	// the template path would be calculated as /<datacenter>/vm/test-rhcos-region1-zonea.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=2048
+	// +kubebuilder:validation:Pattern=`^/.*?/vm/.*?`
+	// +optional
+	Template string `json:"template,omitempty"`
+}
+
+// VSphereFailureDomainZoneAffinity contains the vCenter cluster vm-host group (virtual machine and host types)
+// and the vm-host affinity rule that together creates an affinity configuration for vm-host based zonal.
+// This configuration within vCenter creates the required association between a failure domain, virtual machines
+// and ESXi hosts to create a vm-host based zone.
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'HostGroup' ?  has(self.hostGroup) : !has(self.hostGroup)",message="hostGroup is required when type is HostGroup, and forbidden otherwise"
+// +union
+type VSphereFailureDomainZoneAffinity struct {
+	// type determines the vSphere object type for a zone within this failure domain.
+	// Available types are ComputeCluster and HostGroup.
+	// When set to ComputeCluster, this means the vCenter cluster defined is the zone.
+	// When set to HostGroup, hostGroup must be configured with hostGroup, vmGroup and vmHostRule and
+	// this means the zone is defined by the grouping of those fields.
+	// +kubebuilder:validation:Enum:=HostGroup;ComputeCluster
+	// +required
+	// +unionDiscriminator
+	Type VSphereFailureDomainZoneType `json:"type"`
+
+	// hostGroup holds the vmGroup and the hostGroup names in vCenter
+	// corresponds to a vm-host group of type Virtual Machine and Host respectively. Is also
+	// contains the vmHostRule which is an affinity vm-host rule in vCenter.
+	// +unionMember
+	// +optional
+	HostGroup *VSphereFailureDomainHostGroup `json:"hostGroup,omitempty"`
+}
+
+// VSphereFailureDomainRegionAffinity contains the region type which is the string representation of the
+// VSphereFailureDomainRegionType with available options of Datacenter and ComputeCluster.
+// +union
+type VSphereFailureDomainRegionAffinity struct {
+	// type determines the vSphere object type for a region within this failure domain.
+	// Available types are Datacenter and ComputeCluster.
+	// When set to Datacenter, this means the vCenter Datacenter defined is the region.
+	// When set to ComputeCluster, this means the vCenter cluster defined is the region.
+	// +kubebuilder:validation:Enum:=ComputeCluster;Datacenter
+	// +required
+	// +unionDiscriminator
+	Type VSphereFailureDomainRegionType `json:"type"`
+}
+
+// VSphereFailureDomainHostGroup holds the vmGroup and the hostGroup names in vCenter
+// corresponds to a vm-host group of type Virtual Machine and Host respectively. Is also
+// contains the vmHostRule which is an affinity vm-host rule in vCenter.
+type VSphereFailureDomainHostGroup struct {
+	// vmGroup is the name of the vm-host group of type virtual machine within vCenter for this failure domain.
+	// vmGroup is limited to 80 characters.
+	// This field is required when the VSphereFailureDomain ZoneType is HostGroup
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=80
+	// +required
+	VMGroup string `json:"vmGroup"`
+
+	// hostGroup is the name of the vm-host group of type host within vCenter for this failure domain.
+	// hostGroup is limited to 80 characters.
+	// This field is required when the VSphereFailureDomain ZoneType is HostGroup
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=80
+	// +required
+	HostGroup string `json:"hostGroup"`
+
+	// vmHostRule is the name of the affinity vm-host rule within vCenter for this failure domain.
+	// vmHostRule is limited to 80 characters.
+	// This field is required when the VSphereFailureDomain ZoneType is HostGroup
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=80
+	// +required
+	VMHostRule string `json:"vmHostRule"`
+}
+
+// VSpherePlatformVCenterSpec stores the vCenter connection fields.
+// This is used by the vSphere CCM.
+type VSpherePlatformVCenterSpec struct {
+
+	// server is the fully-qualified domain name or the IP address of the vCenter server.
+	// +required
+	// +kubebuilder:validation:MaxLength=255
+	// ---
+	// + Validation is applied via a patch, we validate the format as either ipv4, ipv6 or hostname
+	Server string `json:"server"`
+
+	// port is the TCP port that will be used to communicate to
+	// the vCenter endpoint.
+	// When omitted, this means the user has no opinion and
+	// it is up to the platform to choose a sensible default,
+	// which is subject to change over time.
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=32767
+	// +optional
+	Port int32 `json:"port,omitempty"`
+
+	// The vCenter Datacenters in which the RHCOS
+	// vm guests are located. This field will
+	// be used by the Cloud Controller Manager.
+	// Each datacenter listed here should be used within
+	// a topology.
+	// +required
+	// +kubebuilder:validation:MinItems=1
+	// +listType=set
+	Datacenters []string `json:"datacenters"`
+}
+
+// VSpherePlatformNodeNetworkingSpec holds the network CIDR(s) and port group name for
+// including and excluding IP ranges in the cloud provider.
+// This would be used for example when multiple network adapters are attached to
+// a guest to help determine which IP address the cloud config manager should use
+// for the external and internal node networking.
+type VSpherePlatformNodeNetworkingSpec struct {
+	// networkSubnetCidr IP address on VirtualMachine's network interfaces included in the fields' CIDRs
+	// that will be used in respective status.addresses fields.
+	// ---
+	// + Validation is applied via a patch, we validate the format as cidr
+	// +listType=set
+	// +optional
+	NetworkSubnetCIDR []string `json:"networkSubnetCidr,omitempty"`
+
+	// network VirtualMachine's VM Network names that will be used to when searching
+	// for status.addresses fields. Note that if internal.networkSubnetCIDR and
+	// external.networkSubnetCIDR are not set, then the vNIC associated to this network must
+	// only have a single IP address assigned to it.
+	// The available networks (port groups) can be listed using
+	// `govc ls 'network/*'`
+	// +optional
+	Network string `json:"network,omitempty"`
+
+	// excludeNetworkSubnetCidr IP addresses in subnet ranges will be excluded when selecting
+	// the IP address from the VirtualMachine's VM for use in the status.addresses fields.
+	// ---
+	// + Validation is applied via a patch, we validate the format as cidr
+	// +listType=atomic
+	// +optional
+	ExcludeNetworkSubnetCIDR []string `json:"excludeNetworkSubnetCidr,omitempty"`
+}
+
+// VSpherePlatformNodeNetworking holds the external and internal node networking spec.
+type VSpherePlatformNodeNetworking struct {
+	// external represents the network configuration of the node that is externally routable.
+	// +optional
+	External VSpherePlatformNodeNetworkingSpec `json:"external"`
+	// internal represents the network configuration of the node that is routable only within the cluster.
+	// +optional
+	Internal VSpherePlatformNodeNetworkingSpec `json:"internal"`
+}
+
+// VSpherePlatformSpec holds the desired state of the vSphere infrastructure provider.
+// In the future the cloud provider operator, storage operator and machine operator will
+// use these fields for configuration.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.apiServerInternalIPs) || has(self.apiServerInternalIPs)",message="apiServerInternalIPs list is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.ingressIPs) || has(self.ingressIPs)",message="ingressIPs list is required once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.vcenters) && has(self.vcenters) ? size(self.vcenters) < 2 : true",message="vcenters can have at most 1 item when configured post-install"
+type VSpherePlatformSpec struct {
+	// vcenters holds the connection details for services to communicate with vCenter.
+	// Currently, only a single vCenter is supported, but in tech preview 3 vCenters are supported.
+	// Once the cluster has been installed, you are unable to change the current number of defined
+	// vCenters except in the case where the cluster has been upgraded from a version of OpenShift
+	// where the vsphere platform spec was not present.  You may make modifications to the existing
+	// vCenters that are defined in the vcenters list in order to match with any added or modified
+	// failure domains.
+	// ---
+	// + If VCenters is not defined use the existing cloud-config configmap defined
+	// + in openshift-config.
+	// +kubebuilder:validation:MinItems=0
+	// +kubebuilder:validation:MaxItems=3
+	// +kubebuilder:validation:XValidation:rule="size(self) != size(oldSelf) ? size(oldSelf) == 0 && size(self) < 2 : true",message="vcenters cannot be added or removed once set"
+	// +listType=atomic
+	// +optional
+	VCenters []VSpherePlatformVCenterSpec `json:"vcenters,omitempty"`
+
+	// failureDomains contains the definition of region, zone and the vCenter topology.
+	// If this is omitted failure domains (regions and zones) will not be used.
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	FailureDomains []VSpherePlatformFailureDomainSpec `json:"failureDomains,omitempty"`
+
+	// nodeNetworking contains the definition of internal and external network constraints for
+	// assigning the node's networking.
+	// If this field is omitted, networking defaults to the legacy
+	// address selection behavior which is to only support a single address and
+	// return the first one found.
+	// +optional
+	NodeNetworking VSpherePlatformNodeNetworking `json:"nodeNetworking,omitempty"`
+
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers.
+	// In dual stack clusters this list contains two IP addresses, one from IPv4
+	// family and one from IPv6.
+	// In single stack clusters a single IP address is expected.
+	// When omitted, values from the status.apiServerInternalIPs will be used.
+	// Once set, the list cannot be completely removed (but its second entry can).
+	//
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true",message="apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=atomic
+	// +optional
+	APIServerInternalIPs []IP `json:"apiServerInternalIPs"`
+
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names.
+	// In dual stack clusters this list contains two IP addresses, one from IPv4
+	// family and one from IPv6.
+	// In single stack clusters a single IP address is expected.
+	// When omitted, values from the status.ingressIPs will be used.
+	// Once set, the list cannot be completely removed (but its second entry can).
+	//
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true",message="ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=atomic
+	// +optional
+	IngressIPs []IP `json:"ingressIPs"`
+
+	// machineNetworks are IP networks used to connect all the OpenShift cluster
+	// nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6,
+	// for example "10.0.0.0/8" or "fd00::/8".
+	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=32
+	// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))"
+	// +optional
+	MachineNetworks []CIDR `json:"machineNetworks"`
+}
+
+// VSpherePlatformStatus holds the current status of the vSphere infrastructure provider.
+type VSpherePlatformStatus struct {
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	//
+	// Deprecated: Use APIServerInternalIPs instead.
+	APIServerInternalIP string `json:"apiServerInternalIP,omitempty"`
+
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers. In dual
+	// stack clusters this list contains two IPs otherwise only one.
+	//
+	// +kubebuilder:validation:Format=ip
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf || (size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true)",message="apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=atomic
+	APIServerInternalIPs []string `json:"apiServerInternalIPs"`
+
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	//
+	// Deprecated: Use IngressIPs instead.
+	IngressIP string `json:"ingressIP,omitempty"`
+
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names. In dual stack clusters this list
+	// contains two IPs otherwise only one.
+	//
+	// +kubebuilder:validation:Format=ip
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf || (size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true)",message="ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=atomic
+	IngressIPs []string `json:"ingressIPs"`
+
+	// nodeDNSIP is the IP address for the internal DNS used by the
+	// nodes. Unlike the one managed by the DNS operator, `NodeDNSIP`
+	// provides name resolution for the nodes themselves. There is no DNS-as-a-service for
+	// vSphere deployments. In order to minimize necessary changes to the
+	// datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames
+	// to the nodes in the cluster.
+	NodeDNSIP string `json:"nodeDNSIP,omitempty"`
+
+	// loadBalancer defines how the load balancer used by the cluster is configured.
+	// +default={"type": "OpenShiftManagedDefault"}
+	// +kubebuilder:default={"type": "OpenShiftManagedDefault"}
+	// +optional
+	LoadBalancer *VSpherePlatformLoadBalancer `json:"loadBalancer,omitempty"`
+
+	// machineNetworks are IP networks used to connect all the OpenShift cluster nodes.
+	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=32
+	// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))"
+	// +optional
+	MachineNetworks []CIDR `json:"machineNetworks"`
+}
+
+// IBMCloudServiceEndpoint stores the configuration of a custom url to
+// override existing defaults of IBM Cloud Services.
+type IBMCloudServiceEndpoint struct {
+	// name is the name of the IBM Cloud service.
+	// Possible values are: CIS, COS, COSConfig, DNSServices, GlobalCatalog, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC.
+	// For example, the IBM Cloud Private IAM service could be configured with the
+	// service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com`
+	// Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured
+	// with the service `name` of `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com`
+	//
+	// +required
+	Name IBMCloudServiceName `json:"name"`
+
+	// url is fully qualified URI with scheme https, that overrides the default generated
+	// endpoint for a client.
+	// This must be provided and cannot be empty. The path must follow the pattern
+	// /v[0,9]+ or /api/v[0,9]+
+	//
+	// +required
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:MaxLength=300
+	// +kubebuilder:validation:XValidation:rule="isURL(self)",message="url must be a valid absolute URL"
+	// +openshift:validation:FeatureGateAwareXValidation:featureGate=DyanmicServiceEndpointIBMCloud,rule="url(self).getScheme() == \"https\"",message="url must use https scheme"
+	// +openshift:validation:FeatureGateAwareXValidation:featureGate=DyanmicServiceEndpointIBMCloud,rule=`matches((url(self).getEscapedPath()), '^/(api/)?v[0-9]+/{0,1}$')`,message="url path must match /v[0,9]+ or /api/v[0,9]+"
+	URL string `json:"url"`
+}
+
+// IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+type IBMCloudPlatformSpec struct {
+	// serviceEndpoints is a list of custom endpoints which will override the default
+	// service endpoints of an IBM service. These endpoints are used by components
+	// within the cluster when trying to reach the IBM Cloud Services that have been
+	// overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
+	// endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus
+	// are updated to reflect the same custom endpoints.
+	// A maximum of 13 service endpoints overrides are supported.
+	// +kubebuilder:validation:MaxItems=13
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	// +openshift:enable:FeatureGate=DyanmicServiceEndpointIBMCloud
+	ServiceEndpoints []IBMCloudServiceEndpoint `json:"serviceEndpoints,omitempty"`
+}
+
+// IBMCloudPlatformStatus holds the current status of the IBMCloud infrastructure provider.
+type IBMCloudPlatformStatus struct {
+	// location is where the cluster has been deployed
+	Location string `json:"location,omitempty"`
+
+	// resourceGroupName is the Resource Group for new IBMCloud resources created for the cluster.
+	ResourceGroupName string `json:"resourceGroupName,omitempty"`
+
+	// providerType indicates the type of cluster that was created
+	ProviderType IBMCloudProviderType `json:"providerType,omitempty"`
+
+	// cisInstanceCRN is the CRN of the Cloud Internet Services instance managing
+	// the DNS zone for the cluster's base domain
+	CISInstanceCRN string `json:"cisInstanceCRN,omitempty"`
+
+	// dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone
+	// for the cluster's base domain
+	DNSInstanceCRN string `json:"dnsInstanceCRN,omitempty"`
+
+	// serviceEndpoints is a list of custom endpoints which will override the default
+	// service endpoints of an IBM service. These endpoints are used by components
+	// within the cluster when trying to reach the IBM Cloud Services that have been
+	// overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
+	// endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus
+	// are updated to reflect the same custom endpoints.
+	// +openshift:validation:FeatureGateAwareMaxItems:featureGate=DyanmicServiceEndpointIBMCloud,maxItems=13
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	ServiceEndpoints []IBMCloudServiceEndpoint `json:"serviceEndpoints,omitempty"`
+}
+
+// KubevirtPlatformSpec holds the desired state of the kubevirt infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+type KubevirtPlatformSpec struct{}
+
+// KubevirtPlatformStatus holds the current status of the kubevirt infrastructure provider.
+type KubevirtPlatformStatus struct {
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	APIServerInternalIP string `json:"apiServerInternalIP,omitempty"`
+
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	IngressIP string `json:"ingressIP,omitempty"`
+}
+
+// EquinixMetalPlatformSpec holds the desired state of the Equinix Metal infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+type EquinixMetalPlatformSpec struct{}
+
+// EquinixMetalPlatformStatus holds the current status of the Equinix Metal infrastructure provider.
+type EquinixMetalPlatformStatus struct {
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	APIServerInternalIP string `json:"apiServerInternalIP,omitempty"`
+
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	IngressIP string `json:"ingressIP,omitempty"`
+}
+
+// PowervsServiceEndpoint stores the configuration of a custom url to
+// override existing defaults of PowerVS Services.
+type PowerVSServiceEndpoint struct {
+	// name is the name of the Power VS service.
+	// Few of the services are
+	// IAM - https://cloud.ibm.com/apidocs/iam-identity-token-api
+	// ResourceController - https://cloud.ibm.com/apidocs/resource-controller/resource-controller
+	// Power Cloud - https://cloud.ibm.com/apidocs/power-cloud
+	//
+	// +required
+	// +kubebuilder:validation:Enum=CIS;COS;COSConfig;DNSServices;GlobalCatalog;GlobalSearch;GlobalTagging;HyperProtect;IAM;KeyProtect;Power;ResourceController;ResourceManager;VPC
+	Name string `json:"name"`
+
+	// url is fully qualified URI with scheme https, that overrides the default generated
+	// endpoint for a client.
+	// This must be provided and cannot be empty.
+	//
+	// +required
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Format=uri
+	// +kubebuilder:validation:Pattern=`^https://`
+	URL string `json:"url"`
+}
+
+// PowerVSPlatformSpec holds the desired state of the IBM Power Systems Virtual Servers infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+type PowerVSPlatformSpec struct {
+	// serviceEndpoints is a list of custom endpoints which will override the default
+	// service endpoints of a Power VS service.
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	ServiceEndpoints []PowerVSServiceEndpoint `json:"serviceEndpoints,omitempty"`
+}
+
+// PowerVSPlatformStatus holds the current status of the IBM Power Systems Virtual Servers infrastrucutre provider.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.resourceGroup) || has(self.resourceGroup)",message="cannot unset resourceGroup once set"
+type PowerVSPlatformStatus struct {
+	// region holds the default Power VS region for new Power VS resources created by the cluster.
+	Region string `json:"region"`
+
+	// zone holds the default zone for the new Power VS resources created by the cluster.
+	// Note: Currently only single-zone OCP clusters are supported
+	Zone string `json:"zone"`
+
+	// resourceGroup is the resource group name for new IBMCloud resources created for a cluster.
+	// The resource group specified here will be used by cluster-image-registry-operator to set up a COS Instance in IBMCloud for the cluster registry.
+	// More about resource groups can be found here: https://cloud.ibm.com/docs/account?topic=account-rgs.
+	// When omitted, the image registry operator won't be able to configure storage,
+	// which results in the image registry cluster operator not being in an available state.
+	//
+	// +kubebuilder:validation:Pattern=^[a-zA-Z0-9-_ ]+$
+	// +kubebuilder:validation:MaxLength=40
+	// +kubebuilder:validation:XValidation:rule="oldSelf == '' || self == oldSelf",message="resourceGroup is immutable once set"
+	// +optional
+	ResourceGroup string `json:"resourceGroup"`
+
+	// serviceEndpoints is a list of custom endpoints which will override the default
+	// service endpoints of a Power VS service.
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	ServiceEndpoints []PowerVSServiceEndpoint `json:"serviceEndpoints,omitempty"`
+
+	// cisInstanceCRN is the CRN of the Cloud Internet Services instance managing
+	// the DNS zone for the cluster's base domain
+	CISInstanceCRN string `json:"cisInstanceCRN,omitempty"`
+
+	// dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone
+	// for the cluster's base domain
+	DNSInstanceCRN string `json:"dnsInstanceCRN,omitempty"`
+}
+
+// AlibabaCloudPlatformSpec holds the desired state of the Alibaba Cloud infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+type AlibabaCloudPlatformSpec struct{}
+
+// AlibabaCloudPlatformStatus holds the current status of the Alibaba Cloud infrastructure provider.
+type AlibabaCloudPlatformStatus struct {
+	// region specifies the region for Alibaba Cloud resources created for the cluster.
+	// +kubebuilder:validation:Pattern=`^[0-9A-Za-z-]+$`
+	// +required
+	Region string `json:"region"`
+	// resourceGroupID is the ID of the resource group for the cluster.
+	// +kubebuilder:validation:Pattern=`^(rg-[0-9A-Za-z]+)?$`
+	// +optional
+	ResourceGroupID string `json:"resourceGroupID,omitempty"`
+	// resourceTags is a list of additional tags to apply to Alibaba Cloud resources created for the cluster.
+	// +kubebuilder:validation:MaxItems=20
+	// +listType=map
+	// +listMapKey=key
+	// +optional
+	ResourceTags []AlibabaCloudResourceTag `json:"resourceTags,omitempty"`
+}
+
+// AlibabaCloudResourceTag is the set of tags to add to apply to resources.
+type AlibabaCloudResourceTag struct {
+	// key is the key of the tag.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
+	// +required
+	Key string `json:"key"`
+	// value is the value of the tag.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
+	// +required
+	Value string `json:"value"`
+}
+
+// NutanixPlatformLoadBalancer defines the load balancer used by the cluster on Nutanix platform.
+// +union
+type NutanixPlatformLoadBalancer struct {
+	// type defines the type of load balancer used by the cluster on Nutanix platform
+	// which can be a user-managed or openshift-managed load balancer
+	// that is to be used for the OpenShift API and Ingress endpoints.
+	// When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing
+	// defined in the machine config operator will be deployed.
+	// When set to UserManaged these static pods will not be deployed and it is expected that
+	// the load balancer is configured out of band by the deployer.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default.
+	// The default value is OpenShiftManagedDefault.
+	// +default="OpenShiftManagedDefault"
+	// +kubebuilder:default:="OpenShiftManagedDefault"
+	// +kubebuilder:validation:Enum:="OpenShiftManagedDefault";"UserManaged"
+	// +kubebuilder:validation:XValidation:rule="oldSelf == '' || self == oldSelf",message="type is immutable once set"
+	// +optional
+	// +unionDiscriminator
+	Type PlatformLoadBalancerType `json:"type,omitempty"`
+}
+
+// NutanixPlatformSpec holds the desired state of the Nutanix infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+type NutanixPlatformSpec struct {
+	// prismCentral holds the endpoint address and port to access the Nutanix Prism Central.
+	// When a cluster-wide proxy is installed, by default, this endpoint will be accessed via the proxy.
+	// Should you wish for communication with this endpoint not to be proxied, please add the endpoint to the
+	// proxy spec.noProxy list.
+	// +required
+	PrismCentral NutanixPrismEndpoint `json:"prismCentral"`
+
+	// prismElements holds one or more endpoint address and port data to access the Nutanix
+	// Prism Elements (clusters) of the Nutanix Prism Central. Currently we only support one
+	// Prism Element (cluster) for an OpenShift cluster, where all the Nutanix resources (VMs, subnets, volumes, etc.)
+	// used in the OpenShift cluster are located. In the future, we may support Nutanix resources (VMs, etc.)
+	// spread over multiple Prism Elements (clusters) of the Prism Central.
+	// +required
+	// +listType=map
+	// +listMapKey=name
+	PrismElements []NutanixPrismElementEndpoint `json:"prismElements"`
+
+	// failureDomains configures failure domains information for the Nutanix platform.
+	// When set, the failure domains defined here may be used to spread Machines across
+	// prism element clusters to improve fault tolerance of the cluster.
+	// +openshift:validation:FeatureGateAwareMaxItems:featureGate=NutanixMultiSubnets,maxItems=32
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	FailureDomains []NutanixFailureDomain `json:"failureDomains"`
+}
+
+// NutanixFailureDomain configures failure domain information for the Nutanix platform.
+type NutanixFailureDomain struct {
+	// name defines the unique name of a failure domain.
+	// Name is required and must be at most 64 characters in length.
+	// It must consist of only lower case alphanumeric characters and hyphens (-).
+	// It must start and end with an alphanumeric character.
+	// This value is arbitrary and is used to identify the failure domain within the platform.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=64
+	// +kubebuilder:validation:Pattern=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
+	Name string `json:"name"`
+
+	// cluster is to identify the cluster (the Prism Element under management of the Prism Central),
+	// in which the Machine's VM will be created. The cluster identifier (uuid or name) can be obtained
+	// from the Prism Central console or using the prism_central API.
+	// +required
+	Cluster NutanixResourceIdentifier `json:"cluster"`
+
+	// subnets holds a list of identifiers (one or more) of the cluster's network subnets
+	// If the feature gate NutanixMultiSubnets is enabled, up to 32 subnets may be configured.
+	// for the Machine's VM to connect to. The subnet identifiers (uuid or name) can be
+	// obtained from the Prism Central console or using the prism_central API.
+	// +required
+	// +kubebuilder:validation:MinItems=1
+	// +openshift:validation:FeatureGateAwareMaxItems:featureGate="",maxItems=1
+	// +openshift:validation:FeatureGateAwareMaxItems:featureGate=NutanixMultiSubnets,maxItems=32
+	// +openshift:validation:FeatureGateAwareXValidation:featureGate=NutanixMultiSubnets,rule="self.all(x, self.exists_one(y, x == y))",message="each subnet must be unique"
+	// +listType=atomic
+	Subnets []NutanixResourceIdentifier `json:"subnets"`
+}
+
+// NutanixIdentifierType is an enumeration of different resource identifier types.
+// +kubebuilder:validation:Enum:=UUID;Name
+type NutanixIdentifierType string
+
+const (
+	// NutanixIdentifierUUID is a resource identifier identifying the object by UUID.
+	NutanixIdentifierUUID NutanixIdentifierType = "UUID"
+
+	// NutanixIdentifierName is a resource identifier identifying the object by Name.
+	NutanixIdentifierName NutanixIdentifierType = "Name"
+)
+
+// NutanixResourceIdentifier holds the identity of a Nutanix PC resource (cluster, image, subnet, etc.)
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'UUID' ?  has(self.uuid) : !has(self.uuid)",message="uuid configuration is required when type is UUID, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Name' ?  has(self.name) : !has(self.name)",message="name configuration is required when type is Name, and forbidden otherwise"
+// +union
+type NutanixResourceIdentifier struct {
+	// type is the identifier type to use for this resource.
+	// +unionDiscriminator
+	// +required
+	Type NutanixIdentifierType `json:"type"`
+
+	// uuid is the UUID of the resource in the PC. It cannot be empty if the type is UUID.
+	// +optional
+	UUID *string `json:"uuid,omitempty"`
+
+	// name is the resource name in the PC. It cannot be empty if the type is Name.
+	// +optional
+	Name *string `json:"name,omitempty"`
+}
+
+// NutanixPrismEndpoint holds the endpoint address and port to access the Nutanix Prism Central or Element (cluster)
+type NutanixPrismEndpoint struct {
+	// address is the endpoint address (DNS name or IP address) of the Nutanix Prism Central or Element (cluster)
+	// +required
+	// +kubebuilder:validation:MaxLength=256
+	Address string `json:"address"`
+
+	// port is the port number to access the Nutanix Prism Central or Element (cluster)
+	// +required
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	Port int32 `json:"port"`
+}
+
+// NutanixPrismElementEndpoint holds the name and endpoint data for a Prism Element (cluster)
+type NutanixPrismElementEndpoint struct {
+	// name is the name of the Prism Element (cluster). This value will correspond with
+	// the cluster field configured on other resources (eg Machines, PVCs, etc).
+	// +required
+	// +kubebuilder:validation:MaxLength=256
+	Name string `json:"name"`
+
+	// endpoint holds the endpoint address and port data of the Prism Element (cluster).
+	// When a cluster-wide proxy is installed, by default, this endpoint will be accessed via the proxy.
+	// Should you wish for communication with this endpoint not to be proxied, please add the endpoint to the
+	// proxy spec.noProxy list.
+	// +required
+	Endpoint NutanixPrismEndpoint `json:"endpoint"`
+}
+
+// NutanixPlatformStatus holds the current status of the Nutanix infrastructure provider.
+type NutanixPlatformStatus struct {
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	//
+	// Deprecated: Use APIServerInternalIPs instead.
+	APIServerInternalIP string `json:"apiServerInternalIP,omitempty"`
+
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers. In dual
+	// stack clusters this list contains two IPs otherwise only one.
+	//
+	// +kubebuilder:validation:Format=ip
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf || (size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true)",message="apiServerInternalIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=set
+	APIServerInternalIPs []string `json:"apiServerInternalIPs"`
+
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	//
+	// Deprecated: Use IngressIPs instead.
+	IngressIP string `json:"ingressIP,omitempty"`
+
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names. In dual stack clusters this list
+	// contains two IPs otherwise only one.
+	//
+	// +kubebuilder:validation:Format=ip
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf || (size(self) == 2 && isIP(self[0]) && isIP(self[1]) ? ip(self[0]).family() != ip(self[1]).family() : true)",message="ingressIPs must contain at most one IPv4 address and at most one IPv6 address"
+	// +listType=set
+	IngressIPs []string `json:"ingressIPs"`
+
+	// loadBalancer defines how the load balancer used by the cluster is configured.
+	// +default={"type": "OpenShiftManagedDefault"}
+	// +kubebuilder:default={"type": "OpenShiftManagedDefault"}
+	// +optional
+	LoadBalancer *NutanixPlatformLoadBalancer `json:"loadBalancer,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// InfrastructureList is
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type InfrastructureList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Infrastructure `json:"items"`
+}
+
+// IP is an IP address (for example, "10.0.0.0" or "fd00::").
+// +kubebuilder:validation:XValidation:rule="isIP(self)",message="value must be a valid IP address"
+// +kubebuilder:validation:MaxLength:=39
+// +kubebuilder:validation:MinLength:=1
+type IP string
+
+// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
+// +kubebuilder:validation:XValidation:rule="isCIDR(self)",message="value must be a valid CIDR network address"
+// +kubebuilder:validation:MaxLength:=43
+// +kubebuilder:validation:MinLength:=1
+type CIDR string
diff --git a/vendor/github.com/openshift/api/config/v1/types_ingress.go b/vendor/github.com/openshift/api/config/v1/types_ingress.go
new file mode 100644
index 00000000..f70fe8f4
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_ingress.go
@@ -0,0 +1,332 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Ingress holds cluster-wide information about ingress, including the default ingress domain
+// used for routes. The canonical name is `cluster`.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=ingresses,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type Ingress struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec IngressSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status IngressStatus `json:"status"`
+}
+
+type IngressSpec struct {
+	// domain is used to generate a default host name for a route when the
+	// route's host name is empty. The generated host name will follow this
+	// pattern: "<route-name>.<route-namespace>.<domain>".
+	//
+	// It is also used as the default wildcard domain suffix for ingress. The
+	// default ingresscontroller domain will follow this pattern: "*.<domain>".
+	//
+	// Once set, changing domain is not currently supported.
+	Domain string `json:"domain"`
+
+	// appsDomain is an optional domain to use instead of the one specified
+	// in the domain field when a Route is created without specifying an explicit
+	// host. If appsDomain is nonempty, this value is used to generate default
+	// host values for Route. Unlike domain, appsDomain may be modified after
+	// installation.
+	// This assumes a new ingresscontroller has been setup with a wildcard
+	// certificate.
+	// +optional
+	AppsDomain string `json:"appsDomain,omitempty"`
+
+	// componentRoutes is an optional list of routes that are managed by OpenShift components
+	// that a cluster-admin is able to configure the hostname and serving certificate for.
+	// The namespace and name of each route in this list should match an existing entry in the
+	// status.componentRoutes list.
+	//
+	// To determine the set of configurable Routes, look at namespace and name of entries in the
+	// .status.componentRoutes list, where participating operators write the status of
+	// configurable routes.
+	// +optional
+	// +listType=map
+	// +listMapKey=namespace
+	// +listMapKey=name
+	ComponentRoutes []ComponentRouteSpec `json:"componentRoutes,omitempty"`
+
+	// requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created  or updated routes
+	// matching the domainPattern/s and namespaceSelector/s that are specified in the policy.
+	// Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route
+	// annotation, and affect route admission.
+	//
+	// A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation:
+	// "haproxy.router.openshift.io/hsts_header"
+	// E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains
+	//
+	// - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector,
+	// then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted.  Otherwise, the route
+	// is rejected.
+	// - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies
+	// determines the route's admission status.
+	// - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector,
+	// then it may use any HSTS Policy annotation.
+	//
+	// The HSTS policy configuration may be changed after routes have already been created. An update to a previously
+	// admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration.
+	// However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working.
+	//
+	// Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid.
+	// +optional
+	RequiredHSTSPolicies []RequiredHSTSPolicy `json:"requiredHSTSPolicies,omitempty"`
+
+	// loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure
+	// provider of the current cluster and are required for Ingress Controller to work on OpenShift.
+	// +optional
+	LoadBalancer LoadBalancer `json:"loadBalancer,omitempty"`
+}
+
+// IngressPlatformSpec holds the desired state of Ingress specific to the underlying infrastructure provider
+// of the current cluster. Since these are used at spec-level for the underlying cluster, it
+// is supposed that only one of the spec structs is set.
+// +union
+type IngressPlatformSpec struct {
+	// type is the underlying infrastructure provider for the cluster.
+	// Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt",
+	// "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS",
+	// "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms,
+	// and must handle unrecognized platforms as None if they do not support that platform.
+	//
+	// +unionDiscriminator
+	Type PlatformType `json:"type"`
+
+	// aws contains settings specific to the Amazon Web Services infrastructure provider.
+	// +optional
+	AWS *AWSIngressSpec `json:"aws,omitempty"`
+}
+
+type LoadBalancer struct {
+	// platform holds configuration specific to the underlying
+	// infrastructure provider for the ingress load balancers.
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// +optional
+	Platform IngressPlatformSpec `json:"platform,omitempty"`
+}
+
+// AWSIngressSpec holds the desired state of the Ingress for Amazon Web Services infrastructure provider.
+// This only includes fields that can be modified in the cluster.
+// +union
+type AWSIngressSpec struct {
+	// type allows user to set a load balancer type.
+	// When this field is set the default ingresscontroller will get created using the specified LBType.
+	// If this field is not set then the default ingress controller of LBType Classic will be created.
+	// Valid values are:
+	//
+	// * "Classic": A Classic Load Balancer that makes routing decisions at either
+	//   the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See
+	//   the following for additional details:
+	//
+	//     https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb
+	//
+	// * "NLB": A Network Load Balancer that makes routing decisions at the
+	//   transport layer (TCP/SSL). See the following for additional details:
+	//
+	//     https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb
+	// +unionDiscriminator
+	// +kubebuilder:validation:Enum:=NLB;Classic
+	// +required
+	Type AWSLBType `json:"type"`
+}
+
+type AWSLBType string
+
+const (
+	// NLB is the Network Load Balancer Type of AWS. Using NLB one can set NLB load balancer type for the default ingress controller.
+	NLB AWSLBType = "NLB"
+
+	// Classic is the Classic Load Balancer Type of AWS. Using CLassic one can set Classic load balancer type for the default ingress controller.
+	Classic AWSLBType = "Classic"
+)
+
+// ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported.
+// +kubebuilder:validation:Pattern="^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=512
+type ConsumingUser string
+
+// Hostname is a host name as defined by RFC-1123.
+// + ---
+// + The left operand of the | is the original kubebuilder hostname validation format, which is incorrect because it
+// + allows upper case letters, disallows hyphen or number in the TLD, and allows labels to start/end in non-alphanumeric
+// + characters.  See https://bugzilla.redhat.com/show_bug.cgi?id=2039256.
+// + ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$
+// +
+// + The right operand of the | is a new pattern that mimics the current API route admission validation on hostname,
+// + except that it allows hostnames longer than the maximum length:
+// + ^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$
+// +
+// + Both operand patterns are made available so that modifications on ingress spec can still happen after an invalid hostname
+// + was saved via validation by the incorrect left operand of the | operator.
+// +
+// +kubebuilder:validation:Pattern=`^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$`
+type Hostname string
+
+type IngressStatus struct {
+	// componentRoutes is where participating operators place the current route status for routes whose
+	// hostnames and serving certificates can be customized by the cluster-admin.
+	// +optional
+	// +listType=map
+	// +listMapKey=namespace
+	// +listMapKey=name
+	ComponentRoutes []ComponentRouteStatus `json:"componentRoutes,omitempty"`
+
+	// defaultPlacement is set at installation time to control which
+	// nodes will host the ingress router pods by default. The options are
+	// control-plane nodes or worker nodes.
+	//
+	// This field works by dictating how the Cluster Ingress Operator will
+	// consider unset replicas and nodePlacement fields in IngressController
+	// resources when creating the corresponding Deployments.
+	//
+	// See the documentation for the IngressController replicas and nodePlacement
+	// fields for more information.
+	//
+	// When omitted, the default value is Workers
+	//
+	// +kubebuilder:validation:Enum:="ControlPlane";"Workers";""
+	// +optional
+	DefaultPlacement DefaultPlacement `json:"defaultPlacement"`
+}
+
+// ComponentRouteSpec allows for configuration of a route's hostname and serving certificate.
+type ComponentRouteSpec struct {
+	// namespace is the namespace of the route to customize.
+	//
+	// The namespace and name of this componentRoute must match a corresponding
+	// entry in the list of status.componentRoutes if the route is to be customized.
+	// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +required
+	Namespace string `json:"namespace"`
+
+	// name is the logical name of the route to customize.
+	//
+	// The namespace and name of this componentRoute must match a corresponding
+	// entry in the list of status.componentRoutes if the route is to be customized.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	// +required
+	Name string `json:"name"`
+
+	// hostname is the hostname that should be used by the route.
+	// +required
+	Hostname Hostname `json:"hostname"`
+
+	// servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace.
+	// The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name.
+	// If the custom hostname uses the default routing suffix of the cluster,
+	// the Secret specification for a serving certificate will not be needed.
+	// +optional
+	ServingCertKeyPairSecret SecretNameReference `json:"servingCertKeyPairSecret"`
+}
+
+// ComponentRouteStatus contains information allowing configuration of a route's hostname and serving certificate.
+type ComponentRouteStatus struct {
+	// namespace is the namespace of the route to customize. It must be a real namespace. Using an actual namespace
+	// ensures that no two components will conflict and the same component can be installed multiple times.
+	//
+	// The namespace and name of this componentRoute must match a corresponding
+	// entry in the list of spec.componentRoutes if the route is to be customized.
+	// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +required
+	Namespace string `json:"namespace"`
+
+	// name is the logical name of the route to customize. It does not have to be the actual name of a route resource
+	// but it cannot be renamed.
+	//
+	// The namespace and name of this componentRoute must match a corresponding
+	// entry in the list of spec.componentRoutes if the route is to be customized.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	// +required
+	Name string `json:"name"`
+
+	// defaultHostname is the hostname of this route prior to customization.
+	// +required
+	DefaultHostname Hostname `json:"defaultHostname"`
+
+	// consumingUsers is a slice of ServiceAccounts that need to have read permission on the servingCertKeyPairSecret secret.
+	// +kubebuilder:validation:MaxItems=5
+	// +optional
+	ConsumingUsers []ConsumingUser `json:"consumingUsers,omitempty"`
+
+	// currentHostnames is the list of current names used by the route. Typically, this list should consist of a single
+	// hostname, but if multiple hostnames are supported by the route the operator may write multiple entries to this list.
+	// +kubebuilder:validation:MinItems=1
+	// +optional
+	CurrentHostnames []Hostname `json:"currentHostnames,omitempty"`
+
+	// conditions are used to communicate the state of the componentRoutes entry.
+	//
+	// Supported conditions include Available, Degraded and Progressing.
+	//
+	// If available is true, the content served by the route can be accessed by users. This includes cases
+	// where a default may continue to serve content while the customized route specified by the cluster-admin
+	// is being configured.
+	//
+	// If Degraded is true, that means something has gone wrong trying to handle the componentRoutes entry.
+	// The currentHostnames field may or may not be in effect.
+	//
+	// If Progressing is true, that means the component is taking some action related to the componentRoutes entry.
+	// +optional
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// relatedObjects is a list of resources which are useful when debugging or inspecting how spec.componentRoutes is applied.
+	// +kubebuilder:validation:MinItems=1
+	// +required
+	RelatedObjects []ObjectReference `json:"relatedObjects"`
+}
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +openshift:compatibility-gen:level=1
+type IngressList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Ingress `json:"items"`
+}
+
+// DefaultPlacement defines the default placement of ingress router pods.
+type DefaultPlacement string
+
+const (
+	// "Workers" is for having router pods placed on worker nodes by default.
+	DefaultPlacementWorkers DefaultPlacement = "Workers"
+
+	// "ControlPlane" is for having router pods placed on control-plane nodes by default.
+	DefaultPlacementControlPlane DefaultPlacement = "ControlPlane"
+)
diff --git a/vendor/github.com/openshift/api/config/v1/types_kmsencryption.go b/vendor/github.com/openshift/api/config/v1/types_kmsencryption.go
new file mode 100644
index 00000000..3293204f
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_kmsencryption.go
@@ -0,0 +1,55 @@
+package v1
+
+// KMSConfig defines the configuration for the KMS instance
+// that will be used with KMSEncryptionProvider encryption
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ?  has(self.aws) : !has(self.aws)",message="aws config is required when kms provider type is AWS, and forbidden otherwise"
+// +union
+type KMSConfig struct {
+	// type defines the kind of platform for the KMS provider.
+	// Available provider types are AWS only.
+	//
+	// +unionDiscriminator
+	// +required
+	Type KMSProviderType `json:"type"`
+
+	// aws defines the key config for using an AWS KMS instance
+	// for the encryption. The AWS KMS instance is managed
+	// by the user outside the purview of the control plane.
+	//
+	// +unionMember
+	// +optional
+	AWS *AWSKMSConfig `json:"aws,omitempty"`
+}
+
+// AWSKMSConfig defines the KMS config specific to AWS KMS provider
+type AWSKMSConfig struct {
+	// keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
+	// The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
+	// - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
+	// - `<account_id>` is a 12-digit numeric identifier for the AWS account.
+	// - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
+	//
+	// +kubebuilder:validation:MaxLength=128
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
+	// +required
+	KeyARN string `json:"keyARN"`
+	// region specifies the AWS region where the KMS instance exists, and follows the format
+	// `<region-prefix>-<region-name>-<number>`, e.g.: `us-east-1`.
+	// Only lowercase letters and hyphens followed by numbers are allowed.
+	//
+	// +kubebuilder:validation:MaxLength=64
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:XValidation:rule="self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')",message="region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only."
+	// +required
+	Region string `json:"region"`
+}
+
+// KMSProviderType is a specific supported KMS provider
+// +kubebuilder:validation:Enum=AWS
+type KMSProviderType string
+
+const (
+	// AWSKMSProvider represents a supported KMS provider for use with AWS KMS
+	AWSKMSProvider KMSProviderType = "AWS"
+)
diff --git a/vendor/github.com/openshift/api/config/v1/types_network.go b/vendor/github.com/openshift/api/config/v1/types_network.go
new file mode 100644
index 00000000..c0d1602b
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_network.go
@@ -0,0 +1,308 @@
+package v1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Network holds cluster-wide information about Network. The canonical name is `cluster`. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc.
+// Please view network.spec for an explanation on what applies when configuring this resource.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:compatibility-gen:level=1
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=networks,scope=Cluster
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type Network struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration.
+	// As a general rule, this SHOULD NOT be read directly. Instead, you should
+	// consume the NetworkStatus, as it indicates the currently deployed configuration.
+	// Currently, most spec fields are immutable after installation. Please view the individual ones for further details on each.
+	// +required
+	Spec NetworkSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status NetworkStatus `json:"status"`
+}
+
+// NetworkSpec is the desired network configuration.
+// As a general rule, this SHOULD NOT be read directly. Instead, you should
+// consume the NetworkStatus, as it indicates the currently deployed configuration.
+// Currently, most spec fields are immutable after installation. Please view the individual ones for further details on each.
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=NetworkDiagnosticsConfig,rule="!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) || self.networkDiagnostics.mode!='Disabled' || !has(self.networkDiagnostics.sourcePlacement) && !has(self.networkDiagnostics.targetPlacement)",message="cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement when networkDiagnostics.mode is Disabled"
+type NetworkSpec struct {
+	// IP address pool to use for pod IPs.
+	// This field is immutable after installation.
+	// +listType=atomic
+	ClusterNetwork []ClusterNetworkEntry `json:"clusterNetwork"`
+
+	// IP address pool for services.
+	// Currently, we only support a single entry here.
+	// This field is immutable after installation.
+	// +listType=atomic
+	ServiceNetwork []string `json:"serviceNetwork"`
+
+	// networkType is the plugin that is to be deployed (e.g. OVNKubernetes).
+	// This should match a value that the cluster-network-operator understands,
+	// or else no networking will be installed.
+	// Currently supported values are:
+	// - OVNKubernetes
+	// This field is immutable after installation.
+	NetworkType string `json:"networkType"`
+
+	// externalIP defines configuration for controllers that
+	// affect Service.ExternalIP. If nil, then ExternalIP is
+	// not allowed to be set.
+	// +optional
+	ExternalIP *ExternalIPConfig `json:"externalIP,omitempty"`
+
+	// The port range allowed for Services of type NodePort.
+	// If not specified, the default of 30000-32767 will be used.
+	// Such Services without a NodePort specified will have one
+	// automatically allocated from this range.
+	// This parameter can be updated after the cluster is
+	// installed.
+	// +kubebuilder:validation:Pattern=`^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$`
+	ServiceNodePortRange string `json:"serviceNodePortRange,omitempty"`
+
+	// networkDiagnostics defines network diagnostics configuration.
+	//
+	// Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io.
+	// If networkDiagnostics is not specified or is empty,
+	// and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true,
+	// the network diagnostics feature will be disabled.
+	//
+	// +optional
+	// +openshift:enable:FeatureGate=NetworkDiagnosticsConfig
+	NetworkDiagnostics NetworkDiagnostics `json:"networkDiagnostics"`
+}
+
+// NetworkStatus is the current network configuration.
+type NetworkStatus struct {
+	// IP address pool to use for pod IPs.
+	// +listType=atomic
+	// +optional
+	ClusterNetwork []ClusterNetworkEntry `json:"clusterNetwork,omitempty"`
+
+	// IP address pool for services.
+	// Currently, we only support a single entry here.
+	// +listType=atomic
+	// +optional
+	ServiceNetwork []string `json:"serviceNetwork,omitempty"`
+
+	// networkType is the plugin that is deployed (e.g. OVNKubernetes).
+	// +optional
+	NetworkType string `json:"networkType,omitempty"`
+
+	// clusterNetworkMTU is the MTU for inter-pod networking.
+	// +optional
+	ClusterNetworkMTU int `json:"clusterNetworkMTU,omitempty"`
+
+	// migration contains the cluster network migration configuration.
+	// +optional
+	Migration *NetworkMigration `json:"migration,omitempty"`
+
+	// conditions represents the observations of a network.config current state.
+	// Known .status.conditions.type are: "NetworkDiagnosticsAvailable"
+	// +optional
+	// +listType=map
+	// +listMapKey=type
+	// +openshift:enable:FeatureGate=NetworkDiagnosticsConfig
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs
+// are allocated.
+type ClusterNetworkEntry struct {
+	// The complete block for pod IPs.
+	CIDR string `json:"cidr"`
+
+	// The size (prefix) of block to allocate to each node. If this
+	// field is not used by the plugin, it can be left unset.
+	// +kubebuilder:validation:Minimum=0
+	// +optional
+	HostPrefix uint32 `json:"hostPrefix,omitempty"`
+}
+
+// ExternalIPConfig specifies some IP blocks relevant for the ExternalIP field
+// of a Service resource.
+type ExternalIPConfig struct {
+	// policy is a set of restrictions applied to the ExternalIP field.
+	// If nil or empty, then ExternalIP is not allowed to be set.
+	// +optional
+	Policy *ExternalIPPolicy `json:"policy,omitempty"`
+
+	// autoAssignCIDRs is a list of CIDRs from which to automatically assign
+	// Service.ExternalIP. These are assigned when the service is of type
+	// LoadBalancer. In general, this is only useful for bare-metal clusters.
+	// In Openshift 3.x, this was misleadingly called "IngressIPs".
+	// Automatically assigned External IPs are not affected by any
+	// ExternalIPPolicy rules.
+	// Currently, only one entry may be provided.
+	// +optional
+	// +listType=atomic
+	AutoAssignCIDRs []string `json:"autoAssignCIDRs,omitempty"`
+}
+
+// ExternalIPPolicy configures exactly which IPs are allowed for the ExternalIP
+// field in a Service. If the zero struct is supplied, then none are permitted.
+// The policy controller always allows automatically assigned external IPs.
+type ExternalIPPolicy struct {
+	// allowedCIDRs is the list of allowed CIDRs.
+	// +listType=atomic
+	AllowedCIDRs []string `json:"allowedCIDRs,omitempty"`
+
+	// rejectedCIDRs is the list of disallowed CIDRs. These take precedence
+	// over allowedCIDRs.
+	// +optional
+	// +listType=atomic
+	RejectedCIDRs []string `json:"rejectedCIDRs,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type NetworkList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Network `json:"items"`
+}
+
+// NetworkMigration represents the network migration status.
+type NetworkMigration struct {
+	// networkType is the target plugin that is being deployed.
+	// DEPRECATED: network type migration is no longer supported,
+	// so this should always be unset.
+	// +optional
+	NetworkType string `json:"networkType,omitempty"`
+
+	// mtu is the MTU configuration that is being deployed.
+	// +optional
+	MTU *MTUMigration `json:"mtu,omitempty"`
+}
+
+// MTUMigration contains infomation about MTU migration.
+type MTUMigration struct {
+	// network contains MTU migration configuration for the default network.
+	// +optional
+	Network *MTUMigrationValues `json:"network,omitempty"`
+
+	// machine contains MTU migration configuration for the machine's uplink.
+	// +optional
+	Machine *MTUMigrationValues `json:"machine,omitempty"`
+}
+
+// MTUMigrationValues contains the values for a MTU migration.
+type MTUMigrationValues struct {
+	// to is the MTU to migrate to.
+	// +kubebuilder:validation:Minimum=0
+	To *uint32 `json:"to"`
+
+	// from is the MTU to migrate from.
+	// +kubebuilder:validation:Minimum=0
+	// +optional
+	From *uint32 `json:"from,omitempty"`
+}
+
+// NetworkDiagnosticsMode is an enumeration of the available network diagnostics modes
+// Valid values are "", "All", "Disabled".
+// +kubebuilder:validation:Enum:="";All;Disabled
+type NetworkDiagnosticsMode string
+
+const (
+	// NetworkDiagnosticsNoOpinion means that the user has no opinion and the platform is left
+	// to choose reasonable default. The current default is All and is a subject to change over time.
+	NetworkDiagnosticsNoOpinion NetworkDiagnosticsMode = ""
+	// NetworkDiagnosticsAll means that all network diagnostics checks are enabled
+	NetworkDiagnosticsAll NetworkDiagnosticsMode = "All"
+	// NetworkDiagnosticsDisabled means that network diagnostics is disabled
+	NetworkDiagnosticsDisabled NetworkDiagnosticsMode = "Disabled"
+)
+
+// NetworkDiagnostics defines network diagnostics configuration
+
+type NetworkDiagnostics struct {
+	// mode controls the network diagnostics mode
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is All.
+	//
+	// +optional
+	Mode NetworkDiagnosticsMode `json:"mode"`
+
+	// sourcePlacement controls the scheduling of network diagnostics source deployment
+	//
+	// See NetworkDiagnosticsSourcePlacement for more details about default values.
+	//
+	// +optional
+	SourcePlacement NetworkDiagnosticsSourcePlacement `json:"sourcePlacement"`
+
+	// targetPlacement controls the scheduling of network diagnostics target daemonset
+	//
+	// See NetworkDiagnosticsTargetPlacement for more details about default values.
+	//
+	// +optional
+	TargetPlacement NetworkDiagnosticsTargetPlacement `json:"targetPlacement"`
+}
+
+// NetworkDiagnosticsSourcePlacement defines node scheduling configuration network diagnostics source components
+type NetworkDiagnosticsSourcePlacement struct {
+	// nodeSelector is the node selector applied to network diagnostics components
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is `kubernetes.io/os: linux`.
+	//
+	// +optional
+	NodeSelector map[string]string `json:"nodeSelector"`
+
+	// tolerations is a list of tolerations applied to network diagnostics components
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is an empty list.
+	//
+	// +optional
+	// +listType=atomic
+	Tolerations []corev1.Toleration `json:"tolerations"`
+}
+
+// NetworkDiagnosticsTargetPlacement defines node scheduling configuration network diagnostics target components
+type NetworkDiagnosticsTargetPlacement struct {
+	// nodeSelector is the node selector applied to network diagnostics components
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is `kubernetes.io/os: linux`.
+	//
+	// +optional
+	NodeSelector map[string]string `json:"nodeSelector"`
+
+	// tolerations is a list of tolerations applied to network diagnostics components
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is `- operator: "Exists"` which means that all taints are tolerated.
+	//
+	// +optional
+	// +listType=atomic
+	Tolerations []corev1.Toleration `json:"tolerations"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_node.go b/vendor/github.com/openshift/api/config/v1/types_node.go
new file mode 100644
index 00000000..1282f331
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_node.go
@@ -0,0 +1,142 @@
+package v1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Node holds cluster-wide information about node specific features.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1107
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=nodes,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type Node struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec NodeSpec `json:"spec"`
+
+	// status holds observed values.
+	// +optional
+	Status NodeStatus `json:"status"`
+}
+
+type NodeSpec struct {
+	// cgroupMode determines the cgroups version on the node
+	// +optional
+	CgroupMode CgroupMode `json:"cgroupMode,omitempty"`
+
+	// workerLatencyProfile determins the how fast the kubelet is updating
+	// the status and corresponding reaction of the cluster
+	// +optional
+	WorkerLatencyProfile WorkerLatencyProfileType `json:"workerLatencyProfile,omitempty"`
+
+	// minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
+	// Specifically, the apiserver will deny most authorization requests of kubelets that are older
+	// than the specified version, only allowing the kubelet to get and update its node object, and perform
+	// subjectaccessreviews.
+	// This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+	// and will eventually be marked as not ready.
+	// Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+	// Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+	// the underlying kubernetes version this version of Openshift is based off of.
+	// In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+	// they should set the minimumKubeletVersion to 1.30.0.
+	// When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+	// Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+	// +kubebuilder:validation:XValidation:rule="self == \"\" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty"
+	// +kubebuilder:validation:MaxLength:=8
+	// +openshift:enable:FeatureGate=MinimumKubeletVersion
+	// +optional
+	MinimumKubeletVersion string `json:"minimumKubeletVersion"`
+}
+
+type NodeStatus struct {
+	// conditions contain the details and the current state of the nodes.config object
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:validation:Enum=v2;""
+type CgroupMode string
+
+const (
+	CgroupModeEmpty   CgroupMode = "" // Empty string indicates to honor user set value on the system that should not be overridden by OpenShift
+	CgroupModeV1      CgroupMode = "v1"
+	CgroupModeV2      CgroupMode = "v2"
+	CgroupModeDefault CgroupMode = CgroupModeV2
+)
+
+// +kubebuilder:validation:Enum=Default;MediumUpdateAverageReaction;LowUpdateSlowReaction
+type WorkerLatencyProfileType string
+
+const (
+	// Medium Kubelet Update Frequency (heart-beat) and Average Reaction Time to unresponsive Node
+	MediumUpdateAverageReaction WorkerLatencyProfileType = "MediumUpdateAverageReaction"
+
+	// Low Kubelet Update Frequency (heart-beat) and Slow Reaction Time to unresponsive Node
+	LowUpdateSlowReaction WorkerLatencyProfileType = "LowUpdateSlowReaction"
+
+	// Default values of relavent Kubelet, Kube Controller Manager and Kube API Server
+	DefaultUpdateDefaultReaction WorkerLatencyProfileType = "Default"
+)
+
+const (
+	// DefaultNodeStatusUpdateFrequency refers to the "--node-status-update-frequency" of the kubelet in case of DefaultUpdateDefaultReaction WorkerLatencyProfile type
+	DefaultNodeStatusUpdateFrequency = 10 * time.Second
+	// DefaultNodeMonitorGracePeriod refers to the "--node-monitor-grace-period" of the Kube Controller Manager in case of DefaultUpdateDefaultReaction WorkerLatencyProfile type
+	DefaultNodeMonitorGracePeriod = 40 * time.Second
+	// DefaultNotReadyTolerationSeconds refers to the "--default-not-ready-toleration-seconds" of the Kube API Server in case of DefaultUpdateDefaultReaction WorkerLatencyProfile type
+	DefaultNotReadyTolerationSeconds = 300
+	// DefaultUnreachableTolerationSeconds refers to the "--default-unreachable-toleration-seconds" of the Kube API Server in case of DefaultUpdateDefaultReaction WorkerLatencyProfile type
+	DefaultUnreachableTolerationSeconds = 300
+
+	// MediumNodeStatusUpdateFrequency refers to the "--node-status-update-frequency" of the kubelet in case of MediumUpdateAverageReaction WorkerLatencyProfile type
+	MediumNodeStatusUpdateFrequency = 20 * time.Second
+	// MediumNodeMonitorGracePeriod refers to the "--node-monitor-grace-period" of the Kube Controller Manager in case of MediumUpdateAverageReaction WorkerLatencyProfile type
+	MediumNodeMonitorGracePeriod = 2 * time.Minute
+	// MediumNotReadyTolerationSeconds refers to the "--default-not-ready-toleration-seconds" of the Kube API Server in case of MediumUpdateAverageReaction WorkerLatencyProfile type
+	MediumNotReadyTolerationSeconds = 60
+	// MediumUnreachableTolerationSeconds refers to the "--default-unreachable-toleration-seconds" of the Kube API Server in case of MediumUpdateAverageReaction WorkerLatencyProfile type
+	MediumUnreachableTolerationSeconds = 60
+
+	// LowNodeStatusUpdateFrequency refers to the "--node-status-update-frequency" of the kubelet in case of LowUpdateSlowReaction WorkerLatencyProfile type
+	LowNodeStatusUpdateFrequency = 1 * time.Minute
+	// LowNodeMonitorGracePeriod refers to the "--node-monitor-grace-period" of the Kube Controller Manager in case of LowUpdateSlowReaction WorkerLatencyProfile type
+	LowNodeMonitorGracePeriod = 5 * time.Minute
+	// LowNotReadyTolerationSeconds refers to the "--default-not-ready-toleration-seconds" of the Kube API Server in case of LowUpdateSlowReaction WorkerLatencyProfile type
+	LowNotReadyTolerationSeconds = 60
+	// LowUnreachableTolerationSeconds refers to the "--default-unreachable-toleration-seconds" of the Kube API Server in case of LowUpdateSlowReaction WorkerLatencyProfile type
+	LowUnreachableTolerationSeconds = 60
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type NodeList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Node `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_oauth.go b/vendor/github.com/openshift/api/config/v1/types_oauth.go
new file mode 100644
index 00000000..20845e4d
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_oauth.go
@@ -0,0 +1,597 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// OAuth Server and Identity Provider Config
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// OAuth holds cluster-wide information about OAuth.  The canonical name is `cluster`.
+// It is used to configure the integrated OAuth server.
+// This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=oauths,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type OAuth struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+	// spec holds user settable values for configuration
+	// +required
+	Spec OAuthSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status OAuthStatus `json:"status"`
+}
+
+// OAuthSpec contains desired cluster auth configuration
+type OAuthSpec struct {
+	// identityProviders is an ordered list of ways for a user to identify themselves.
+	// When this list is empty, no identities are provisioned for users.
+	// +optional
+	// +listType=atomic
+	IdentityProviders []IdentityProvider `json:"identityProviders,omitempty"`
+
+	// tokenConfig contains options for authorization and access tokens
+	TokenConfig TokenConfig `json:"tokenConfig"`
+
+	// templates allow you to customize pages like the login page.
+	// +optional
+	Templates OAuthTemplates `json:"templates"`
+}
+
+// OAuthStatus shows current known state of OAuth server in the cluster
+type OAuthStatus struct {
+	// TODO Fill in with status of identityProviders and templates (and maybe tokenConfig)
+}
+
+// TokenConfig holds the necessary configuration options for authorization and access tokens
+type TokenConfig struct {
+	// accessTokenMaxAgeSeconds defines the maximum age of access tokens
+	AccessTokenMaxAgeSeconds int32 `json:"accessTokenMaxAgeSeconds,omitempty"`
+
+	// accessTokenInactivityTimeoutSeconds - DEPRECATED: setting this field has no effect.
+	// +optional
+	AccessTokenInactivityTimeoutSeconds int32 `json:"accessTokenInactivityTimeoutSeconds,omitempty"`
+
+	// accessTokenInactivityTimeout defines the token inactivity timeout
+	// for tokens granted by any client.
+	// The value represents the maximum amount of time that can occur between
+	// consecutive uses of the token. Tokens become invalid if they are not
+	// used within this temporal window. The user will need to acquire a new
+	// token to regain access once a token times out. Takes valid time
+	// duration string such as "5m", "1.5h" or "2h45m". The minimum allowed
+	// value for duration is 300s (5 minutes). If the timeout is configured
+	// per client, then that value takes precedence. If the timeout value is
+	// not specified and the client does not override the value, then tokens
+	// are valid until their lifetime.
+	//
+	// WARNING: existing tokens' timeout will not be affected (lowered) by changing this value
+	// +optional
+	AccessTokenInactivityTimeout *metav1.Duration `json:"accessTokenInactivityTimeout,omitempty"`
+}
+
+const (
+	// LoginTemplateKey is the key of the login template in a secret
+	LoginTemplateKey = "login.html"
+
+	// ProviderSelectionTemplateKey is the key for the provider selection template in a secret
+	ProviderSelectionTemplateKey = "providers.html"
+
+	// ErrorsTemplateKey is the key for the errors template in a secret
+	ErrorsTemplateKey = "errors.html"
+
+	// BindPasswordKey is the key for the LDAP bind password in a secret
+	BindPasswordKey = "bindPassword"
+
+	// ClientSecretKey is the key for the oauth client secret data in a secret
+	ClientSecretKey = "clientSecret"
+
+	// HTPasswdDataKey is the key for the htpasswd file data in a secret
+	HTPasswdDataKey = "htpasswd"
+)
+
+// OAuthTemplates allow for customization of pages like the login page
+type OAuthTemplates struct {
+	// login is the name of a secret that specifies a go template to use to render the login page.
+	// The key "login.html" is used to locate the template data.
+	// If specified and the secret or expected key is not found, the default login page is used.
+	// If the specified template is not valid, the default login page is used.
+	// If unspecified, the default login page is used.
+	// The namespace for this secret is openshift-config.
+	// +optional
+	Login SecretNameReference `json:"login"`
+
+	// providerSelection is the name of a secret that specifies a go template to use to render
+	// the provider selection page.
+	// The key "providers.html" is used to locate the template data.
+	// If specified and the secret or expected key is not found, the default provider selection page is used.
+	// If the specified template is not valid, the default provider selection page is used.
+	// If unspecified, the default provider selection page is used.
+	// The namespace for this secret is openshift-config.
+	// +optional
+	ProviderSelection SecretNameReference `json:"providerSelection"`
+
+	// error is the name of a secret that specifies a go template to use to render error pages
+	// during the authentication or grant flow.
+	// The key "errors.html" is used to locate the template data.
+	// If specified and the secret or expected key is not found, the default error page is used.
+	// If the specified template is not valid, the default error page is used.
+	// If unspecified, the default error page is used.
+	// The namespace for this secret is openshift-config.
+	// +optional
+	Error SecretNameReference `json:"error"`
+}
+
+// IdentityProvider provides identities for users authenticating using credentials
+type IdentityProvider struct {
+	// name is used to qualify the identities returned by this provider.
+	// - It MUST be unique and not shared by any other identity provider used
+	// - It MUST be a valid path segment: name cannot equal "." or ".." or contain "/" or "%" or ":"
+	//   Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName
+	Name string `json:"name"`
+
+	// mappingMethod determines how identities from this provider are mapped to users
+	// Defaults to "claim"
+	// +optional
+	MappingMethod MappingMethodType `json:"mappingMethod,omitempty"`
+
+	IdentityProviderConfig `json:",inline"`
+}
+
+// MappingMethodType specifies how new identities should be mapped to users when they log in
+type MappingMethodType string
+
+const (
+	// MappingMethodClaim provisions a user with the identity’s preferred user name. Fails if a user
+	// with that user name is already mapped to another identity.
+	// Default.
+	MappingMethodClaim MappingMethodType = "claim"
+
+	// MappingMethodLookup looks up existing users already mapped to an identity but does not
+	// automatically provision users or identities. Requires identities and users be set up
+	// manually or using an external process.
+	MappingMethodLookup MappingMethodType = "lookup"
+
+	// MappingMethodAdd provisions a user with the identity’s preferred user name. If a user with
+	// that user name already exists, the identity is mapped to the existing user, adding to any
+	// existing identity mappings for the user.
+	MappingMethodAdd MappingMethodType = "add"
+)
+
+type IdentityProviderType string
+
+const (
+	// IdentityProviderTypeBasicAuth provides identities for users authenticating with HTTP Basic Auth
+	IdentityProviderTypeBasicAuth IdentityProviderType = "BasicAuth"
+
+	// IdentityProviderTypeGitHub provides identities for users authenticating using GitHub credentials
+	IdentityProviderTypeGitHub IdentityProviderType = "GitHub"
+
+	// IdentityProviderTypeGitLab provides identities for users authenticating using GitLab credentials
+	IdentityProviderTypeGitLab IdentityProviderType = "GitLab"
+
+	// IdentityProviderTypeGoogle provides identities for users authenticating using Google credentials
+	IdentityProviderTypeGoogle IdentityProviderType = "Google"
+
+	// IdentityProviderTypeHTPasswd provides identities from an HTPasswd file
+	IdentityProviderTypeHTPasswd IdentityProviderType = "HTPasswd"
+
+	// IdentityProviderTypeKeystone provides identitities for users authenticating using keystone password credentials
+	IdentityProviderTypeKeystone IdentityProviderType = "Keystone"
+
+	// IdentityProviderTypeLDAP provides identities for users authenticating using LDAP credentials
+	IdentityProviderTypeLDAP IdentityProviderType = "LDAP"
+
+	// IdentityProviderTypeOpenID provides identities for users authenticating using OpenID credentials
+	IdentityProviderTypeOpenID IdentityProviderType = "OpenID"
+
+	// IdentityProviderTypeRequestHeader provides identities for users authenticating using request header credentials
+	IdentityProviderTypeRequestHeader IdentityProviderType = "RequestHeader"
+)
+
+// IdentityProviderConfig contains configuration for using a specific identity provider
+type IdentityProviderConfig struct {
+	// type identifies the identity provider type for this entry.
+	Type IdentityProviderType `json:"type"`
+
+	// Provider-specific configuration
+	// The json tag MUST match the `Type` specified above, case-insensitively
+	// e.g. For `Type: "LDAP"`, the `ldap` configuration should be provided
+
+	// basicAuth contains configuration options for the BasicAuth IdP
+	// +optional
+	BasicAuth *BasicAuthIdentityProvider `json:"basicAuth,omitempty"`
+
+	// github enables user authentication using GitHub credentials
+	// +optional
+	GitHub *GitHubIdentityProvider `json:"github,omitempty"`
+
+	// gitlab enables user authentication using GitLab credentials
+	// +optional
+	GitLab *GitLabIdentityProvider `json:"gitlab,omitempty"`
+
+	// google enables user authentication using Google credentials
+	// +optional
+	Google *GoogleIdentityProvider `json:"google,omitempty"`
+
+	// htpasswd enables user authentication using an HTPasswd file to validate credentials
+	// +optional
+	HTPasswd *HTPasswdIdentityProvider `json:"htpasswd,omitempty"`
+
+	// keystone enables user authentication using keystone password credentials
+	// +optional
+	Keystone *KeystoneIdentityProvider `json:"keystone,omitempty"`
+
+	// ldap enables user authentication using LDAP credentials
+	// +optional
+	LDAP *LDAPIdentityProvider `json:"ldap,omitempty"`
+
+	// openID enables user authentication using OpenID credentials
+	// +optional
+	OpenID *OpenIDIdentityProvider `json:"openID,omitempty"`
+
+	// requestHeader enables user authentication using request header credentials
+	// +optional
+	RequestHeader *RequestHeaderIdentityProvider `json:"requestHeader,omitempty"`
+}
+
+// BasicAuthPasswordIdentityProvider provides identities for users authenticating using HTTP basic auth credentials
+type BasicAuthIdentityProvider struct {
+	// OAuthRemoteConnectionInfo contains information about how to connect to the external basic auth server
+	OAuthRemoteConnectionInfo `json:",inline"`
+}
+
+// OAuthRemoteConnectionInfo holds information necessary for establishing a remote connection
+type OAuthRemoteConnectionInfo struct {
+	// url is the remote URL to connect to
+	URL string `json:"url"`
+
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	CA ConfigMapNameReference `json:"ca"`
+
+	// tlsClientCert is an optional reference to a secret by name that contains the
+	// PEM-encoded TLS client certificate to present when connecting to the server.
+	// The key "tls.crt" is used to locate the data.
+	// If specified and the secret or expected key is not found, the identity provider is not honored.
+	// If the specified certificate data is not valid, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	// +optional
+	TLSClientCert SecretNameReference `json:"tlsClientCert"`
+
+	// tlsClientKey is an optional reference to a secret by name that contains the
+	// PEM-encoded TLS private key for the client certificate referenced in tlsClientCert.
+	// The key "tls.key" is used to locate the data.
+	// If specified and the secret or expected key is not found, the identity provider is not honored.
+	// If the specified certificate data is not valid, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	// +optional
+	TLSClientKey SecretNameReference `json:"tlsClientKey"`
+}
+
+// HTPasswdPasswordIdentityProvider provides identities for users authenticating using htpasswd credentials
+type HTPasswdIdentityProvider struct {
+	// fileData is a required reference to a secret by name containing the data to use as the htpasswd file.
+	// The key "htpasswd" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// If the specified htpasswd data is not valid, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	FileData SecretNameReference `json:"fileData"`
+}
+
+// LDAPPasswordIdentityProvider provides identities for users authenticating using LDAP credentials
+type LDAPIdentityProvider struct {
+	// url is an RFC 2255 URL which specifies the LDAP search parameters to use.
+	// The syntax of the URL is:
+	// ldap://host:port/basedn?attribute?scope?filter
+	URL string `json:"url"`
+
+	// bindDN is an optional DN to bind with during the search phase.
+	// +optional
+	BindDN string `json:"bindDN"`
+
+	// bindPassword is an optional reference to a secret by name
+	// containing a password to bind with during the search phase.
+	// The key "bindPassword" is used to locate the data.
+	// If specified and the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	// +optional
+	BindPassword SecretNameReference `json:"bindPassword"`
+
+	// insecure, if true, indicates the connection should not use TLS
+	// WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always
+	//          attempt to connect using TLS, even when `insecure` is set to `true`
+	// When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to
+	// a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830.
+	Insecure bool `json:"insecure"`
+
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	CA ConfigMapNameReference `json:"ca"`
+
+	// attributes maps LDAP attributes to identities
+	Attributes LDAPAttributeMapping `json:"attributes"`
+}
+
+// LDAPAttributeMapping maps LDAP attributes to OpenShift identity fields
+type LDAPAttributeMapping struct {
+	// id is the list of attributes whose values should be used as the user ID. Required.
+	// First non-empty attribute is used. At least one attribute is required. If none of the listed
+	// attribute have a value, authentication fails.
+	// LDAP standard identity attribute is "dn"
+	ID []string `json:"id"`
+
+	// preferredUsername is the list of attributes whose values should be used as the preferred username.
+	// LDAP standard login attribute is "uid"
+	// +optional
+	PreferredUsername []string `json:"preferredUsername,omitempty"`
+
+	// name is the list of attributes whose values should be used as the display name. Optional.
+	// If unspecified, no display name is set for the identity
+	// LDAP standard display name attribute is "cn"
+	// +optional
+	Name []string `json:"name,omitempty"`
+
+	// email is the list of attributes whose values should be used as the email address. Optional.
+	// If unspecified, no email is set for the identity
+	// +optional
+	Email []string `json:"email,omitempty"`
+}
+
+// KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials
+type KeystoneIdentityProvider struct {
+	// OAuthRemoteConnectionInfo contains information about how to connect to the keystone server
+	OAuthRemoteConnectionInfo `json:",inline"`
+
+	// domainName is required for keystone v3
+	DomainName string `json:"domainName"`
+
+	// TODO if we ever add support for 3.11 to 4.0 upgrades, add this configuration
+	// useUsernameIdentity indicates that users should be authenticated by username, not keystone ID
+	// DEPRECATED - only use this option for legacy systems to ensure backwards compatibility
+	// +optional
+	// UseUsernameIdentity bool `json:"useUsernameIdentity"`
+}
+
+// RequestHeaderIdentityProvider provides identities for users authenticating using request header credentials
+type RequestHeaderIdentityProvider struct {
+	// loginURL is a URL to redirect unauthenticated /authorize requests to
+	// Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here
+	// ${url} is replaced with the current URL, escaped to be safe in a query parameter
+	//   https://www.example.com/sso-login?then=${url}
+	// ${query} is replaced with the current query string
+	//   https://www.example.com/auth-proxy/oauth/authorize?${query}
+	// Required when login is set to true.
+	LoginURL string `json:"loginURL"`
+
+	// challengeURL is a URL to redirect unauthenticated /authorize requests to
+	// Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be
+	// redirected here.
+	// ${url} is replaced with the current URL, escaped to be safe in a query parameter
+	//   https://www.example.com/sso-login?then=${url}
+	// ${query} is replaced with the current query string
+	//   https://www.example.com/auth-proxy/oauth/authorize?${query}
+	// Required when challenge is set to true.
+	ChallengeURL string `json:"challengeURL"`
+
+	// ca is a required reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// Specifically, it allows verification of incoming requests to prevent header spoofing.
+	// The key "ca.crt" is used to locate the data.
+	// If the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// The namespace for this config map is openshift-config.
+	ClientCA ConfigMapNameReference `json:"ca"`
+
+	// clientCommonNames is an optional list of common names to require a match from. If empty, any
+	// client certificate validated against the clientCA bundle is considered authoritative.
+	// +optional
+	ClientCommonNames []string `json:"clientCommonNames,omitempty"`
+
+	// headers is the set of headers to check for identity information
+	Headers []string `json:"headers"`
+
+	// preferredUsernameHeaders is the set of headers to check for the preferred username
+	PreferredUsernameHeaders []string `json:"preferredUsernameHeaders"`
+
+	// nameHeaders is the set of headers to check for the display name
+	NameHeaders []string `json:"nameHeaders"`
+
+	// emailHeaders is the set of headers to check for the email address
+	EmailHeaders []string `json:"emailHeaders"`
+}
+
+// GitHubIdentityProvider provides identities for users authenticating using GitHub credentials
+type GitHubIdentityProvider struct {
+	// clientID is the oauth client ID
+	ClientID string `json:"clientID"`
+
+	// clientSecret is a required reference to the secret by name containing the oauth client secret.
+	// The key "clientSecret" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	ClientSecret SecretNameReference `json:"clientSecret"`
+
+	// organizations optionally restricts which organizations are allowed to log in
+	// +optional
+	Organizations []string `json:"organizations,omitempty"`
+
+	// teams optionally restricts which teams are allowed to log in. Format is <org>/<team>.
+	// +optional
+	Teams []string `json:"teams,omitempty"`
+
+	// hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of
+	// GitHub Enterprise.
+	// It must match the GitHub Enterprise settings value configured at /setup/settings#hostname.
+	// +optional
+	Hostname string `json:"hostname"`
+
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// This can only be configured when hostname is set to a non-empty value.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	CA ConfigMapNameReference `json:"ca"`
+}
+
+// GitLabIdentityProvider provides identities for users authenticating using GitLab credentials
+type GitLabIdentityProvider struct {
+	// clientID is the oauth client ID
+	ClientID string `json:"clientID"`
+
+	// clientSecret is a required reference to the secret by name containing the oauth client secret.
+	// The key "clientSecret" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	ClientSecret SecretNameReference `json:"clientSecret"`
+
+	// url is the oauth server base URL
+	URL string `json:"url"`
+
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	CA ConfigMapNameReference `json:"ca"`
+}
+
+// GoogleIdentityProvider provides identities for users authenticating using Google credentials
+type GoogleIdentityProvider struct {
+	// clientID is the oauth client ID
+	ClientID string `json:"clientID"`
+
+	// clientSecret is a required reference to the secret by name containing the oauth client secret.
+	// The key "clientSecret" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	ClientSecret SecretNameReference `json:"clientSecret"`
+
+	// hostedDomain is the optional Google App domain (e.g. "mycompany.com") to restrict logins to
+	// +optional
+	HostedDomain string `json:"hostedDomain"`
+}
+
+// OpenIDIdentityProvider provides identities for users authenticating using OpenID credentials
+type OpenIDIdentityProvider struct {
+	// clientID is the oauth client ID
+	ClientID string `json:"clientID"`
+
+	// clientSecret is a required reference to the secret by name containing the oauth client secret.
+	// The key "clientSecret" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	ClientSecret SecretNameReference `json:"clientSecret"`
+
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	CA ConfigMapNameReference `json:"ca"`
+
+	// extraScopes are any scopes to request in addition to the standard "openid" scope.
+	// +optional
+	ExtraScopes []string `json:"extraScopes,omitempty"`
+
+	// extraAuthorizeParameters are any custom parameters to add to the authorize request.
+	// +optional
+	ExtraAuthorizeParameters map[string]string `json:"extraAuthorizeParameters,omitempty"`
+
+	// issuer is the URL that the OpenID Provider asserts as its Issuer Identifier.
+	// It must use the https scheme with no query or fragment component.
+	Issuer string `json:"issuer"`
+
+	// claims mappings
+	Claims OpenIDClaims `json:"claims"`
+}
+
+// UserIDClaim is the claim used to provide a stable identifier for OIDC identities.
+// Per http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
+//
+//	"The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can
+//	 rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique
+//	 and never reassigned within the Issuer for a particular End-User, as described in Section 2.
+//	 Therefore, the only guaranteed unique identifier for a given End-User is the combination of the
+//	 iss Claim and the sub Claim."
+const UserIDClaim = "sub"
+
+// OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo
+// responses
+// +kubebuilder:validation:MinLength=1
+type OpenIDClaim string
+
+// OpenIDClaims contains a list of OpenID claims to use when authenticating with an OpenID identity provider
+type OpenIDClaims struct {
+	// preferredUsername is the list of claims whose values should be used as the preferred username.
+	// If unspecified, the preferred username is determined from the value of the sub claim
+	// +listType=atomic
+	// +optional
+	PreferredUsername []string `json:"preferredUsername,omitempty"`
+
+	// name is the list of claims whose values should be used as the display name. Optional.
+	// If unspecified, no display name is set for the identity
+	// +listType=atomic
+	// +optional
+	Name []string `json:"name,omitempty"`
+
+	// email is the list of claims whose values should be used as the email address. Optional.
+	// If unspecified, no email is set for the identity
+	// +listType=atomic
+	// +optional
+	Email []string `json:"email,omitempty"`
+
+	// groups is the list of claims value of which should be used to synchronize groups
+	// from the OIDC provider to OpenShift for the user.
+	// If multiple claims are specified, the first one with a non-empty value is used.
+	// +listType=atomic
+	// +optional
+	Groups []OpenIDClaim `json:"groups,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type OAuthList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []OAuth `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_operatorhub.go b/vendor/github.com/openshift/api/config/v1/types_operatorhub.go
new file mode 100644
index 00000000..a4971a20
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_operatorhub.go
@@ -0,0 +1,97 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OperatorHubSpec defines the desired state of OperatorHub
+type OperatorHubSpec struct {
+	// disableAllDefaultSources allows you to disable all the default hub
+	// sources. If this is true, a specific entry in sources can be used to
+	// enable a default source. If this is false, a specific entry in
+	// sources can be used to disable or enable a default source.
+	// +optional
+	DisableAllDefaultSources bool `json:"disableAllDefaultSources,omitempty"`
+	// sources is the list of default hub sources and their configuration.
+	// If the list is empty, it implies that the default hub sources are
+	// enabled on the cluster unless disableAllDefaultSources is true.
+	// If disableAllDefaultSources is true and sources is not empty,
+	// the configuration present in sources will take precedence. The list of
+	// default hub sources and their current state will always be reflected in
+	// the status block.
+	// +optional
+	Sources []HubSource `json:"sources,omitempty"`
+}
+
+// OperatorHubStatus defines the observed state of OperatorHub. The current
+// state of the default hub sources will always be reflected here.
+type OperatorHubStatus struct {
+	// sources encapsulates the result of applying the configuration for each
+	// hub source
+	// +optional
+	Sources []HubSourceStatus `json:"sources,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// OperatorHub is the Schema for the operatorhubs API. It can be used to change
+// the state of the default hub sources for OperatorHub on the cluster from
+// enabled to disabled and vice versa.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=operatorhubs,scope=Cluster
+// +kubebuilder:subresource:status
+// +genclient
+// +genclient:nonNamespaced
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_03,operatorName=marketplace,operatorOrdering=01
+// +openshift:capability=marketplace
+// +openshift:compatibility-gen:level=1
+type OperatorHub struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec   OperatorHubSpec   `json:"spec"`
+	Status OperatorHubStatus `json:"status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// OperatorHubList contains a list of OperatorHub
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type OperatorHubList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+	Items           []OperatorHub `json:"items"`
+}
+
+// HubSource is used to specify the hub source and its configuration
+type HubSource struct {
+	// name is the name of one of the default hub sources
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:Required
+	Name string `json:"name"`
+	// disabled is used to disable a default hub source on cluster
+	// +kubebuilder:Required
+	Disabled bool `json:"disabled"`
+}
+
+// HubSourceStatus is used to reflect the current state of applying the
+// configuration to a default source
+type HubSourceStatus struct {
+	HubSource `json:",omitempty"`
+	// status indicates success or failure in applying the configuration
+	Status string `json:"status,omitempty"`
+	// message provides more information regarding failures
+	Message string `json:"message,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_project.go b/vendor/github.com/openshift/api/config/v1/types_project.go
new file mode 100644
index 00000000..3d219862
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_project.go
@@ -0,0 +1,70 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Project holds cluster-wide information about Project.  The canonical name is `cluster`
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=projects,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type Project struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec ProjectSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status ProjectStatus `json:"status"`
+}
+
+// TemplateReference references a template in a specific namespace.
+// The namespace must be specified at the point of use.
+type TemplateReference struct {
+	// name is the metadata.name of the referenced project request template
+	Name string `json:"name"`
+}
+
+// ProjectSpec holds the project creation configuration.
+type ProjectSpec struct {
+	// projectRequestMessage is the string presented to a user if they are unable to request a project via the projectrequest api endpoint
+	// +optional
+	ProjectRequestMessage string `json:"projectRequestMessage"`
+
+	// projectRequestTemplate is the template to use for creating projects in response to projectrequest.
+	// This must point to a template in 'openshift-config' namespace. It is optional.
+	// If it is not specified, a default template is used.
+	//
+	// +optional
+	ProjectRequestTemplate TemplateReference `json:"projectRequestTemplate"`
+}
+
+type ProjectStatus struct {
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type ProjectList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Project `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_proxy.go b/vendor/github.com/openshift/api/config/v1/types_proxy.go
new file mode 100644
index 00000000..ed40176c
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_proxy.go
@@ -0,0 +1,110 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Proxy holds cluster-wide information on how to configure default proxies for the cluster. The canonical name is `cluster`
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_03,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=proxies,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type Proxy struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user-settable values for the proxy configuration
+	// +required
+	Spec ProxySpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status ProxyStatus `json:"status"`
+}
+
+// ProxySpec contains cluster proxy creation configuration.
+type ProxySpec struct {
+	// httpProxy is the URL of the proxy for HTTP requests.  Empty means unset and will not result in an env var.
+	// +optional
+	HTTPProxy string `json:"httpProxy,omitempty"`
+
+	// httpsProxy is the URL of the proxy for HTTPS requests.  Empty means unset and will not result in an env var.
+	// +optional
+	HTTPSProxy string `json:"httpsProxy,omitempty"`
+
+	// noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used.
+	// Empty means unset and will not result in an env var.
+	// +optional
+	NoProxy string `json:"noProxy,omitempty"`
+
+	// readinessEndpoints is a list of endpoints used to verify readiness of the proxy.
+	// +optional
+	ReadinessEndpoints []string `json:"readinessEndpoints,omitempty"`
+
+	// trustedCA is a reference to a ConfigMap containing a CA certificate bundle.
+	// The trustedCA field should only be consumed by a proxy validator. The
+	// validator is responsible for reading the certificate bundle from the required
+	// key "ca-bundle.crt", merging it with the system default trust bundle,
+	// and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle"
+	// in the "openshift-config-managed" namespace. Clients that expect to make
+	// proxy connections must use the trusted-ca-bundle for all HTTPS requests to
+	// the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as
+	// well.
+	//
+	// The namespace for the ConfigMap referenced by trustedCA is
+	// "openshift-config". Here is an example ConfigMap (in yaml):
+	//
+	// apiVersion: v1
+	// kind: ConfigMap
+	// metadata:
+	//  name: user-ca-bundle
+	//  namespace: openshift-config
+	//  data:
+	//    ca-bundle.crt: |
+	//      -----BEGIN CERTIFICATE-----
+	//      Custom CA certificate bundle.
+	//      -----END CERTIFICATE-----
+	//
+	// +optional
+	TrustedCA ConfigMapNameReference `json:"trustedCA,omitempty"`
+}
+
+// ProxyStatus shows current known state of the cluster proxy.
+type ProxyStatus struct {
+	// httpProxy is the URL of the proxy for HTTP requests.
+	// +optional
+	HTTPProxy string `json:"httpProxy,omitempty"`
+
+	// httpsProxy is the URL of the proxy for HTTPS requests.
+	// +optional
+	HTTPSProxy string `json:"httpsProxy,omitempty"`
+
+	// noProxy is a comma-separated list of hostnames and/or CIDRs for which the proxy should not be used.
+	// +optional
+	NoProxy string `json:"noProxy,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type ProxyList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Proxy `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_scheduling.go b/vendor/github.com/openshift/api/config/v1/types_scheduling.go
new file mode 100644
index 00000000..c90d5633
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_scheduling.go
@@ -0,0 +1,144 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Scheduler holds cluster-wide config information to run the Kubernetes Scheduler
+// and influence its placement decisions. The canonical name for this config is `cluster`.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=schedulers,scope=Cluster
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true
+type Scheduler struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +required
+	Spec SchedulerSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status SchedulerStatus `json:"status"`
+}
+
+type SchedulerSpec struct {
+	// DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release.
+	// policy is a reference to a ConfigMap containing scheduler policy which has
+	// user specified predicates and priorities. If this ConfigMap is not available
+	// scheduler will default to use DefaultAlgorithmProvider.
+	// The namespace for this configmap is openshift-config.
+	// +optional
+	Policy ConfigMapNameReference `json:"policy,omitempty"`
+	// profile sets which scheduling profile should be set in order to configure scheduling
+	// decisions for new pods.
+	//
+	// Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring"
+	// Defaults to "LowNodeUtilization"
+	// +optional
+	Profile SchedulerProfile `json:"profile,omitempty"`
+	// profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles.
+	// +openshift:enable:FeatureGate=DynamicResourceAllocation
+	// +optional
+	ProfileCustomizations ProfileCustomizations `json:"profileCustomizations"`
+	// defaultNodeSelector helps set the cluster-wide default node selector to
+	// restrict pod placement to specific nodes. This is applied to the pods
+	// created in all namespaces and creates an intersection with any existing
+	// nodeSelectors already set on a pod, additionally constraining that pod's selector.
+	// For example,
+	// defaultNodeSelector: "type=user-node,region=east" would set nodeSelector
+	// field in pod spec to "type=user-node,region=east" to all pods created
+	// in all namespaces. Namespaces having project-wide node selectors won't be
+	// impacted even if this field is set. This adds an annotation section to
+	// the namespace.
+	// For example, if a new namespace is created with
+	// node-selector='type=user-node,region=east',
+	// the annotation openshift.io/node-selector: type=user-node,region=east
+	// gets added to the project. When the openshift.io/node-selector annotation
+	// is set on the project the value is used in preference to the value we are setting
+	// for defaultNodeSelector field.
+	// For instance,
+	// openshift.io/node-selector: "type=user-node,region=west" means
+	// that the default of "type=user-node,region=east" set in defaultNodeSelector
+	// would not be applied.
+	// +optional
+	DefaultNodeSelector string `json:"defaultNodeSelector,omitempty"`
+	// mastersSchedulable allows masters nodes to be schedulable. When this flag is
+	// turned on, all the master nodes in the cluster will be made schedulable,
+	// so that workload pods can run on them. The default value for this field is false,
+	// meaning none of the master nodes are schedulable.
+	// Important Note: Once the workload pods start running on the master nodes,
+	// extreme care must be taken to ensure that cluster-critical control plane components
+	// are not impacted.
+	// Please turn on this field after doing due diligence.
+	// +optional
+	MastersSchedulable bool `json:"mastersSchedulable"`
+}
+
+// +kubebuilder:validation:Enum="";LowNodeUtilization;HighNodeUtilization;NoScoring
+type SchedulerProfile string
+
+var (
+	// LowNodeUtililization is the default, and defines a scheduling profile which prefers to
+	// spread pods evenly among nodes targeting low resource consumption on each node.
+	LowNodeUtilization SchedulerProfile = "LowNodeUtilization"
+
+	// HighNodeUtilization defines a scheduling profile which packs as many pods as possible onto
+	// as few nodes as possible targeting a small node count but high resource usage on each node.
+	HighNodeUtilization SchedulerProfile = "HighNodeUtilization"
+
+	// NoScoring defines a scheduling profile which tries to provide lower-latency scheduling
+	// at the expense of potentially less optimal pod placement decisions.
+	NoScoring SchedulerProfile = "NoScoring"
+)
+
+// ProfileCustomizations contains various parameters for modifying the default behavior of certain profiles
+type ProfileCustomizations struct {
+	// dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler.
+	// Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod.
+	// Third-party resource drivers are responsible for tracking and allocating resources.
+	// Different kinds of resources support arbitrary parameters for defining requirements and initialization.
+	// Valid values are Enabled, Disabled and omitted.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default,
+	// which is subject to change over time.
+	// The current default is Disabled.
+	// +optional
+	DynamicResourceAllocation DRAEnablement `json:"dynamicResourceAllocation"`
+}
+
+// +kubebuilder:validation:Enum:="";"Enabled";"Disabled"
+type DRAEnablement string
+
+var (
+	// DRAEnablementEnabled enables dynamic resource allocation feature
+	DRAEnablementEnabled DRAEnablement = "Enabled"
+	// DRAEnablementDisabled disables dynamic resource allocation feature
+	DRAEnablementDisabled DRAEnablement = "Disabled"
+)
+
+type SchedulerStatus struct {
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type SchedulerList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Scheduler `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_testreporting.go b/vendor/github.com/openshift/api/config/v1/types_testreporting.go
new file mode 100644
index 00000000..00953957
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_testreporting.go
@@ -0,0 +1,45 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// TestReporting is used for origin (and potentially others) to report the test names for a given FeatureGate into
+// the payload for later analysis on a per-payload basis.
+// This doesn't need any CRD because it's never stored in the cluster.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:internal
+type TestReporting struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// +required
+	Spec TestReportingSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status TestReportingStatus `json:"status"`
+}
+
+type TestReportingSpec struct {
+	// testsForFeatureGates is a list, indexed by FeatureGate and includes information about testing.
+	TestsForFeatureGates []FeatureGateTests `json:"testsForFeatureGates"`
+}
+
+type FeatureGateTests struct {
+	// featureGate is the name of the FeatureGate as it appears in The FeatureGate CR instance.
+	FeatureGate string `json:"featureGate"`
+
+	// tests contains an item for every TestName
+	Tests []TestDetails `json:"tests"`
+}
+
+type TestDetails struct {
+	// testName is the name of the test as it appears in junit XMLs.
+	// It does not include the suite name since the same test can be executed in many suites.
+	TestName string `json:"testName"`
+}
+
+type TestReportingStatus struct {
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
new file mode 100644
index 00000000..b18ef647
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
@@ -0,0 +1,312 @@
+package v1
+
+// TLSSecurityProfile defines the schema for a TLS security profile. This object
+// is used by operators to apply TLS security settings to operands.
+// +union
+type TLSSecurityProfile struct {
+	// type is one of Old, Intermediate, Modern or Custom. Custom provides
+	// the ability to specify individual TLS security profile parameters.
+	// Old, Intermediate and Modern are TLS security profiles based on:
+	//
+	// https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
+	//
+	// The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers
+	// are found to be insecure.  Depending on precisely which ciphers are available to a process, the list may be
+	// reduced.
+	//
+	// Note that the Modern profile is currently not supported because it is not
+	// yet well adopted by common software libraries.
+	//
+	// +unionDiscriminator
+	// +optional
+	Type TLSProfileType `json:"type"`
+	// old is a TLS security profile based on:
+	//
+	// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+	//
+	// and looks like this (yaml):
+	//
+	//   ciphers:
+	//
+	//     - TLS_AES_128_GCM_SHA256
+	//
+	//     - TLS_AES_256_GCM_SHA384
+	//
+	//     - TLS_CHACHA20_POLY1305_SHA256
+	//
+	//     - ECDHE-ECDSA-AES128-GCM-SHA256
+	//
+	//     - ECDHE-RSA-AES128-GCM-SHA256
+	//
+	//     - ECDHE-ECDSA-AES256-GCM-SHA384
+	//
+	//     - ECDHE-RSA-AES256-GCM-SHA384
+	//
+	//     - ECDHE-ECDSA-CHACHA20-POLY1305
+	//
+	//     - ECDHE-RSA-CHACHA20-POLY1305
+	//
+	//     - DHE-RSA-AES128-GCM-SHA256
+	//
+	//     - DHE-RSA-AES256-GCM-SHA384
+	//
+	//     - DHE-RSA-CHACHA20-POLY1305
+	//
+	//     - ECDHE-ECDSA-AES128-SHA256
+	//
+	//     - ECDHE-RSA-AES128-SHA256
+	//
+	//     - ECDHE-ECDSA-AES128-SHA
+	//
+	//     - ECDHE-RSA-AES128-SHA
+	//
+	//     - ECDHE-ECDSA-AES256-SHA384
+	//
+	//     - ECDHE-RSA-AES256-SHA384
+	//
+	//     - ECDHE-ECDSA-AES256-SHA
+	//
+	//     - ECDHE-RSA-AES256-SHA
+	//
+	//     - DHE-RSA-AES128-SHA256
+	//
+	//     - DHE-RSA-AES256-SHA256
+	//
+	//     - AES128-GCM-SHA256
+	//
+	//     - AES256-GCM-SHA384
+	//
+	//     - AES128-SHA256
+	//
+	//     - AES256-SHA256
+	//
+	//     - AES128-SHA
+	//
+	//     - AES256-SHA
+	//
+	//     - DES-CBC3-SHA
+	//
+	//   minTLSVersion: VersionTLS10
+	//
+	// +optional
+	// +nullable
+	Old *OldTLSProfile `json:"old,omitempty"`
+	// intermediate is a TLS security profile based on:
+	//
+	// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
+	//
+	// and looks like this (yaml):
+	//
+	//   ciphers:
+	//
+	//     - TLS_AES_128_GCM_SHA256
+	//
+	//     - TLS_AES_256_GCM_SHA384
+	//
+	//     - TLS_CHACHA20_POLY1305_SHA256
+	//
+	//     - ECDHE-ECDSA-AES128-GCM-SHA256
+	//
+	//     - ECDHE-RSA-AES128-GCM-SHA256
+	//
+	//     - ECDHE-ECDSA-AES256-GCM-SHA384
+	//
+	//     - ECDHE-RSA-AES256-GCM-SHA384
+	//
+	//     - ECDHE-ECDSA-CHACHA20-POLY1305
+	//
+	//     - ECDHE-RSA-CHACHA20-POLY1305
+	//
+	//     - DHE-RSA-AES128-GCM-SHA256
+	//
+	//     - DHE-RSA-AES256-GCM-SHA384
+	//
+	//   minTLSVersion: VersionTLS12
+	//
+	// +optional
+	// +nullable
+	Intermediate *IntermediateTLSProfile `json:"intermediate,omitempty"`
+	// modern is a TLS security profile based on:
+	//
+	// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+	//
+	// and looks like this (yaml):
+	//
+	//   ciphers:
+	//
+	//     - TLS_AES_128_GCM_SHA256
+	//
+	//     - TLS_AES_256_GCM_SHA384
+	//
+	//     - TLS_CHACHA20_POLY1305_SHA256
+	//
+	//   minTLSVersion: VersionTLS13
+	//
+	// +optional
+	// +nullable
+	Modern *ModernTLSProfile `json:"modern,omitempty"`
+	// custom is a user-defined TLS security profile. Be extremely careful using a custom
+	// profile as invalid configurations can be catastrophic. An example custom profile
+	// looks like this:
+	//
+	//   ciphers:
+	//
+	//     - ECDHE-ECDSA-CHACHA20-POLY1305
+	//
+	//     - ECDHE-RSA-CHACHA20-POLY1305
+	//
+	//     - ECDHE-RSA-AES128-GCM-SHA256
+	//
+	//     - ECDHE-ECDSA-AES128-GCM-SHA256
+	//
+	//   minTLSVersion: VersionTLS11
+	//
+	// +optional
+	// +nullable
+	Custom *CustomTLSProfile `json:"custom,omitempty"`
+}
+
+// OldTLSProfile is a TLS security profile based on:
+// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+type OldTLSProfile struct{}
+
+// IntermediateTLSProfile is a TLS security profile based on:
+// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
+type IntermediateTLSProfile struct{}
+
+// ModernTLSProfile is a TLS security profile based on:
+// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+type ModernTLSProfile struct{}
+
+// CustomTLSProfile is a user-defined TLS security profile. Be extremely careful
+// using a custom TLS profile as invalid configurations can be catastrophic.
+type CustomTLSProfile struct {
+	TLSProfileSpec `json:",inline"`
+}
+
+// TLSProfileType defines a TLS security profile type.
+// +kubebuilder:validation:Enum=Old;Intermediate;Modern;Custom
+type TLSProfileType string
+
+const (
+	// Old is a TLS security profile based on:
+	// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+	TLSProfileOldType TLSProfileType = "Old"
+	// Intermediate is a TLS security profile based on:
+	// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
+	TLSProfileIntermediateType TLSProfileType = "Intermediate"
+	// Modern is a TLS security profile based on:
+	// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+	TLSProfileModernType TLSProfileType = "Modern"
+	// Custom is a TLS security profile that allows for user-defined parameters.
+	TLSProfileCustomType TLSProfileType = "Custom"
+)
+
+// TLSProfileSpec is the desired behavior of a TLSSecurityProfile.
+type TLSProfileSpec struct {
+	// ciphers is used to specify the cipher algorithms that are negotiated
+	// during the TLS handshake.  Operators may remove entries their operands
+	// do not support.  For example, to use DES-CBC3-SHA  (yaml):
+	//
+	//   ciphers:
+	//     - DES-CBC3-SHA
+	//
+	// +listType=atomic
+	Ciphers []string `json:"ciphers"`
+	// minTLSVersion is used to specify the minimal version of the TLS protocol
+	// that is negotiated during the TLS handshake. For example, to use TLS
+	// versions 1.1, 1.2 and 1.3 (yaml):
+	//
+	//   minTLSVersion: VersionTLS11
+	//
+	// NOTE: currently the highest minTLSVersion allowed is VersionTLS12
+	//
+	MinTLSVersion TLSProtocolVersion `json:"minTLSVersion"`
+}
+
+// TLSProtocolVersion is a way to specify the protocol version used for TLS connections.
+// Protocol versions are based on the following most common TLS configurations:
+//
+//	https://ssl-config.mozilla.org/
+//
+// Note that SSLv3.0 is not a supported protocol version due to well known
+// vulnerabilities such as POODLE: https://en.wikipedia.org/wiki/POODLE
+// +kubebuilder:validation:Enum=VersionTLS10;VersionTLS11;VersionTLS12;VersionTLS13
+type TLSProtocolVersion string
+
+const (
+	// VersionTLSv10 is version 1.0 of the TLS security protocol.
+	VersionTLS10 TLSProtocolVersion = "VersionTLS10"
+	// VersionTLSv11 is version 1.1 of the TLS security protocol.
+	VersionTLS11 TLSProtocolVersion = "VersionTLS11"
+	// VersionTLSv12 is version 1.2 of the TLS security protocol.
+	VersionTLS12 TLSProtocolVersion = "VersionTLS12"
+	// VersionTLSv13 is version 1.3 of the TLS security protocol.
+	VersionTLS13 TLSProtocolVersion = "VersionTLS13"
+)
+
+// TLSProfiles Contains a map of TLSProfileType names to TLSProfileSpec.
+//
+// NOTE: The caller needs to make sure to check that these constants are valid for their binary. Not all
+// entries map to values for all binaries.  In the case of ties, the kube-apiserver wins.  Do not fail,
+// just be sure to whitelist only and everything will be ok.
+var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
+	TLSProfileOldType: {
+		Ciphers: []string{
+			"TLS_AES_128_GCM_SHA256",
+			"TLS_AES_256_GCM_SHA384",
+			"TLS_CHACHA20_POLY1305_SHA256",
+			"ECDHE-ECDSA-AES128-GCM-SHA256",
+			"ECDHE-RSA-AES128-GCM-SHA256",
+			"ECDHE-ECDSA-AES256-GCM-SHA384",
+			"ECDHE-RSA-AES256-GCM-SHA384",
+			"ECDHE-ECDSA-CHACHA20-POLY1305",
+			"ECDHE-RSA-CHACHA20-POLY1305",
+			"DHE-RSA-AES128-GCM-SHA256",
+			"DHE-RSA-AES256-GCM-SHA384",
+			"DHE-RSA-CHACHA20-POLY1305",
+			"ECDHE-ECDSA-AES128-SHA256",
+			"ECDHE-RSA-AES128-SHA256",
+			"ECDHE-ECDSA-AES128-SHA",
+			"ECDHE-RSA-AES128-SHA",
+			"ECDHE-ECDSA-AES256-SHA384",
+			"ECDHE-RSA-AES256-SHA384",
+			"ECDHE-ECDSA-AES256-SHA",
+			"ECDHE-RSA-AES256-SHA",
+			"DHE-RSA-AES128-SHA256",
+			"DHE-RSA-AES256-SHA256",
+			"AES128-GCM-SHA256",
+			"AES256-GCM-SHA384",
+			"AES128-SHA256",
+			"AES256-SHA256",
+			"AES128-SHA",
+			"AES256-SHA",
+			"DES-CBC3-SHA",
+		},
+		MinTLSVersion: VersionTLS10,
+	},
+	TLSProfileIntermediateType: {
+		Ciphers: []string{
+			"TLS_AES_128_GCM_SHA256",
+			"TLS_AES_256_GCM_SHA384",
+			"TLS_CHACHA20_POLY1305_SHA256",
+			"ECDHE-ECDSA-AES128-GCM-SHA256",
+			"ECDHE-RSA-AES128-GCM-SHA256",
+			"ECDHE-ECDSA-AES256-GCM-SHA384",
+			"ECDHE-RSA-AES256-GCM-SHA384",
+			"ECDHE-ECDSA-CHACHA20-POLY1305",
+			"ECDHE-RSA-CHACHA20-POLY1305",
+			"DHE-RSA-AES128-GCM-SHA256",
+			"DHE-RSA-AES256-GCM-SHA384",
+		},
+		MinTLSVersion: VersionTLS12,
+	},
+	TLSProfileModernType: {
+		Ciphers: []string{
+			"TLS_AES_128_GCM_SHA256",
+			"TLS_AES_256_GCM_SHA384",
+			"TLS_CHACHA20_POLY1305_SHA256",
+		},
+		MinTLSVersion: VersionTLS13,
+	},
+}
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..70edc176
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
@@ -0,0 +1,6653 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Code generated by codegen. DO NOT EDIT.
+
+package v1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIServer) DeepCopyInto(out *APIServer) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIServer.
+func (in *APIServer) DeepCopy() *APIServer {
+	if in == nil {
+		return nil
+	}
+	out := new(APIServer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *APIServer) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIServerEncryption) DeepCopyInto(out *APIServerEncryption) {
+	*out = *in
+	if in.KMS != nil {
+		in, out := &in.KMS, &out.KMS
+		*out = new(KMSConfig)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIServerEncryption.
+func (in *APIServerEncryption) DeepCopy() *APIServerEncryption {
+	if in == nil {
+		return nil
+	}
+	out := new(APIServerEncryption)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIServerList) DeepCopyInto(out *APIServerList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]APIServer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIServerList.
+func (in *APIServerList) DeepCopy() *APIServerList {
+	if in == nil {
+		return nil
+	}
+	out := new(APIServerList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *APIServerList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIServerNamedServingCert) DeepCopyInto(out *APIServerNamedServingCert) {
+	*out = *in
+	if in.Names != nil {
+		in, out := &in.Names, &out.Names
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	out.ServingCertificate = in.ServingCertificate
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIServerNamedServingCert.
+func (in *APIServerNamedServingCert) DeepCopy() *APIServerNamedServingCert {
+	if in == nil {
+		return nil
+	}
+	out := new(APIServerNamedServingCert)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIServerServingCerts) DeepCopyInto(out *APIServerServingCerts) {
+	*out = *in
+	if in.NamedCertificates != nil {
+		in, out := &in.NamedCertificates, &out.NamedCertificates
+		*out = make([]APIServerNamedServingCert, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIServerServingCerts.
+func (in *APIServerServingCerts) DeepCopy() *APIServerServingCerts {
+	if in == nil {
+		return nil
+	}
+	out := new(APIServerServingCerts)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIServerSpec) DeepCopyInto(out *APIServerSpec) {
+	*out = *in
+	in.ServingCerts.DeepCopyInto(&out.ServingCerts)
+	out.ClientCA = in.ClientCA
+	if in.AdditionalCORSAllowedOrigins != nil {
+		in, out := &in.AdditionalCORSAllowedOrigins, &out.AdditionalCORSAllowedOrigins
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	in.Encryption.DeepCopyInto(&out.Encryption)
+	if in.TLSSecurityProfile != nil {
+		in, out := &in.TLSSecurityProfile, &out.TLSSecurityProfile
+		*out = new(TLSSecurityProfile)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Audit.DeepCopyInto(&out.Audit)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIServerSpec.
+func (in *APIServerSpec) DeepCopy() *APIServerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(APIServerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIServerStatus) DeepCopyInto(out *APIServerStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIServerStatus.
+func (in *APIServerStatus) DeepCopy() *APIServerStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(APIServerStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSDNSSpec) DeepCopyInto(out *AWSDNSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSDNSSpec.
+func (in *AWSDNSSpec) DeepCopy() *AWSDNSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSDNSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSIngressSpec) DeepCopyInto(out *AWSIngressSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSIngressSpec.
+func (in *AWSIngressSpec) DeepCopy() *AWSIngressSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSIngressSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSKMSConfig) DeepCopyInto(out *AWSKMSConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSKMSConfig.
+func (in *AWSKMSConfig) DeepCopy() *AWSKMSConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSKMSConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSPlatformSpec) DeepCopyInto(out *AWSPlatformSpec) {
+	*out = *in
+	if in.ServiceEndpoints != nil {
+		in, out := &in.ServiceEndpoints, &out.ServiceEndpoints
+		*out = make([]AWSServiceEndpoint, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSPlatformSpec.
+func (in *AWSPlatformSpec) DeepCopy() *AWSPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSPlatformStatus) DeepCopyInto(out *AWSPlatformStatus) {
+	*out = *in
+	if in.ServiceEndpoints != nil {
+		in, out := &in.ServiceEndpoints, &out.ServiceEndpoints
+		*out = make([]AWSServiceEndpoint, len(*in))
+		copy(*out, *in)
+	}
+	if in.ResourceTags != nil {
+		in, out := &in.ResourceTags, &out.ResourceTags
+		*out = make([]AWSResourceTag, len(*in))
+		copy(*out, *in)
+	}
+	if in.CloudLoadBalancerConfig != nil {
+		in, out := &in.CloudLoadBalancerConfig, &out.CloudLoadBalancerConfig
+		*out = new(CloudLoadBalancerConfig)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSPlatformStatus.
+func (in *AWSPlatformStatus) DeepCopy() *AWSPlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSPlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSResourceTag) DeepCopyInto(out *AWSResourceTag) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSResourceTag.
+func (in *AWSResourceTag) DeepCopy() *AWSResourceTag {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSResourceTag)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSServiceEndpoint) DeepCopyInto(out *AWSServiceEndpoint) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSServiceEndpoint.
+func (in *AWSServiceEndpoint) DeepCopy() *AWSServiceEndpoint {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSServiceEndpoint)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionConfig) DeepCopyInto(out *AdmissionConfig) {
+	*out = *in
+	if in.PluginConfig != nil {
+		in, out := &in.PluginConfig, &out.PluginConfig
+		*out = make(map[string]AdmissionPluginConfig, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+	if in.EnabledAdmissionPlugins != nil {
+		in, out := &in.EnabledAdmissionPlugins, &out.EnabledAdmissionPlugins
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.DisabledAdmissionPlugins != nil {
+		in, out := &in.DisabledAdmissionPlugins, &out.DisabledAdmissionPlugins
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionConfig.
+func (in *AdmissionConfig) DeepCopy() *AdmissionConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionPluginConfig) DeepCopyInto(out *AdmissionPluginConfig) {
+	*out = *in
+	in.Configuration.DeepCopyInto(&out.Configuration)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPluginConfig.
+func (in *AdmissionPluginConfig) DeepCopy() *AdmissionPluginConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionPluginConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaCloudPlatformSpec) DeepCopyInto(out *AlibabaCloudPlatformSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaCloudPlatformSpec.
+func (in *AlibabaCloudPlatformSpec) DeepCopy() *AlibabaCloudPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaCloudPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaCloudPlatformStatus) DeepCopyInto(out *AlibabaCloudPlatformStatus) {
+	*out = *in
+	if in.ResourceTags != nil {
+		in, out := &in.ResourceTags, &out.ResourceTags
+		*out = make([]AlibabaCloudResourceTag, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaCloudPlatformStatus.
+func (in *AlibabaCloudPlatformStatus) DeepCopy() *AlibabaCloudPlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaCloudPlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaCloudResourceTag) DeepCopyInto(out *AlibabaCloudResourceTag) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaCloudResourceTag.
+func (in *AlibabaCloudResourceTag) DeepCopy() *AlibabaCloudResourceTag {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaCloudResourceTag)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Audit) DeepCopyInto(out *Audit) {
+	*out = *in
+	if in.CustomRules != nil {
+		in, out := &in.CustomRules, &out.CustomRules
+		*out = make([]AuditCustomRule, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Audit.
+func (in *Audit) DeepCopy() *Audit {
+	if in == nil {
+		return nil
+	}
+	out := new(Audit)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuditConfig) DeepCopyInto(out *AuditConfig) {
+	*out = *in
+	in.PolicyConfiguration.DeepCopyInto(&out.PolicyConfiguration)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditConfig.
+func (in *AuditConfig) DeepCopy() *AuditConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(AuditConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuditCustomRule) DeepCopyInto(out *AuditCustomRule) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditCustomRule.
+func (in *AuditCustomRule) DeepCopy() *AuditCustomRule {
+	if in == nil {
+		return nil
+	}
+	out := new(AuditCustomRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Authentication) DeepCopyInto(out *Authentication) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authentication.
+func (in *Authentication) DeepCopy() *Authentication {
+	if in == nil {
+		return nil
+	}
+	out := new(Authentication)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Authentication) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthenticationList) DeepCopyInto(out *AuthenticationList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Authentication, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationList.
+func (in *AuthenticationList) DeepCopy() *AuthenticationList {
+	if in == nil {
+		return nil
+	}
+	out := new(AuthenticationList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *AuthenticationList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthenticationSpec) DeepCopyInto(out *AuthenticationSpec) {
+	*out = *in
+	out.OAuthMetadata = in.OAuthMetadata
+	if in.WebhookTokenAuthenticators != nil {
+		in, out := &in.WebhookTokenAuthenticators, &out.WebhookTokenAuthenticators
+		*out = make([]DeprecatedWebhookTokenAuthenticator, len(*in))
+		copy(*out, *in)
+	}
+	if in.WebhookTokenAuthenticator != nil {
+		in, out := &in.WebhookTokenAuthenticator, &out.WebhookTokenAuthenticator
+		*out = new(WebhookTokenAuthenticator)
+		**out = **in
+	}
+	if in.OIDCProviders != nil {
+		in, out := &in.OIDCProviders, &out.OIDCProviders
+		*out = make([]OIDCProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationSpec.
+func (in *AuthenticationSpec) DeepCopy() *AuthenticationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(AuthenticationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthenticationStatus) DeepCopyInto(out *AuthenticationStatus) {
+	*out = *in
+	out.IntegratedOAuthMetadata = in.IntegratedOAuthMetadata
+	if in.OIDCClients != nil {
+		in, out := &in.OIDCClients, &out.OIDCClients
+		*out = make([]OIDCClientStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationStatus.
+func (in *AuthenticationStatus) DeepCopy() *AuthenticationStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(AuthenticationStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzurePlatformSpec) DeepCopyInto(out *AzurePlatformSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzurePlatformSpec.
+func (in *AzurePlatformSpec) DeepCopy() *AzurePlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(AzurePlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzurePlatformStatus) DeepCopyInto(out *AzurePlatformStatus) {
+	*out = *in
+	if in.ResourceTags != nil {
+		in, out := &in.ResourceTags, &out.ResourceTags
+		*out = make([]AzureResourceTag, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzurePlatformStatus.
+func (in *AzurePlatformStatus) DeepCopy() *AzurePlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(AzurePlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzureResourceTag) DeepCopyInto(out *AzureResourceTag) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureResourceTag.
+func (in *AzureResourceTag) DeepCopy() *AzureResourceTag {
+	if in == nil {
+		return nil
+	}
+	out := new(AzureResourceTag)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BareMetalPlatformLoadBalancer) DeepCopyInto(out *BareMetalPlatformLoadBalancer) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BareMetalPlatformLoadBalancer.
+func (in *BareMetalPlatformLoadBalancer) DeepCopy() *BareMetalPlatformLoadBalancer {
+	if in == nil {
+		return nil
+	}
+	out := new(BareMetalPlatformLoadBalancer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BareMetalPlatformSpec) DeepCopyInto(out *BareMetalPlatformSpec) {
+	*out = *in
+	if in.APIServerInternalIPs != nil {
+		in, out := &in.APIServerInternalIPs, &out.APIServerInternalIPs
+		*out = make([]IP, len(*in))
+		copy(*out, *in)
+	}
+	if in.IngressIPs != nil {
+		in, out := &in.IngressIPs, &out.IngressIPs
+		*out = make([]IP, len(*in))
+		copy(*out, *in)
+	}
+	if in.MachineNetworks != nil {
+		in, out := &in.MachineNetworks, &out.MachineNetworks
+		*out = make([]CIDR, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BareMetalPlatformSpec.
+func (in *BareMetalPlatformSpec) DeepCopy() *BareMetalPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BareMetalPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BareMetalPlatformStatus) DeepCopyInto(out *BareMetalPlatformStatus) {
+	*out = *in
+	if in.APIServerInternalIPs != nil {
+		in, out := &in.APIServerInternalIPs, &out.APIServerInternalIPs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.IngressIPs != nil {
+		in, out := &in.IngressIPs, &out.IngressIPs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = new(BareMetalPlatformLoadBalancer)
+		**out = **in
+	}
+	if in.MachineNetworks != nil {
+		in, out := &in.MachineNetworks, &out.MachineNetworks
+		*out = make([]CIDR, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BareMetalPlatformStatus.
+func (in *BareMetalPlatformStatus) DeepCopy() *BareMetalPlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(BareMetalPlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BasicAuthIdentityProvider) DeepCopyInto(out *BasicAuthIdentityProvider) {
+	*out = *in
+	out.OAuthRemoteConnectionInfo = in.OAuthRemoteConnectionInfo
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BasicAuthIdentityProvider.
+func (in *BasicAuthIdentityProvider) DeepCopy() *BasicAuthIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(BasicAuthIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Build) DeepCopyInto(out *Build) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Build.
+func (in *Build) DeepCopy() *Build {
+	if in == nil {
+		return nil
+	}
+	out := new(Build)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Build) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BuildDefaults) DeepCopyInto(out *BuildDefaults) {
+	*out = *in
+	if in.DefaultProxy != nil {
+		in, out := &in.DefaultProxy, &out.DefaultProxy
+		*out = new(ProxySpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.GitProxy != nil {
+		in, out := &in.GitProxy, &out.GitProxy
+		*out = new(ProxySpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Env != nil {
+		in, out := &in.Env, &out.Env
+		*out = make([]corev1.EnvVar, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ImageLabels != nil {
+		in, out := &in.ImageLabels, &out.ImageLabels
+		*out = make([]ImageLabel, len(*in))
+		copy(*out, *in)
+	}
+	in.Resources.DeepCopyInto(&out.Resources)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BuildDefaults.
+func (in *BuildDefaults) DeepCopy() *BuildDefaults {
+	if in == nil {
+		return nil
+	}
+	out := new(BuildDefaults)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BuildList) DeepCopyInto(out *BuildList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Build, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BuildList.
+func (in *BuildList) DeepCopy() *BuildList {
+	if in == nil {
+		return nil
+	}
+	out := new(BuildList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BuildList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BuildOverrides) DeepCopyInto(out *BuildOverrides) {
+	*out = *in
+	if in.ImageLabels != nil {
+		in, out := &in.ImageLabels, &out.ImageLabels
+		*out = make([]ImageLabel, len(*in))
+		copy(*out, *in)
+	}
+	if in.NodeSelector != nil {
+		in, out := &in.NodeSelector, &out.NodeSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]corev1.Toleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ForcePull != nil {
+		in, out := &in.ForcePull, &out.ForcePull
+		*out = new(bool)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BuildOverrides.
+func (in *BuildOverrides) DeepCopy() *BuildOverrides {
+	if in == nil {
+		return nil
+	}
+	out := new(BuildOverrides)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BuildSpec) DeepCopyInto(out *BuildSpec) {
+	*out = *in
+	out.AdditionalTrustedCA = in.AdditionalTrustedCA
+	in.BuildDefaults.DeepCopyInto(&out.BuildDefaults)
+	in.BuildOverrides.DeepCopyInto(&out.BuildOverrides)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BuildSpec.
+func (in *BuildSpec) DeepCopy() *BuildSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BuildSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertInfo) DeepCopyInto(out *CertInfo) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertInfo.
+func (in *CertInfo) DeepCopy() *CertInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(CertInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClientConnectionOverrides) DeepCopyInto(out *ClientConnectionOverrides) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientConnectionOverrides.
+func (in *ClientConnectionOverrides) DeepCopy() *ClientConnectionOverrides {
+	if in == nil {
+		return nil
+	}
+	out := new(ClientConnectionOverrides)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CloudControllerManagerStatus) DeepCopyInto(out *CloudControllerManagerStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudControllerManagerStatus.
+func (in *CloudControllerManagerStatus) DeepCopy() *CloudControllerManagerStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CloudControllerManagerStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CloudLoadBalancerConfig) DeepCopyInto(out *CloudLoadBalancerConfig) {
+	*out = *in
+	if in.ClusterHosted != nil {
+		in, out := &in.ClusterHosted, &out.ClusterHosted
+		*out = new(CloudLoadBalancerIPs)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudLoadBalancerConfig.
+func (in *CloudLoadBalancerConfig) DeepCopy() *CloudLoadBalancerConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(CloudLoadBalancerConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CloudLoadBalancerIPs) DeepCopyInto(out *CloudLoadBalancerIPs) {
+	*out = *in
+	if in.APIIntLoadBalancerIPs != nil {
+		in, out := &in.APIIntLoadBalancerIPs, &out.APIIntLoadBalancerIPs
+		*out = make([]IP, len(*in))
+		copy(*out, *in)
+	}
+	if in.APILoadBalancerIPs != nil {
+		in, out := &in.APILoadBalancerIPs, &out.APILoadBalancerIPs
+		*out = make([]IP, len(*in))
+		copy(*out, *in)
+	}
+	if in.IngressLoadBalancerIPs != nil {
+		in, out := &in.IngressLoadBalancerIPs, &out.IngressLoadBalancerIPs
+		*out = make([]IP, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudLoadBalancerIPs.
+func (in *CloudLoadBalancerIPs) DeepCopy() *CloudLoadBalancerIPs {
+	if in == nil {
+		return nil
+	}
+	out := new(CloudLoadBalancerIPs)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCondition) DeepCopyInto(out *ClusterCondition) {
+	*out = *in
+	if in.PromQL != nil {
+		in, out := &in.PromQL, &out.PromQL
+		*out = new(PromQLClusterCondition)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCondition.
+func (in *ClusterCondition) DeepCopy() *ClusterCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy.
+func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterImagePolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterImagePolicy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList.
+func (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterImagePolicyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec) {
+	*out = *in
+	if in.Scopes != nil {
+		in, out := &in.Scopes, &out.Scopes
+		*out = make([]ImageScope, len(*in))
+		copy(*out, *in)
+	}
+	in.Policy.DeepCopyInto(&out.Policy)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec.
+func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterImagePolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterImagePolicyStatus) DeepCopyInto(out *ClusterImagePolicyStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyStatus.
+func (in *ClusterImagePolicyStatus) DeepCopy() *ClusterImagePolicyStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterImagePolicyStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterNetworkEntry) DeepCopyInto(out *ClusterNetworkEntry) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterNetworkEntry.
+func (in *ClusterNetworkEntry) DeepCopy() *ClusterNetworkEntry {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterNetworkEntry)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterOperator) DeepCopyInto(out *ClusterOperator) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterOperator.
+func (in *ClusterOperator) DeepCopy() *ClusterOperator {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterOperator)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterOperator) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterOperatorList) DeepCopyInto(out *ClusterOperatorList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterOperator, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterOperatorList.
+func (in *ClusterOperatorList) DeepCopy() *ClusterOperatorList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterOperatorList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterOperatorList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterOperatorSpec) DeepCopyInto(out *ClusterOperatorSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterOperatorSpec.
+func (in *ClusterOperatorSpec) DeepCopy() *ClusterOperatorSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterOperatorSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterOperatorStatus) DeepCopyInto(out *ClusterOperatorStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ClusterOperatorStatusCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Versions != nil {
+		in, out := &in.Versions, &out.Versions
+		*out = make([]OperandVersion, len(*in))
+		copy(*out, *in)
+	}
+	if in.RelatedObjects != nil {
+		in, out := &in.RelatedObjects, &out.RelatedObjects
+		*out = make([]ObjectReference, len(*in))
+		copy(*out, *in)
+	}
+	in.Extension.DeepCopyInto(&out.Extension)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterOperatorStatus.
+func (in *ClusterOperatorStatus) DeepCopy() *ClusterOperatorStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterOperatorStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterOperatorStatusCondition) DeepCopyInto(out *ClusterOperatorStatusCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterOperatorStatusCondition.
+func (in *ClusterOperatorStatusCondition) DeepCopy() *ClusterOperatorStatusCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterOperatorStatusCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterVersion) DeepCopyInto(out *ClusterVersion) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterVersion.
+func (in *ClusterVersion) DeepCopy() *ClusterVersion {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterVersion)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterVersion) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterVersionCapabilitiesSpec) DeepCopyInto(out *ClusterVersionCapabilitiesSpec) {
+	*out = *in
+	if in.AdditionalEnabledCapabilities != nil {
+		in, out := &in.AdditionalEnabledCapabilities, &out.AdditionalEnabledCapabilities
+		*out = make([]ClusterVersionCapability, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterVersionCapabilitiesSpec.
+func (in *ClusterVersionCapabilitiesSpec) DeepCopy() *ClusterVersionCapabilitiesSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterVersionCapabilitiesSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterVersionCapabilitiesStatus) DeepCopyInto(out *ClusterVersionCapabilitiesStatus) {
+	*out = *in
+	if in.EnabledCapabilities != nil {
+		in, out := &in.EnabledCapabilities, &out.EnabledCapabilities
+		*out = make([]ClusterVersionCapability, len(*in))
+		copy(*out, *in)
+	}
+	if in.KnownCapabilities != nil {
+		in, out := &in.KnownCapabilities, &out.KnownCapabilities
+		*out = make([]ClusterVersionCapability, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterVersionCapabilitiesStatus.
+func (in *ClusterVersionCapabilitiesStatus) DeepCopy() *ClusterVersionCapabilitiesStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterVersionCapabilitiesStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterVersionList) DeepCopyInto(out *ClusterVersionList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterVersion, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterVersionList.
+func (in *ClusterVersionList) DeepCopy() *ClusterVersionList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterVersionList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterVersionList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterVersionSpec) DeepCopyInto(out *ClusterVersionSpec) {
+	*out = *in
+	if in.DesiredUpdate != nil {
+		in, out := &in.DesiredUpdate, &out.DesiredUpdate
+		*out = new(Update)
+		**out = **in
+	}
+	if in.Capabilities != nil {
+		in, out := &in.Capabilities, &out.Capabilities
+		*out = new(ClusterVersionCapabilitiesSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SignatureStores != nil {
+		in, out := &in.SignatureStores, &out.SignatureStores
+		*out = make([]SignatureStore, len(*in))
+		copy(*out, *in)
+	}
+	if in.Overrides != nil {
+		in, out := &in.Overrides, &out.Overrides
+		*out = make([]ComponentOverride, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterVersionSpec.
+func (in *ClusterVersionSpec) DeepCopy() *ClusterVersionSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterVersionSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterVersionStatus) DeepCopyInto(out *ClusterVersionStatus) {
+	*out = *in
+	in.Desired.DeepCopyInto(&out.Desired)
+	if in.History != nil {
+		in, out := &in.History, &out.History
+		*out = make([]UpdateHistory, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.Capabilities.DeepCopyInto(&out.Capabilities)
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ClusterOperatorStatusCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AvailableUpdates != nil {
+		in, out := &in.AvailableUpdates, &out.AvailableUpdates
+		*out = make([]Release, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ConditionalUpdates != nil {
+		in, out := &in.ConditionalUpdates, &out.ConditionalUpdates
+		*out = make([]ConditionalUpdate, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterVersionStatus.
+func (in *ClusterVersionStatus) DeepCopy() *ClusterVersionStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterVersionStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ComponentOverride) DeepCopyInto(out *ComponentOverride) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComponentOverride.
+func (in *ComponentOverride) DeepCopy() *ComponentOverride {
+	if in == nil {
+		return nil
+	}
+	out := new(ComponentOverride)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ComponentRouteSpec) DeepCopyInto(out *ComponentRouteSpec) {
+	*out = *in
+	out.ServingCertKeyPairSecret = in.ServingCertKeyPairSecret
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComponentRouteSpec.
+func (in *ComponentRouteSpec) DeepCopy() *ComponentRouteSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ComponentRouteSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ComponentRouteStatus) DeepCopyInto(out *ComponentRouteStatus) {
+	*out = *in
+	if in.ConsumingUsers != nil {
+		in, out := &in.ConsumingUsers, &out.ConsumingUsers
+		*out = make([]ConsumingUser, len(*in))
+		copy(*out, *in)
+	}
+	if in.CurrentHostnames != nil {
+		in, out := &in.CurrentHostnames, &out.CurrentHostnames
+		*out = make([]Hostname, len(*in))
+		copy(*out, *in)
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RelatedObjects != nil {
+		in, out := &in.RelatedObjects, &out.RelatedObjects
+		*out = make([]ObjectReference, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComponentRouteStatus.
+func (in *ComponentRouteStatus) DeepCopy() *ComponentRouteStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ComponentRouteStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConditionalUpdate) DeepCopyInto(out *ConditionalUpdate) {
+	*out = *in
+	in.Release.DeepCopyInto(&out.Release)
+	if in.Risks != nil {
+		in, out := &in.Risks, &out.Risks
+		*out = make([]ConditionalUpdateRisk, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionalUpdate.
+func (in *ConditionalUpdate) DeepCopy() *ConditionalUpdate {
+	if in == nil {
+		return nil
+	}
+	out := new(ConditionalUpdate)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConditionalUpdateRisk) DeepCopyInto(out *ConditionalUpdateRisk) {
+	*out = *in
+	if in.MatchingRules != nil {
+		in, out := &in.MatchingRules, &out.MatchingRules
+		*out = make([]ClusterCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionalUpdateRisk.
+func (in *ConditionalUpdateRisk) DeepCopy() *ConditionalUpdateRisk {
+	if in == nil {
+		return nil
+	}
+	out := new(ConditionalUpdateRisk)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConfigMapFileReference) DeepCopyInto(out *ConfigMapFileReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapFileReference.
+func (in *ConfigMapFileReference) DeepCopy() *ConfigMapFileReference {
+	if in == nil {
+		return nil
+	}
+	out := new(ConfigMapFileReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConfigMapNameReference) DeepCopyInto(out *ConfigMapNameReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapNameReference.
+func (in *ConfigMapNameReference) DeepCopy() *ConfigMapNameReference {
+	if in == nil {
+		return nil
+	}
+	out := new(ConfigMapNameReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Console) DeepCopyInto(out *Console) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Console.
+func (in *Console) DeepCopy() *Console {
+	if in == nil {
+		return nil
+	}
+	out := new(Console)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Console) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConsoleAuthentication) DeepCopyInto(out *ConsoleAuthentication) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConsoleAuthentication.
+func (in *ConsoleAuthentication) DeepCopy() *ConsoleAuthentication {
+	if in == nil {
+		return nil
+	}
+	out := new(ConsoleAuthentication)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConsoleList) DeepCopyInto(out *ConsoleList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Console, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConsoleList.
+func (in *ConsoleList) DeepCopy() *ConsoleList {
+	if in == nil {
+		return nil
+	}
+	out := new(ConsoleList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ConsoleList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConsoleSpec) DeepCopyInto(out *ConsoleSpec) {
+	*out = *in
+	out.Authentication = in.Authentication
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConsoleSpec.
+func (in *ConsoleSpec) DeepCopy() *ConsoleSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ConsoleSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConsoleStatus) DeepCopyInto(out *ConsoleStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConsoleStatus.
+func (in *ConsoleStatus) DeepCopy() *ConsoleStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ConsoleStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CustomFeatureGates) DeepCopyInto(out *CustomFeatureGates) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = make([]FeatureGateName, len(*in))
+		copy(*out, *in)
+	}
+	if in.Disabled != nil {
+		in, out := &in.Disabled, &out.Disabled
+		*out = make([]FeatureGateName, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomFeatureGates.
+func (in *CustomFeatureGates) DeepCopy() *CustomFeatureGates {
+	if in == nil {
+		return nil
+	}
+	out := new(CustomFeatureGates)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CustomTLSProfile) DeepCopyInto(out *CustomTLSProfile) {
+	*out = *in
+	in.TLSProfileSpec.DeepCopyInto(&out.TLSProfileSpec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomTLSProfile.
+func (in *CustomTLSProfile) DeepCopy() *CustomTLSProfile {
+	if in == nil {
+		return nil
+	}
+	out := new(CustomTLSProfile)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DNS) DeepCopyInto(out *DNS) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNS.
+func (in *DNS) DeepCopy() *DNS {
+	if in == nil {
+		return nil
+	}
+	out := new(DNS)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DNS) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DNSList) DeepCopyInto(out *DNSList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]DNS, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSList.
+func (in *DNSList) DeepCopy() *DNSList {
+	if in == nil {
+		return nil
+	}
+	out := new(DNSList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DNSList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DNSPlatformSpec) DeepCopyInto(out *DNSPlatformSpec) {
+	*out = *in
+	if in.AWS != nil {
+		in, out := &in.AWS, &out.AWS
+		*out = new(AWSDNSSpec)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSPlatformSpec.
+func (in *DNSPlatformSpec) DeepCopy() *DNSPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(DNSPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DNSSpec) DeepCopyInto(out *DNSSpec) {
+	*out = *in
+	if in.PublicZone != nil {
+		in, out := &in.PublicZone, &out.PublicZone
+		*out = new(DNSZone)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.PrivateZone != nil {
+		in, out := &in.PrivateZone, &out.PrivateZone
+		*out = new(DNSZone)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Platform.DeepCopyInto(&out.Platform)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSSpec.
+func (in *DNSSpec) DeepCopy() *DNSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(DNSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DNSStatus) DeepCopyInto(out *DNSStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSStatus.
+func (in *DNSStatus) DeepCopy() *DNSStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(DNSStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DNSZone) DeepCopyInto(out *DNSZone) {
+	*out = *in
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSZone.
+func (in *DNSZone) DeepCopy() *DNSZone {
+	if in == nil {
+		return nil
+	}
+	out := new(DNSZone)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DelegatedAuthentication) DeepCopyInto(out *DelegatedAuthentication) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DelegatedAuthentication.
+func (in *DelegatedAuthentication) DeepCopy() *DelegatedAuthentication {
+	if in == nil {
+		return nil
+	}
+	out := new(DelegatedAuthentication)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DelegatedAuthorization) DeepCopyInto(out *DelegatedAuthorization) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DelegatedAuthorization.
+func (in *DelegatedAuthorization) DeepCopy() *DelegatedAuthorization {
+	if in == nil {
+		return nil
+	}
+	out := new(DelegatedAuthorization)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeprecatedWebhookTokenAuthenticator) DeepCopyInto(out *DeprecatedWebhookTokenAuthenticator) {
+	*out = *in
+	out.KubeConfig = in.KubeConfig
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeprecatedWebhookTokenAuthenticator.
+func (in *DeprecatedWebhookTokenAuthenticator) DeepCopy() *DeprecatedWebhookTokenAuthenticator {
+	if in == nil {
+		return nil
+	}
+	out := new(DeprecatedWebhookTokenAuthenticator)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EquinixMetalPlatformSpec) DeepCopyInto(out *EquinixMetalPlatformSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EquinixMetalPlatformSpec.
+func (in *EquinixMetalPlatformSpec) DeepCopy() *EquinixMetalPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(EquinixMetalPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EquinixMetalPlatformStatus) DeepCopyInto(out *EquinixMetalPlatformStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EquinixMetalPlatformStatus.
+func (in *EquinixMetalPlatformStatus) DeepCopy() *EquinixMetalPlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(EquinixMetalPlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EtcdConnectionInfo) DeepCopyInto(out *EtcdConnectionInfo) {
+	*out = *in
+	if in.URLs != nil {
+		in, out := &in.URLs, &out.URLs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	out.CertInfo = in.CertInfo
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EtcdConnectionInfo.
+func (in *EtcdConnectionInfo) DeepCopy() *EtcdConnectionInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(EtcdConnectionInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EtcdStorageConfig) DeepCopyInto(out *EtcdStorageConfig) {
+	*out = *in
+	in.EtcdConnectionInfo.DeepCopyInto(&out.EtcdConnectionInfo)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EtcdStorageConfig.
+func (in *EtcdStorageConfig) DeepCopy() *EtcdStorageConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(EtcdStorageConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalIPConfig) DeepCopyInto(out *ExternalIPConfig) {
+	*out = *in
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(ExternalIPPolicy)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AutoAssignCIDRs != nil {
+		in, out := &in.AutoAssignCIDRs, &out.AutoAssignCIDRs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalIPConfig.
+func (in *ExternalIPConfig) DeepCopy() *ExternalIPConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalIPConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalIPPolicy) DeepCopyInto(out *ExternalIPPolicy) {
+	*out = *in
+	if in.AllowedCIDRs != nil {
+		in, out := &in.AllowedCIDRs, &out.AllowedCIDRs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.RejectedCIDRs != nil {
+		in, out := &in.RejectedCIDRs, &out.RejectedCIDRs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalIPPolicy.
+func (in *ExternalIPPolicy) DeepCopy() *ExternalIPPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalIPPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalPlatformSpec) DeepCopyInto(out *ExternalPlatformSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalPlatformSpec.
+func (in *ExternalPlatformSpec) DeepCopy() *ExternalPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalPlatformStatus) DeepCopyInto(out *ExternalPlatformStatus) {
+	*out = *in
+	out.CloudControllerManager = in.CloudControllerManager
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalPlatformStatus.
+func (in *ExternalPlatformStatus) DeepCopy() *ExternalPlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalPlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtraMapping.
+func (in *ExtraMapping) DeepCopy() *ExtraMapping {
+	if in == nil {
+		return nil
+	}
+	out := new(ExtraMapping)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FeatureGate) DeepCopyInto(out *FeatureGate) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FeatureGate.
+func (in *FeatureGate) DeepCopy() *FeatureGate {
+	if in == nil {
+		return nil
+	}
+	out := new(FeatureGate)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FeatureGate) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FeatureGateAttributes) DeepCopyInto(out *FeatureGateAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FeatureGateAttributes.
+func (in *FeatureGateAttributes) DeepCopy() *FeatureGateAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(FeatureGateAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FeatureGateDetails) DeepCopyInto(out *FeatureGateDetails) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = make([]FeatureGateAttributes, len(*in))
+		copy(*out, *in)
+	}
+	if in.Disabled != nil {
+		in, out := &in.Disabled, &out.Disabled
+		*out = make([]FeatureGateAttributes, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FeatureGateDetails.
+func (in *FeatureGateDetails) DeepCopy() *FeatureGateDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(FeatureGateDetails)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FeatureGateList) DeepCopyInto(out *FeatureGateList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]FeatureGate, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FeatureGateList.
+func (in *FeatureGateList) DeepCopy() *FeatureGateList {
+	if in == nil {
+		return nil
+	}
+	out := new(FeatureGateList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FeatureGateList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FeatureGateSelection) DeepCopyInto(out *FeatureGateSelection) {
+	*out = *in
+	if in.CustomNoUpgrade != nil {
+		in, out := &in.CustomNoUpgrade, &out.CustomNoUpgrade
+		*out = new(CustomFeatureGates)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FeatureGateSelection.
+func (in *FeatureGateSelection) DeepCopy() *FeatureGateSelection {
+	if in == nil {
+		return nil
+	}
+	out := new(FeatureGateSelection)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FeatureGateSpec) DeepCopyInto(out *FeatureGateSpec) {
+	*out = *in
+	in.FeatureGateSelection.DeepCopyInto(&out.FeatureGateSelection)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FeatureGateSpec.
+func (in *FeatureGateSpec) DeepCopy() *FeatureGateSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(FeatureGateSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FeatureGateStatus) DeepCopyInto(out *FeatureGateStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FeatureGates != nil {
+		in, out := &in.FeatureGates, &out.FeatureGates
+		*out = make([]FeatureGateDetails, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FeatureGateStatus.
+func (in *FeatureGateStatus) DeepCopy() *FeatureGateStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(FeatureGateStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FeatureGateTests) DeepCopyInto(out *FeatureGateTests) {
+	*out = *in
+	if in.Tests != nil {
+		in, out := &in.Tests, &out.Tests
+		*out = make([]TestDetails, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FeatureGateTests.
+func (in *FeatureGateTests) DeepCopy() *FeatureGateTests {
+	if in == nil {
+		return nil
+	}
+	out := new(FeatureGateTests)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) {
+	*out = *in
+	if in.FulcioCAData != nil {
+		in, out := &in.FulcioCAData, &out.FulcioCAData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.RekorKeyData != nil {
+		in, out := &in.RekorKeyData, &out.RekorKeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	out.FulcioSubject = in.FulcioSubject
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor.
+func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor {
+	if in == nil {
+		return nil
+	}
+	out := new(FulcioCAWithRekor)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPPlatformSpec) DeepCopyInto(out *GCPPlatformSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPPlatformSpec.
+func (in *GCPPlatformSpec) DeepCopy() *GCPPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPPlatformStatus) DeepCopyInto(out *GCPPlatformStatus) {
+	*out = *in
+	if in.ResourceLabels != nil {
+		in, out := &in.ResourceLabels, &out.ResourceLabels
+		*out = make([]GCPResourceLabel, len(*in))
+		copy(*out, *in)
+	}
+	if in.ResourceTags != nil {
+		in, out := &in.ResourceTags, &out.ResourceTags
+		*out = make([]GCPResourceTag, len(*in))
+		copy(*out, *in)
+	}
+	if in.CloudLoadBalancerConfig != nil {
+		in, out := &in.CloudLoadBalancerConfig, &out.CloudLoadBalancerConfig
+		*out = new(CloudLoadBalancerConfig)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ServiceEndpoints != nil {
+		in, out := &in.ServiceEndpoints, &out.ServiceEndpoints
+		*out = make([]GCPServiceEndpoint, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPPlatformStatus.
+func (in *GCPPlatformStatus) DeepCopy() *GCPPlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPPlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPResourceLabel) DeepCopyInto(out *GCPResourceLabel) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPResourceLabel.
+func (in *GCPResourceLabel) DeepCopy() *GCPResourceLabel {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPResourceLabel)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPResourceTag) DeepCopyInto(out *GCPResourceTag) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPResourceTag.
+func (in *GCPResourceTag) DeepCopy() *GCPResourceTag {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPResourceTag)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPServiceEndpoint) DeepCopyInto(out *GCPServiceEndpoint) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPServiceEndpoint.
+func (in *GCPServiceEndpoint) DeepCopy() *GCPServiceEndpoint {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPServiceEndpoint)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GenericAPIServerConfig) DeepCopyInto(out *GenericAPIServerConfig) {
+	*out = *in
+	in.ServingInfo.DeepCopyInto(&out.ServingInfo)
+	if in.CORSAllowedOrigins != nil {
+		in, out := &in.CORSAllowedOrigins, &out.CORSAllowedOrigins
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	in.AuditConfig.DeepCopyInto(&out.AuditConfig)
+	in.StorageConfig.DeepCopyInto(&out.StorageConfig)
+	in.AdmissionConfig.DeepCopyInto(&out.AdmissionConfig)
+	out.KubeClientConfig = in.KubeClientConfig
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericAPIServerConfig.
+func (in *GenericAPIServerConfig) DeepCopy() *GenericAPIServerConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(GenericAPIServerConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GenericControllerConfig) DeepCopyInto(out *GenericControllerConfig) {
+	*out = *in
+	in.ServingInfo.DeepCopyInto(&out.ServingInfo)
+	out.LeaderElection = in.LeaderElection
+	out.Authentication = in.Authentication
+	out.Authorization = in.Authorization
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericControllerConfig.
+func (in *GenericControllerConfig) DeepCopy() *GenericControllerConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(GenericControllerConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) {
+	*out = *in
+	out.ClientSecret = in.ClientSecret
+	if in.Organizations != nil {
+		in, out := &in.Organizations, &out.Organizations
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Teams != nil {
+		in, out := &in.Teams, &out.Teams
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	out.CA = in.CA
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider.
+func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(GitHubIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitLabIdentityProvider) DeepCopyInto(out *GitLabIdentityProvider) {
+	*out = *in
+	out.ClientSecret = in.ClientSecret
+	out.CA = in.CA
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitLabIdentityProvider.
+func (in *GitLabIdentityProvider) DeepCopy() *GitLabIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(GitLabIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GoogleIdentityProvider) DeepCopyInto(out *GoogleIdentityProvider) {
+	*out = *in
+	out.ClientSecret = in.ClientSecret
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GoogleIdentityProvider.
+func (in *GoogleIdentityProvider) DeepCopy() *GoogleIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(GoogleIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTPasswdIdentityProvider) DeepCopyInto(out *HTPasswdIdentityProvider) {
+	*out = *in
+	out.FileData = in.FileData
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTPasswdIdentityProvider.
+func (in *HTPasswdIdentityProvider) DeepCopy() *HTPasswdIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(HTPasswdIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTPServingInfo) DeepCopyInto(out *HTTPServingInfo) {
+	*out = *in
+	in.ServingInfo.DeepCopyInto(&out.ServingInfo)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPServingInfo.
+func (in *HTTPServingInfo) DeepCopy() *HTTPServingInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(HTTPServingInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HubSource) DeepCopyInto(out *HubSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HubSource.
+func (in *HubSource) DeepCopy() *HubSource {
+	if in == nil {
+		return nil
+	}
+	out := new(HubSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HubSourceStatus) DeepCopyInto(out *HubSourceStatus) {
+	*out = *in
+	out.HubSource = in.HubSource
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HubSourceStatus.
+func (in *HubSourceStatus) DeepCopy() *HubSourceStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(HubSourceStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMCloudPlatformSpec) DeepCopyInto(out *IBMCloudPlatformSpec) {
+	*out = *in
+	if in.ServiceEndpoints != nil {
+		in, out := &in.ServiceEndpoints, &out.ServiceEndpoints
+		*out = make([]IBMCloudServiceEndpoint, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMCloudPlatformSpec.
+func (in *IBMCloudPlatformSpec) DeepCopy() *IBMCloudPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMCloudPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMCloudPlatformStatus) DeepCopyInto(out *IBMCloudPlatformStatus) {
+	*out = *in
+	if in.ServiceEndpoints != nil {
+		in, out := &in.ServiceEndpoints, &out.ServiceEndpoints
+		*out = make([]IBMCloudServiceEndpoint, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMCloudPlatformStatus.
+func (in *IBMCloudPlatformStatus) DeepCopy() *IBMCloudPlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMCloudPlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMCloudServiceEndpoint) DeepCopyInto(out *IBMCloudServiceEndpoint) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMCloudServiceEndpoint.
+func (in *IBMCloudServiceEndpoint) DeepCopy() *IBMCloudServiceEndpoint {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMCloudServiceEndpoint)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IdentityProvider) DeepCopyInto(out *IdentityProvider) {
+	*out = *in
+	in.IdentityProviderConfig.DeepCopyInto(&out.IdentityProviderConfig)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProvider.
+func (in *IdentityProvider) DeepCopy() *IdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(IdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IdentityProviderConfig) DeepCopyInto(out *IdentityProviderConfig) {
+	*out = *in
+	if in.BasicAuth != nil {
+		in, out := &in.BasicAuth, &out.BasicAuth
+		*out = new(BasicAuthIdentityProvider)
+		**out = **in
+	}
+	if in.GitHub != nil {
+		in, out := &in.GitHub, &out.GitHub
+		*out = new(GitHubIdentityProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.GitLab != nil {
+		in, out := &in.GitLab, &out.GitLab
+		*out = new(GitLabIdentityProvider)
+		**out = **in
+	}
+	if in.Google != nil {
+		in, out := &in.Google, &out.Google
+		*out = new(GoogleIdentityProvider)
+		**out = **in
+	}
+	if in.HTPasswd != nil {
+		in, out := &in.HTPasswd, &out.HTPasswd
+		*out = new(HTPasswdIdentityProvider)
+		**out = **in
+	}
+	if in.Keystone != nil {
+		in, out := &in.Keystone, &out.Keystone
+		*out = new(KeystoneIdentityProvider)
+		**out = **in
+	}
+	if in.LDAP != nil {
+		in, out := &in.LDAP, &out.LDAP
+		*out = new(LDAPIdentityProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.OpenID != nil {
+		in, out := &in.OpenID, &out.OpenID
+		*out = new(OpenIDIdentityProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.RequestHeader != nil {
+		in, out := &in.RequestHeader, &out.RequestHeader
+		*out = new(RequestHeaderIdentityProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderConfig.
+func (in *IdentityProviderConfig) DeepCopy() *IdentityProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(IdentityProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Image) DeepCopyInto(out *Image) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Image.
+func (in *Image) DeepCopy() *Image {
+	if in == nil {
+		return nil
+	}
+	out := new(Image)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Image) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageContentPolicy) DeepCopyInto(out *ImageContentPolicy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageContentPolicy.
+func (in *ImageContentPolicy) DeepCopy() *ImageContentPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageContentPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImageContentPolicy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageContentPolicyList) DeepCopyInto(out *ImageContentPolicyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ImageContentPolicy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageContentPolicyList.
+func (in *ImageContentPolicyList) DeepCopy() *ImageContentPolicyList {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageContentPolicyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImageContentPolicyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageContentPolicySpec) DeepCopyInto(out *ImageContentPolicySpec) {
+	*out = *in
+	if in.RepositoryDigestMirrors != nil {
+		in, out := &in.RepositoryDigestMirrors, &out.RepositoryDigestMirrors
+		*out = make([]RepositoryDigestMirrors, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageContentPolicySpec.
+func (in *ImageContentPolicySpec) DeepCopy() *ImageContentPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageContentPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageDigestMirrorSet) DeepCopyInto(out *ImageDigestMirrorSet) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageDigestMirrorSet.
+func (in *ImageDigestMirrorSet) DeepCopy() *ImageDigestMirrorSet {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageDigestMirrorSet)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImageDigestMirrorSet) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageDigestMirrorSetList) DeepCopyInto(out *ImageDigestMirrorSetList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ImageDigestMirrorSet, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageDigestMirrorSetList.
+func (in *ImageDigestMirrorSetList) DeepCopy() *ImageDigestMirrorSetList {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageDigestMirrorSetList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImageDigestMirrorSetList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageDigestMirrorSetSpec) DeepCopyInto(out *ImageDigestMirrorSetSpec) {
+	*out = *in
+	if in.ImageDigestMirrors != nil {
+		in, out := &in.ImageDigestMirrors, &out.ImageDigestMirrors
+		*out = make([]ImageDigestMirrors, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageDigestMirrorSetSpec.
+func (in *ImageDigestMirrorSetSpec) DeepCopy() *ImageDigestMirrorSetSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageDigestMirrorSetSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageDigestMirrorSetStatus) DeepCopyInto(out *ImageDigestMirrorSetStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageDigestMirrorSetStatus.
+func (in *ImageDigestMirrorSetStatus) DeepCopy() *ImageDigestMirrorSetStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageDigestMirrorSetStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageDigestMirrors) DeepCopyInto(out *ImageDigestMirrors) {
+	*out = *in
+	if in.Mirrors != nil {
+		in, out := &in.Mirrors, &out.Mirrors
+		*out = make([]ImageMirror, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageDigestMirrors.
+func (in *ImageDigestMirrors) DeepCopy() *ImageDigestMirrors {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageDigestMirrors)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageLabel) DeepCopyInto(out *ImageLabel) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageLabel.
+func (in *ImageLabel) DeepCopy() *ImageLabel {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageLabel)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageList) DeepCopyInto(out *ImageList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Image, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageList.
+func (in *ImageList) DeepCopy() *ImageList {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImageList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicy) DeepCopyInto(out *ImagePolicy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicy.
+func (in *ImagePolicy) DeepCopy() *ImagePolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImagePolicy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ImagePolicy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyList.
+func (in *ImagePolicyList) DeepCopy() *ImagePolicyList {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImagePolicyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) {
+	*out = *in
+	if in.Scopes != nil {
+		in, out := &in.Scopes, &out.Scopes
+		*out = make([]ImageScope, len(*in))
+		copy(*out, *in)
+	}
+	in.Policy.DeepCopyInto(&out.Policy)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicySpec.
+func (in *ImagePolicySpec) DeepCopy() *ImagePolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyStatus) DeepCopyInto(out *ImagePolicyStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyStatus.
+func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageSpec) DeepCopyInto(out *ImageSpec) {
+	*out = *in
+	if in.AllowedRegistriesForImport != nil {
+		in, out := &in.AllowedRegistriesForImport, &out.AllowedRegistriesForImport
+		*out = make([]RegistryLocation, len(*in))
+		copy(*out, *in)
+	}
+	if in.ExternalRegistryHostnames != nil {
+		in, out := &in.ExternalRegistryHostnames, &out.ExternalRegistryHostnames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	out.AdditionalTrustedCA = in.AdditionalTrustedCA
+	in.RegistrySources.DeepCopyInto(&out.RegistrySources)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSpec.
+func (in *ImageSpec) DeepCopy() *ImageSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageStatus) DeepCopyInto(out *ImageStatus) {
+	*out = *in
+	if in.ExternalRegistryHostnames != nil {
+		in, out := &in.ExternalRegistryHostnames, &out.ExternalRegistryHostnames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageStatus.
+func (in *ImageStatus) DeepCopy() *ImageStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageTagMirrorSet) DeepCopyInto(out *ImageTagMirrorSet) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageTagMirrorSet.
+func (in *ImageTagMirrorSet) DeepCopy() *ImageTagMirrorSet {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageTagMirrorSet)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImageTagMirrorSet) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageTagMirrorSetList) DeepCopyInto(out *ImageTagMirrorSetList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ImageTagMirrorSet, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageTagMirrorSetList.
+func (in *ImageTagMirrorSetList) DeepCopy() *ImageTagMirrorSetList {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageTagMirrorSetList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImageTagMirrorSetList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageTagMirrorSetSpec) DeepCopyInto(out *ImageTagMirrorSetSpec) {
+	*out = *in
+	if in.ImageTagMirrors != nil {
+		in, out := &in.ImageTagMirrors, &out.ImageTagMirrors
+		*out = make([]ImageTagMirrors, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageTagMirrorSetSpec.
+func (in *ImageTagMirrorSetSpec) DeepCopy() *ImageTagMirrorSetSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageTagMirrorSetSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageTagMirrorSetStatus) DeepCopyInto(out *ImageTagMirrorSetStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageTagMirrorSetStatus.
+func (in *ImageTagMirrorSetStatus) DeepCopy() *ImageTagMirrorSetStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageTagMirrorSetStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageTagMirrors) DeepCopyInto(out *ImageTagMirrors) {
+	*out = *in
+	if in.Mirrors != nil {
+		in, out := &in.Mirrors, &out.Mirrors
+		*out = make([]ImageMirror, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageTagMirrors.
+func (in *ImageTagMirrors) DeepCopy() *ImageTagMirrors {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageTagMirrors)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Infrastructure) DeepCopyInto(out *Infrastructure) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Infrastructure.
+func (in *Infrastructure) DeepCopy() *Infrastructure {
+	if in == nil {
+		return nil
+	}
+	out := new(Infrastructure)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Infrastructure) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InfrastructureList) DeepCopyInto(out *InfrastructureList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Infrastructure, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfrastructureList.
+func (in *InfrastructureList) DeepCopy() *InfrastructureList {
+	if in == nil {
+		return nil
+	}
+	out := new(InfrastructureList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *InfrastructureList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InfrastructureSpec) DeepCopyInto(out *InfrastructureSpec) {
+	*out = *in
+	out.CloudConfig = in.CloudConfig
+	in.PlatformSpec.DeepCopyInto(&out.PlatformSpec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfrastructureSpec.
+func (in *InfrastructureSpec) DeepCopy() *InfrastructureSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(InfrastructureSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InfrastructureStatus) DeepCopyInto(out *InfrastructureStatus) {
+	*out = *in
+	if in.PlatformStatus != nil {
+		in, out := &in.PlatformStatus, &out.PlatformStatus
+		*out = new(PlatformStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfrastructureStatus.
+func (in *InfrastructureStatus) DeepCopy() *InfrastructureStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(InfrastructureStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Ingress) DeepCopyInto(out *Ingress) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Ingress.
+func (in *Ingress) DeepCopy() *Ingress {
+	if in == nil {
+		return nil
+	}
+	out := new(Ingress)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Ingress) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressList) DeepCopyInto(out *IngressList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Ingress, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressList.
+func (in *IngressList) DeepCopy() *IngressList {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *IngressList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressPlatformSpec) DeepCopyInto(out *IngressPlatformSpec) {
+	*out = *in
+	if in.AWS != nil {
+		in, out := &in.AWS, &out.AWS
+		*out = new(AWSIngressSpec)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressPlatformSpec.
+func (in *IngressPlatformSpec) DeepCopy() *IngressPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressSpec) DeepCopyInto(out *IngressSpec) {
+	*out = *in
+	if in.ComponentRoutes != nil {
+		in, out := &in.ComponentRoutes, &out.ComponentRoutes
+		*out = make([]ComponentRouteSpec, len(*in))
+		copy(*out, *in)
+	}
+	if in.RequiredHSTSPolicies != nil {
+		in, out := &in.RequiredHSTSPolicies, &out.RequiredHSTSPolicies
+		*out = make([]RequiredHSTSPolicy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.LoadBalancer.DeepCopyInto(&out.LoadBalancer)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressSpec.
+func (in *IngressSpec) DeepCopy() *IngressSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressStatus) DeepCopyInto(out *IngressStatus) {
+	*out = *in
+	if in.ComponentRoutes != nil {
+		in, out := &in.ComponentRoutes, &out.ComponentRoutes
+		*out = make([]ComponentRouteStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressStatus.
+func (in *IngressStatus) DeepCopy() *IngressStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IntermediateTLSProfile) DeepCopyInto(out *IntermediateTLSProfile) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntermediateTLSProfile.
+func (in *IntermediateTLSProfile) DeepCopy() *IntermediateTLSProfile {
+	if in == nil {
+		return nil
+	}
+	out := new(IntermediateTLSProfile)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KMSConfig) DeepCopyInto(out *KMSConfig) {
+	*out = *in
+	if in.AWS != nil {
+		in, out := &in.AWS, &out.AWS
+		*out = new(AWSKMSConfig)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSConfig.
+func (in *KMSConfig) DeepCopy() *KMSConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(KMSConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KeystoneIdentityProvider) DeepCopyInto(out *KeystoneIdentityProvider) {
+	*out = *in
+	out.OAuthRemoteConnectionInfo = in.OAuthRemoteConnectionInfo
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeystoneIdentityProvider.
+func (in *KeystoneIdentityProvider) DeepCopy() *KeystoneIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(KeystoneIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubeClientConfig) DeepCopyInto(out *KubeClientConfig) {
+	*out = *in
+	out.ConnectionOverrides = in.ConnectionOverrides
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeClientConfig.
+func (in *KubeClientConfig) DeepCopy() *KubeClientConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(KubeClientConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubevirtPlatformSpec) DeepCopyInto(out *KubevirtPlatformSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubevirtPlatformSpec.
+func (in *KubevirtPlatformSpec) DeepCopy() *KubevirtPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(KubevirtPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubevirtPlatformStatus) DeepCopyInto(out *KubevirtPlatformStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubevirtPlatformStatus.
+func (in *KubevirtPlatformStatus) DeepCopy() *KubevirtPlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(KubevirtPlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPAttributeMapping) DeepCopyInto(out *LDAPAttributeMapping) {
+	*out = *in
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.PreferredUsername != nil {
+		in, out := &in.PreferredUsername, &out.PreferredUsername
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Email != nil {
+		in, out := &in.Email, &out.Email
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPAttributeMapping.
+func (in *LDAPAttributeMapping) DeepCopy() *LDAPAttributeMapping {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPAttributeMapping)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
+	*out = *in
+	out.BindPassword = in.BindPassword
+	out.CA = in.CA
+	in.Attributes.DeepCopyInto(&out.Attributes)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProvider.
+func (in *LDAPIdentityProvider) DeepCopy() *LDAPIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LeaderElection) DeepCopyInto(out *LeaderElection) {
+	*out = *in
+	out.LeaseDuration = in.LeaseDuration
+	out.RenewDeadline = in.RenewDeadline
+	out.RetryPeriod = in.RetryPeriod
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LeaderElection.
+func (in *LeaderElection) DeepCopy() *LeaderElection {
+	if in == nil {
+		return nil
+	}
+	out := new(LeaderElection)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LoadBalancer) DeepCopyInto(out *LoadBalancer) {
+	*out = *in
+	in.Platform.DeepCopyInto(&out.Platform)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoadBalancer.
+func (in *LoadBalancer) DeepCopy() *LoadBalancer {
+	if in == nil {
+		return nil
+	}
+	out := new(LoadBalancer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MTUMigration) DeepCopyInto(out *MTUMigration) {
+	*out = *in
+	if in.Network != nil {
+		in, out := &in.Network, &out.Network
+		*out = new(MTUMigrationValues)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Machine != nil {
+		in, out := &in.Machine, &out.Machine
+		*out = new(MTUMigrationValues)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MTUMigration.
+func (in *MTUMigration) DeepCopy() *MTUMigration {
+	if in == nil {
+		return nil
+	}
+	out := new(MTUMigration)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MTUMigrationValues) DeepCopyInto(out *MTUMigrationValues) {
+	*out = *in
+	if in.To != nil {
+		in, out := &in.To, &out.To
+		*out = new(uint32)
+		**out = **in
+	}
+	if in.From != nil {
+		in, out := &in.From, &out.From
+		*out = new(uint32)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MTUMigrationValues.
+func (in *MTUMigrationValues) DeepCopy() *MTUMigrationValues {
+	if in == nil {
+		return nil
+	}
+	out := new(MTUMigrationValues)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MaxAgePolicy) DeepCopyInto(out *MaxAgePolicy) {
+	*out = *in
+	if in.LargestMaxAge != nil {
+		in, out := &in.LargestMaxAge, &out.LargestMaxAge
+		*out = new(int32)
+		**out = **in
+	}
+	if in.SmallestMaxAge != nil {
+		in, out := &in.SmallestMaxAge, &out.SmallestMaxAge
+		*out = new(int32)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MaxAgePolicy.
+func (in *MaxAgePolicy) DeepCopy() *MaxAgePolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(MaxAgePolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ModernTLSProfile) DeepCopyInto(out *ModernTLSProfile) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ModernTLSProfile.
+func (in *ModernTLSProfile) DeepCopy() *ModernTLSProfile {
+	if in == nil {
+		return nil
+	}
+	out := new(ModernTLSProfile)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamedCertificate) DeepCopyInto(out *NamedCertificate) {
+	*out = *in
+	if in.Names != nil {
+		in, out := &in.Names, &out.Names
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	out.CertInfo = in.CertInfo
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamedCertificate.
+func (in *NamedCertificate) DeepCopy() *NamedCertificate {
+	if in == nil {
+		return nil
+	}
+	out := new(NamedCertificate)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Network) DeepCopyInto(out *Network) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Network.
+func (in *Network) DeepCopy() *Network {
+	if in == nil {
+		return nil
+	}
+	out := new(Network)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Network) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkDiagnostics) DeepCopyInto(out *NetworkDiagnostics) {
+	*out = *in
+	in.SourcePlacement.DeepCopyInto(&out.SourcePlacement)
+	in.TargetPlacement.DeepCopyInto(&out.TargetPlacement)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkDiagnostics.
+func (in *NetworkDiagnostics) DeepCopy() *NetworkDiagnostics {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkDiagnostics)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkDiagnosticsSourcePlacement) DeepCopyInto(out *NetworkDiagnosticsSourcePlacement) {
+	*out = *in
+	if in.NodeSelector != nil {
+		in, out := &in.NodeSelector, &out.NodeSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]corev1.Toleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkDiagnosticsSourcePlacement.
+func (in *NetworkDiagnosticsSourcePlacement) DeepCopy() *NetworkDiagnosticsSourcePlacement {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkDiagnosticsSourcePlacement)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkDiagnosticsTargetPlacement) DeepCopyInto(out *NetworkDiagnosticsTargetPlacement) {
+	*out = *in
+	if in.NodeSelector != nil {
+		in, out := &in.NodeSelector, &out.NodeSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]corev1.Toleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkDiagnosticsTargetPlacement.
+func (in *NetworkDiagnosticsTargetPlacement) DeepCopy() *NetworkDiagnosticsTargetPlacement {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkDiagnosticsTargetPlacement)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkList) DeepCopyInto(out *NetworkList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Network, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkList.
+func (in *NetworkList) DeepCopy() *NetworkList {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NetworkList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkMigration) DeepCopyInto(out *NetworkMigration) {
+	*out = *in
+	if in.MTU != nil {
+		in, out := &in.MTU, &out.MTU
+		*out = new(MTUMigration)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkMigration.
+func (in *NetworkMigration) DeepCopy() *NetworkMigration {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkMigration)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkSpec) DeepCopyInto(out *NetworkSpec) {
+	*out = *in
+	if in.ClusterNetwork != nil {
+		in, out := &in.ClusterNetwork, &out.ClusterNetwork
+		*out = make([]ClusterNetworkEntry, len(*in))
+		copy(*out, *in)
+	}
+	if in.ServiceNetwork != nil {
+		in, out := &in.ServiceNetwork, &out.ServiceNetwork
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ExternalIP != nil {
+		in, out := &in.ExternalIP, &out.ExternalIP
+		*out = new(ExternalIPConfig)
+		(*in).DeepCopyInto(*out)
+	}
+	in.NetworkDiagnostics.DeepCopyInto(&out.NetworkDiagnostics)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSpec.
+func (in *NetworkSpec) DeepCopy() *NetworkSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkStatus) DeepCopyInto(out *NetworkStatus) {
+	*out = *in
+	if in.ClusterNetwork != nil {
+		in, out := &in.ClusterNetwork, &out.ClusterNetwork
+		*out = make([]ClusterNetworkEntry, len(*in))
+		copy(*out, *in)
+	}
+	if in.ServiceNetwork != nil {
+		in, out := &in.ServiceNetwork, &out.ServiceNetwork
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Migration != nil {
+		in, out := &in.Migration, &out.Migration
+		*out = new(NetworkMigration)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkStatus.
+func (in *NetworkStatus) DeepCopy() *NetworkStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Node) DeepCopyInto(out *Node) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Node.
+func (in *Node) DeepCopy() *Node {
+	if in == nil {
+		return nil
+	}
+	out := new(Node)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Node) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeList) DeepCopyInto(out *NodeList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Node, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeList.
+func (in *NodeList) DeepCopy() *NodeList {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NodeList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeSpec) DeepCopyInto(out *NodeSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeSpec.
+func (in *NodeSpec) DeepCopy() *NodeSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeStatus) DeepCopyInto(out *NodeStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeStatus.
+func (in *NodeStatus) DeepCopy() *NodeStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NutanixFailureDomain) DeepCopyInto(out *NutanixFailureDomain) {
+	*out = *in
+	in.Cluster.DeepCopyInto(&out.Cluster)
+	if in.Subnets != nil {
+		in, out := &in.Subnets, &out.Subnets
+		*out = make([]NutanixResourceIdentifier, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NutanixFailureDomain.
+func (in *NutanixFailureDomain) DeepCopy() *NutanixFailureDomain {
+	if in == nil {
+		return nil
+	}
+	out := new(NutanixFailureDomain)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NutanixPlatformLoadBalancer) DeepCopyInto(out *NutanixPlatformLoadBalancer) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NutanixPlatformLoadBalancer.
+func (in *NutanixPlatformLoadBalancer) DeepCopy() *NutanixPlatformLoadBalancer {
+	if in == nil {
+		return nil
+	}
+	out := new(NutanixPlatformLoadBalancer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NutanixPlatformSpec) DeepCopyInto(out *NutanixPlatformSpec) {
+	*out = *in
+	out.PrismCentral = in.PrismCentral
+	if in.PrismElements != nil {
+		in, out := &in.PrismElements, &out.PrismElements
+		*out = make([]NutanixPrismElementEndpoint, len(*in))
+		copy(*out, *in)
+	}
+	if in.FailureDomains != nil {
+		in, out := &in.FailureDomains, &out.FailureDomains
+		*out = make([]NutanixFailureDomain, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NutanixPlatformSpec.
+func (in *NutanixPlatformSpec) DeepCopy() *NutanixPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(NutanixPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NutanixPlatformStatus) DeepCopyInto(out *NutanixPlatformStatus) {
+	*out = *in
+	if in.APIServerInternalIPs != nil {
+		in, out := &in.APIServerInternalIPs, &out.APIServerInternalIPs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.IngressIPs != nil {
+		in, out := &in.IngressIPs, &out.IngressIPs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = new(NutanixPlatformLoadBalancer)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NutanixPlatformStatus.
+func (in *NutanixPlatformStatus) DeepCopy() *NutanixPlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(NutanixPlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NutanixPrismElementEndpoint) DeepCopyInto(out *NutanixPrismElementEndpoint) {
+	*out = *in
+	out.Endpoint = in.Endpoint
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NutanixPrismElementEndpoint.
+func (in *NutanixPrismElementEndpoint) DeepCopy() *NutanixPrismElementEndpoint {
+	if in == nil {
+		return nil
+	}
+	out := new(NutanixPrismElementEndpoint)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NutanixPrismEndpoint) DeepCopyInto(out *NutanixPrismEndpoint) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NutanixPrismEndpoint.
+func (in *NutanixPrismEndpoint) DeepCopy() *NutanixPrismEndpoint {
+	if in == nil {
+		return nil
+	}
+	out := new(NutanixPrismEndpoint)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NutanixResourceIdentifier) DeepCopyInto(out *NutanixResourceIdentifier) {
+	*out = *in
+	if in.UUID != nil {
+		in, out := &in.UUID, &out.UUID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NutanixResourceIdentifier.
+func (in *NutanixResourceIdentifier) DeepCopy() *NutanixResourceIdentifier {
+	if in == nil {
+		return nil
+	}
+	out := new(NutanixResourceIdentifier)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OAuth) DeepCopyInto(out *OAuth) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth.
+func (in *OAuth) DeepCopy() *OAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(OAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OAuth) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OAuthList) DeepCopyInto(out *OAuthList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OAuth, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuthList.
+func (in *OAuthList) DeepCopy() *OAuthList {
+	if in == nil {
+		return nil
+	}
+	out := new(OAuthList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OAuthList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OAuthRemoteConnectionInfo) DeepCopyInto(out *OAuthRemoteConnectionInfo) {
+	*out = *in
+	out.CA = in.CA
+	out.TLSClientCert = in.TLSClientCert
+	out.TLSClientKey = in.TLSClientKey
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuthRemoteConnectionInfo.
+func (in *OAuthRemoteConnectionInfo) DeepCopy() *OAuthRemoteConnectionInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(OAuthRemoteConnectionInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OAuthSpec) DeepCopyInto(out *OAuthSpec) {
+	*out = *in
+	if in.IdentityProviders != nil {
+		in, out := &in.IdentityProviders, &out.IdentityProviders
+		*out = make([]IdentityProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.TokenConfig.DeepCopyInto(&out.TokenConfig)
+	out.Templates = in.Templates
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuthSpec.
+func (in *OAuthSpec) DeepCopy() *OAuthSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OAuthSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OAuthStatus) DeepCopyInto(out *OAuthStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuthStatus.
+func (in *OAuthStatus) DeepCopy() *OAuthStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OAuthStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OAuthTemplates) DeepCopyInto(out *OAuthTemplates) {
+	*out = *in
+	out.Login = in.Login
+	out.ProviderSelection = in.ProviderSelection
+	out.Error = in.Error
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuthTemplates.
+func (in *OAuthTemplates) DeepCopy() *OAuthTemplates {
+	if in == nil {
+		return nil
+	}
+	out := new(OAuthTemplates)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientConfig) DeepCopyInto(out *OIDCClientConfig) {
+	*out = *in
+	out.ClientSecret = in.ClientSecret
+	if in.ExtraScopes != nil {
+		in, out := &in.ExtraScopes, &out.ExtraScopes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientConfig.
+func (in *OIDCClientConfig) DeepCopy() *OIDCClientConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientReference) DeepCopyInto(out *OIDCClientReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientReference.
+func (in *OIDCClientReference) DeepCopy() *OIDCClientReference {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) {
+	*out = *in
+	if in.CurrentOIDCClients != nil {
+		in, out := &in.CurrentOIDCClients, &out.CurrentOIDCClients
+		*out = make([]OIDCClientReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.ConsumingUsers != nil {
+		in, out := &in.ConsumingUsers, &out.ConsumingUsers
+		*out = make([]ConsumingUser, len(*in))
+		copy(*out, *in)
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus.
+func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
+	*out = *in
+	in.Issuer.DeepCopyInto(&out.Issuer)
+	if in.OIDCClients != nil {
+		in, out := &in.OIDCClients, &out.OIDCClients
+		*out = make([]OIDCClientConfig, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.ClaimMappings.DeepCopyInto(&out.ClaimMappings)
+	if in.ClaimValidationRules != nil {
+		in, out := &in.ClaimValidationRules, &out.ClaimValidationRules
+		*out = make([]TokenClaimValidationRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProvider.
+func (in *OIDCProvider) DeepCopy() *OIDCProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectReference) DeepCopyInto(out *ObjectReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectReference.
+func (in *ObjectReference) DeepCopy() *ObjectReference {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OldTLSProfile) DeepCopyInto(out *OldTLSProfile) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OldTLSProfile.
+func (in *OldTLSProfile) DeepCopy() *OldTLSProfile {
+	if in == nil {
+		return nil
+	}
+	out := new(OldTLSProfile)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDClaims) DeepCopyInto(out *OpenIDClaims) {
+	*out = *in
+	if in.PreferredUsername != nil {
+		in, out := &in.PreferredUsername, &out.PreferredUsername
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Email != nil {
+		in, out := &in.Email, &out.Email
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]OpenIDClaim, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDClaims.
+func (in *OpenIDClaims) DeepCopy() *OpenIDClaims {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDClaims)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDIdentityProvider) DeepCopyInto(out *OpenIDIdentityProvider) {
+	*out = *in
+	out.ClientSecret = in.ClientSecret
+	out.CA = in.CA
+	if in.ExtraScopes != nil {
+		in, out := &in.ExtraScopes, &out.ExtraScopes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ExtraAuthorizeParameters != nil {
+		in, out := &in.ExtraAuthorizeParameters, &out.ExtraAuthorizeParameters
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	in.Claims.DeepCopyInto(&out.Claims)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDIdentityProvider.
+func (in *OpenIDIdentityProvider) DeepCopy() *OpenIDIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenStackPlatformLoadBalancer) DeepCopyInto(out *OpenStackPlatformLoadBalancer) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenStackPlatformLoadBalancer.
+func (in *OpenStackPlatformLoadBalancer) DeepCopy() *OpenStackPlatformLoadBalancer {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenStackPlatformLoadBalancer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenStackPlatformSpec) DeepCopyInto(out *OpenStackPlatformSpec) {
+	*out = *in
+	if in.APIServerInternalIPs != nil {
+		in, out := &in.APIServerInternalIPs, &out.APIServerInternalIPs
+		*out = make([]IP, len(*in))
+		copy(*out, *in)
+	}
+	if in.IngressIPs != nil {
+		in, out := &in.IngressIPs, &out.IngressIPs
+		*out = make([]IP, len(*in))
+		copy(*out, *in)
+	}
+	if in.MachineNetworks != nil {
+		in, out := &in.MachineNetworks, &out.MachineNetworks
+		*out = make([]CIDR, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenStackPlatformSpec.
+func (in *OpenStackPlatformSpec) DeepCopy() *OpenStackPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenStackPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenStackPlatformStatus) DeepCopyInto(out *OpenStackPlatformStatus) {
+	*out = *in
+	if in.APIServerInternalIPs != nil {
+		in, out := &in.APIServerInternalIPs, &out.APIServerInternalIPs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.IngressIPs != nil {
+		in, out := &in.IngressIPs, &out.IngressIPs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = new(OpenStackPlatformLoadBalancer)
+		**out = **in
+	}
+	if in.MachineNetworks != nil {
+		in, out := &in.MachineNetworks, &out.MachineNetworks
+		*out = make([]CIDR, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenStackPlatformStatus.
+func (in *OpenStackPlatformStatus) DeepCopy() *OpenStackPlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenStackPlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OperandVersion) DeepCopyInto(out *OperandVersion) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OperandVersion.
+func (in *OperandVersion) DeepCopy() *OperandVersion {
+	if in == nil {
+		return nil
+	}
+	out := new(OperandVersion)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OperatorHub) DeepCopyInto(out *OperatorHub) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OperatorHub.
+func (in *OperatorHub) DeepCopy() *OperatorHub {
+	if in == nil {
+		return nil
+	}
+	out := new(OperatorHub)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OperatorHub) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OperatorHubList) DeepCopyInto(out *OperatorHubList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OperatorHub, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OperatorHubList.
+func (in *OperatorHubList) DeepCopy() *OperatorHubList {
+	if in == nil {
+		return nil
+	}
+	out := new(OperatorHubList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OperatorHubList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OperatorHubSpec) DeepCopyInto(out *OperatorHubSpec) {
+	*out = *in
+	if in.Sources != nil {
+		in, out := &in.Sources, &out.Sources
+		*out = make([]HubSource, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OperatorHubSpec.
+func (in *OperatorHubSpec) DeepCopy() *OperatorHubSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OperatorHubSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OperatorHubStatus) DeepCopyInto(out *OperatorHubStatus) {
+	*out = *in
+	if in.Sources != nil {
+		in, out := &in.Sources, &out.Sources
+		*out = make([]HubSourceStatus, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OperatorHubStatus.
+func (in *OperatorHubStatus) DeepCopy() *OperatorHubStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OperatorHubStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OvirtPlatformLoadBalancer) DeepCopyInto(out *OvirtPlatformLoadBalancer) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OvirtPlatformLoadBalancer.
+func (in *OvirtPlatformLoadBalancer) DeepCopy() *OvirtPlatformLoadBalancer {
+	if in == nil {
+		return nil
+	}
+	out := new(OvirtPlatformLoadBalancer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OvirtPlatformSpec) DeepCopyInto(out *OvirtPlatformSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OvirtPlatformSpec.
+func (in *OvirtPlatformSpec) DeepCopy() *OvirtPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OvirtPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OvirtPlatformStatus) DeepCopyInto(out *OvirtPlatformStatus) {
+	*out = *in
+	if in.APIServerInternalIPs != nil {
+		in, out := &in.APIServerInternalIPs, &out.APIServerInternalIPs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.IngressIPs != nil {
+		in, out := &in.IngressIPs, &out.IngressIPs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = new(OvirtPlatformLoadBalancer)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OvirtPlatformStatus.
+func (in *OvirtPlatformStatus) DeepCopy() *OvirtPlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OvirtPlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PKI) DeepCopyInto(out *PKI) {
+	*out = *in
+	if in.CertificateAuthorityRootsData != nil {
+		in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CertificateAuthorityIntermediatesData != nil {
+		in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	out.PKICertificateSubject = in.PKICertificateSubject
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI.
+func (in *PKI) DeepCopy() *PKI {
+	if in == nil {
+		return nil
+	}
+	out := new(PKI)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateSubject.
+func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject {
+	if in == nil {
+		return nil
+	}
+	out := new(PKICertificateSubject)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) {
+	*out = *in
+	if in.AWS != nil {
+		in, out := &in.AWS, &out.AWS
+		*out = new(AWSPlatformSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Azure != nil {
+		in, out := &in.Azure, &out.Azure
+		*out = new(AzurePlatformSpec)
+		**out = **in
+	}
+	if in.GCP != nil {
+		in, out := &in.GCP, &out.GCP
+		*out = new(GCPPlatformSpec)
+		**out = **in
+	}
+	if in.BareMetal != nil {
+		in, out := &in.BareMetal, &out.BareMetal
+		*out = new(BareMetalPlatformSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.OpenStack != nil {
+		in, out := &in.OpenStack, &out.OpenStack
+		*out = new(OpenStackPlatformSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Ovirt != nil {
+		in, out := &in.Ovirt, &out.Ovirt
+		*out = new(OvirtPlatformSpec)
+		**out = **in
+	}
+	if in.VSphere != nil {
+		in, out := &in.VSphere, &out.VSphere
+		*out = new(VSpherePlatformSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.IBMCloud != nil {
+		in, out := &in.IBMCloud, &out.IBMCloud
+		*out = new(IBMCloudPlatformSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Kubevirt != nil {
+		in, out := &in.Kubevirt, &out.Kubevirt
+		*out = new(KubevirtPlatformSpec)
+		**out = **in
+	}
+	if in.EquinixMetal != nil {
+		in, out := &in.EquinixMetal, &out.EquinixMetal
+		*out = new(EquinixMetalPlatformSpec)
+		**out = **in
+	}
+	if in.PowerVS != nil {
+		in, out := &in.PowerVS, &out.PowerVS
+		*out = new(PowerVSPlatformSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AlibabaCloud != nil {
+		in, out := &in.AlibabaCloud, &out.AlibabaCloud
+		*out = new(AlibabaCloudPlatformSpec)
+		**out = **in
+	}
+	if in.Nutanix != nil {
+		in, out := &in.Nutanix, &out.Nutanix
+		*out = new(NutanixPlatformSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.External != nil {
+		in, out := &in.External, &out.External
+		*out = new(ExternalPlatformSpec)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlatformSpec.
+func (in *PlatformSpec) DeepCopy() *PlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlatformStatus) DeepCopyInto(out *PlatformStatus) {
+	*out = *in
+	if in.AWS != nil {
+		in, out := &in.AWS, &out.AWS
+		*out = new(AWSPlatformStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Azure != nil {
+		in, out := &in.Azure, &out.Azure
+		*out = new(AzurePlatformStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.GCP != nil {
+		in, out := &in.GCP, &out.GCP
+		*out = new(GCPPlatformStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.BareMetal != nil {
+		in, out := &in.BareMetal, &out.BareMetal
+		*out = new(BareMetalPlatformStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.OpenStack != nil {
+		in, out := &in.OpenStack, &out.OpenStack
+		*out = new(OpenStackPlatformStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Ovirt != nil {
+		in, out := &in.Ovirt, &out.Ovirt
+		*out = new(OvirtPlatformStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.VSphere != nil {
+		in, out := &in.VSphere, &out.VSphere
+		*out = new(VSpherePlatformStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.IBMCloud != nil {
+		in, out := &in.IBMCloud, &out.IBMCloud
+		*out = new(IBMCloudPlatformStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Kubevirt != nil {
+		in, out := &in.Kubevirt, &out.Kubevirt
+		*out = new(KubevirtPlatformStatus)
+		**out = **in
+	}
+	if in.EquinixMetal != nil {
+		in, out := &in.EquinixMetal, &out.EquinixMetal
+		*out = new(EquinixMetalPlatformStatus)
+		**out = **in
+	}
+	if in.PowerVS != nil {
+		in, out := &in.PowerVS, &out.PowerVS
+		*out = new(PowerVSPlatformStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AlibabaCloud != nil {
+		in, out := &in.AlibabaCloud, &out.AlibabaCloud
+		*out = new(AlibabaCloudPlatformStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Nutanix != nil {
+		in, out := &in.Nutanix, &out.Nutanix
+		*out = new(NutanixPlatformStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.External != nil {
+		in, out := &in.External, &out.External
+		*out = new(ExternalPlatformStatus)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlatformStatus.
+func (in *PlatformStatus) DeepCopy() *PlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Policy) DeepCopyInto(out *Policy) {
+	*out = *in
+	in.RootOfTrust.DeepCopyInto(&out.RootOfTrust)
+	if in.SignedIdentity != nil {
+		in, out := &in.SignedIdentity, &out.SignedIdentity
+		*out = new(PolicyIdentity)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
+func (in *Policy) DeepCopy() *Policy {
+	if in == nil {
+		return nil
+	}
+	out := new(Policy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyFulcioSubject.
+func (in *PolicyFulcioSubject) DeepCopy() *PolicyFulcioSubject {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyFulcioSubject)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyIdentity) DeepCopyInto(out *PolicyIdentity) {
+	*out = *in
+	if in.PolicyMatchExactRepository != nil {
+		in, out := &in.PolicyMatchExactRepository, &out.PolicyMatchExactRepository
+		*out = new(PolicyMatchExactRepository)
+		**out = **in
+	}
+	if in.PolicyMatchRemapIdentity != nil {
+		in, out := &in.PolicyMatchRemapIdentity, &out.PolicyMatchRemapIdentity
+		*out = new(PolicyMatchRemapIdentity)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyIdentity.
+func (in *PolicyIdentity) DeepCopy() *PolicyIdentity {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyIdentity)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyMatchExactRepository) DeepCopyInto(out *PolicyMatchExactRepository) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyMatchExactRepository.
+func (in *PolicyMatchExactRepository) DeepCopy() *PolicyMatchExactRepository {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyMatchExactRepository)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyMatchRemapIdentity) DeepCopyInto(out *PolicyMatchRemapIdentity) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyMatchRemapIdentity.
+func (in *PolicyMatchRemapIdentity) DeepCopy() *PolicyMatchRemapIdentity {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyMatchRemapIdentity)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) {
+	*out = *in
+	if in.PublicKey != nil {
+		in, out := &in.PublicKey, &out.PublicKey
+		*out = new(PublicKey)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.FulcioCAWithRekor != nil {
+		in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor
+		*out = new(FulcioCAWithRekor)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.PKI != nil {
+		in, out := &in.PKI, &out.PKI
+		*out = new(PKI)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRootOfTrust.
+func (in *PolicyRootOfTrust) DeepCopy() *PolicyRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PowerVSPlatformSpec) DeepCopyInto(out *PowerVSPlatformSpec) {
+	*out = *in
+	if in.ServiceEndpoints != nil {
+		in, out := &in.ServiceEndpoints, &out.ServiceEndpoints
+		*out = make([]PowerVSServiceEndpoint, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PowerVSPlatformSpec.
+func (in *PowerVSPlatformSpec) DeepCopy() *PowerVSPlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PowerVSPlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PowerVSPlatformStatus) DeepCopyInto(out *PowerVSPlatformStatus) {
+	*out = *in
+	if in.ServiceEndpoints != nil {
+		in, out := &in.ServiceEndpoints, &out.ServiceEndpoints
+		*out = make([]PowerVSServiceEndpoint, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PowerVSPlatformStatus.
+func (in *PowerVSPlatformStatus) DeepCopy() *PowerVSPlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PowerVSPlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PowerVSServiceEndpoint) DeepCopyInto(out *PowerVSServiceEndpoint) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PowerVSServiceEndpoint.
+func (in *PowerVSServiceEndpoint) DeepCopy() *PowerVSServiceEndpoint {
+	if in == nil {
+		return nil
+	}
+	out := new(PowerVSServiceEndpoint)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PrefixedClaimMapping) DeepCopyInto(out *PrefixedClaimMapping) {
+	*out = *in
+	out.TokenClaimMapping = in.TokenClaimMapping
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrefixedClaimMapping.
+func (in *PrefixedClaimMapping) DeepCopy() *PrefixedClaimMapping {
+	if in == nil {
+		return nil
+	}
+	out := new(PrefixedClaimMapping)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProfileCustomizations) DeepCopyInto(out *ProfileCustomizations) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProfileCustomizations.
+func (in *ProfileCustomizations) DeepCopy() *ProfileCustomizations {
+	if in == nil {
+		return nil
+	}
+	out := new(ProfileCustomizations)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Project) DeepCopyInto(out *Project) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Project.
+func (in *Project) DeepCopy() *Project {
+	if in == nil {
+		return nil
+	}
+	out := new(Project)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Project) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProjectList) DeepCopyInto(out *ProjectList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Project, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProjectList.
+func (in *ProjectList) DeepCopy() *ProjectList {
+	if in == nil {
+		return nil
+	}
+	out := new(ProjectList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ProjectList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProjectSpec) DeepCopyInto(out *ProjectSpec) {
+	*out = *in
+	out.ProjectRequestTemplate = in.ProjectRequestTemplate
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProjectSpec.
+func (in *ProjectSpec) DeepCopy() *ProjectSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ProjectSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProjectStatus) DeepCopyInto(out *ProjectStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProjectStatus.
+func (in *ProjectStatus) DeepCopy() *ProjectStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ProjectStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PromQLClusterCondition) DeepCopyInto(out *PromQLClusterCondition) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PromQLClusterCondition.
+func (in *PromQLClusterCondition) DeepCopy() *PromQLClusterCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(PromQLClusterCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Proxy) DeepCopyInto(out *Proxy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Proxy.
+func (in *Proxy) DeepCopy() *Proxy {
+	if in == nil {
+		return nil
+	}
+	out := new(Proxy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Proxy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProxyList) DeepCopyInto(out *ProxyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Proxy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyList.
+func (in *ProxyList) DeepCopy() *ProxyList {
+	if in == nil {
+		return nil
+	}
+	out := new(ProxyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ProxyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProxySpec) DeepCopyInto(out *ProxySpec) {
+	*out = *in
+	if in.ReadinessEndpoints != nil {
+		in, out := &in.ReadinessEndpoints, &out.ReadinessEndpoints
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	out.TrustedCA = in.TrustedCA
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxySpec.
+func (in *ProxySpec) DeepCopy() *ProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProxyStatus) DeepCopyInto(out *ProxyStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyStatus.
+func (in *ProxyStatus) DeepCopy() *ProxyStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ProxyStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PublicKey) DeepCopyInto(out *PublicKey) {
+	*out = *in
+	if in.KeyData != nil {
+		in, out := &in.KeyData, &out.KeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.RekorKeyData != nil {
+		in, out := &in.RekorKeyData, &out.RekorKeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey.
+func (in *PublicKey) DeepCopy() *PublicKey {
+	if in == nil {
+		return nil
+	}
+	out := new(PublicKey)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RegistryLocation) DeepCopyInto(out *RegistryLocation) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegistryLocation.
+func (in *RegistryLocation) DeepCopy() *RegistryLocation {
+	if in == nil {
+		return nil
+	}
+	out := new(RegistryLocation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RegistrySources) DeepCopyInto(out *RegistrySources) {
+	*out = *in
+	if in.InsecureRegistries != nil {
+		in, out := &in.InsecureRegistries, &out.InsecureRegistries
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.BlockedRegistries != nil {
+		in, out := &in.BlockedRegistries, &out.BlockedRegistries
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.AllowedRegistries != nil {
+		in, out := &in.AllowedRegistries, &out.AllowedRegistries
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ContainerRuntimeSearchRegistries != nil {
+		in, out := &in.ContainerRuntimeSearchRegistries, &out.ContainerRuntimeSearchRegistries
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegistrySources.
+func (in *RegistrySources) DeepCopy() *RegistrySources {
+	if in == nil {
+		return nil
+	}
+	out := new(RegistrySources)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Release) DeepCopyInto(out *Release) {
+	*out = *in
+	if in.Channels != nil {
+		in, out := &in.Channels, &out.Channels
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Release.
+func (in *Release) DeepCopy() *Release {
+	if in == nil {
+		return nil
+	}
+	out := new(Release)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RemoteConnectionInfo) DeepCopyInto(out *RemoteConnectionInfo) {
+	*out = *in
+	out.CertInfo = in.CertInfo
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteConnectionInfo.
+func (in *RemoteConnectionInfo) DeepCopy() *RemoteConnectionInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(RemoteConnectionInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RepositoryDigestMirrors) DeepCopyInto(out *RepositoryDigestMirrors) {
+	*out = *in
+	if in.Mirrors != nil {
+		in, out := &in.Mirrors, &out.Mirrors
+		*out = make([]Mirror, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RepositoryDigestMirrors.
+func (in *RepositoryDigestMirrors) DeepCopy() *RepositoryDigestMirrors {
+	if in == nil {
+		return nil
+	}
+	out := new(RepositoryDigestMirrors)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RequestHeaderIdentityProvider) DeepCopyInto(out *RequestHeaderIdentityProvider) {
+	*out = *in
+	out.ClientCA = in.ClientCA
+	if in.ClientCommonNames != nil {
+		in, out := &in.ClientCommonNames, &out.ClientCommonNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Headers != nil {
+		in, out := &in.Headers, &out.Headers
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.PreferredUsernameHeaders != nil {
+		in, out := &in.PreferredUsernameHeaders, &out.PreferredUsernameHeaders
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.NameHeaders != nil {
+		in, out := &in.NameHeaders, &out.NameHeaders
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.EmailHeaders != nil {
+		in, out := &in.EmailHeaders, &out.EmailHeaders
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestHeaderIdentityProvider.
+func (in *RequestHeaderIdentityProvider) DeepCopy() *RequestHeaderIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(RequestHeaderIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RequiredHSTSPolicy) DeepCopyInto(out *RequiredHSTSPolicy) {
+	*out = *in
+	if in.NamespaceSelector != nil {
+		in, out := &in.NamespaceSelector, &out.NamespaceSelector
+		*out = new(metav1.LabelSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.DomainPatterns != nil {
+		in, out := &in.DomainPatterns, &out.DomainPatterns
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	in.MaxAge.DeepCopyInto(&out.MaxAge)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequiredHSTSPolicy.
+func (in *RequiredHSTSPolicy) DeepCopy() *RequiredHSTSPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(RequiredHSTSPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Scheduler) DeepCopyInto(out *Scheduler) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Scheduler.
+func (in *Scheduler) DeepCopy() *Scheduler {
+	if in == nil {
+		return nil
+	}
+	out := new(Scheduler)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Scheduler) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SchedulerList) DeepCopyInto(out *SchedulerList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Scheduler, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SchedulerList.
+func (in *SchedulerList) DeepCopy() *SchedulerList {
+	if in == nil {
+		return nil
+	}
+	out := new(SchedulerList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SchedulerList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SchedulerSpec) DeepCopyInto(out *SchedulerSpec) {
+	*out = *in
+	out.Policy = in.Policy
+	out.ProfileCustomizations = in.ProfileCustomizations
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SchedulerSpec.
+func (in *SchedulerSpec) DeepCopy() *SchedulerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(SchedulerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SchedulerStatus) DeepCopyInto(out *SchedulerStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SchedulerStatus.
+func (in *SchedulerStatus) DeepCopy() *SchedulerStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(SchedulerStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretNameReference) DeepCopyInto(out *SecretNameReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretNameReference.
+func (in *SecretNameReference) DeepCopy() *SecretNameReference {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretNameReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServingInfo) DeepCopyInto(out *ServingInfo) {
+	*out = *in
+	out.CertInfo = in.CertInfo
+	if in.NamedCertificates != nil {
+		in, out := &in.NamedCertificates, &out.NamedCertificates
+		*out = make([]NamedCertificate, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CipherSuites != nil {
+		in, out := &in.CipherSuites, &out.CipherSuites
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServingInfo.
+func (in *ServingInfo) DeepCopy() *ServingInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(ServingInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SignatureStore) DeepCopyInto(out *SignatureStore) {
+	*out = *in
+	out.CA = in.CA
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SignatureStore.
+func (in *SignatureStore) DeepCopy() *SignatureStore {
+	if in == nil {
+		return nil
+	}
+	out := new(SignatureStore)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StringSource) DeepCopyInto(out *StringSource) {
+	*out = *in
+	out.StringSourceSpec = in.StringSourceSpec
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringSource.
+func (in *StringSource) DeepCopy() *StringSource {
+	if in == nil {
+		return nil
+	}
+	out := new(StringSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StringSourceSpec) DeepCopyInto(out *StringSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringSourceSpec.
+func (in *StringSourceSpec) DeepCopy() *StringSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(StringSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSProfileSpec) DeepCopyInto(out *TLSProfileSpec) {
+	*out = *in
+	if in.Ciphers != nil {
+		in, out := &in.Ciphers, &out.Ciphers
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSProfileSpec.
+func (in *TLSProfileSpec) DeepCopy() *TLSProfileSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TLSProfileSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSSecurityProfile) DeepCopyInto(out *TLSSecurityProfile) {
+	*out = *in
+	if in.Old != nil {
+		in, out := &in.Old, &out.Old
+		*out = new(OldTLSProfile)
+		**out = **in
+	}
+	if in.Intermediate != nil {
+		in, out := &in.Intermediate, &out.Intermediate
+		*out = new(IntermediateTLSProfile)
+		**out = **in
+	}
+	if in.Modern != nil {
+		in, out := &in.Modern, &out.Modern
+		*out = new(ModernTLSProfile)
+		**out = **in
+	}
+	if in.Custom != nil {
+		in, out := &in.Custom, &out.Custom
+		*out = new(CustomTLSProfile)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSecurityProfile.
+func (in *TLSSecurityProfile) DeepCopy() *TLSSecurityProfile {
+	if in == nil {
+		return nil
+	}
+	out := new(TLSSecurityProfile)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TemplateReference) DeepCopyInto(out *TemplateReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateReference.
+func (in *TemplateReference) DeepCopy() *TemplateReference {
+	if in == nil {
+		return nil
+	}
+	out := new(TemplateReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TestDetails) DeepCopyInto(out *TestDetails) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TestDetails.
+func (in *TestDetails) DeepCopy() *TestDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(TestDetails)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TestReporting) DeepCopyInto(out *TestReporting) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TestReporting.
+func (in *TestReporting) DeepCopy() *TestReporting {
+	if in == nil {
+		return nil
+	}
+	out := new(TestReporting)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TestReportingSpec) DeepCopyInto(out *TestReportingSpec) {
+	*out = *in
+	if in.TestsForFeatureGates != nil {
+		in, out := &in.TestsForFeatureGates, &out.TestsForFeatureGates
+		*out = make([]FeatureGateTests, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TestReportingSpec.
+func (in *TestReportingSpec) DeepCopy() *TestReportingSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TestReportingSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TestReportingStatus) DeepCopyInto(out *TestReportingStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TestReportingStatus.
+func (in *TestReportingStatus) DeepCopy() *TestReportingStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TestReportingStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenClaimMapping) DeepCopyInto(out *TokenClaimMapping) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimMapping.
+func (in *TokenClaimMapping) DeepCopy() *TokenClaimMapping {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenClaimMapping)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenClaimMappings) DeepCopyInto(out *TokenClaimMappings) {
+	*out = *in
+	in.Username.DeepCopyInto(&out.Username)
+	out.Groups = in.Groups
+	if in.UID != nil {
+		in, out := &in.UID, &out.UID
+		*out = new(TokenClaimOrExpressionMapping)
+		**out = **in
+	}
+	if in.Extra != nil {
+		in, out := &in.Extra, &out.Extra
+		*out = make([]ExtraMapping, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimMappings.
+func (in *TokenClaimMappings) DeepCopy() *TokenClaimMappings {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenClaimMappings)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenClaimOrExpressionMapping) DeepCopyInto(out *TokenClaimOrExpressionMapping) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimOrExpressionMapping.
+func (in *TokenClaimOrExpressionMapping) DeepCopy() *TokenClaimOrExpressionMapping {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenClaimOrExpressionMapping)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule) {
+	*out = *in
+	if in.RequiredClaim != nil {
+		in, out := &in.RequiredClaim, &out.RequiredClaim
+		*out = new(TokenRequiredClaim)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimValidationRule.
+func (in *TokenClaimValidationRule) DeepCopy() *TokenClaimValidationRule {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenClaimValidationRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenConfig) DeepCopyInto(out *TokenConfig) {
+	*out = *in
+	if in.AccessTokenInactivityTimeout != nil {
+		in, out := &in.AccessTokenInactivityTimeout, &out.AccessTokenInactivityTimeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenConfig.
+func (in *TokenConfig) DeepCopy() *TokenConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenIssuer) DeepCopyInto(out *TokenIssuer) {
+	*out = *in
+	if in.Audiences != nil {
+		in, out := &in.Audiences, &out.Audiences
+		*out = make([]TokenAudience, len(*in))
+		copy(*out, *in)
+	}
+	out.CertificateAuthority = in.CertificateAuthority
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenIssuer.
+func (in *TokenIssuer) DeepCopy() *TokenIssuer {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenIssuer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenRequiredClaim) DeepCopyInto(out *TokenRequiredClaim) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenRequiredClaim.
+func (in *TokenRequiredClaim) DeepCopy() *TokenRequiredClaim {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenRequiredClaim)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Update) DeepCopyInto(out *Update) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Update.
+func (in *Update) DeepCopy() *Update {
+	if in == nil {
+		return nil
+	}
+	out := new(Update)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpdateHistory) DeepCopyInto(out *UpdateHistory) {
+	*out = *in
+	in.StartedTime.DeepCopyInto(&out.StartedTime)
+	if in.CompletionTime != nil {
+		in, out := &in.CompletionTime, &out.CompletionTime
+		*out = (*in).DeepCopy()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateHistory.
+func (in *UpdateHistory) DeepCopy() *UpdateHistory {
+	if in == nil {
+		return nil
+	}
+	out := new(UpdateHistory)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UsernameClaimMapping) DeepCopyInto(out *UsernameClaimMapping) {
+	*out = *in
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(UsernamePrefix)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UsernameClaimMapping.
+func (in *UsernameClaimMapping) DeepCopy() *UsernameClaimMapping {
+	if in == nil {
+		return nil
+	}
+	out := new(UsernameClaimMapping)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UsernamePrefix) DeepCopyInto(out *UsernamePrefix) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UsernamePrefix.
+func (in *UsernamePrefix) DeepCopy() *UsernamePrefix {
+	if in == nil {
+		return nil
+	}
+	out := new(UsernamePrefix)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VSphereFailureDomainHostGroup) DeepCopyInto(out *VSphereFailureDomainHostGroup) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VSphereFailureDomainHostGroup.
+func (in *VSphereFailureDomainHostGroup) DeepCopy() *VSphereFailureDomainHostGroup {
+	if in == nil {
+		return nil
+	}
+	out := new(VSphereFailureDomainHostGroup)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VSphereFailureDomainRegionAffinity) DeepCopyInto(out *VSphereFailureDomainRegionAffinity) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VSphereFailureDomainRegionAffinity.
+func (in *VSphereFailureDomainRegionAffinity) DeepCopy() *VSphereFailureDomainRegionAffinity {
+	if in == nil {
+		return nil
+	}
+	out := new(VSphereFailureDomainRegionAffinity)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VSphereFailureDomainZoneAffinity) DeepCopyInto(out *VSphereFailureDomainZoneAffinity) {
+	*out = *in
+	if in.HostGroup != nil {
+		in, out := &in.HostGroup, &out.HostGroup
+		*out = new(VSphereFailureDomainHostGroup)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VSphereFailureDomainZoneAffinity.
+func (in *VSphereFailureDomainZoneAffinity) DeepCopy() *VSphereFailureDomainZoneAffinity {
+	if in == nil {
+		return nil
+	}
+	out := new(VSphereFailureDomainZoneAffinity)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VSpherePlatformFailureDomainSpec) DeepCopyInto(out *VSpherePlatformFailureDomainSpec) {
+	*out = *in
+	if in.RegionAffinity != nil {
+		in, out := &in.RegionAffinity, &out.RegionAffinity
+		*out = new(VSphereFailureDomainRegionAffinity)
+		**out = **in
+	}
+	if in.ZoneAffinity != nil {
+		in, out := &in.ZoneAffinity, &out.ZoneAffinity
+		*out = new(VSphereFailureDomainZoneAffinity)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Topology.DeepCopyInto(&out.Topology)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VSpherePlatformFailureDomainSpec.
+func (in *VSpherePlatformFailureDomainSpec) DeepCopy() *VSpherePlatformFailureDomainSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(VSpherePlatformFailureDomainSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VSpherePlatformLoadBalancer) DeepCopyInto(out *VSpherePlatformLoadBalancer) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VSpherePlatformLoadBalancer.
+func (in *VSpherePlatformLoadBalancer) DeepCopy() *VSpherePlatformLoadBalancer {
+	if in == nil {
+		return nil
+	}
+	out := new(VSpherePlatformLoadBalancer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VSpherePlatformNodeNetworking) DeepCopyInto(out *VSpherePlatformNodeNetworking) {
+	*out = *in
+	in.External.DeepCopyInto(&out.External)
+	in.Internal.DeepCopyInto(&out.Internal)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VSpherePlatformNodeNetworking.
+func (in *VSpherePlatformNodeNetworking) DeepCopy() *VSpherePlatformNodeNetworking {
+	if in == nil {
+		return nil
+	}
+	out := new(VSpherePlatformNodeNetworking)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VSpherePlatformNodeNetworkingSpec) DeepCopyInto(out *VSpherePlatformNodeNetworkingSpec) {
+	*out = *in
+	if in.NetworkSubnetCIDR != nil {
+		in, out := &in.NetworkSubnetCIDR, &out.NetworkSubnetCIDR
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ExcludeNetworkSubnetCIDR != nil {
+		in, out := &in.ExcludeNetworkSubnetCIDR, &out.ExcludeNetworkSubnetCIDR
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VSpherePlatformNodeNetworkingSpec.
+func (in *VSpherePlatformNodeNetworkingSpec) DeepCopy() *VSpherePlatformNodeNetworkingSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(VSpherePlatformNodeNetworkingSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VSpherePlatformSpec) DeepCopyInto(out *VSpherePlatformSpec) {
+	*out = *in
+	if in.VCenters != nil {
+		in, out := &in.VCenters, &out.VCenters
+		*out = make([]VSpherePlatformVCenterSpec, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FailureDomains != nil {
+		in, out := &in.FailureDomains, &out.FailureDomains
+		*out = make([]VSpherePlatformFailureDomainSpec, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.NodeNetworking.DeepCopyInto(&out.NodeNetworking)
+	if in.APIServerInternalIPs != nil {
+		in, out := &in.APIServerInternalIPs, &out.APIServerInternalIPs
+		*out = make([]IP, len(*in))
+		copy(*out, *in)
+	}
+	if in.IngressIPs != nil {
+		in, out := &in.IngressIPs, &out.IngressIPs
+		*out = make([]IP, len(*in))
+		copy(*out, *in)
+	}
+	if in.MachineNetworks != nil {
+		in, out := &in.MachineNetworks, &out.MachineNetworks
+		*out = make([]CIDR, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VSpherePlatformSpec.
+func (in *VSpherePlatformSpec) DeepCopy() *VSpherePlatformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(VSpherePlatformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VSpherePlatformStatus) DeepCopyInto(out *VSpherePlatformStatus) {
+	*out = *in
+	if in.APIServerInternalIPs != nil {
+		in, out := &in.APIServerInternalIPs, &out.APIServerInternalIPs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.IngressIPs != nil {
+		in, out := &in.IngressIPs, &out.IngressIPs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = new(VSpherePlatformLoadBalancer)
+		**out = **in
+	}
+	if in.MachineNetworks != nil {
+		in, out := &in.MachineNetworks, &out.MachineNetworks
+		*out = make([]CIDR, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VSpherePlatformStatus.
+func (in *VSpherePlatformStatus) DeepCopy() *VSpherePlatformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(VSpherePlatformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VSpherePlatformTopology) DeepCopyInto(out *VSpherePlatformTopology) {
+	*out = *in
+	if in.Networks != nil {
+		in, out := &in.Networks, &out.Networks
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VSpherePlatformTopology.
+func (in *VSpherePlatformTopology) DeepCopy() *VSpherePlatformTopology {
+	if in == nil {
+		return nil
+	}
+	out := new(VSpherePlatformTopology)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VSpherePlatformVCenterSpec) DeepCopyInto(out *VSpherePlatformVCenterSpec) {
+	*out = *in
+	if in.Datacenters != nil {
+		in, out := &in.Datacenters, &out.Datacenters
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VSpherePlatformVCenterSpec.
+func (in *VSpherePlatformVCenterSpec) DeepCopy() *VSpherePlatformVCenterSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(VSpherePlatformVCenterSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookTokenAuthenticator) DeepCopyInto(out *WebhookTokenAuthenticator) {
+	*out = *in
+	out.KubeConfig = in.KubeConfig
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookTokenAuthenticator.
+func (in *WebhookTokenAuthenticator) DeepCopy() *WebhookTokenAuthenticator {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookTokenAuthenticator)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
new file mode 100644
index 00000000..91881630
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -0,0 +1,565 @@
+apiservers.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: apiservers.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - KMSEncryptionProvider
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: APIServer
+  Labels: {}
+  PluralName: apiservers
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+authentications.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: authentications.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - ExternalOIDC
+  - ExternalOIDCWithUIDAndExtraClaimMappings
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: Authentication
+  Labels: {}
+  PluralName: authentications
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+builds.config.openshift.io:
+  Annotations: {}
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: builds.config.openshift.io
+  Capability: Build
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: openshift-controller-manager
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: Build
+  Labels: {}
+  PluralName: builds
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+clusterimagepolicies.config.openshift.io:
+  Annotations: {}
+  ApprovedPRNumber: https://github.com/openshift/api/pull/2310
+  CRDName: clusterimagepolicies.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - SigstoreImageVerification
+  - SigstoreImageVerificationPKI
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: ClusterImagePolicy
+  Labels: {}
+  PluralName: clusterimagepolicies
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates:
+  - SigstoreImageVerification
+  Version: v1
+
+clusteroperators.config.openshift.io:
+  Annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/497
+  CRDName: clusteroperators.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: cluster-version-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_00"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: ClusterOperator
+  Labels: {}
+  PluralName: clusteroperators
+  PrinterColumns:
+  - description: The version the operator is at.
+    jsonPath: .status.versions[?(@.name=="operator")].version
+    name: Version
+    type: string
+  - description: Whether the operator is running and stable.
+    jsonPath: .status.conditions[?(@.type=="Available")].status
+    name: Available
+    type: string
+  - description: Whether the operator is processing changes.
+    jsonPath: .status.conditions[?(@.type=="Progressing")].status
+    name: Progressing
+    type: string
+  - description: Whether the operator is degraded.
+    jsonPath: .status.conditions[?(@.type=="Degraded")].status
+    name: Degraded
+    type: string
+  - description: The time the operator's Available status last changed.
+    jsonPath: .status.conditions[?(@.type=="Available")].lastTransitionTime
+    name: Since
+    type: date
+  Scope: Cluster
+  ShortNames:
+  - co
+  TopLevelFeatureGates: []
+  Version: v1
+
+clusterversions.config.openshift.io:
+  Annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/495
+  CRDName: clusterversions.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - ImageStreamImportMode
+  - SignatureStores
+  FilenameOperatorName: cluster-version-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_00"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: ClusterVersion
+  Labels: {}
+  PluralName: clusterversions
+  PrinterColumns:
+  - jsonPath: .status.history[?(@.state=="Completed")].version
+    name: Version
+    type: string
+  - jsonPath: .status.conditions[?(@.type=="Available")].status
+    name: Available
+    type: string
+  - jsonPath: .status.conditions[?(@.type=="Progressing")].status
+    name: Progressing
+    type: string
+  - jsonPath: .status.conditions[?(@.type=="Progressing")].lastTransitionTime
+    name: Since
+    type: date
+  - jsonPath: .status.conditions[?(@.type=="Progressing")].message
+    name: Status
+    type: string
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+consoles.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: consoles.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: Console
+  Labels: {}
+  PluralName: consoles
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+dnses.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: dnses.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: DNS
+  Labels: {}
+  PluralName: dnses
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+featuregates.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: featuregates.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: FeatureGate
+  Labels: {}
+  PluralName: featuregates
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+images.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: images.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - ImageStreamImportMode
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: Image
+  Labels: {}
+  PluralName: images
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+imagecontentpolicies.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/874
+  CRDName: imagecontentpolicies.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: ImageContentPolicy
+  Labels: {}
+  PluralName: imagecontentpolicies
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+imagedigestmirrorsets.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/1126
+  CRDName: imagedigestmirrorsets.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: ImageDigestMirrorSet
+  Labels: {}
+  PluralName: imagedigestmirrorsets
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames:
+  - idms
+  TopLevelFeatureGates: []
+  Version: v1
+
+imagepolicies.config.openshift.io:
+  Annotations: {}
+  ApprovedPRNumber: https://github.com/openshift/api/pull/2310
+  CRDName: imagepolicies.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - SigstoreImageVerification
+  - SigstoreImageVerificationPKI
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: ImagePolicy
+  Labels: {}
+  PluralName: imagepolicies
+  PrinterColumns: []
+  Scope: Namespaced
+  ShortNames: null
+  TopLevelFeatureGates:
+  - SigstoreImageVerification
+  Version: v1
+
+imagetagmirrorsets.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/1126
+  CRDName: imagetagmirrorsets.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: ImageTagMirrorSet
+  Labels: {}
+  PluralName: imagetagmirrorsets
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames:
+  - itms
+  TopLevelFeatureGates: []
+  Version: v1
+
+infrastructures.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: infrastructures.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - AWSClusterHostedDNS
+  - DualReplica
+  - DyanmicServiceEndpointIBMCloud
+  - GCPClusterHostedDNS
+  - GCPCustomAPIEndpoints
+  - HighlyAvailableArbiter
+  - HighlyAvailableArbiter+DualReplica
+  - NutanixMultiSubnets
+  - VSphereHostVMGroupZonal
+  - VSphereMultiNetworks
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: Infrastructure
+  Labels: {}
+  PluralName: infrastructures
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+ingresses.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: ingresses.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: Ingress
+  Labels: {}
+  PluralName: ingresses
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+networks.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: networks.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - NetworkDiagnosticsConfig
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: false
+  KindName: Network
+  Labels: {}
+  PluralName: networks
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+nodes.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/1107
+  CRDName: nodes.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - MinimumKubeletVersion
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: Node
+  Labels: {}
+  PluralName: nodes
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+oauths.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: oauths.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: OAuth
+  Labels: {}
+  PluralName: oauths
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+operatorhubs.config.openshift.io:
+  Annotations: {}
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: operatorhubs.config.openshift.io
+  Capability: marketplace
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: marketplace
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_03"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: OperatorHub
+  Labels: {}
+  PluralName: operatorhubs
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+projects.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: projects.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: Project
+  Labels: {}
+  PluralName: projects
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+proxies.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: proxies.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates: []
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_03"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: Proxy
+  Labels: {}
+  PluralName: proxies
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
+schedulers.config.openshift.io:
+  Annotations:
+    release.openshift.io/bootstrap-required: "true"
+  ApprovedPRNumber: https://github.com/openshift/api/pull/470
+  CRDName: schedulers.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - DynamicResourceAllocation
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: Scheduler
+  Labels: {}
+  PluralName: schedulers
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates: []
+  Version: v1
+
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
new file mode 100644
index 00000000..eb78ad7c
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
@@ -0,0 +1,2897 @@
+package v1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_AdmissionConfig = map[string]string{
+	"enabledPlugins":  "enabledPlugins is a list of admission plugins that must be on in addition to the default list. Some admission plugins are disabled by default, but certain configurations require them.  This is fairly uncommon and can result in performance penalties and unexpected behavior.",
+	"disabledPlugins": "disabledPlugins is a list of admission plugins that must be off.  Putting something in this list is almost always a mistake and likely to result in cluster instability.",
+}
+
+func (AdmissionConfig) SwaggerDoc() map[string]string {
+	return map_AdmissionConfig
+}
+
+var map_AdmissionPluginConfig = map[string]string{
+	"":              "AdmissionPluginConfig holds the necessary configuration options for admission plugins",
+	"location":      "location is the path to a configuration file that contains the plugin's configuration",
+	"configuration": "configuration is an embedded configuration object to be used as the plugin's configuration. If present, it will be used instead of the path to the configuration file.",
+}
+
+func (AdmissionPluginConfig) SwaggerDoc() map[string]string {
+	return map_AdmissionPluginConfig
+}
+
+var map_AuditConfig = map[string]string{
+	"":                         "AuditConfig holds configuration for the audit capabilities",
+	"enabled":                  "If this flag is set, audit log will be printed in the logs. The logs contains, method, user and a requested URL.",
+	"auditFilePath":            "All requests coming to the apiserver will be logged to this file.",
+	"maximumFileRetentionDays": "Maximum number of days to retain old log files based on the timestamp encoded in their filename.",
+	"maximumRetainedFiles":     "Maximum number of old log files to retain.",
+	"maximumFileSizeMegabytes": "Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.",
+	"policyFile":               "policyFile is a path to the file that defines the audit policy configuration.",
+	"policyConfiguration":      "policyConfiguration is an embedded policy configuration object to be used as the audit policy configuration. If present, it will be used instead of the path to the policy file.",
+	"logFormat":                "Format of saved audits (legacy or json).",
+	"webHookKubeConfig":        "Path to a .kubeconfig formatted file that defines the audit webhook configuration.",
+	"webHookMode":              "Strategy for sending audit events (block or batch).",
+}
+
+func (AuditConfig) SwaggerDoc() map[string]string {
+	return map_AuditConfig
+}
+
+var map_CertInfo = map[string]string{
+	"":         "CertInfo relates a certificate with a private key",
+	"certFile": "certFile is a file containing a PEM-encoded certificate",
+	"keyFile":  "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile",
+}
+
+func (CertInfo) SwaggerDoc() map[string]string {
+	return map_CertInfo
+}
+
+var map_ClientConnectionOverrides = map[string]string{
+	"acceptContentTypes": "acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client.",
+	"contentType":        "contentType is the content type used when sending data to the server from this client.",
+	"qps":                "qps controls the number of queries per second allowed for this connection.",
+	"burst":              "burst allows extra queries to accumulate when a client is exceeding its rate.",
+}
+
+func (ClientConnectionOverrides) SwaggerDoc() map[string]string {
+	return map_ClientConnectionOverrides
+}
+
+var map_ConfigMapFileReference = map[string]string{
+	"":    "ConfigMapFileReference references a config map in a specific namespace. The namespace must be specified at the point of use.",
+	"key": "key allows pointing to a specific key/value inside of the configmap.  This is useful for logical file references.",
+}
+
+func (ConfigMapFileReference) SwaggerDoc() map[string]string {
+	return map_ConfigMapFileReference
+}
+
+var map_ConfigMapNameReference = map[string]string{
+	"":     "ConfigMapNameReference references a config map in a specific namespace. The namespace must be specified at the point of use.",
+	"name": "name is the metadata.name of the referenced config map",
+}
+
+func (ConfigMapNameReference) SwaggerDoc() map[string]string {
+	return map_ConfigMapNameReference
+}
+
+var map_DelegatedAuthentication = map[string]string{
+	"":         "DelegatedAuthentication allows authentication to be disabled.",
+	"disabled": "disabled indicates that authentication should be disabled.  By default it will use delegated authentication.",
+}
+
+func (DelegatedAuthentication) SwaggerDoc() map[string]string {
+	return map_DelegatedAuthentication
+}
+
+var map_DelegatedAuthorization = map[string]string{
+	"":         "DelegatedAuthorization allows authorization to be disabled.",
+	"disabled": "disabled indicates that authorization should be disabled.  By default it will use delegated authorization.",
+}
+
+func (DelegatedAuthorization) SwaggerDoc() map[string]string {
+	return map_DelegatedAuthorization
+}
+
+var map_EtcdConnectionInfo = map[string]string{
+	"":     "EtcdConnectionInfo holds information necessary for connecting to an etcd server",
+	"urls": "urls are the URLs for etcd",
+	"ca":   "ca is a file containing trusted roots for the etcd server certificates",
+}
+
+func (EtcdConnectionInfo) SwaggerDoc() map[string]string {
+	return map_EtcdConnectionInfo
+}
+
+var map_EtcdStorageConfig = map[string]string{
+	"storagePrefix": "storagePrefix is the path within etcd that the OpenShift resources will be rooted under. This value, if changed, will mean existing objects in etcd will no longer be located.",
+}
+
+func (EtcdStorageConfig) SwaggerDoc() map[string]string {
+	return map_EtcdStorageConfig
+}
+
+var map_GenericAPIServerConfig = map[string]string{
+	"":                   "GenericAPIServerConfig is an inline-able struct for aggregated apiservers that need to store data in etcd",
+	"servingInfo":        "servingInfo describes how to start serving",
+	"corsAllowedOrigins": "corsAllowedOrigins",
+	"auditConfig":        "auditConfig describes how to configure audit information",
+	"storageConfig":      "storageConfig contains information about how to use",
+	"admission":          "admissionConfig holds information about how to configure admission.",
+}
+
+func (GenericAPIServerConfig) SwaggerDoc() map[string]string {
+	return map_GenericAPIServerConfig
+}
+
+var map_GenericControllerConfig = map[string]string{
+	"":               "GenericControllerConfig provides information to configure a controller",
+	"servingInfo":    "servingInfo is the HTTP serving information for the controller's endpoints",
+	"leaderElection": "leaderElection provides information to elect a leader. Only override this if you have a specific need",
+	"authentication": "authentication allows configuration of authentication for the endpoints",
+	"authorization":  "authorization allows configuration of authentication for the endpoints",
+}
+
+func (GenericControllerConfig) SwaggerDoc() map[string]string {
+	return map_GenericControllerConfig
+}
+
+var map_HTTPServingInfo = map[string]string{
+	"":                      "HTTPServingInfo holds configuration for serving HTTP",
+	"maxRequestsInFlight":   "maxRequestsInFlight is the number of concurrent requests allowed to the server. If zero, no limit.",
+	"requestTimeoutSeconds": "requestTimeoutSeconds is the number of seconds before requests are timed out. The default is 60 minutes, if -1 there is no limit on requests.",
+}
+
+func (HTTPServingInfo) SwaggerDoc() map[string]string {
+	return map_HTTPServingInfo
+}
+
+var map_KubeClientConfig = map[string]string{
+	"kubeConfig":          "kubeConfig is a .kubeconfig filename for going to the owning kube-apiserver.  Empty uses an in-cluster-config",
+	"connectionOverrides": "connectionOverrides specifies client overrides for system components to loop back to this master.",
+}
+
+func (KubeClientConfig) SwaggerDoc() map[string]string {
+	return map_KubeClientConfig
+}
+
+var map_LeaderElection = map[string]string{
+	"":              "LeaderElection provides information to elect a leader",
+	"disable":       "disable allows leader election to be suspended while allowing a fully defaulted \"normal\" startup case.",
+	"namespace":     "namespace indicates which namespace the resource is in",
+	"name":          "name indicates what name to use for the resource",
+	"leaseDuration": "leaseDuration is the duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.",
+	"renewDeadline": "renewDeadline is the interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.",
+	"retryPeriod":   "retryPeriod is the duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.",
+}
+
+func (LeaderElection) SwaggerDoc() map[string]string {
+	return map_LeaderElection
+}
+
+var map_MaxAgePolicy = map[string]string{
+	"":               "MaxAgePolicy contains a numeric range for specifying a compliant HSTS max-age for the enclosing RequiredHSTSPolicy",
+	"largestMaxAge":  "The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age This value can be left unspecified, in which case no upper limit is enforced.",
+	"smallestMaxAge": "The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age Setting max-age=0 allows the deletion of an existing HSTS header from a host.  This is a necessary tool for administrators to quickly correct mistakes. This value can be left unspecified, in which case no lower limit is enforced.",
+}
+
+func (MaxAgePolicy) SwaggerDoc() map[string]string {
+	return map_MaxAgePolicy
+}
+
+var map_NamedCertificate = map[string]string{
+	"":      "NamedCertificate specifies a certificate/key, and the names it should be served for",
+	"names": "names is a list of DNS names this certificate should be used to secure A name can be a normal DNS name, or can contain leading wildcard segments.",
+}
+
+func (NamedCertificate) SwaggerDoc() map[string]string {
+	return map_NamedCertificate
+}
+
+var map_RemoteConnectionInfo = map[string]string{
+	"":    "RemoteConnectionInfo holds information necessary for establishing a remote connection",
+	"url": "url is the remote URL to connect to",
+	"ca":  "ca is the CA for verifying TLS connections",
+}
+
+func (RemoteConnectionInfo) SwaggerDoc() map[string]string {
+	return map_RemoteConnectionInfo
+}
+
+var map_RequiredHSTSPolicy = map[string]string{
+	"namespaceSelector":       "namespaceSelector specifies a label selector such that the policy applies only to those routes that are in namespaces with labels that match the selector, and are in one of the DomainPatterns. Defaults to the empty LabelSelector, which matches everything.",
+	"domainPatterns":          "domainPatterns is a list of domains for which the desired HSTS annotations are required. If domainPatterns is specified and a route is created with a spec.host matching one of the domains, the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy.\n\nThe use of wildcards is allowed like this: *.foo.com matches everything under foo.com. foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*.",
+	"maxAge":                  "maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. If set to 0, it negates the effect, and hosts are removed as HSTS hosts. If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS policy will eventually expire on that client.",
+	"preloadPolicy":           "preloadPolicy directs the client to include hosts in its host preload list so that it never needs to do an initial load to get the HSTS header (note that this is not defined in RFC 6797 and is therefore client implementation-dependent).",
+	"includeSubDomainsPolicy": "includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's domain name.  Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com",
+}
+
+func (RequiredHSTSPolicy) SwaggerDoc() map[string]string {
+	return map_RequiredHSTSPolicy
+}
+
+var map_SecretNameReference = map[string]string{
+	"":     "SecretNameReference references a secret in a specific namespace. The namespace must be specified at the point of use.",
+	"name": "name is the metadata.name of the referenced secret",
+}
+
+func (SecretNameReference) SwaggerDoc() map[string]string {
+	return map_SecretNameReference
+}
+
+var map_ServingInfo = map[string]string{
+	"":                  "ServingInfo holds information about serving web pages",
+	"bindAddress":       "bindAddress is the ip:port to serve on",
+	"bindNetwork":       "bindNetwork is the type of network to bind to - defaults to \"tcp4\", accepts \"tcp\", \"tcp4\", and \"tcp6\"",
+	"clientCA":          "clientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates",
+	"namedCertificates": "namedCertificates is a list of certificates to use to secure requests to specific hostnames",
+	"minTLSVersion":     "minTLSVersion is the minimum TLS version supported. Values must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants",
+	"cipherSuites":      "cipherSuites contains an overridden list of ciphers for the server to support. Values must match cipher suite IDs from https://golang.org/pkg/crypto/tls/#pkg-constants",
+}
+
+func (ServingInfo) SwaggerDoc() map[string]string {
+	return map_ServingInfo
+}
+
+var map_StringSource = map[string]string{
+	"": "StringSource allows specifying a string inline, or externally via env var or file. When it contains only a string value, it marshals to a simple JSON string.",
+}
+
+func (StringSource) SwaggerDoc() map[string]string {
+	return map_StringSource
+}
+
+var map_StringSourceSpec = map[string]string{
+	"":        "StringSourceSpec specifies a string value, or external location",
+	"value":   "value specifies the cleartext value, or an encrypted value if keyFile is specified.",
+	"env":     "env specifies an envvar containing the cleartext value, or an encrypted value if the keyFile is specified.",
+	"file":    "file references a file containing the cleartext value, or an encrypted value if a keyFile is specified.",
+	"keyFile": "keyFile references a file containing the key to use to decrypt the value.",
+}
+
+func (StringSourceSpec) SwaggerDoc() map[string]string {
+	return map_StringSourceSpec
+}
+
+var map_APIServer = map[string]string{
+	"":         "APIServer holds configuration (like serving certificates, client CA and CORS domains) shared by all API servers in the system, among them especially kube-apiserver and openshift-apiserver. The canonical name of an instance is 'cluster'.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (APIServer) SwaggerDoc() map[string]string {
+	return map_APIServer
+}
+
+var map_APIServerEncryption = map[string]string{
+	"":     "APIServerEncryption is used to encrypt sensitive resources on the cluster.",
+	"type": "type defines what encryption type should be used to encrypt resources at the datastore layer. When this field is unset (i.e. when it is set to the empty string), identity is implied. The behavior of unset can and will change over time.  Even if encryption is enabled by default, the meaning of unset may change to a different encryption type based on changes in best practices.\n\nWhen encryption is enabled, all sensitive resources shipped with the platform are encrypted. This list of sensitive resources can and will change over time.  The current authoritative list is:\n\n  1. secrets\n  2. configmaps\n  3. routes.route.openshift.io\n  4. oauthaccesstokens.oauth.openshift.io\n  5. oauthauthorizetokens.oauth.openshift.io",
+	"kms":  "kms defines the configuration for the external KMS instance that manages the encryption keys, when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an externally configured KMS instance.\n\nThe Key Management Service (KMS) instance provides symmetric encryption and is responsible for managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely.",
+}
+
+func (APIServerEncryption) SwaggerDoc() map[string]string {
+	return map_APIServerEncryption
+}
+
+var map_APIServerList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (APIServerList) SwaggerDoc() map[string]string {
+	return map_APIServerList
+}
+
+var map_APIServerNamedServingCert = map[string]string{
+	"":                   "APIServerNamedServingCert maps a server DNS name, as understood by a client, to a certificate.",
+	"names":              "names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names.",
+	"servingCertificate": "servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. The secret must exist in the openshift-config namespace and contain the following required fields: - Secret.Data[\"tls.key\"] - TLS private key. - Secret.Data[\"tls.crt\"] - TLS certificate.",
+}
+
+func (APIServerNamedServingCert) SwaggerDoc() map[string]string {
+	return map_APIServerNamedServingCert
+}
+
+var map_APIServerServingCerts = map[string]string{
+	"namedCertificates": "namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. If no named certificates are provided, or no named certificates match the server name as understood by a client, the defaultServingCertificate will be used.",
+}
+
+func (APIServerServingCerts) SwaggerDoc() map[string]string {
+	return map_APIServerServingCerts
+}
+
+var map_APIServerSpec = map[string]string{
+	"servingCerts":                 "servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates will be used for serving secure traffic.",
+	"clientCA":                     "clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. You usually only have to set this if you have your own PKI you wish to honor client certificates from. The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - ConfigMap.Data[\"ca-bundle.crt\"] - CA bundle.",
+	"additionalCORSAllowedOrigins": "additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth server from JavaScript applications. The values are regular expressions that correspond to the Golang regular expression language.",
+	"encryption":                   "encryption allows the configuration of encryption of resources at the datastore layer.",
+	"tlsSecurityProfile":           "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nIf unset, a default (which may change between releases) is chosen. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available minTLSVersion is VersionTLS12.",
+	"audit":                        "audit specifies the settings for audit configuration to be applied to all OpenShift-provided API servers in the cluster.",
+}
+
+func (APIServerSpec) SwaggerDoc() map[string]string {
+	return map_APIServerSpec
+}
+
+var map_Audit = map[string]string{
+	"profile":     "profile specifies the name of the desired top-level audit profile to be applied to all requests sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, openshift-apiserver and oauth-apiserver), with the exception of those requests that match one or more of the customRules.\n\nThe following profiles are provided: - Default: default policy which means MetaData level logging with the exception of events\n  (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody\n  level).\n- WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for write requests (create, update, patch). - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response HTTP payloads for read requests (get, list). - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.\n\nWarning: It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly.\n\nIf unset, the 'Default' profile is used as the default.",
+	"customRules": "customRules specify profiles per group. These profile take precedence over the top-level profile field if they apply. They are evaluation from top to bottom and the first one that matches, applies.",
+}
+
+func (Audit) SwaggerDoc() map[string]string {
+	return map_Audit
+}
+
+var map_AuditCustomRule = map[string]string{
+	"":        "AuditCustomRule describes a custom rule for an audit profile that takes precedence over the top-level profile.",
+	"group":   "group is a name of group a request user must be member of in order to this profile to apply.",
+	"profile": "profile specifies the name of the desired audit policy configuration to be deployed to all OpenShift-provided API servers in the cluster.\n\nThe following profiles are provided: - Default: the existing default policy. - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for write requests (create, update, patch). - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response HTTP payloads for read requests (get, list). - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.\n\nIf unset, the 'Default' profile is used as the default.",
+}
+
+func (AuditCustomRule) SwaggerDoc() map[string]string {
+	return map_AuditCustomRule
+}
+
+var map_Authentication = map[string]string{
+	"":         "Authentication specifies cluster-wide settings for authentication (like OAuth and webhook token authenticators). The canonical name of an instance is `cluster`.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (Authentication) SwaggerDoc() map[string]string {
+	return map_Authentication
+}
+
+var map_AuthenticationList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (AuthenticationList) SwaggerDoc() map[string]string {
+	return map_AuthenticationList
+}
+
+var map_AuthenticationSpec = map[string]string{
+	"type":                       "type identifies the cluster managed, user facing authentication mode in use. Specifically, it manages the component that responds to login attempts. The default is IntegratedOAuth.",
+	"oauthMetadata":              "oauthMetadata contains the discovery endpoint data for OAuth 2.0 Authorization Server Metadata for an external OAuth server. This discovery document can be viewed from its served location: oc get --raw '/.well-known/oauth-authorization-server' For further details, see the IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 If oauthMetadata.name is non-empty, this value has precedence over any metadata reference stored in status. The key \"oauthMetadata\" is used to locate the data. If specified and the config map or expected key is not found, no metadata is served. If the specified metadata is not valid, no metadata is served. The namespace for this config map is openshift-config.",
+	"webhookTokenAuthenticators": "webhookTokenAuthenticators is DEPRECATED, setting it has no effect.",
+	"webhookTokenAuthenticator":  "webhookTokenAuthenticator configures a remote token reviewer. These remote authentication webhooks can be used to verify bearer tokens via the tokenreviews.authentication.k8s.io REST API. This is required to honor bearer tokens that are provisioned by an external authentication service.\n\nCan only be set if \"Type\" is set to \"None\".",
+	"serviceAccountIssuer":       "serviceAccountIssuer is the identifier of the bound service account token issuer. The default is https://kubernetes.default.svc WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the previous issuer value. Instead, the tokens issued by previous service account issuer will continue to be trusted for a time period chosen by the platform (currently set to 24h). This time period is subject to change over time. This allows internal components to transition to use new service account issuer without service distruption.",
+	"oidcProviders":              "oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if \"Type\" is set to \"OIDC\".\n\nAt most one provider can be configured.",
+}
+
+func (AuthenticationSpec) SwaggerDoc() map[string]string {
+	return map_AuthenticationSpec
+}
+
+var map_AuthenticationStatus = map[string]string{
+	"integratedOAuthMetadata": "integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 Authorization Server Metadata for the in-cluster integrated OAuth server. This discovery document can be viewed from its served location: oc get --raw '/.well-known/oauth-authorization-server' For further details, see the IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 This contains the observed value based on cluster state. An explicitly set value in spec.oauthMetadata has precedence over this field. This field has no meaning if authentication spec.type is not set to IntegratedOAuth. The key \"oauthMetadata\" is used to locate the data. If the config map or expected key is not found, no metadata is served. If the specified metadata is not valid, no metadata is served. The namespace for this config map is openshift-config-managed.",
+	"oidcClients":             "oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin.",
+}
+
+func (AuthenticationStatus) SwaggerDoc() map[string]string {
+	return map_AuthenticationStatus
+}
+
+var map_DeprecatedWebhookTokenAuthenticator = map[string]string{
+	"":           "deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field.",
+	"kubeConfig": "kubeConfig contains kube config file data which describes how to access the remote webhook service. For further details, see: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication The key \"kubeConfig\" is used to locate the data. If the secret or expected key is not found, the webhook is not honored. If the specified kube config data is not valid, the webhook is not honored. The namespace for this secret is determined by the point of use.",
+}
+
+func (DeprecatedWebhookTokenAuthenticator) SwaggerDoc() map[string]string {
+	return map_DeprecatedWebhookTokenAuthenticator
+}
+
+var map_ExtraMapping = map[string]string{
+	"":                "ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.",
+	"key":             "key is a required field that specifies the string to use as the extra attribute key.\n\nkey must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. key must contain the '/' character, separating the domain and path characters. key must not be empty.\n\nThe domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. It must not exceed 253 characters in length. It must start and end with an alphanumeric character. It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, \"kubernetes.io\", \"k8s.io\", and \"openshift.io\".\n\nThe path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length.",
+	"valueExpression": "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 4096 characters in length. valueExpression must not be empty.",
+}
+
+func (ExtraMapping) SwaggerDoc() map[string]string {
+	return map_ExtraMapping
+}
+
+var map_OIDCClientConfig = map[string]string{
+	"":                   "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method",
+	"componentName":      "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.",
+	"componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.",
+	"clientID":           "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").",
+	"clientSecret":       "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.",
+	"extraScopes":        "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.",
+}
+
+func (OIDCClientConfig) SwaggerDoc() map[string]string {
+	return map_OIDCClientConfig
+}
+
+var map_OIDCClientReference = map[string]string{
+	"":                 "OIDCClientReference is a reference to a platform component client configuration.",
+	"oidcProviderName": "oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.\n\noidcProviderName must not be an empty string (\"\").",
+	"issuerURL":        "issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.\n\nissuerURL must use the 'https' scheme.",
+	"clientID":         "clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.\n\nclientID must not be empty.",
+}
+
+func (OIDCClientReference) SwaggerDoc() map[string]string {
+	return map_OIDCClientReference
+}
+
+var map_OIDCClientStatus = map[string]string{
+	"":                   "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.",
+	"componentName":      "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.",
+	"componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.",
+	"currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.",
+	"consumingUsers":     "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.",
+	"conditions":         "conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.",
+}
+
+func (OIDCClientStatus) SwaggerDoc() map[string]string {
+	return map_OIDCClientStatus
+}
+
+var map_OIDCProvider = map[string]string{
+	"name":                 "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").",
+	"issuer":               "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.",
+	"oidcClients":          "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.",
+	"claimMappings":        "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.",
+	"claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.",
+}
+
+func (OIDCProvider) SwaggerDoc() map[string]string {
+	return map_OIDCProvider
+}
+
+var map_PrefixedClaimMapping = map[string]string{
+	"":       "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.",
+	"prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and  \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".",
+}
+
+func (PrefixedClaimMapping) SwaggerDoc() map[string]string {
+	return map_PrefixedClaimMapping
+}
+
+var map_TokenClaimMapping = map[string]string{
+	"":      "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.",
+	"claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.",
+}
+
+func (TokenClaimMapping) SwaggerDoc() map[string]string {
+	return map_TokenClaimMapping
+}
+
+var map_TokenClaimMappings = map[string]string{
+	"username": "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.",
+	"groups":   "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.",
+	"uid":      "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.",
+	"extra":    "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 64 extra attribute mappings may be provided.",
+}
+
+func (TokenClaimMappings) SwaggerDoc() map[string]string {
+	return map_TokenClaimMappings
+}
+
+var map_TokenClaimOrExpressionMapping = map[string]string{
+	"":           "TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities.",
+	"claim":      "claim is an optional field for specifying the JWT token claim that is used in the mapping. The value of this claim will be assigned to the field in which this mapping is associated.\n\nPrecisely one of claim or expression must be set. claim must not be specified when expression is set. When specified, claim must be at least 1 character in length and must not exceed 256 characters in length.",
+	"expression": "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 4096 characters in length.",
+}
+
+func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string {
+	return map_TokenClaimOrExpressionMapping
+}
+
+var map_TokenClaimValidationRule = map[string]string{
+	"type":          "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.",
+	"requiredClaim": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.",
+}
+
+func (TokenClaimValidationRule) SwaggerDoc() map[string]string {
+	return map_TokenClaimValidationRule
+}
+
+var map_TokenIssuer = map[string]string{
+	"issuerURL":                  "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nissuerURL must use the 'https' scheme.",
+	"audiences":                  "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.",
+	"issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.",
+}
+
+func (TokenIssuer) SwaggerDoc() map[string]string {
+	return map_TokenIssuer
+}
+
+var map_TokenRequiredClaim = map[string]string{
+	"claim":         "claim is a required field that configures the name of the required claim. When taken from the JWT claims, claim must be a string value.\n\nclaim must not be an empty string (\"\").",
+	"requiredValue": "requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. If the value in the JWT claims does not match, the token will be rejected for authentication.\n\nrequiredValue must not be an empty string (\"\").",
+}
+
+func (TokenRequiredClaim) SwaggerDoc() map[string]string {
+	return map_TokenRequiredClaim
+}
+
+var map_UsernameClaimMapping = map[string]string{
+	"claim":        "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.",
+	"prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n   `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n   the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n   and `claim` is set to:\n   - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n   - \"email\": the mapped value will be \"userA@myoidc.tld\"",
+	"prefix":       "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.",
+}
+
+func (UsernameClaimMapping) SwaggerDoc() map[string]string {
+	return map_UsernameClaimMapping
+}
+
+var map_UsernamePrefix = map[string]string{
+	"":             "UsernamePrefix configures the string that should be used as a prefix for username claim mappings.",
+	"prefixString": "prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.\n\nprefixString must not be an empty string (\"\").",
+}
+
+func (UsernamePrefix) SwaggerDoc() map[string]string {
+	return map_UsernamePrefix
+}
+
+var map_WebhookTokenAuthenticator = map[string]string{
+	"":           "webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator",
+	"kubeConfig": "kubeConfig references a secret that contains kube config file data which describes how to access the remote webhook service. The namespace for the referenced secret is openshift-config.\n\nFor further details, see:\n\nhttps://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication\n\nThe key \"kubeConfig\" is used to locate the data. If the secret or expected key is not found, the webhook is not honored. If the specified kube config data is not valid, the webhook is not honored.",
+}
+
+func (WebhookTokenAuthenticator) SwaggerDoc() map[string]string {
+	return map_WebhookTokenAuthenticator
+}
+
+var map_Build = map[string]string{
+	"":         "Build configures the behavior of OpenShift builds for the entire cluster. This includes default settings that can be overridden in BuildConfig objects, and overrides which are applied to all builds.\n\nThe canonical name is \"cluster\"\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user-settable values for the build controller configuration",
+}
+
+func (Build) SwaggerDoc() map[string]string {
+	return map_Build
+}
+
+var map_BuildDefaults = map[string]string{
+	"defaultProxy": "defaultProxy contains the default proxy settings for all build operations, including image pull/push and source download.\n\nValues can be overrode by setting the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables in the build config's strategy.",
+	"gitProxy":     "gitProxy contains the proxy settings for git operations only. If set, this will override any Proxy settings for all git commands, such as git clone.\n\nValues that are not set here will be inherited from DefaultProxy.",
+	"env":          "env is a set of default environment variables that will be applied to the build if the specified variables do not exist on the build",
+	"imageLabels":  "imageLabels is a list of docker labels that are applied to the resulting image. User can override a default label by providing a label with the same name in their Build/BuildConfig.",
+	"resources":    "resources defines resource requirements to execute the build.",
+}
+
+func (BuildDefaults) SwaggerDoc() map[string]string {
+	return map_BuildDefaults
+}
+
+var map_BuildList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (BuildList) SwaggerDoc() map[string]string {
+	return map_BuildList
+}
+
+var map_BuildOverrides = map[string]string{
+	"imageLabels":  "imageLabels is a list of docker labels that are applied to the resulting image. If user provided a label in their Build/BuildConfig with the same name as one in this list, the user's label will be overwritten.",
+	"nodeSelector": "nodeSelector is a selector which must be true for the build pod to fit on a node",
+	"tolerations":  "tolerations is a list of Tolerations that will override any existing tolerations set on a build pod.",
+	"forcePull":    "forcePull overrides, if set, the equivalent value in the builds, i.e. false disables force pull for all builds, true enables force pull for all builds, independently of what each build specifies itself",
+}
+
+func (BuildOverrides) SwaggerDoc() map[string]string {
+	return map_BuildOverrides
+}
+
+var map_BuildSpec = map[string]string{
+	"additionalTrustedCA": "additionalTrustedCA is a reference to a ConfigMap containing additional CAs that should be trusted for image pushes and pulls during builds. The namespace for this config map is openshift-config.\n\nDEPRECATED: Additional CAs for image pull and push should be set on image.config.openshift.io/cluster instead.",
+	"buildDefaults":       "buildDefaults controls the default information for Builds",
+	"buildOverrides":      "buildOverrides controls override settings for builds",
+}
+
+func (BuildSpec) SwaggerDoc() map[string]string {
+	return map_BuildSpec
+}
+
+var map_ImageLabel = map[string]string{
+	"name":  "name defines the name of the label. It must have non-zero length.",
+	"value": "value defines the literal value of the label.",
+}
+
+func (ImageLabel) SwaggerDoc() map[string]string {
+	return map_ImageLabel
+}
+
+var map_ClusterImagePolicy = map[string]string{
+	"":         "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec contains the configuration for the cluster image policy.",
+	"status":   "status contains the observed state of the resource.",
+}
+
+func (ClusterImagePolicy) SwaggerDoc() map[string]string {
+	return map_ClusterImagePolicy
+}
+
+var map_ClusterImagePolicyList = map[string]string{
+	"":         "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"items":    "items is a list of ClusterImagePolices",
+}
+
+func (ClusterImagePolicyList) SwaggerDoc() map[string]string {
+	return map_ClusterImagePolicyList
+}
+
+var map_ClusterImagePolicySpec = map[string]string{
+	"":       "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.",
+	"scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e.  *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker",
+	"policy": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.",
+}
+
+func (ClusterImagePolicySpec) SwaggerDoc() map[string]string {
+	return map_ClusterImagePolicySpec
+}
+
+var map_ClusterImagePolicyStatus = map[string]string{
+	"conditions": "conditions provide details on the status of this API Resource.",
+}
+
+func (ClusterImagePolicyStatus) SwaggerDoc() map[string]string {
+	return map_ClusterImagePolicyStatus
+}
+
+var map_ClusterOperator = map[string]string{
+	"":         "ClusterOperator is the Custom Resource object which holds the current state of an operator. This object is used by operators to convey their state to the rest of the cluster.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds configuration that could apply to any operator.",
+	"status":   "status holds the information about the state of an operator.  It is consistent with status information across the Kubernetes ecosystem.",
+}
+
+func (ClusterOperator) SwaggerDoc() map[string]string {
+	return map_ClusterOperator
+}
+
+var map_ClusterOperatorList = map[string]string{
+	"":         "ClusterOperatorList is a list of OperatorStatus resources.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (ClusterOperatorList) SwaggerDoc() map[string]string {
+	return map_ClusterOperatorList
+}
+
+var map_ClusterOperatorSpec = map[string]string{
+	"": "ClusterOperatorSpec is empty for now, but you could imagine holding information like \"pause\".",
+}
+
+func (ClusterOperatorSpec) SwaggerDoc() map[string]string {
+	return map_ClusterOperatorSpec
+}
+
+var map_ClusterOperatorStatus = map[string]string{
+	"":               "ClusterOperatorStatus provides information about the status of the operator.",
+	"conditions":     "conditions describes the state of the operator's managed and monitored components.",
+	"versions":       "versions is a slice of operator and operand version tuples.  Operators which manage multiple operands will have multiple operand entries in the array.  Available operators must report the version of the operator itself with the name \"operator\". An operator reports a new \"operator\" version when it has rolled out the new version to all of its operands.",
+	"relatedObjects": "relatedObjects is a list of objects that are \"interesting\" or related to this operator.  Common uses are: 1. the detailed resource driving the operator 2. operator namespaces 3. operand namespaces",
+	"extension":      "extension contains any additional status information specific to the operator which owns this status object.",
+}
+
+func (ClusterOperatorStatus) SwaggerDoc() map[string]string {
+	return map_ClusterOperatorStatus
+}
+
+var map_ClusterOperatorStatusCondition = map[string]string{
+	"":                   "ClusterOperatorStatusCondition represents the state of the operator's managed and monitored components.",
+	"type":               "type specifies the aspect reported by this condition.",
+	"status":             "status of the condition, one of True, False, Unknown.",
+	"lastTransitionTime": "lastTransitionTime is the time of the last update to the current status property.",
+	"reason":             "reason is the CamelCase reason for the condition's current status.",
+	"message":            "message provides additional information about the current condition. This is only to be consumed by humans.  It may contain Line Feed characters (U+000A), which should be rendered as new lines.",
+}
+
+func (ClusterOperatorStatusCondition) SwaggerDoc() map[string]string {
+	return map_ClusterOperatorStatusCondition
+}
+
+var map_ObjectReference = map[string]string{
+	"":          "ObjectReference contains enough information to let you inspect or modify the referred object.",
+	"group":     "group of the referent.",
+	"resource":  "resource of the referent.",
+	"namespace": "namespace of the referent.",
+	"name":      "name of the referent.",
+}
+
+func (ObjectReference) SwaggerDoc() map[string]string {
+	return map_ObjectReference
+}
+
+var map_OperandVersion = map[string]string{
+	"name":    "name is the name of the particular operand this version is for.  It usually matches container images, not operators.",
+	"version": "version indicates which version of a particular operand is currently being managed.  It must always match the Available operand.  If 1.0.0 is Available, then this must indicate 1.0.0 even if the operator is trying to rollout 1.1.0",
+}
+
+func (OperandVersion) SwaggerDoc() map[string]string {
+	return map_OperandVersion
+}
+
+var map_ClusterCondition = map[string]string{
+	"":       "ClusterCondition is a union of typed cluster conditions.  The 'type' property determines which of the type-specific properties are relevant. When evaluated on a cluster, the condition may match, not match, or fail to evaluate.",
+	"type":   "type represents the cluster-condition type. This defines the members and semantics of any additional properties.",
+	"promql": "promql represents a cluster condition based on PromQL.",
+}
+
+func (ClusterCondition) SwaggerDoc() map[string]string {
+	return map_ClusterCondition
+}
+
+var map_ClusterVersion = map[string]string{
+	"":         "ClusterVersion is the configuration for the ClusterVersionOperator. This is where parameters related to automatic updates can be set.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec is the desired state of the cluster version - the operator will work to ensure that the desired version is applied to the cluster.",
+	"status":   "status contains information about the available updates and any in-progress updates.",
+}
+
+func (ClusterVersion) SwaggerDoc() map[string]string {
+	return map_ClusterVersion
+}
+
+var map_ClusterVersionCapabilitiesSpec = map[string]string{
+	"":                              "ClusterVersionCapabilitiesSpec selects the managed set of optional, core cluster components.",
+	"baselineCapabilitySet":         "baselineCapabilitySet selects an initial set of optional capabilities to enable, which can be extended via additionalEnabledCapabilities.  If unset, the cluster will choose a default, and the default may change over time. The current default is vCurrent.",
+	"additionalEnabledCapabilities": "additionalEnabledCapabilities extends the set of managed capabilities beyond the baseline defined in baselineCapabilitySet.  The default is an empty set.",
+}
+
+func (ClusterVersionCapabilitiesSpec) SwaggerDoc() map[string]string {
+	return map_ClusterVersionCapabilitiesSpec
+}
+
+var map_ClusterVersionCapabilitiesStatus = map[string]string{
+	"":                    "ClusterVersionCapabilitiesStatus describes the state of optional, core cluster components.",
+	"enabledCapabilities": "enabledCapabilities lists all the capabilities that are currently managed.",
+	"knownCapabilities":   "knownCapabilities lists all the capabilities known to the current cluster.",
+}
+
+func (ClusterVersionCapabilitiesStatus) SwaggerDoc() map[string]string {
+	return map_ClusterVersionCapabilitiesStatus
+}
+
+var map_ClusterVersionList = map[string]string{
+	"":         "ClusterVersionList is a list of ClusterVersion resources.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (ClusterVersionList) SwaggerDoc() map[string]string {
+	return map_ClusterVersionList
+}
+
+var map_ClusterVersionSpec = map[string]string{
+	"":                "ClusterVersionSpec is the desired version state of the cluster. It includes the version the cluster should be at, how the cluster is identified, and where the cluster should look for version updates.",
+	"clusterID":       "clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal values). This is a required field.",
+	"desiredUpdate":   "desiredUpdate is an optional field that indicates the desired value of the cluster version. Setting this value will trigger an upgrade (if the current version does not match the desired version). The set of recommended update values is listed as part of available updates in status, and setting values outside that range may cause the upgrade to fail.\n\nSome of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. 7. image is not specified, version is not specified, architecture is specified. API validation error. 8. image is not specified, version is not specified, architecture is not specified. API validation error.\n\nIf an upgrade fails the operator will halt and report status about the failing component. Setting the desired update value back to the previous version will cause a rollback to be attempted. Not all rollbacks will succeed.",
+	"upstream":        "upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region.",
+	"channel":         "channel is an identifier for explicitly requesting a non-default set of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters.",
+	"capabilities":    "capabilities configures the installation of optional, core cluster components.  A null value here is identical to an empty object; see the child properties for default semantics.",
+	"signatureStores": "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle.\n\nBy default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nA maximum of 32 signature stores may be configured.",
+	"overrides":       "overrides is list of overides for components that are managed by cluster version operator. Marking a component unmanaged will prevent the operator from creating or updating the object.",
+}
+
+func (ClusterVersionSpec) SwaggerDoc() map[string]string {
+	return map_ClusterVersionSpec
+}
+
+var map_ClusterVersionStatus = map[string]string{
+	"":                   "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.",
+	"desired":            "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.",
+	"history":            "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.",
+	"observedGeneration": "observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.",
+	"versionHash":        "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.",
+	"capabilities":       "capabilities describes the state of optional, core cluster components.",
+	"conditions":         "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.",
+	"availableUpdates":   "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.",
+	"conditionalUpdates": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.",
+}
+
+func (ClusterVersionStatus) SwaggerDoc() map[string]string {
+	return map_ClusterVersionStatus
+}
+
+var map_ComponentOverride = map[string]string{
+	"":          "ComponentOverride allows overriding cluster version operator's behavior for a component.",
+	"kind":      "kind indentifies which object to override.",
+	"group":     "group identifies the API group that the kind is in.",
+	"namespace": "namespace is the component's namespace. If the resource is cluster scoped, the namespace should be empty.",
+	"name":      "name is the component's name.",
+	"unmanaged": "unmanaged controls if cluster version operator should stop managing the resources in this cluster. Default: false",
+}
+
+func (ComponentOverride) SwaggerDoc() map[string]string {
+	return map_ComponentOverride
+}
+
+var map_ConditionalUpdate = map[string]string{
+	"":           "ConditionalUpdate represents an update which is recommended to some clusters on the version the current cluster is reconciling, but which may not be recommended for the current cluster.",
+	"release":    "release is the target of the update.",
+	"risks":      "risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update.",
+	"conditions": "conditions represents the observations of the conditional update's current status. Known types are: * Recommended, for whether the update is recommended for the current cluster.",
+}
+
+func (ConditionalUpdate) SwaggerDoc() map[string]string {
+	return map_ConditionalUpdate
+}
+
+var map_ConditionalUpdateRisk = map[string]string{
+	"":              "ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update.",
+	"url":           "url contains information about this risk.",
+	"name":          "name is the CamelCase reason for not recommending a conditional update, in the event that matchingRules match the cluster state.",
+	"message":       "message provides additional information about the risk of updating, in the event that matchingRules match the cluster state. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines.",
+	"matchingRules": "matchingRules is a slice of conditions for deciding which clusters match the risk and which do not. The slice is ordered by decreasing precedence. The cluster-version operator will walk the slice in order, and stop after the first it can successfully evaluate. If no condition can be successfully evaluated, the update will not be recommended.",
+}
+
+func (ConditionalUpdateRisk) SwaggerDoc() map[string]string {
+	return map_ConditionalUpdateRisk
+}
+
+var map_PromQLClusterCondition = map[string]string{
+	"":       "PromQLClusterCondition represents a cluster condition based on PromQL.",
+	"promql": "promql is a PromQL query classifying clusters. This query query should return a 1 in the match case and a 0 in the does-not-match case. Queries which return no time series, or which return values besides 0 or 1, are evaluation failures.",
+}
+
+func (PromQLClusterCondition) SwaggerDoc() map[string]string {
+	return map_PromQLClusterCondition
+}
+
+var map_Release = map[string]string{
+	"":             "Release represents an OpenShift release image and associated metadata.",
+	"architecture": "architecture is an optional field that indicates the value of the cluster architecture. In this context cluster architecture means either a single architecture or a multi architecture. Valid values are 'Multi' and empty.",
+	"version":      "version is a semantic version identifying the update version. When this field is part of spec, version is optional if image is specified.",
+	"image":        "image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version.",
+	"url":          "url contains information about this release. This URL is set by the 'url' metadata property on a release or the metadata returned by the update API and should be displayed as a link in user interfaces. The URL field may not be set for test or nightly releases.",
+	"channels":     "channels is the set of Cincinnati channels to which the release currently belongs.",
+}
+
+func (Release) SwaggerDoc() map[string]string {
+	return map_Release
+}
+
+var map_SignatureStore = map[string]string{
+	"":    "SignatureStore represents the URL of custom Signature Store",
+	"url": "url contains the upstream custom signature store URL. url should be a valid absolute http/https URI of an upstream signature store as per rfc1738. This must be provided and cannot be empty.",
+	"ca":  "ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key \"ca.crt\" is used to locate the data. If specified and the config map or expected key is not found, the signature store is not honored. If the specified ca data is not valid, the signature store is not honored. If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots. The namespace for this config map is openshift-config.",
+}
+
+func (SignatureStore) SwaggerDoc() map[string]string {
+	return map_SignatureStore
+}
+
+var map_Update = map[string]string{
+	"":             "Update represents an administrator update request.",
+	"architecture": "architecture is an optional field that indicates the desired value of the cluster architecture. In this context cluster architecture means either a single architecture or a multi architecture. architecture can only be set to Multi thereby only allowing updates from single to multi architecture. If architecture is set, image cannot be set and version must be set. Valid values are 'Multi' and empty.",
+	"version":      "version is a semantic version identifying the update version. version is required if architecture is specified. If both version and image are set, the version extracted from the referenced image must match the specified version.",
+	"image":        "image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, architecture cannot be specified. If both version and image are set, the version extracted from the referenced image must match the specified version.",
+	"force":        "force allows an administrator to update to an image that has failed verification or upgradeable checks. This option should only be used when the authenticity of the provided image has been verified out of band because the provided image will run with full administrative access to the cluster. Do not use this flag with images that comes from unknown or potentially malicious sources.",
+}
+
+func (Update) SwaggerDoc() map[string]string {
+	return map_Update
+}
+
+var map_UpdateHistory = map[string]string{
+	"":               "UpdateHistory is a single attempted update to the cluster.",
+	"state":          "state reflects whether the update was fully applied. The Partial state indicates the update is not fully applied, while the Completed state indicates the update was successfully rolled out at least once (all parts of the update successfully applied).",
+	"startedTime":    "startedTime is the time at which the update was started.",
+	"completionTime": "completionTime, if set, is when the update was fully applied. The update that is currently being applied will have a null completion time. Completion time will always be set for entries that are not the current update (usually to the started time of the next update).",
+	"version":        "version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty.",
+	"image":          "image is a container image location that contains the update. This value is always populated.",
+	"verified":       "verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted.",
+	"acceptedRisks":  "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overriden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.",
+}
+
+func (UpdateHistory) SwaggerDoc() map[string]string {
+	return map_UpdateHistory
+}
+
+var map_Console = map[string]string{
+	"":         "Console holds cluster-wide configuration for the web console, including the logout URL, and reports the public URL of the console. The canonical name is `cluster`.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (Console) SwaggerDoc() map[string]string {
+	return map_Console
+}
+
+var map_ConsoleAuthentication = map[string]string{
+	"":               "ConsoleAuthentication defines a list of optional configuration for console authentication.",
+	"logoutRedirect": "An optional, absolute URL to redirect web browsers to after logging out of the console. If not specified, it will redirect to the default login page. This is required when using an identity provider that supports single sign-on (SSO) such as: - OpenID (Keycloak, Azure) - RequestHeader (GSSAPI, SSPI, SAML) - OAuth (GitHub, GitLab, Google) Logging out of the console will destroy the user's token. The logoutRedirect provides the user the option to perform single logout (SLO) through the identity provider to destroy their single sign-on session.",
+}
+
+func (ConsoleAuthentication) SwaggerDoc() map[string]string {
+	return map_ConsoleAuthentication
+}
+
+var map_ConsoleList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (ConsoleList) SwaggerDoc() map[string]string {
+	return map_ConsoleList
+}
+
+var map_ConsoleSpec = map[string]string{
+	"": "ConsoleSpec is the specification of the desired behavior of the Console.",
+}
+
+func (ConsoleSpec) SwaggerDoc() map[string]string {
+	return map_ConsoleSpec
+}
+
+var map_ConsoleStatus = map[string]string{
+	"":           "ConsoleStatus defines the observed status of the Console.",
+	"consoleURL": "The URL for the console. This will be derived from the host for the route that is created for the console.",
+}
+
+func (ConsoleStatus) SwaggerDoc() map[string]string {
+	return map_ConsoleStatus
+}
+
+var map_AWSDNSSpec = map[string]string{
+	"":                   "AWSDNSSpec contains DNS configuration specific to the Amazon Web Services cloud provider.",
+	"privateZoneIAMRole": "privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing operations on the cluster's private hosted zone specified in the cluster DNS config. When left empty, no role should be assumed.",
+}
+
+func (AWSDNSSpec) SwaggerDoc() map[string]string {
+	return map_AWSDNSSpec
+}
+
+var map_DNS = map[string]string{
+	"":         "DNS holds cluster-wide information about DNS. The canonical name is `cluster`\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (DNS) SwaggerDoc() map[string]string {
+	return map_DNS
+}
+
+var map_DNSList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (DNSList) SwaggerDoc() map[string]string {
+	return map_DNSList
+}
+
+var map_DNSPlatformSpec = map[string]string{
+	"":     "DNSPlatformSpec holds cloud-provider-specific configuration for DNS administration.",
+	"type": "type is the underlying infrastructure provider for the cluster. Allowed values: \"\", \"AWS\".\n\nIndividual components may not support all platforms, and must handle unrecognized platforms with best-effort defaults.",
+	"aws":  "aws contains DNS configuration specific to the Amazon Web Services cloud provider.",
+}
+
+func (DNSPlatformSpec) SwaggerDoc() map[string]string {
+	return map_DNSPlatformSpec
+}
+
+var map_DNSSpec = map[string]string{
+	"baseDomain":  "baseDomain is the base domain of the cluster. All managed DNS records will be sub-domains of this base.\n\nFor example, given the base domain `openshift.example.com`, an API server DNS record may be created for `cluster-api.openshift.example.com`.\n\nOnce set, this field cannot be changed.",
+	"publicZone":  "publicZone is the location where all the DNS records that are publicly accessible to the internet exist.\n\nIf this field is nil, no public records should be created.\n\nOnce set, this field cannot be changed.",
+	"privateZone": "privateZone is the location where all the DNS records that are only available internally to the cluster exist.\n\nIf this field is nil, no private records should be created.\n\nOnce set, this field cannot be changed.",
+	"platform":    "platform holds configuration specific to the underlying infrastructure provider for DNS. When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time.",
+}
+
+func (DNSSpec) SwaggerDoc() map[string]string {
+	return map_DNSSpec
+}
+
+var map_DNSZone = map[string]string{
+	"":     "DNSZone is used to define a DNS hosted zone. A zone can be identified by an ID or tags.",
+	"id":   "id is the identifier that can be used to find the DNS hosted zone.\n\non AWS zone can be fetched using `ID` as id in [1] on Azure zone can be fetched using `ID` as a pre-determined name in [2], on GCP zone can be fetched using `ID` as a pre-determined name in [3].\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get",
+	"tags": "tags can be used to query the DNS hosted zone.\n\non AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters,\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options",
+}
+
+func (DNSZone) SwaggerDoc() map[string]string {
+	return map_DNSZone
+}
+
+var map_CustomFeatureGates = map[string]string{
+	"enabled":  "enabled is a list of all feature gates that you want to force on",
+	"disabled": "disabled is a list of all feature gates that you want to force off",
+}
+
+func (CustomFeatureGates) SwaggerDoc() map[string]string {
+	return map_CustomFeatureGates
+}
+
+var map_FeatureGate = map[string]string{
+	"":         "Feature holds cluster-wide information about feature gates.  The canonical name is `cluster`\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (FeatureGate) SwaggerDoc() map[string]string {
+	return map_FeatureGate
+}
+
+var map_FeatureGateAttributes = map[string]string{
+	"name": "name is the name of the FeatureGate.",
+}
+
+func (FeatureGateAttributes) SwaggerDoc() map[string]string {
+	return map_FeatureGateAttributes
+}
+
+var map_FeatureGateDetails = map[string]string{
+	"version":  "version matches the version provided by the ClusterVersion and in the ClusterOperator.Status.Versions field.",
+	"enabled":  "enabled is a list of all feature gates that are enabled in the cluster for the named version.",
+	"disabled": "disabled is a list of all feature gates that are disabled in the cluster for the named version.",
+}
+
+func (FeatureGateDetails) SwaggerDoc() map[string]string {
+	return map_FeatureGateDetails
+}
+
+var map_FeatureGateList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (FeatureGateList) SwaggerDoc() map[string]string {
+	return map_FeatureGateList
+}
+
+var map_FeatureGateSelection = map[string]string{
+	"featureSet":      "featureSet changes the list of features in the cluster.  The default is empty.  Be very careful adjusting this setting. Turning on or off features may cause irreversible changes in your cluster which cannot be undone.",
+	"customNoUpgrade": "customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. Because of its nature, this setting cannot be validated.  If you have any typos or accidentally apply invalid combinations your cluster may fail in an unrecoverable way.  featureSet must equal \"CustomNoUpgrade\" must be set to use this field.",
+}
+
+func (FeatureGateSelection) SwaggerDoc() map[string]string {
+	return map_FeatureGateSelection
+}
+
+var map_FeatureGateStatus = map[string]string{
+	"conditions":   "conditions represent the observations of the current state. Known .status.conditions.type are: \"DeterminationDegraded\"",
+	"featureGates": "featureGates contains a list of enabled and disabled featureGates that are keyed by payloadVersion. Operators other than the CVO and cluster-config-operator, must read the .status.featureGates, locate the version they are managing, find the enabled/disabled featuregates and make the operand and operator match. The enabled/disabled values for a particular version may change during the life of the cluster as various .spec.featureSet values are selected. Operators may choose to restart their processes to pick up these changes, but remembering past enable/disable lists is beyond the scope of this API and is the responsibility of individual operators. Only featureGates with .version in the ClusterVersion.status will be present in this list.",
+}
+
+func (FeatureGateStatus) SwaggerDoc() map[string]string {
+	return map_FeatureGateStatus
+}
+
+var map_Image = map[string]string{
+	"":         "Image governs policies related to imagestream imports and runtime configuration for external registries. It allows cluster admins to configure which registries OpenShift is allowed to import images from, extra CA trust bundles for external registries, and policies to block or allow registry hostnames. When exposing OpenShift's image registry to the public, this also lets cluster admins specify the external hostname.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (Image) SwaggerDoc() map[string]string {
+	return map_Image
+}
+
+var map_ImageList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (ImageList) SwaggerDoc() map[string]string {
+	return map_ImageList
+}
+
+var map_ImageSpec = map[string]string{
+	"allowedRegistriesForImport": "allowedRegistriesForImport limits the container image registries that normal users may import images from. Set this list to the registries that you trust to contain valid Docker images and that you want applications to be able to import from. Users with permission to create Images or ImageStreamMappings via the API are not affected by this policy - typically only administrators or system integrations will have those permissions.",
+	"externalRegistryHostnames":  "externalRegistryHostnames provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in \"hostname[:port]\" format.",
+	"additionalTrustedCA":        "additionalTrustedCA is a reference to a ConfigMap containing additional CAs that should be trusted during imagestream import, pod image pull, build image pull, and imageregistry pullthrough. The namespace for this config map is openshift-config.",
+	"registrySources":            "registrySources contains configuration that determines how the container runtime should treat individual registries when accessing images for builds+pods. (e.g. whether or not to allow insecure access).  It does not contain configuration for the internal cluster registry.",
+	"imageStreamImportMode":      "imageStreamImportMode controls the import mode behaviour of imagestreams. It can be set to `Legacy` or `PreserveOriginal` or the empty string. If this value is specified, this setting is applied to all newly created imagestreams which do not have the value set. `Legacy` indicates that the legacy behaviour should be used. For manifest lists, the legacy behaviour will discard the manifest list and import a single sub-manifest. In this case, the platform is chosen in the following order of priority: 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list. `PreserveOriginal` indicates that the original manifest will be preserved. For manifest lists, the manifest list and all its sub-manifests will be imported. When empty, the behaviour will be decided based on the payload type advertised by the ClusterVersion status, i.e single arch payload implies the import mode is Legacy and multi payload implies PreserveOriginal.",
+}
+
+func (ImageSpec) SwaggerDoc() map[string]string {
+	return map_ImageSpec
+}
+
+var map_ImageStatus = map[string]string{
+	"internalRegistryHostname":  "internalRegistryHostname sets the hostname for the default internal image registry. The value must be in \"hostname[:port]\" format. This value is set by the image registry operator which controls the internal registry hostname.",
+	"externalRegistryHostnames": "externalRegistryHostnames provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in \"hostname[:port]\" format.",
+	"imageStreamImportMode":     "imageStreamImportMode controls the import mode behaviour of imagestreams. It can be `Legacy` or `PreserveOriginal`. `Legacy` indicates that the legacy behaviour should be used. For manifest lists, the legacy behaviour will discard the manifest list and import a single sub-manifest. In this case, the platform is chosen in the following order of priority: 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list. `PreserveOriginal` indicates that the original manifest will be preserved. For manifest lists, the manifest list and all its sub-manifests will be imported. This value will be reconciled based on either the spec value or if no spec value is specified, the image registry operator would look at the ClusterVersion status to determine the payload type and set the import mode accordingly, i.e single arch payload implies the import mode is Legacy and multi payload implies PreserveOriginal.",
+}
+
+func (ImageStatus) SwaggerDoc() map[string]string {
+	return map_ImageStatus
+}
+
+var map_RegistryLocation = map[string]string{
+	"":           "RegistryLocation contains a location of the registry specified by the registry domain name. The domain name might include wildcards, like '*' or '??'.",
+	"domainName": "domainName specifies a domain name for the registry In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well.",
+	"insecure":   "insecure indicates whether the registry is secure (https) or insecure (http) By default (if not specified) the registry is assumed as secure.",
+}
+
+func (RegistryLocation) SwaggerDoc() map[string]string {
+	return map_RegistryLocation
+}
+
+var map_RegistrySources = map[string]string{
+	"":                                 "RegistrySources holds cluster-wide information about how to handle the registries config.",
+	"insecureRegistries":               "insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections.",
+	"blockedRegistries":                "blockedRegistries cannot be used for image pull and push actions. All other registries are permitted.\n\nOnly one of BlockedRegistries or AllowedRegistries may be set.",
+	"allowedRegistries":                "allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied.\n\nOnly one of BlockedRegistries or AllowedRegistries may be set.",
+	"containerRuntimeSearchRegistries": "containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified domains in their pull specs. Registries will be searched in the order provided in the list. Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports.",
+}
+
+func (RegistrySources) SwaggerDoc() map[string]string {
+	return map_RegistrySources
+}
+
+var map_ImageContentPolicy = map[string]string{
+	"":         "ImageContentPolicy holds cluster-wide information about how to handle registry mirror rules. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+}
+
+func (ImageContentPolicy) SwaggerDoc() map[string]string {
+	return map_ImageContentPolicy
+}
+
+var map_ImageContentPolicyList = map[string]string{
+	"":         "ImageContentPolicyList lists the items in the ImageContentPolicy CRD.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (ImageContentPolicyList) SwaggerDoc() map[string]string {
+	return map_ImageContentPolicyList
+}
+
+var map_ImageContentPolicySpec = map[string]string{
+	"":                        "ImageContentPolicySpec is the specification of the ImageContentPolicy CRD.",
+	"repositoryDigestMirrors": "repositoryDigestMirrors allows images referenced by image digests in pods to be pulled from alternative mirrored repository locations. The image pull specification provided to the pod will be compared to the source locations described in RepositoryDigestMirrors and the image may be pulled down from any of the mirrors in the list instead of the specified repository allowing administrators to choose a potentially faster mirror. To pull image from mirrors by tags, should set the \"allowMirrorByTags\".\n\nEach “source� repository is treated independently; configurations for different “source� repositories don’t interact.\n\nIf the \"mirrors\" is not specified, the image will continue to be pulled from the specified repository in the pull spec.\n\nWhen multiple policies are defined for the same “source� repository, the sets of defined mirrors will be merged together, preserving the relative order of the mirrors, if possible. For example, if policy A has mirrors `a, b, c` and policy B has mirrors `c, d, e`, the mirrors will be used in the order `a, b, c, d, e`.  If the orders of mirror entries conflict (e.g. `a, b` vs. `b, a`) the configuration is not rejected but the resulting order is unspecified.",
+}
+
+func (ImageContentPolicySpec) SwaggerDoc() map[string]string {
+	return map_ImageContentPolicySpec
+}
+
+var map_RepositoryDigestMirrors = map[string]string{
+	"":                  "RepositoryDigestMirrors holds cluster-wide information about how to handle mirrors in the registries config.",
+	"source":            "source is the repository that users refer to, e.g. in image pull specifications.",
+	"allowMirrorByTags": "allowMirrorByTags if true, the mirrors can be used to pull the images that are referenced by their tags. Default is false, the mirrors only work when pulling the images that are referenced by their digests. Pulling images by tag can potentially yield different images, depending on which endpoint we pull from. Forcing digest-pulls for mirrors avoids that issue.",
+	"mirrors":           "mirrors is zero or more repositories that may also contain the same images. If the \"mirrors\" is not specified, the image will continue to be pulled from the specified repository in the pull spec. No mirror will be configured. The order of mirrors in this list is treated as the user's desired priority, while source is by default considered lower priority than all mirrors. Other cluster configuration, including (but not limited to) other repositoryDigestMirrors objects, may impact the exact order mirrors are contacted in, or some mirrors may be contacted in parallel, so this should be considered a preference rather than a guarantee of ordering.",
+}
+
+func (RepositoryDigestMirrors) SwaggerDoc() map[string]string {
+	return map_RepositoryDigestMirrors
+}
+
+var map_ImageDigestMirrorSet = map[string]string{
+	"":         "ImageDigestMirrorSet holds cluster-wide information about how to handle registry mirror rules on using digest pull specification. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status contains the observed state of the resource.",
+}
+
+func (ImageDigestMirrorSet) SwaggerDoc() map[string]string {
+	return map_ImageDigestMirrorSet
+}
+
+var map_ImageDigestMirrorSetList = map[string]string{
+	"":         "ImageDigestMirrorSetList lists the items in the ImageDigestMirrorSet CRD.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (ImageDigestMirrorSetList) SwaggerDoc() map[string]string {
+	return map_ImageDigestMirrorSetList
+}
+
+var map_ImageDigestMirrorSetSpec = map[string]string{
+	"":                   "ImageDigestMirrorSetSpec is the specification of the ImageDigestMirrorSet CRD.",
+	"imageDigestMirrors": "imageDigestMirrors allows images referenced by image digests in pods to be pulled from alternative mirrored repository locations. The image pull specification provided to the pod will be compared to the source locations described in imageDigestMirrors and the image may be pulled down from any of the mirrors in the list instead of the specified repository allowing administrators to choose a potentially faster mirror. To use mirrors to pull images using tag specification, users should configure a list of mirrors using \"ImageTagMirrorSet\" CRD.\n\nIf the image pull specification matches the repository of \"source\" in multiple imagedigestmirrorset objects, only the objects which define the most specific namespace match will be used. For example, if there are objects using quay.io/libpod and quay.io/libpod/busybox as the \"source\", only the objects using quay.io/libpod/busybox are going to apply for pull specification quay.io/libpod/busybox. Each “source� repository is treated independently; configurations for different “source� repositories don’t interact.\n\nIf the \"mirrors\" is not specified, the image will continue to be pulled from the specified repository in the pull spec.\n\nWhen multiple policies are defined for the same “source� repository, the sets of defined mirrors will be merged together, preserving the relative order of the mirrors, if possible. For example, if policy A has mirrors `a, b, c` and policy B has mirrors `c, d, e`, the mirrors will be used in the order `a, b, c, d, e`.  If the orders of mirror entries conflict (e.g. `a, b` vs. `b, a`) the configuration is not rejected but the resulting order is unspecified. Users who want to use a specific order of mirrors, should configure them into one list of mirrors using the expected order.",
+}
+
+func (ImageDigestMirrorSetSpec) SwaggerDoc() map[string]string {
+	return map_ImageDigestMirrorSetSpec
+}
+
+var map_ImageDigestMirrors = map[string]string{
+	"":                   "ImageDigestMirrors holds cluster-wide information about how to handle mirrors in the registries config.",
+	"source":             "source matches the repository that users refer to, e.g. in image pull specifications. Setting source to a registry hostname e.g. docker.io. quay.io, or registry.redhat.io, will match the image pull specification of corressponding registry. \"source\" uses one of the following formats: host[:port] host[:port]/namespace[/namespace…] host[:port]/namespace[/namespace…]/repo [*.]host for more information about the format, see the document about the location field: https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table",
+	"mirrors":            "mirrors is zero or more locations that may also contain the same images. No mirror will be configured if not specified. Images can be pulled from these mirrors only if they are referenced by their digests. The mirrored location is obtained by replacing the part of the input reference that matches source by the mirrors entry, e.g. for registry.redhat.io/product/repo reference, a (source, mirror) pair *.redhat.io, mirror.local/redhat causes a mirror.local/redhat/product/repo repository to be used. The order of mirrors in this list is treated as the user's desired priority, while source is by default considered lower priority than all mirrors. If no mirror is specified or all image pulls from the mirror list fail, the image will continue to be pulled from the repository in the pull spec unless explicitly prohibited by \"mirrorSourcePolicy\" Other cluster configuration, including (but not limited to) other imageDigestMirrors objects, may impact the exact order mirrors are contacted in, or some mirrors may be contacted in parallel, so this should be considered a preference rather than a guarantee of ordering. \"mirrors\" uses one of the following formats: host[:port] host[:port]/namespace[/namespace…] host[:port]/namespace[/namespace…]/repo for more information about the format, see the document about the location field: https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table",
+	"mirrorSourcePolicy": "mirrorSourcePolicy defines the fallback policy if fails to pull image from the mirrors. If unset, the image will continue to be pulled from the the repository in the pull spec. sourcePolicy is valid configuration only when one or more mirrors are in the mirror list.",
+}
+
+func (ImageDigestMirrors) SwaggerDoc() map[string]string {
+	return map_ImageDigestMirrors
+}
+
+var map_FulcioCAWithRekor = map[string]string{
+	"":              "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.",
+	"fulcioCAData":  "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ",
+	"rekorKeyData":  "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
+	"fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.",
+}
+
+func (FulcioCAWithRekor) SwaggerDoc() map[string]string {
+	return map_FulcioCAWithRekor
+}
+
+var map_ImagePolicy = map[string]string{
+	"":         "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status contains the observed state of the resource.",
+}
+
+func (ImagePolicy) SwaggerDoc() map[string]string {
+	return map_ImagePolicy
+}
+
+var map_ImagePolicyList = map[string]string{
+	"":         "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"items":    "items is a list of ImagePolicies",
+}
+
+func (ImagePolicyList) SwaggerDoc() map[string]string {
+	return map_ImagePolicyList
+}
+
+var map_ImagePolicySpec = map[string]string{
+	"":       "ImagePolicySpec is the specification of the ImagePolicy CRD.",
+	"scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e.  *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker",
+	"policy": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.",
+}
+
+func (ImagePolicySpec) SwaggerDoc() map[string]string {
+	return map_ImagePolicySpec
+}
+
+var map_ImagePolicyStatus = map[string]string{
+	"conditions": "conditions provide details on the status of this API Resource. condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.",
+}
+
+func (ImagePolicyStatus) SwaggerDoc() map[string]string {
+	return map_ImagePolicyStatus
+}
+
+var map_PKI = map[string]string{
+	"":                      "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.",
+	"caRootsData":           "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ",
+	"caIntermediatesData":   "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ",
+	"pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.",
+}
+
+func (PKI) SwaggerDoc() map[string]string {
+	return map_PKI
+}
+
+var map_PKICertificateSubject = map[string]string{
+	"":         "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.",
+	"email":    "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email must be a valid email address and at most 320 characters in length.",
+	"hostname": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.",
+}
+
+func (PKICertificateSubject) SwaggerDoc() map[string]string {
+	return map_PKICertificateSubject
+}
+
+var map_Policy = map[string]string{
+	"":               "Policy defines the verification policy for the items in the scopes list.",
+	"rootOfTrust":    "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.",
+	"signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".",
+}
+
+func (Policy) SwaggerDoc() map[string]string {
+	return map_Policy
+}
+
+var map_PolicyFulcioSubject = map[string]string{
+	"":            "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.",
+	"oidcIssuer":  "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"",
+	"signedEmail": "signedEmail is a required field holds the email address that the Fulcio certificate is issued for. The signedEmail must be a valid email address and at most 320 characters in length. Example: \"expected-signing-user@example.com\"",
+}
+
+func (PolicyFulcioSubject) SwaggerDoc() map[string]string {
+	return map_PolicyFulcioSubject
+}
+
+var map_PolicyIdentity = map[string]string{
+	"":                "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".",
+	"matchPolicy":     "matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. Allowed values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". When set to \"MatchRepoDigestOrExact\", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. When set to \"MatchRepository\", the identity in the signature must be in the same repository as the image identity. When set to \"ExactRepository\", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by \"repository\". When set to \"RemapIdentity\", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix� if the the image identity matches the specified remapPrefix.",
+	"exactRepository": "exactRepository specifies the repository that must be exactly matched by the identity in the signature. exactRepository is required if matchPolicy is set to \"ExactRepository\". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.",
+	"remapIdentity":   "remapIdentity specifies the prefix remapping rule for verifying image identity. remapIdentity is required if matchPolicy is set to \"RemapIdentity\". It is used to verify that the signature claims a different registry/repository prefix than the original image.",
+}
+
+func (PolicyIdentity) SwaggerDoc() map[string]string {
+	return map_PolicyIdentity
+}
+
+var map_PolicyMatchExactRepository = map[string]string{
+	"repository": "repository is the reference of the image identity to be matched. repository is required if matchPolicy is set to \"ExactRepository\". The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox",
+}
+
+func (PolicyMatchExactRepository) SwaggerDoc() map[string]string {
+	return map_PolicyMatchExactRepository
+}
+
+var map_PolicyMatchRemapIdentity = map[string]string{
+	"prefix":       "prefix is required if matchPolicy is set to \"RemapIdentity\". prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix� (otherwise it is used as unchanged and no remapping takes place). This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.",
+	"signedPrefix": "signedPrefix is required if matchPolicy is set to \"RemapIdentity\". signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.",
+}
+
+func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string {
+	return map_PolicyMatchRemapIdentity
+}
+
+var map_PolicyRootOfTrust = map[string]string{
+	"":                  "PolicyRootOfTrust defines the root of trust based on the selected policyType.",
+	"policyType":        "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.",
+	"publicKey":         "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.",
+	"fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor",
+	"pki":               "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.",
+}
+
+func (PolicyRootOfTrust) SwaggerDoc() map[string]string {
+	return map_PolicyRootOfTrust
+}
+
+var map_PublicKey = map[string]string{
+	"":             "PublicKey defines the root of trust based on a sigstore public key.",
+	"keyData":      "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ",
+	"rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
+}
+
+func (PublicKey) SwaggerDoc() map[string]string {
+	return map_PublicKey
+}
+
+var map_ImageTagMirrorSet = map[string]string{
+	"":         "ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status contains the observed state of the resource.",
+}
+
+func (ImageTagMirrorSet) SwaggerDoc() map[string]string {
+	return map_ImageTagMirrorSet
+}
+
+var map_ImageTagMirrorSetList = map[string]string{
+	"":         "ImageTagMirrorSetList lists the items in the ImageTagMirrorSet CRD.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (ImageTagMirrorSetList) SwaggerDoc() map[string]string {
+	return map_ImageTagMirrorSetList
+}
+
+var map_ImageTagMirrorSetSpec = map[string]string{
+	"":                "ImageTagMirrorSetSpec is the specification of the ImageTagMirrorSet CRD.",
+	"imageTagMirrors": "imageTagMirrors allows images referenced by image tags in pods to be pulled from alternative mirrored repository locations. The image pull specification provided to the pod will be compared to the source locations described in imageTagMirrors and the image may be pulled down from any of the mirrors in the list instead of the specified repository allowing administrators to choose a potentially faster mirror. To use mirrors to pull images using digest specification only, users should configure a list of mirrors using \"ImageDigestMirrorSet\" CRD.\n\nIf the image pull specification matches the repository of \"source\" in multiple imagetagmirrorset objects, only the objects which define the most specific namespace match will be used. For example, if there are objects using quay.io/libpod and quay.io/libpod/busybox as the \"source\", only the objects using quay.io/libpod/busybox are going to apply for pull specification quay.io/libpod/busybox. Each “source� repository is treated independently; configurations for different “source� repositories don’t interact.\n\nIf the \"mirrors\" is not specified, the image will continue to be pulled from the specified repository in the pull spec.\n\nWhen multiple policies are defined for the same “source� repository, the sets of defined mirrors will be merged together, preserving the relative order of the mirrors, if possible. For example, if policy A has mirrors `a, b, c` and policy B has mirrors `c, d, e`, the mirrors will be used in the order `a, b, c, d, e`.  If the orders of mirror entries conflict (e.g. `a, b` vs. `b, a`) the configuration is not rejected but the resulting order is unspecified. Users who want to use a deterministic order of mirrors, should configure them into one list of mirrors using the expected order.",
+}
+
+func (ImageTagMirrorSetSpec) SwaggerDoc() map[string]string {
+	return map_ImageTagMirrorSetSpec
+}
+
+var map_ImageTagMirrors = map[string]string{
+	"":                   "ImageTagMirrors holds cluster-wide information about how to handle mirrors in the registries config.",
+	"source":             "source matches the repository that users refer to, e.g. in image pull specifications. Setting source to a registry hostname e.g. docker.io. quay.io, or registry.redhat.io, will match the image pull specification of corressponding registry. \"source\" uses one of the following formats: host[:port] host[:port]/namespace[/namespace…] host[:port]/namespace[/namespace…]/repo [*.]host for more information about the format, see the document about the location field: https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table",
+	"mirrors":            "mirrors is zero or more locations that may also contain the same images. No mirror will be configured if not specified. Images can be pulled from these mirrors only if they are referenced by their tags. The mirrored location is obtained by replacing the part of the input reference that matches source by the mirrors entry, e.g. for registry.redhat.io/product/repo reference, a (source, mirror) pair *.redhat.io, mirror.local/redhat causes a mirror.local/redhat/product/repo repository to be used. Pulling images by tag can potentially yield different images, depending on which endpoint we pull from. Configuring a list of mirrors using \"ImageDigestMirrorSet\" CRD and forcing digest-pulls for mirrors avoids that issue. The order of mirrors in this list is treated as the user's desired priority, while source is by default considered lower priority than all mirrors. If no mirror is specified or all image pulls from the mirror list fail, the image will continue to be pulled from the repository in the pull spec unless explicitly prohibited by \"mirrorSourcePolicy\". Other cluster configuration, including (but not limited to) other imageTagMirrors objects, may impact the exact order mirrors are contacted in, or some mirrors may be contacted in parallel, so this should be considered a preference rather than a guarantee of ordering. \"mirrors\" uses one of the following formats: host[:port] host[:port]/namespace[/namespace…] host[:port]/namespace[/namespace…]/repo for more information about the format, see the document about the location field: https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table",
+	"mirrorSourcePolicy": "mirrorSourcePolicy defines the fallback policy if fails to pull image from the mirrors. If unset, the image will continue to be pulled from the repository in the pull spec. sourcePolicy is valid configuration only when one or more mirrors are in the mirror list.",
+}
+
+func (ImageTagMirrors) SwaggerDoc() map[string]string {
+	return map_ImageTagMirrors
+}
+
+var map_AWSPlatformSpec = map[string]string{
+	"":                 "AWSPlatformSpec holds the desired state of the Amazon Web Services infrastructure provider. This only includes fields that can be modified in the cluster.",
+	"serviceEndpoints": "serviceEndpoints list contains custom endpoints which will override default service endpoint of AWS Services. There must be only one ServiceEndpoint for a service.",
+}
+
+func (AWSPlatformSpec) SwaggerDoc() map[string]string {
+	return map_AWSPlatformSpec
+}
+
+var map_AWSPlatformStatus = map[string]string{
+	"":                        "AWSPlatformStatus holds the current status of the Amazon Web Services infrastructure provider.",
+	"region":                  "region holds the default AWS region for new AWS resources created by the cluster.",
+	"serviceEndpoints":        "serviceEndpoints list contains custom endpoints which will override default service endpoint of AWS Services. There must be only one ServiceEndpoint for a service.",
+	"resourceTags":            "resourceTags is a list of additional tags to apply to AWS resources created for the cluster. See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for information on tagging AWS resources. AWS supports a maximum of 50 tags per resource. OpenShift reserves 25 tags for its use, leaving 25 tags available for the user.",
+	"cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.",
+}
+
+func (AWSPlatformStatus) SwaggerDoc() map[string]string {
+	return map_AWSPlatformStatus
+}
+
+var map_AWSResourceTag = map[string]string{
+	"":      "AWSResourceTag is a tag to apply to AWS resources created for the cluster.",
+	"key":   "key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag. Key should consist of between 1 and 128 characters, and may contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'.",
+	"value": "value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag. Value should consist of between 1 and 256 characters, and may contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'. Some AWS service do not support empty values. Since tags are added to resources in many services, the length of the tag value must meet the requirements of all services.",
+}
+
+func (AWSResourceTag) SwaggerDoc() map[string]string {
+	return map_AWSResourceTag
+}
+
+var map_AWSServiceEndpoint = map[string]string{
+	"":     "AWSServiceEndpoint store the configuration of a custom url to override existing defaults of AWS Services.",
+	"name": "name is the name of the AWS service. The list of all the service names can be found at https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html This must be provided and cannot be empty.",
+	"url":  "url is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. This must be provided and cannot be empty.",
+}
+
+func (AWSServiceEndpoint) SwaggerDoc() map[string]string {
+	return map_AWSServiceEndpoint
+}
+
+var map_AlibabaCloudPlatformSpec = map[string]string{
+	"": "AlibabaCloudPlatformSpec holds the desired state of the Alibaba Cloud infrastructure provider. This only includes fields that can be modified in the cluster.",
+}
+
+func (AlibabaCloudPlatformSpec) SwaggerDoc() map[string]string {
+	return map_AlibabaCloudPlatformSpec
+}
+
+var map_AlibabaCloudPlatformStatus = map[string]string{
+	"":                "AlibabaCloudPlatformStatus holds the current status of the Alibaba Cloud infrastructure provider.",
+	"region":          "region specifies the region for Alibaba Cloud resources created for the cluster.",
+	"resourceGroupID": "resourceGroupID is the ID of the resource group for the cluster.",
+	"resourceTags":    "resourceTags is a list of additional tags to apply to Alibaba Cloud resources created for the cluster.",
+}
+
+func (AlibabaCloudPlatformStatus) SwaggerDoc() map[string]string {
+	return map_AlibabaCloudPlatformStatus
+}
+
+var map_AlibabaCloudResourceTag = map[string]string{
+	"":      "AlibabaCloudResourceTag is the set of tags to add to apply to resources.",
+	"key":   "key is the key of the tag.",
+	"value": "value is the value of the tag.",
+}
+
+func (AlibabaCloudResourceTag) SwaggerDoc() map[string]string {
+	return map_AlibabaCloudResourceTag
+}
+
+var map_AzurePlatformSpec = map[string]string{
+	"": "AzurePlatformSpec holds the desired state of the Azure infrastructure provider. This only includes fields that can be modified in the cluster.",
+}
+
+func (AzurePlatformSpec) SwaggerDoc() map[string]string {
+	return map_AzurePlatformSpec
+}
+
+var map_AzurePlatformStatus = map[string]string{
+	"":                         "AzurePlatformStatus holds the current status of the Azure infrastructure provider.",
+	"resourceGroupName":        "resourceGroupName is the Resource Group for new Azure resources created for the cluster.",
+	"networkResourceGroupName": "networkResourceGroupName is the Resource Group for network resources like the Virtual Network and Subnets used by the cluster. If empty, the value is same as ResourceGroupName.",
+	"cloudName":                "cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK with the appropriate Azure API endpoints. If empty, the value is equal to `AzurePublicCloud`.",
+	"armEndpoint":              "armEndpoint specifies a URL to use for resource management in non-soverign clouds such as Azure Stack.",
+	"resourceTags":             "resourceTags is a list of additional tags to apply to Azure resources created for the cluster. See https://docs.microsoft.com/en-us/rest/api/resources/tags for information on tagging Azure resources. Due to limitations on Automation, Content Delivery Network, DNS Azure resources, a maximum of 15 tags may be applied. OpenShift reserves 5 tags for internal use, allowing 10 tags for user configuration.",
+}
+
+func (AzurePlatformStatus) SwaggerDoc() map[string]string {
+	return map_AzurePlatformStatus
+}
+
+var map_AzureResourceTag = map[string]string{
+	"":      "AzureResourceTag is a tag to apply to Azure resources created for the cluster.",
+	"key":   "key is the key part of the tag. A tag key can have a maximum of 128 characters and cannot be empty. Key must begin with a letter, end with a letter, number or underscore, and must contain only alphanumeric characters and the following special characters `_ . -`.",
+	"value": "value is the value part of the tag. A tag value can have a maximum of 256 characters and cannot be empty. Value must contain only alphanumeric characters and the following special characters `_ + , - . / : ; < = > ? @`.",
+}
+
+func (AzureResourceTag) SwaggerDoc() map[string]string {
+	return map_AzureResourceTag
+}
+
+var map_BareMetalPlatformLoadBalancer = map[string]string{
+	"":     "BareMetalPlatformLoadBalancer defines the load balancer used by the cluster on BareMetal platform.",
+	"type": "type defines the type of load balancer used by the cluster on BareMetal platform which can be a user-managed or openshift-managed load balancer that is to be used for the OpenShift API and Ingress endpoints. When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing defined in the machine config operator will be deployed. When set to UserManaged these static pods will not be deployed and it is expected that the load balancer is configured out of band by the deployer. When omitted, this means no opinion and the platform is left to choose a reasonable default. The default value is OpenShiftManagedDefault.",
+}
+
+func (BareMetalPlatformLoadBalancer) SwaggerDoc() map[string]string {
+	return map_BareMetalPlatformLoadBalancer
+}
+
+var map_BareMetalPlatformSpec = map[string]string{
+	"":                     "BareMetalPlatformSpec holds the desired state of the BareMetal infrastructure provider. This only includes fields that can be modified in the cluster.",
+	"apiServerInternalIPs": "apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can).",
+	"ingressIPs":           "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can).",
+	"machineNetworks":      "machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example \"10.0.0.0/8\" or \"fd00::/8\".",
+}
+
+func (BareMetalPlatformSpec) SwaggerDoc() map[string]string {
+	return map_BareMetalPlatformSpec
+}
+
+var map_BareMetalPlatformStatus = map[string]string{
+	"":                     "BareMetalPlatformStatus holds the current status of the BareMetal infrastructure provider. For more information about the network architecture used with the BareMetal platform type, see: https://github.com/openshift/installer/blob/master/docs/design/baremetal/networking-infrastructure.md",
+	"apiServerInternalIP":  "apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI points to. It is the IP for a self-hosted load balancer in front of the API servers.\n\nDeprecated: Use APIServerInternalIPs instead.",
+	"apiServerInternalIPs": "apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IPs otherwise only one.",
+	"ingressIP":            "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names.\n\nDeprecated: Use IngressIPs instead.",
+	"ingressIPs":           "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IPs otherwise only one.",
+	"nodeDNSIP":            "nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for BareMetal deployments. In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster.",
+	"loadBalancer":         "loadBalancer defines how the load balancer used by the cluster is configured.",
+	"machineNetworks":      "machineNetworks are IP networks used to connect all the OpenShift cluster nodes.",
+}
+
+func (BareMetalPlatformStatus) SwaggerDoc() map[string]string {
+	return map_BareMetalPlatformStatus
+}
+
+var map_CloudControllerManagerStatus = map[string]string{
+	"":      "CloudControllerManagerStatus holds the state of Cloud Controller Manager (a.k.a. CCM or CPI) related settings",
+	"state": "state determines whether or not an external Cloud Controller Manager is expected to be installed within the cluster. https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/#running-cloud-controller-manager\n\nValid values are \"External\", \"None\" and omitted. When set to \"External\", new nodes will be tainted as uninitialized when created, preventing them from running workloads until they are initialized by the cloud controller manager. When omitted or set to \"None\", new nodes will be not tainted and no extra initialization from the cloud controller manager is expected.",
+}
+
+func (CloudControllerManagerStatus) SwaggerDoc() map[string]string {
+	return map_CloudControllerManagerStatus
+}
+
+var map_CloudLoadBalancerConfig = map[string]string{
+	"":              "CloudLoadBalancerConfig contains an union discriminator indicating the type of DNS solution in use within the cluster. When the DNSType is `ClusterHosted`, the cloud's Load Balancer configuration needs to be provided so that the DNS solution hosted within the cluster can be configured with those values.",
+	"dnsType":       "dnsType indicates the type of DNS solution in use within the cluster. Its default value of `PlatformDefault` indicates that the cluster's DNS is the default provided by the cloud platform. It can be set to `ClusterHosted` to bypass the configuration of the cloud default DNS. In this mode, the cluster needs to provide a self-hosted DNS solution for the cluster's installation to succeed. The cluster's use of the cloud's Load Balancers is unaffected by this setting. The value is immutable after it has been set at install time. Currently, there is no way for the customer to add additional DNS entries into the cluster hosted DNS. Enabling this functionality allows the user to start their own DNS solution outside the cluster after installation is complete. The customer would be responsible for configuring this custom DNS solution, and it can be run in addition to the in-cluster DNS solution.",
+	"clusterHosted": "clusterHosted holds the IP addresses of API, API-Int and Ingress Load Balancers on Cloud Platforms. The DNS solution hosted within the cluster use these IP addresses to provide resolution for API, API-Int and Ingress services.",
+}
+
+func (CloudLoadBalancerConfig) SwaggerDoc() map[string]string {
+	return map_CloudLoadBalancerConfig
+}
+
+var map_CloudLoadBalancerIPs = map[string]string{
+	"":                       "CloudLoadBalancerIPs contains the Load Balancer IPs for the cloud's API, API-Int and Ingress Load balancers. They will be populated as soon as the respective Load Balancers have been configured. These values are utilized to configure the DNS solution hosted within the cluster.",
+	"apiIntLoadBalancerIPs":  "apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service. These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. Entries in the apiIntLoadBalancerIPs must be unique. A maximum of 16 IP addresses are permitted.",
+	"apiLoadBalancerIPs":     "apiLoadBalancerIPs holds Load Balancer IPs for the API service. These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. Could be empty for private clusters. Entries in the apiLoadBalancerIPs must be unique. A maximum of 16 IP addresses are permitted.",
+	"ingressLoadBalancerIPs": "ingressLoadBalancerIPs holds IPs for Ingress Load Balancers. These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. Entries in the ingressLoadBalancerIPs must be unique. A maximum of 16 IP addresses are permitted.",
+}
+
+func (CloudLoadBalancerIPs) SwaggerDoc() map[string]string {
+	return map_CloudLoadBalancerIPs
+}
+
+var map_EquinixMetalPlatformSpec = map[string]string{
+	"": "EquinixMetalPlatformSpec holds the desired state of the Equinix Metal infrastructure provider. This only includes fields that can be modified in the cluster.",
+}
+
+func (EquinixMetalPlatformSpec) SwaggerDoc() map[string]string {
+	return map_EquinixMetalPlatformSpec
+}
+
+var map_EquinixMetalPlatformStatus = map[string]string{
+	"":                    "EquinixMetalPlatformStatus holds the current status of the Equinix Metal infrastructure provider.",
+	"apiServerInternalIP": "apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI points to. It is the IP for a self-hosted load balancer in front of the API servers.",
+	"ingressIP":           "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names.",
+}
+
+func (EquinixMetalPlatformStatus) SwaggerDoc() map[string]string {
+	return map_EquinixMetalPlatformStatus
+}
+
+var map_ExternalPlatformSpec = map[string]string{
+	"":             "ExternalPlatformSpec holds the desired state for the generic External infrastructure provider.",
+	"platformName": "platformName holds the arbitrary string representing the infrastructure provider name, expected to be set at the installation time. This field is solely for informational and reporting purposes and is not expected to be used for decision-making.",
+}
+
+func (ExternalPlatformSpec) SwaggerDoc() map[string]string {
+	return map_ExternalPlatformSpec
+}
+
+var map_ExternalPlatformStatus = map[string]string{
+	"":                       "ExternalPlatformStatus holds the current status of the generic External infrastructure provider.",
+	"cloudControllerManager": "cloudControllerManager contains settings specific to the external Cloud Controller Manager (a.k.a. CCM or CPI). When omitted, new nodes will be not tainted and no extra initialization from the cloud controller manager is expected.",
+}
+
+func (ExternalPlatformStatus) SwaggerDoc() map[string]string {
+	return map_ExternalPlatformStatus
+}
+
+var map_GCPPlatformSpec = map[string]string{
+	"": "GCPPlatformSpec holds the desired state of the Google Cloud Platform infrastructure provider. This only includes fields that can be modified in the cluster.",
+}
+
+func (GCPPlatformSpec) SwaggerDoc() map[string]string {
+	return map_GCPPlatformSpec
+}
+
+var map_GCPPlatformStatus = map[string]string{
+	"":                        "GCPPlatformStatus holds the current status of the Google Cloud Platform infrastructure provider.",
+	"projectID":               "resourceGroupName is the Project ID for new GCP resources created for the cluster.",
+	"region":                  "region holds the region for new GCP resources created for the cluster.",
+	"resourceLabels":          "resourceLabels is a list of additional labels to apply to GCP resources created for the cluster. See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources. GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use, allowing 32 labels for user configuration.",
+	"resourceTags":            "resourceTags is a list of additional tags to apply to GCP resources created for the cluster. See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.",
+	"cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.",
+	"serviceEndpoints":        "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 9.",
+}
+
+func (GCPPlatformStatus) SwaggerDoc() map[string]string {
+	return map_GCPPlatformStatus
+}
+
+var map_GCPResourceLabel = map[string]string{
+	"":      "GCPResourceLabel is a label to apply to GCP resources created for the cluster.",
+	"key":   "key is the key part of the label. A label key can have a maximum of 63 characters and cannot be empty. Label key must begin with a lowercase letter, and must contain only lowercase letters, numeric characters, and the following special characters `_-`. Label key must not have the reserved prefixes `kubernetes-io` and `openshift-io`.",
+	"value": "value is the value part of the label. A label value can have a maximum of 63 characters and cannot be empty. Value must contain only lowercase letters, numeric characters, and the following special characters `_-`.",
+}
+
+func (GCPResourceLabel) SwaggerDoc() map[string]string {
+	return map_GCPResourceLabel
+}
+
+var map_GCPResourceTag = map[string]string{
+	"":         "GCPResourceTag is a tag to apply to GCP resources created for the cluster.",
+	"parentID": "parentID is the ID of the hierarchical resource where the tags are defined, e.g. at the Organization or the Project level. To find the Organization or Project ID refer to the following pages: https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id, https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects. An OrganizationID must consist of decimal numbers, and cannot have leading zeroes. A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, numbers, and hyphens, and must start with a letter, and cannot end with a hyphen.",
+	"key":      "key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot be empty. Tag key must begin and end with an alphanumeric character, and must contain only uppercase, lowercase alphanumeric characters, and the following special characters `._-`.",
+	"value":    "value is the value part of the tag. A tag value can have a maximum of 63 characters and cannot be empty. Tag value must begin and end with an alphanumeric character, and must contain only uppercase, lowercase alphanumeric characters, and the following special characters `_-.@%=+:,*#&(){}[]` and spaces.",
+}
+
+func (GCPResourceTag) SwaggerDoc() map[string]string {
+	return map_GCPResourceTag
+}
+
+var map_GCPServiceEndpoint = map[string]string{
+	"":     "GCPServiceEndpoint store the configuration of a custom url to override existing defaults of GCP Services.",
+	"name": "name is the name of the GCP service whose endpoint is being overridden. This must be provided and cannot be empty.\n\nAllowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage, Storage, and TagManager.\n\nAs an example, when setting the name to Compute all requests made by the caller to the GCP Compute Service will be directed to the endpoint specified in the url field.",
+	"url":  "url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified in the name field. url is required, must use the scheme https, must not be more than 253 characters in length, and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL)\n\nAn example of a valid endpoint that overrides the Compute Service: \"https://compute-myendpoint1.p.googleapis.com\"",
+}
+
+func (GCPServiceEndpoint) SwaggerDoc() map[string]string {
+	return map_GCPServiceEndpoint
+}
+
+var map_IBMCloudPlatformSpec = map[string]string{
+	"":                 "IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider. This only includes fields that can be modified in the cluster.",
+	"serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.",
+}
+
+func (IBMCloudPlatformSpec) SwaggerDoc() map[string]string {
+	return map_IBMCloudPlatformSpec
+}
+
+var map_IBMCloudPlatformStatus = map[string]string{
+	"":                  "IBMCloudPlatformStatus holds the current status of the IBMCloud infrastructure provider.",
+	"location":          "location is where the cluster has been deployed",
+	"resourceGroupName": "resourceGroupName is the Resource Group for new IBMCloud resources created for the cluster.",
+	"providerType":      "providerType indicates the type of cluster that was created",
+	"cisInstanceCRN":    "cisInstanceCRN is the CRN of the Cloud Internet Services instance managing the DNS zone for the cluster's base domain",
+	"dnsInstanceCRN":    "dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone for the cluster's base domain",
+	"serviceEndpoints":  "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.",
+}
+
+func (IBMCloudPlatformStatus) SwaggerDoc() map[string]string {
+	return map_IBMCloudPlatformStatus
+}
+
+var map_IBMCloudServiceEndpoint = map[string]string{
+	"":     "IBMCloudServiceEndpoint stores the configuration of a custom url to override existing defaults of IBM Cloud Services.",
+	"name": "name is the name of the IBM Cloud service. Possible values are: CIS, COS, COSConfig, DNSServices, GlobalCatalog, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC. For example, the IBM Cloud Private IAM service could be configured with the service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com` Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured with the service `name` of `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com`",
+	"url":  "url is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. This must be provided and cannot be empty. The path must follow the pattern /v[0,9]+ or /api/v[0,9]+",
+}
+
+func (IBMCloudServiceEndpoint) SwaggerDoc() map[string]string {
+	return map_IBMCloudServiceEndpoint
+}
+
+var map_Infrastructure = map[string]string{
+	"":         "Infrastructure holds cluster-wide information about Infrastructure.  The canonical name is `cluster`\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (Infrastructure) SwaggerDoc() map[string]string {
+	return map_Infrastructure
+}
+
+var map_InfrastructureList = map[string]string{
+	"":         "InfrastructureList is\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (InfrastructureList) SwaggerDoc() map[string]string {
+	return map_InfrastructureList
+}
+
+var map_InfrastructureSpec = map[string]string{
+	"":             "InfrastructureSpec contains settings that apply to the cluster infrastructure.",
+	"cloudConfig":  "cloudConfig is a reference to a ConfigMap containing the cloud provider configuration file. This configuration file is used to configure the Kubernetes cloud provider integration when using the built-in cloud provider integration or the external cloud controller manager. The namespace for this config map is openshift-config.\n\ncloudConfig should only be consumed by the kube_cloud_config controller. The controller is responsible for using the user configuration in the spec for various platforms and combining that with the user provided ConfigMap in this field to create a stitched kube cloud config. The controller generates a ConfigMap `kube-cloud-config` in `openshift-config-managed` namespace with the kube cloud config is stored in `cloud.conf` key. All the clients are expected to use the generated ConfigMap only.",
+	"platformSpec": "platformSpec holds desired information specific to the underlying infrastructure provider.",
+}
+
+func (InfrastructureSpec) SwaggerDoc() map[string]string {
+	return map_InfrastructureSpec
+}
+
+var map_InfrastructureStatus = map[string]string{
+	"":                       "InfrastructureStatus describes the infrastructure the cluster is leveraging.",
+	"infrastructureName":     "infrastructureName uniquely identifies a cluster with a human friendly name. Once set it should not be changed. Must be of max length 27 and must have only alphanumeric or hyphen characters.",
+	"platform":               "platform is the underlying infrastructure provider for the cluster.\n\nDeprecated: Use platformStatus.type instead.",
+	"platformStatus":         "platformStatus holds status information specific to the underlying infrastructure provider.",
+	"etcdDiscoveryDomain":    "etcdDiscoveryDomain is the domain used to fetch the SRV records for discovering etcd servers and clients. For more info: https://github.com/etcd-io/etcd/blob/329be66e8b3f9e2e6af83c123ff89297e49ebd15/Documentation/op-guide/clustering.md#dns-discovery deprecated: as of 4.7, this field is no longer set or honored.  It will be removed in a future release.",
+	"apiServerURL":           "apiServerURL is a valid URI with scheme 'https', address and optionally a port (defaulting to 443).  apiServerURL can be used by components like the web console to tell users where to find the Kubernetes API.",
+	"apiServerInternalURI":   "apiServerInternalURL is a valid URI with scheme 'https', address and optionally a port (defaulting to 443).  apiServerInternalURL can be used by components like kubelets, to contact the Kubernetes API server using the infrastructure provider rather than Kubernetes networking.",
+	"controlPlaneTopology":   "controlPlaneTopology expresses the expectations for operands that normally run on control nodes. The default is 'HighlyAvailable', which represents the behavior operators have in a \"normal\" cluster. The 'SingleReplica' mode will be used in single-node deployments and the operators should not configure the operand for highly-available operation The 'External' mode indicates that the control plane is hosted externally to the cluster and that its components are not visible within the cluster.",
+	"infrastructureTopology": "infrastructureTopology expresses the expectations for infrastructure services that do not run on control plane nodes, usually indicated by a node selector for a `role` value other than `master`. The default is 'HighlyAvailable', which represents the behavior operators have in a \"normal\" cluster. The 'SingleReplica' mode will be used in single-node deployments and the operators should not configure the operand for highly-available operation NOTE: External topology mode is not applicable for this field.",
+	"cpuPartitioning":        "cpuPartitioning expresses if CPU partitioning is a currently enabled feature in the cluster. CPU Partitioning means that this cluster can support partitioning workloads to specific CPU Sets. Valid values are \"None\" and \"AllNodes\". When omitted, the default value is \"None\". The default value of \"None\" indicates that no nodes will be setup with CPU partitioning. The \"AllNodes\" value indicates that all nodes have been setup with CPU partitioning, and can then be further configured via the PerformanceProfile API.",
+}
+
+func (InfrastructureStatus) SwaggerDoc() map[string]string {
+	return map_InfrastructureStatus
+}
+
+var map_KubevirtPlatformSpec = map[string]string{
+	"": "KubevirtPlatformSpec holds the desired state of the kubevirt infrastructure provider. This only includes fields that can be modified in the cluster.",
+}
+
+func (KubevirtPlatformSpec) SwaggerDoc() map[string]string {
+	return map_KubevirtPlatformSpec
+}
+
+var map_KubevirtPlatformStatus = map[string]string{
+	"":                    "KubevirtPlatformStatus holds the current status of the kubevirt infrastructure provider.",
+	"apiServerInternalIP": "apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI points to. It is the IP for a self-hosted load balancer in front of the API servers.",
+	"ingressIP":           "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names.",
+}
+
+func (KubevirtPlatformStatus) SwaggerDoc() map[string]string {
+	return map_KubevirtPlatformStatus
+}
+
+var map_NutanixFailureDomain = map[string]string{
+	"":        "NutanixFailureDomain configures failure domain information for the Nutanix platform.",
+	"name":    "name defines the unique name of a failure domain. Name is required and must be at most 64 characters in length. It must consist of only lower case alphanumeric characters and hyphens (-). It must start and end with an alphanumeric character. This value is arbitrary and is used to identify the failure domain within the platform.",
+	"cluster": "cluster is to identify the cluster (the Prism Element under management of the Prism Central), in which the Machine's VM will be created. The cluster identifier (uuid or name) can be obtained from the Prism Central console or using the prism_central API.",
+	"subnets": "subnets holds a list of identifiers (one or more) of the cluster's network subnets If the feature gate NutanixMultiSubnets is enabled, up to 32 subnets may be configured. for the Machine's VM to connect to. The subnet identifiers (uuid or name) can be obtained from the Prism Central console or using the prism_central API.",
+}
+
+func (NutanixFailureDomain) SwaggerDoc() map[string]string {
+	return map_NutanixFailureDomain
+}
+
+var map_NutanixPlatformLoadBalancer = map[string]string{
+	"":     "NutanixPlatformLoadBalancer defines the load balancer used by the cluster on Nutanix platform.",
+	"type": "type defines the type of load balancer used by the cluster on Nutanix platform which can be a user-managed or openshift-managed load balancer that is to be used for the OpenShift API and Ingress endpoints. When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing defined in the machine config operator will be deployed. When set to UserManaged these static pods will not be deployed and it is expected that the load balancer is configured out of band by the deployer. When omitted, this means no opinion and the platform is left to choose a reasonable default. The default value is OpenShiftManagedDefault.",
+}
+
+func (NutanixPlatformLoadBalancer) SwaggerDoc() map[string]string {
+	return map_NutanixPlatformLoadBalancer
+}
+
+var map_NutanixPlatformSpec = map[string]string{
+	"":               "NutanixPlatformSpec holds the desired state of the Nutanix infrastructure provider. This only includes fields that can be modified in the cluster.",
+	"prismCentral":   "prismCentral holds the endpoint address and port to access the Nutanix Prism Central. When a cluster-wide proxy is installed, by default, this endpoint will be accessed via the proxy. Should you wish for communication with this endpoint not to be proxied, please add the endpoint to the proxy spec.noProxy list.",
+	"prismElements":  "prismElements holds one or more endpoint address and port data to access the Nutanix Prism Elements (clusters) of the Nutanix Prism Central. Currently we only support one Prism Element (cluster) for an OpenShift cluster, where all the Nutanix resources (VMs, subnets, volumes, etc.) used in the OpenShift cluster are located. In the future, we may support Nutanix resources (VMs, etc.) spread over multiple Prism Elements (clusters) of the Prism Central.",
+	"failureDomains": "failureDomains configures failure domains information for the Nutanix platform. When set, the failure domains defined here may be used to spread Machines across prism element clusters to improve fault tolerance of the cluster.",
+}
+
+func (NutanixPlatformSpec) SwaggerDoc() map[string]string {
+	return map_NutanixPlatformSpec
+}
+
+var map_NutanixPlatformStatus = map[string]string{
+	"":                     "NutanixPlatformStatus holds the current status of the Nutanix infrastructure provider.",
+	"apiServerInternalIP":  "apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI points to. It is the IP for a self-hosted load balancer in front of the API servers.\n\nDeprecated: Use APIServerInternalIPs instead.",
+	"apiServerInternalIPs": "apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IPs otherwise only one.",
+	"ingressIP":            "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names.\n\nDeprecated: Use IngressIPs instead.",
+	"ingressIPs":           "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IPs otherwise only one.",
+	"loadBalancer":         "loadBalancer defines how the load balancer used by the cluster is configured.",
+}
+
+func (NutanixPlatformStatus) SwaggerDoc() map[string]string {
+	return map_NutanixPlatformStatus
+}
+
+var map_NutanixPrismElementEndpoint = map[string]string{
+	"":         "NutanixPrismElementEndpoint holds the name and endpoint data for a Prism Element (cluster)",
+	"name":     "name is the name of the Prism Element (cluster). This value will correspond with the cluster field configured on other resources (eg Machines, PVCs, etc).",
+	"endpoint": "endpoint holds the endpoint address and port data of the Prism Element (cluster). When a cluster-wide proxy is installed, by default, this endpoint will be accessed via the proxy. Should you wish for communication with this endpoint not to be proxied, please add the endpoint to the proxy spec.noProxy list.",
+}
+
+func (NutanixPrismElementEndpoint) SwaggerDoc() map[string]string {
+	return map_NutanixPrismElementEndpoint
+}
+
+var map_NutanixPrismEndpoint = map[string]string{
+	"":        "NutanixPrismEndpoint holds the endpoint address and port to access the Nutanix Prism Central or Element (cluster)",
+	"address": "address is the endpoint address (DNS name or IP address) of the Nutanix Prism Central or Element (cluster)",
+	"port":    "port is the port number to access the Nutanix Prism Central or Element (cluster)",
+}
+
+func (NutanixPrismEndpoint) SwaggerDoc() map[string]string {
+	return map_NutanixPrismEndpoint
+}
+
+var map_NutanixResourceIdentifier = map[string]string{
+	"":     "NutanixResourceIdentifier holds the identity of a Nutanix PC resource (cluster, image, subnet, etc.)",
+	"type": "type is the identifier type to use for this resource.",
+	"uuid": "uuid is the UUID of the resource in the PC. It cannot be empty if the type is UUID.",
+	"name": "name is the resource name in the PC. It cannot be empty if the type is Name.",
+}
+
+func (NutanixResourceIdentifier) SwaggerDoc() map[string]string {
+	return map_NutanixResourceIdentifier
+}
+
+var map_OpenStackPlatformLoadBalancer = map[string]string{
+	"":     "OpenStackPlatformLoadBalancer defines the load balancer used by the cluster on OpenStack platform.",
+	"type": "type defines the type of load balancer used by the cluster on OpenStack platform which can be a user-managed or openshift-managed load balancer that is to be used for the OpenShift API and Ingress endpoints. When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing defined in the machine config operator will be deployed. When set to UserManaged these static pods will not be deployed and it is expected that the load balancer is configured out of band by the deployer. When omitted, this means no opinion and the platform is left to choose a reasonable default. The default value is OpenShiftManagedDefault.",
+}
+
+func (OpenStackPlatformLoadBalancer) SwaggerDoc() map[string]string {
+	return map_OpenStackPlatformLoadBalancer
+}
+
+var map_OpenStackPlatformSpec = map[string]string{
+	"":                     "OpenStackPlatformSpec holds the desired state of the OpenStack infrastructure provider. This only includes fields that can be modified in the cluster.",
+	"apiServerInternalIPs": "apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can).",
+	"ingressIPs":           "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can).",
+	"machineNetworks":      "machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example \"10.0.0.0/8\" or \"fd00::/8\".",
+}
+
+func (OpenStackPlatformSpec) SwaggerDoc() map[string]string {
+	return map_OpenStackPlatformSpec
+}
+
+var map_OpenStackPlatformStatus = map[string]string{
+	"":                     "OpenStackPlatformStatus holds the current status of the OpenStack infrastructure provider.",
+	"apiServerInternalIP":  "apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI points to. It is the IP for a self-hosted load balancer in front of the API servers.\n\nDeprecated: Use APIServerInternalIPs instead.",
+	"apiServerInternalIPs": "apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IPs otherwise only one.",
+	"cloudName":            "cloudName is the name of the desired OpenStack cloud in the client configuration file (`clouds.yaml`).",
+	"ingressIP":            "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names.\n\nDeprecated: Use IngressIPs instead.",
+	"ingressIPs":           "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IPs otherwise only one.",
+	"nodeDNSIP":            "nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for OpenStack deployments. In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster.",
+	"loadBalancer":         "loadBalancer defines how the load balancer used by the cluster is configured.",
+	"machineNetworks":      "machineNetworks are IP networks used to connect all the OpenShift cluster nodes.",
+}
+
+func (OpenStackPlatformStatus) SwaggerDoc() map[string]string {
+	return map_OpenStackPlatformStatus
+}
+
+var map_OvirtPlatformLoadBalancer = map[string]string{
+	"":     "OvirtPlatformLoadBalancer defines the load balancer used by the cluster on Ovirt platform.",
+	"type": "type defines the type of load balancer used by the cluster on Ovirt platform which can be a user-managed or openshift-managed load balancer that is to be used for the OpenShift API and Ingress endpoints. When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing defined in the machine config operator will be deployed. When set to UserManaged these static pods will not be deployed and it is expected that the load balancer is configured out of band by the deployer. When omitted, this means no opinion and the platform is left to choose a reasonable default. The default value is OpenShiftManagedDefault.",
+}
+
+func (OvirtPlatformLoadBalancer) SwaggerDoc() map[string]string {
+	return map_OvirtPlatformLoadBalancer
+}
+
+var map_OvirtPlatformSpec = map[string]string{
+	"": "OvirtPlatformSpec holds the desired state of the oVirt infrastructure provider. This only includes fields that can be modified in the cluster.",
+}
+
+func (OvirtPlatformSpec) SwaggerDoc() map[string]string {
+	return map_OvirtPlatformSpec
+}
+
+var map_OvirtPlatformStatus = map[string]string{
+	"":                     "OvirtPlatformStatus holds the current status of the  oVirt infrastructure provider.",
+	"apiServerInternalIP":  "apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI points to. It is the IP for a self-hosted load balancer in front of the API servers.\n\nDeprecated: Use APIServerInternalIPs instead.",
+	"apiServerInternalIPs": "apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IPs otherwise only one.",
+	"ingressIP":            "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names.\n\nDeprecated: Use IngressIPs instead.",
+	"ingressIPs":           "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IPs otherwise only one.",
+	"nodeDNSIP":            "deprecated: as of 4.6, this field is no longer set or honored.  It will be removed in a future release.",
+	"loadBalancer":         "loadBalancer defines how the load balancer used by the cluster is configured.",
+}
+
+func (OvirtPlatformStatus) SwaggerDoc() map[string]string {
+	return map_OvirtPlatformStatus
+}
+
+var map_PlatformSpec = map[string]string{
+	"":             "PlatformSpec holds the desired state specific to the underlying infrastructure provider of the current cluster. Since these are used at spec-level for the underlying cluster, it is supposed that only one of the spec structs is set.",
+	"type":         "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\" and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.",
+	"aws":          "aws contains settings specific to the Amazon Web Services infrastructure provider.",
+	"azure":        "azure contains settings specific to the Azure infrastructure provider.",
+	"gcp":          "gcp contains settings specific to the Google Cloud Platform infrastructure provider.",
+	"baremetal":    "baremetal contains settings specific to the BareMetal platform.",
+	"openstack":    "openstack contains settings specific to the OpenStack infrastructure provider.",
+	"ovirt":        "ovirt contains settings specific to the oVirt infrastructure provider.",
+	"vsphere":      "vsphere contains settings specific to the VSphere infrastructure provider.",
+	"ibmcloud":     "ibmcloud contains settings specific to the IBMCloud infrastructure provider.",
+	"kubevirt":     "kubevirt contains settings specific to the kubevirt infrastructure provider.",
+	"equinixMetal": "equinixMetal contains settings specific to the Equinix Metal infrastructure provider.",
+	"powervs":      "powervs contains settings specific to the IBM Power Systems Virtual Servers infrastructure provider.",
+	"alibabaCloud": "alibabaCloud contains settings specific to the Alibaba Cloud infrastructure provider.",
+	"nutanix":      "nutanix contains settings specific to the Nutanix infrastructure provider.",
+	"external":     "ExternalPlatformType represents generic infrastructure provider. Platform-specific components should be supplemented separately.",
+}
+
+func (PlatformSpec) SwaggerDoc() map[string]string {
+	return map_PlatformSpec
+}
+
+var map_PlatformStatus = map[string]string{
+	"":             "PlatformStatus holds the current status specific to the underlying infrastructure provider of the current cluster. Since these are used at status-level for the underlying cluster, it is supposed that only one of the status structs is set.",
+	"type":         "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\" and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.\n\nThis value will be synced with to the `status.platform` and `status.platformStatus.type`. Currently this value cannot be changed once set.",
+	"aws":          "aws contains settings specific to the Amazon Web Services infrastructure provider.",
+	"azure":        "azure contains settings specific to the Azure infrastructure provider.",
+	"gcp":          "gcp contains settings specific to the Google Cloud Platform infrastructure provider.",
+	"baremetal":    "baremetal contains settings specific to the BareMetal platform.",
+	"openstack":    "openstack contains settings specific to the OpenStack infrastructure provider.",
+	"ovirt":        "ovirt contains settings specific to the oVirt infrastructure provider.",
+	"vsphere":      "vsphere contains settings specific to the VSphere infrastructure provider.",
+	"ibmcloud":     "ibmcloud contains settings specific to the IBMCloud infrastructure provider.",
+	"kubevirt":     "kubevirt contains settings specific to the kubevirt infrastructure provider.",
+	"equinixMetal": "equinixMetal contains settings specific to the Equinix Metal infrastructure provider.",
+	"powervs":      "powervs contains settings specific to the Power Systems Virtual Servers infrastructure provider.",
+	"alibabaCloud": "alibabaCloud contains settings specific to the Alibaba Cloud infrastructure provider.",
+	"nutanix":      "nutanix contains settings specific to the Nutanix infrastructure provider.",
+	"external":     "external contains settings specific to the generic External infrastructure provider.",
+}
+
+func (PlatformStatus) SwaggerDoc() map[string]string {
+	return map_PlatformStatus
+}
+
+var map_PowerVSPlatformSpec = map[string]string{
+	"":                 "PowerVSPlatformSpec holds the desired state of the IBM Power Systems Virtual Servers infrastructure provider. This only includes fields that can be modified in the cluster.",
+	"serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of a Power VS service.",
+}
+
+func (PowerVSPlatformSpec) SwaggerDoc() map[string]string {
+	return map_PowerVSPlatformSpec
+}
+
+var map_PowerVSPlatformStatus = map[string]string{
+	"":                 "PowerVSPlatformStatus holds the current status of the IBM Power Systems Virtual Servers infrastrucutre provider.",
+	"region":           "region holds the default Power VS region for new Power VS resources created by the cluster.",
+	"zone":             "zone holds the default zone for the new Power VS resources created by the cluster. Note: Currently only single-zone OCP clusters are supported",
+	"resourceGroup":    "resourceGroup is the resource group name for new IBMCloud resources created for a cluster. The resource group specified here will be used by cluster-image-registry-operator to set up a COS Instance in IBMCloud for the cluster registry. More about resource groups can be found here: https://cloud.ibm.com/docs/account?topic=account-rgs. When omitted, the image registry operator won't be able to configure storage, which results in the image registry cluster operator not being in an available state.",
+	"serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of a Power VS service.",
+	"cisInstanceCRN":   "cisInstanceCRN is the CRN of the Cloud Internet Services instance managing the DNS zone for the cluster's base domain",
+	"dnsInstanceCRN":   "dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone for the cluster's base domain",
+}
+
+func (PowerVSPlatformStatus) SwaggerDoc() map[string]string {
+	return map_PowerVSPlatformStatus
+}
+
+var map_PowerVSServiceEndpoint = map[string]string{
+	"":     "PowervsServiceEndpoint stores the configuration of a custom url to override existing defaults of PowerVS Services.",
+	"name": "name is the name of the Power VS service. Few of the services are IAM - https://cloud.ibm.com/apidocs/iam-identity-token-api ResourceController - https://cloud.ibm.com/apidocs/resource-controller/resource-controller Power Cloud - https://cloud.ibm.com/apidocs/power-cloud",
+	"url":  "url is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. This must be provided and cannot be empty.",
+}
+
+func (PowerVSServiceEndpoint) SwaggerDoc() map[string]string {
+	return map_PowerVSServiceEndpoint
+}
+
+var map_VSphereFailureDomainHostGroup = map[string]string{
+	"":           "VSphereFailureDomainHostGroup holds the vmGroup and the hostGroup names in vCenter corresponds to a vm-host group of type Virtual Machine and Host respectively. Is also contains the vmHostRule which is an affinity vm-host rule in vCenter.",
+	"vmGroup":    "vmGroup is the name of the vm-host group of type virtual machine within vCenter for this failure domain. vmGroup is limited to 80 characters. This field is required when the VSphereFailureDomain ZoneType is HostGroup",
+	"hostGroup":  "hostGroup is the name of the vm-host group of type host within vCenter for this failure domain. hostGroup is limited to 80 characters. This field is required when the VSphereFailureDomain ZoneType is HostGroup",
+	"vmHostRule": "vmHostRule is the name of the affinity vm-host rule within vCenter for this failure domain. vmHostRule is limited to 80 characters. This field is required when the VSphereFailureDomain ZoneType is HostGroup",
+}
+
+func (VSphereFailureDomainHostGroup) SwaggerDoc() map[string]string {
+	return map_VSphereFailureDomainHostGroup
+}
+
+var map_VSphereFailureDomainRegionAffinity = map[string]string{
+	"":     "VSphereFailureDomainRegionAffinity contains the region type which is the string representation of the VSphereFailureDomainRegionType with available options of Datacenter and ComputeCluster.",
+	"type": "type determines the vSphere object type for a region within this failure domain. Available types are Datacenter and ComputeCluster. When set to Datacenter, this means the vCenter Datacenter defined is the region. When set to ComputeCluster, this means the vCenter cluster defined is the region.",
+}
+
+func (VSphereFailureDomainRegionAffinity) SwaggerDoc() map[string]string {
+	return map_VSphereFailureDomainRegionAffinity
+}
+
+var map_VSphereFailureDomainZoneAffinity = map[string]string{
+	"":          "VSphereFailureDomainZoneAffinity contains the vCenter cluster vm-host group (virtual machine and host types) and the vm-host affinity rule that together creates an affinity configuration for vm-host based zonal. This configuration within vCenter creates the required association between a failure domain, virtual machines and ESXi hosts to create a vm-host based zone.",
+	"type":      "type determines the vSphere object type for a zone within this failure domain. Available types are ComputeCluster and HostGroup. When set to ComputeCluster, this means the vCenter cluster defined is the zone. When set to HostGroup, hostGroup must be configured with hostGroup, vmGroup and vmHostRule and this means the zone is defined by the grouping of those fields.",
+	"hostGroup": "hostGroup holds the vmGroup and the hostGroup names in vCenter corresponds to a vm-host group of type Virtual Machine and Host respectively. Is also contains the vmHostRule which is an affinity vm-host rule in vCenter.",
+}
+
+func (VSphereFailureDomainZoneAffinity) SwaggerDoc() map[string]string {
+	return map_VSphereFailureDomainZoneAffinity
+}
+
+var map_VSpherePlatformFailureDomainSpec = map[string]string{
+	"":               "VSpherePlatformFailureDomainSpec holds the region and zone failure domain and the vCenter topology of that failure domain.",
+	"name":           "name defines the arbitrary but unique name of a failure domain.",
+	"region":         "region defines the name of a region tag that will be attached to a vCenter datacenter. The tag category in vCenter must be named openshift-region.",
+	"zone":           "zone defines the name of a zone tag that will be attached to a vCenter cluster. The tag category in vCenter must be named openshift-zone.",
+	"regionAffinity": "regionAffinity holds the type of region, Datacenter or ComputeCluster. When set to Datacenter, this means the region is a vCenter Datacenter as defined in topology. When set to ComputeCluster, this means the region is a vCenter Cluster as defined in topology.",
+	"zoneAffinity":   "zoneAffinity holds the type of the zone and the hostGroup which vmGroup and the hostGroup names in vCenter corresponds to a vm-host group of type Virtual Machine and Host respectively. Is also contains the vmHostRule which is an affinity vm-host rule in vCenter.",
+	"server":         "server is the fully-qualified domain name or the IP address of the vCenter server.",
+	"topology":       "topology describes a given failure domain using vSphere constructs",
+}
+
+func (VSpherePlatformFailureDomainSpec) SwaggerDoc() map[string]string {
+	return map_VSpherePlatformFailureDomainSpec
+}
+
+var map_VSpherePlatformLoadBalancer = map[string]string{
+	"":     "VSpherePlatformLoadBalancer defines the load balancer used by the cluster on VSphere platform.",
+	"type": "type defines the type of load balancer used by the cluster on VSphere platform which can be a user-managed or openshift-managed load balancer that is to be used for the OpenShift API and Ingress endpoints. When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing defined in the machine config operator will be deployed. When set to UserManaged these static pods will not be deployed and it is expected that the load balancer is configured out of band by the deployer. When omitted, this means no opinion and the platform is left to choose a reasonable default. The default value is OpenShiftManagedDefault.",
+}
+
+func (VSpherePlatformLoadBalancer) SwaggerDoc() map[string]string {
+	return map_VSpherePlatformLoadBalancer
+}
+
+var map_VSpherePlatformNodeNetworking = map[string]string{
+	"":         "VSpherePlatformNodeNetworking holds the external and internal node networking spec.",
+	"external": "external represents the network configuration of the node that is externally routable.",
+	"internal": "internal represents the network configuration of the node that is routable only within the cluster.",
+}
+
+func (VSpherePlatformNodeNetworking) SwaggerDoc() map[string]string {
+	return map_VSpherePlatformNodeNetworking
+}
+
+var map_VSpherePlatformNodeNetworkingSpec = map[string]string{
+	"":                         "VSpherePlatformNodeNetworkingSpec holds the network CIDR(s) and port group name for including and excluding IP ranges in the cloud provider. This would be used for example when multiple network adapters are attached to a guest to help determine which IP address the cloud config manager should use for the external and internal node networking.",
+	"networkSubnetCidr":        "networkSubnetCidr IP address on VirtualMachine's network interfaces included in the fields' CIDRs that will be used in respective status.addresses fields.",
+	"network":                  "network VirtualMachine's VM Network names that will be used to when searching for status.addresses fields. Note that if internal.networkSubnetCIDR and external.networkSubnetCIDR are not set, then the vNIC associated to this network must only have a single IP address assigned to it. The available networks (port groups) can be listed using `govc ls 'network/*'`",
+	"excludeNetworkSubnetCidr": "excludeNetworkSubnetCidr IP addresses in subnet ranges will be excluded when selecting the IP address from the VirtualMachine's VM for use in the status.addresses fields.",
+}
+
+func (VSpherePlatformNodeNetworkingSpec) SwaggerDoc() map[string]string {
+	return map_VSpherePlatformNodeNetworkingSpec
+}
+
+var map_VSpherePlatformSpec = map[string]string{
+	"":                     "VSpherePlatformSpec holds the desired state of the vSphere infrastructure provider. In the future the cloud provider operator, storage operator and machine operator will use these fields for configuration.",
+	"vcenters":             "vcenters holds the connection details for services to communicate with vCenter. Currently, only a single vCenter is supported, but in tech preview 3 vCenters are supported. Once the cluster has been installed, you are unable to change the current number of defined vCenters except in the case where the cluster has been upgraded from a version of OpenShift where the vsphere platform spec was not present.  You may make modifications to the existing vCenters that are defined in the vcenters list in order to match with any added or modified failure domains.",
+	"failureDomains":       "failureDomains contains the definition of region, zone and the vCenter topology. If this is omitted failure domains (regions and zones) will not be used.",
+	"nodeNetworking":       "nodeNetworking contains the definition of internal and external network constraints for assigning the node's networking. If this field is omitted, networking defaults to the legacy address selection behavior which is to only support a single address and return the first one found.",
+	"apiServerInternalIPs": "apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.apiServerInternalIPs will be used. Once set, the list cannot be completely removed (but its second entry can).",
+	"ingressIPs":           "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IP addresses, one from IPv4 family and one from IPv6. In single stack clusters a single IP address is expected. When omitted, values from the status.ingressIPs will be used. Once set, the list cannot be completely removed (but its second entry can).",
+	"machineNetworks":      "machineNetworks are IP networks used to connect all the OpenShift cluster nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6, for example \"10.0.0.0/8\" or \"fd00::/8\".",
+}
+
+func (VSpherePlatformSpec) SwaggerDoc() map[string]string {
+	return map_VSpherePlatformSpec
+}
+
+var map_VSpherePlatformStatus = map[string]string{
+	"":                     "VSpherePlatformStatus holds the current status of the vSphere infrastructure provider.",
+	"apiServerInternalIP":  "apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI points to. It is the IP for a self-hosted load balancer in front of the API servers.\n\nDeprecated: Use APIServerInternalIPs instead.",
+	"apiServerInternalIPs": "apiServerInternalIPs are the IP addresses to contact the Kubernetes API server that can be used by components inside the cluster, like kubelets using the infrastructure rather than Kubernetes networking. These are the IPs for a self-hosted load balancer in front of the API servers. In dual stack clusters this list contains two IPs otherwise only one.",
+	"ingressIP":            "ingressIP is an external IP which routes to the default ingress controller. The IP is a suitable target of a wildcard DNS record used to resolve default route host names.\n\nDeprecated: Use IngressIPs instead.",
+	"ingressIPs":           "ingressIPs are the external IPs which route to the default ingress controller. The IPs are suitable targets of a wildcard DNS record used to resolve default route host names. In dual stack clusters this list contains two IPs otherwise only one.",
+	"nodeDNSIP":            "nodeDNSIP is the IP address for the internal DNS used by the nodes. Unlike the one managed by the DNS operator, `NodeDNSIP` provides name resolution for the nodes themselves. There is no DNS-as-a-service for vSphere deployments. In order to minimize necessary changes to the datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames to the nodes in the cluster.",
+	"loadBalancer":         "loadBalancer defines how the load balancer used by the cluster is configured.",
+	"machineNetworks":      "machineNetworks are IP networks used to connect all the OpenShift cluster nodes.",
+}
+
+func (VSpherePlatformStatus) SwaggerDoc() map[string]string {
+	return map_VSpherePlatformStatus
+}
+
+var map_VSpherePlatformTopology = map[string]string{
+	"":               "VSpherePlatformTopology holds the required and optional vCenter objects - datacenter, computeCluster, networks, datastore and resourcePool - to provision virtual machines.",
+	"datacenter":     "datacenter is the name of vCenter datacenter in which virtual machines will be located. The maximum length of the datacenter name is 80 characters.",
+	"computeCluster": "computeCluster the absolute path of the vCenter cluster in which virtual machine will be located. The absolute path is of the form /<datacenter>/host/<cluster>. The maximum length of the path is 2048 characters.",
+	"networks":       "networks is the list of port group network names within this failure domain. If feature gate VSphereMultiNetworks is enabled, up to 10 network adapters may be defined. 10 is the maximum number of virtual network devices which may be attached to a VM as defined by: https://configmax.esp.vmware.com/guest?vmwareproduct=vSphere&release=vSphere%208.0&categories=1-0 The available networks (port groups) can be listed using `govc ls 'network/*'` Networks should be in the form of an absolute path: /<datacenter>/network/<portgroup>.",
+	"datastore":      "datastore is the absolute path of the datastore in which the virtual machine is located. The absolute path is of the form /<datacenter>/datastore/<datastore> The maximum length of the path is 2048 characters.",
+	"resourcePool":   "resourcePool is the absolute path of the resource pool where virtual machines will be created. The absolute path is of the form /<datacenter>/host/<cluster>/Resources/<resourcepool>. The maximum length of the path is 2048 characters.",
+	"folder":         "folder is the absolute path of the folder where virtual machines are located. The absolute path is of the form /<datacenter>/vm/<folder>. The maximum length of the path is 2048 characters.",
+	"template":       "template is the full inventory path of the virtual machine or template that will be cloned when creating new machines in this failure domain. The maximum length of the path is 2048 characters.\n\nWhen omitted, the template will be calculated by the control plane machineset operator based on the region and zone defined in VSpherePlatformFailureDomainSpec. For example, for zone=zonea, region=region1, and infrastructure name=test, the template path would be calculated as /<datacenter>/vm/test-rhcos-region1-zonea.",
+}
+
+func (VSpherePlatformTopology) SwaggerDoc() map[string]string {
+	return map_VSpherePlatformTopology
+}
+
+var map_VSpherePlatformVCenterSpec = map[string]string{
+	"":            "VSpherePlatformVCenterSpec stores the vCenter connection fields. This is used by the vSphere CCM.",
+	"server":      "server is the fully-qualified domain name or the IP address of the vCenter server.",
+	"port":        "port is the TCP port that will be used to communicate to the vCenter endpoint. When omitted, this means the user has no opinion and it is up to the platform to choose a sensible default, which is subject to change over time.",
+	"datacenters": "The vCenter Datacenters in which the RHCOS vm guests are located. This field will be used by the Cloud Controller Manager. Each datacenter listed here should be used within a topology.",
+}
+
+func (VSpherePlatformVCenterSpec) SwaggerDoc() map[string]string {
+	return map_VSpherePlatformVCenterSpec
+}
+
+var map_AWSIngressSpec = map[string]string{
+	"":     "AWSIngressSpec holds the desired state of the Ingress for Amazon Web Services infrastructure provider. This only includes fields that can be modified in the cluster.",
+	"type": "type allows user to set a load balancer type. When this field is set the default ingresscontroller will get created using the specified LBType. If this field is not set then the default ingress controller of LBType Classic will be created. Valid values are:\n\n* \"Classic\": A Classic Load Balancer that makes routing decisions at either\n  the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See\n  the following for additional details:\n\n    https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb\n\n* \"NLB\": A Network Load Balancer that makes routing decisions at the\n  transport layer (TCP/SSL). See the following for additional details:\n\n    https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb",
+}
+
+func (AWSIngressSpec) SwaggerDoc() map[string]string {
+	return map_AWSIngressSpec
+}
+
+var map_ComponentRouteSpec = map[string]string{
+	"":                         "ComponentRouteSpec allows for configuration of a route's hostname and serving certificate.",
+	"namespace":                "namespace is the namespace of the route to customize.\n\nThe namespace and name of this componentRoute must match a corresponding entry in the list of status.componentRoutes if the route is to be customized.",
+	"name":                     "name is the logical name of the route to customize.\n\nThe namespace and name of this componentRoute must match a corresponding entry in the list of status.componentRoutes if the route is to be customized.",
+	"hostname":                 "hostname is the hostname that should be used by the route.",
+	"servingCertKeyPairSecret": "servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. If the custom hostname uses the default routing suffix of the cluster, the Secret specification for a serving certificate will not be needed.",
+}
+
+func (ComponentRouteSpec) SwaggerDoc() map[string]string {
+	return map_ComponentRouteSpec
+}
+
+var map_ComponentRouteStatus = map[string]string{
+	"":                 "ComponentRouteStatus contains information allowing configuration of a route's hostname and serving certificate.",
+	"namespace":        "namespace is the namespace of the route to customize. It must be a real namespace. Using an actual namespace ensures that no two components will conflict and the same component can be installed multiple times.\n\nThe namespace and name of this componentRoute must match a corresponding entry in the list of spec.componentRoutes if the route is to be customized.",
+	"name":             "name is the logical name of the route to customize. It does not have to be the actual name of a route resource but it cannot be renamed.\n\nThe namespace and name of this componentRoute must match a corresponding entry in the list of spec.componentRoutes if the route is to be customized.",
+	"defaultHostname":  "defaultHostname is the hostname of this route prior to customization.",
+	"consumingUsers":   "consumingUsers is a slice of ServiceAccounts that need to have read permission on the servingCertKeyPairSecret secret.",
+	"currentHostnames": "currentHostnames is the list of current names used by the route. Typically, this list should consist of a single hostname, but if multiple hostnames are supported by the route the operator may write multiple entries to this list.",
+	"conditions":       "conditions are used to communicate the state of the componentRoutes entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf available is true, the content served by the route can be accessed by users. This includes cases where a default may continue to serve content while the customized route specified by the cluster-admin is being configured.\n\nIf Degraded is true, that means something has gone wrong trying to handle the componentRoutes entry. The currentHostnames field may or may not be in effect.\n\nIf Progressing is true, that means the component is taking some action related to the componentRoutes entry.",
+	"relatedObjects":   "relatedObjects is a list of resources which are useful when debugging or inspecting how spec.componentRoutes is applied.",
+}
+
+func (ComponentRouteStatus) SwaggerDoc() map[string]string {
+	return map_ComponentRouteStatus
+}
+
+var map_Ingress = map[string]string{
+	"":         "Ingress holds cluster-wide information about ingress, including the default ingress domain used for routes. The canonical name is `cluster`.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (Ingress) SwaggerDoc() map[string]string {
+	return map_Ingress
+}
+
+var map_IngressList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (IngressList) SwaggerDoc() map[string]string {
+	return map_IngressList
+}
+
+var map_IngressPlatformSpec = map[string]string{
+	"":     "IngressPlatformSpec holds the desired state of Ingress specific to the underlying infrastructure provider of the current cluster. Since these are used at spec-level for the underlying cluster, it is supposed that only one of the spec structs is set.",
+	"type": "type is the underlying infrastructure provider for the cluster. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\" and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.",
+	"aws":  "aws contains settings specific to the Amazon Web Services infrastructure provider.",
+}
+
+func (IngressPlatformSpec) SwaggerDoc() map[string]string {
+	return map_IngressPlatformSpec
+}
+
+var map_IngressSpec = map[string]string{
+	"domain":               "domain is used to generate a default host name for a route when the route's host name is empty. The generated host name will follow this pattern: \"<route-name>.<route-namespace>.<domain>\".\n\nIt is also used as the default wildcard domain suffix for ingress. The default ingresscontroller domain will follow this pattern: \"*.<domain>\".\n\nOnce set, changing domain is not currently supported.",
+	"appsDomain":           "appsDomain is an optional domain to use instead of the one specified in the domain field when a Route is created without specifying an explicit host. If appsDomain is nonempty, this value is used to generate default host values for Route. Unlike domain, appsDomain may be modified after installation. This assumes a new ingresscontroller has been setup with a wildcard certificate.",
+	"componentRoutes":      "componentRoutes is an optional list of routes that are managed by OpenShift components that a cluster-admin is able to configure the hostname and serving certificate for. The namespace and name of each route in this list should match an existing entry in the status.componentRoutes list.\n\nTo determine the set of configurable Routes, look at namespace and name of entries in the .status.componentRoutes list, where participating operators write the status of configurable routes.",
+	"requiredHSTSPolicies": "requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created  or updated routes matching the domainPattern/s and namespaceSelector/s that are specified in the policy. Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route annotation, and affect route admission.\n\nA candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: \"haproxy.router.openshift.io/hsts_header\" E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains\n\n- For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted.  Otherwise, the route is rejected. - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies determines the route's admission status. - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, then it may use any HSTS Policy annotation.\n\nThe HSTS policy configuration may be changed after routes have already been created. An update to a previously admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working.\n\nNote that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid.",
+	"loadBalancer":         "loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure provider of the current cluster and are required for Ingress Controller to work on OpenShift.",
+}
+
+func (IngressSpec) SwaggerDoc() map[string]string {
+	return map_IngressSpec
+}
+
+var map_IngressStatus = map[string]string{
+	"componentRoutes":  "componentRoutes is where participating operators place the current route status for routes whose hostnames and serving certificates can be customized by the cluster-admin.",
+	"defaultPlacement": "defaultPlacement is set at installation time to control which nodes will host the ingress router pods by default. The options are control-plane nodes or worker nodes.\n\nThis field works by dictating how the Cluster Ingress Operator will consider unset replicas and nodePlacement fields in IngressController resources when creating the corresponding Deployments.\n\nSee the documentation for the IngressController replicas and nodePlacement fields for more information.\n\nWhen omitted, the default value is Workers",
+}
+
+func (IngressStatus) SwaggerDoc() map[string]string {
+	return map_IngressStatus
+}
+
+var map_LoadBalancer = map[string]string{
+	"platform": "platform holds configuration specific to the underlying infrastructure provider for the ingress load balancers. When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time.",
+}
+
+func (LoadBalancer) SwaggerDoc() map[string]string {
+	return map_LoadBalancer
+}
+
+var map_AWSKMSConfig = map[string]string{
+	"":       "AWSKMSConfig defines the KMS config specific to AWS KMS provider",
+	"keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where: - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `<account_id>` is a 12-digit numeric identifier for the AWS account. - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.",
+	"region": "region specifies the AWS region where the KMS instance exists, and follows the format `<region-prefix>-<region-name>-<number>`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.",
+}
+
+func (AWSKMSConfig) SwaggerDoc() map[string]string {
+	return map_AWSKMSConfig
+}
+
+var map_KMSConfig = map[string]string{
+	"":     "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption",
+	"type": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.",
+	"aws":  "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.",
+}
+
+func (KMSConfig) SwaggerDoc() map[string]string {
+	return map_KMSConfig
+}
+
+var map_ClusterNetworkEntry = map[string]string{
+	"":           "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.",
+	"cidr":       "The complete block for pod IPs.",
+	"hostPrefix": "The size (prefix) of block to allocate to each node. If this field is not used by the plugin, it can be left unset.",
+}
+
+func (ClusterNetworkEntry) SwaggerDoc() map[string]string {
+	return map_ClusterNetworkEntry
+}
+
+var map_ExternalIPConfig = map[string]string{
+	"":                "ExternalIPConfig specifies some IP blocks relevant for the ExternalIP field of a Service resource.",
+	"policy":          "policy is a set of restrictions applied to the ExternalIP field. If nil or empty, then ExternalIP is not allowed to be set.",
+	"autoAssignCIDRs": "autoAssignCIDRs is a list of CIDRs from which to automatically assign Service.ExternalIP. These are assigned when the service is of type LoadBalancer. In general, this is only useful for bare-metal clusters. In Openshift 3.x, this was misleadingly called \"IngressIPs\". Automatically assigned External IPs are not affected by any ExternalIPPolicy rules. Currently, only one entry may be provided.",
+}
+
+func (ExternalIPConfig) SwaggerDoc() map[string]string {
+	return map_ExternalIPConfig
+}
+
+var map_ExternalIPPolicy = map[string]string{
+	"":              "ExternalIPPolicy configures exactly which IPs are allowed for the ExternalIP field in a Service. If the zero struct is supplied, then none are permitted. The policy controller always allows automatically assigned external IPs.",
+	"allowedCIDRs":  "allowedCIDRs is the list of allowed CIDRs.",
+	"rejectedCIDRs": "rejectedCIDRs is the list of disallowed CIDRs. These take precedence over allowedCIDRs.",
+}
+
+func (ExternalIPPolicy) SwaggerDoc() map[string]string {
+	return map_ExternalIPPolicy
+}
+
+var map_MTUMigration = map[string]string{
+	"":        "MTUMigration contains infomation about MTU migration.",
+	"network": "network contains MTU migration configuration for the default network.",
+	"machine": "machine contains MTU migration configuration for the machine's uplink.",
+}
+
+func (MTUMigration) SwaggerDoc() map[string]string {
+	return map_MTUMigration
+}
+
+var map_MTUMigrationValues = map[string]string{
+	"":     "MTUMigrationValues contains the values for a MTU migration.",
+	"to":   "to is the MTU to migrate to.",
+	"from": "from is the MTU to migrate from.",
+}
+
+func (MTUMigrationValues) SwaggerDoc() map[string]string {
+	return map_MTUMigrationValues
+}
+
+var map_Network = map[string]string{
+	"":         "Network holds cluster-wide information about Network. The canonical name is `cluster`. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. Please view network.spec for an explanation on what applies when configuring this resource.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration. As a general rule, this SHOULD NOT be read directly. Instead, you should consume the NetworkStatus, as it indicates the currently deployed configuration. Currently, most spec fields are immutable after installation. Please view the individual ones for further details on each.",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (Network) SwaggerDoc() map[string]string {
+	return map_Network
+}
+
+var map_NetworkDiagnostics = map[string]string{
+	"mode":            "mode controls the network diagnostics mode\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is All.",
+	"sourcePlacement": "sourcePlacement controls the scheduling of network diagnostics source deployment\n\nSee NetworkDiagnosticsSourcePlacement for more details about default values.",
+	"targetPlacement": "targetPlacement controls the scheduling of network diagnostics target daemonset\n\nSee NetworkDiagnosticsTargetPlacement for more details about default values.",
+}
+
+func (NetworkDiagnostics) SwaggerDoc() map[string]string {
+	return map_NetworkDiagnostics
+}
+
+var map_NetworkDiagnosticsSourcePlacement = map[string]string{
+	"":             "NetworkDiagnosticsSourcePlacement defines node scheduling configuration network diagnostics source components",
+	"nodeSelector": "nodeSelector is the node selector applied to network diagnostics components\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is `kubernetes.io/os: linux`.",
+	"tolerations":  "tolerations is a list of tolerations applied to network diagnostics components\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is an empty list.",
+}
+
+func (NetworkDiagnosticsSourcePlacement) SwaggerDoc() map[string]string {
+	return map_NetworkDiagnosticsSourcePlacement
+}
+
+var map_NetworkDiagnosticsTargetPlacement = map[string]string{
+	"":             "NetworkDiagnosticsTargetPlacement defines node scheduling configuration network diagnostics target components",
+	"nodeSelector": "nodeSelector is the node selector applied to network diagnostics components\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is `kubernetes.io/os: linux`.",
+	"tolerations":  "tolerations is a list of tolerations applied to network diagnostics components\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is `- operator: \"Exists\"` which means that all taints are tolerated.",
+}
+
+func (NetworkDiagnosticsTargetPlacement) SwaggerDoc() map[string]string {
+	return map_NetworkDiagnosticsTargetPlacement
+}
+
+var map_NetworkList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (NetworkList) SwaggerDoc() map[string]string {
+	return map_NetworkList
+}
+
+var map_NetworkMigration = map[string]string{
+	"":            "NetworkMigration represents the network migration status.",
+	"networkType": "networkType is the target plugin that is being deployed. DEPRECATED: network type migration is no longer supported, so this should always be unset.",
+	"mtu":         "mtu is the MTU configuration that is being deployed.",
+}
+
+func (NetworkMigration) SwaggerDoc() map[string]string {
+	return map_NetworkMigration
+}
+
+var map_NetworkSpec = map[string]string{
+	"":                     "NetworkSpec is the desired network configuration. As a general rule, this SHOULD NOT be read directly. Instead, you should consume the NetworkStatus, as it indicates the currently deployed configuration. Currently, most spec fields are immutable after installation. Please view the individual ones for further details on each.",
+	"clusterNetwork":       "IP address pool to use for pod IPs. This field is immutable after installation.",
+	"serviceNetwork":       "IP address pool for services. Currently, we only support a single entry here. This field is immutable after installation.",
+	"networkType":          "networkType is the plugin that is to be deployed (e.g. OVNKubernetes). This should match a value that the cluster-network-operator understands, or else no networking will be installed. Currently supported values are: - OVNKubernetes This field is immutable after installation.",
+	"externalIP":           "externalIP defines configuration for controllers that affect Service.ExternalIP. If nil, then ExternalIP is not allowed to be set.",
+	"serviceNodePortRange": "The port range allowed for Services of type NodePort. If not specified, the default of 30000-32767 will be used. Such Services without a NodePort specified will have one automatically allocated from this range. This parameter can be updated after the cluster is installed.",
+	"networkDiagnostics":   "networkDiagnostics defines network diagnostics configuration.\n\nTakes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. If networkDiagnostics is not specified or is empty, and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, the network diagnostics feature will be disabled.",
+}
+
+func (NetworkSpec) SwaggerDoc() map[string]string {
+	return map_NetworkSpec
+}
+
+var map_NetworkStatus = map[string]string{
+	"":                  "NetworkStatus is the current network configuration.",
+	"clusterNetwork":    "IP address pool to use for pod IPs.",
+	"serviceNetwork":    "IP address pool for services. Currently, we only support a single entry here.",
+	"networkType":       "networkType is the plugin that is deployed (e.g. OVNKubernetes).",
+	"clusterNetworkMTU": "clusterNetworkMTU is the MTU for inter-pod networking.",
+	"migration":         "migration contains the cluster network migration configuration.",
+	"conditions":        "conditions represents the observations of a network.config current state. Known .status.conditions.type are: \"NetworkDiagnosticsAvailable\"",
+}
+
+func (NetworkStatus) SwaggerDoc() map[string]string {
+	return map_NetworkStatus
+}
+
+var map_Node = map[string]string{
+	"":         "Node holds cluster-wide information about node specific features.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status holds observed values.",
+}
+
+func (Node) SwaggerDoc() map[string]string {
+	return map_Node
+}
+
+var map_NodeList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (NodeList) SwaggerDoc() map[string]string {
+	return map_NodeList
+}
+
+var map_NodeSpec = map[string]string{
+	"cgroupMode":            "cgroupMode determines the cgroups version on the node",
+	"workerLatencyProfile":  "workerLatencyProfile determins the how fast the kubelet is updating the status and corresponding reaction of the cluster",
+	"minimumKubeletVersion": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.",
+}
+
+func (NodeSpec) SwaggerDoc() map[string]string {
+	return map_NodeSpec
+}
+
+var map_NodeStatus = map[string]string{
+	"conditions": "conditions contain the details and the current state of the nodes.config object",
+}
+
+func (NodeStatus) SwaggerDoc() map[string]string {
+	return map_NodeStatus
+}
+
+var map_BasicAuthIdentityProvider = map[string]string{
+	"": "BasicAuthPasswordIdentityProvider provides identities for users authenticating using HTTP basic auth credentials",
+}
+
+func (BasicAuthIdentityProvider) SwaggerDoc() map[string]string {
+	return map_BasicAuthIdentityProvider
+}
+
+var map_GitHubIdentityProvider = map[string]string{
+	"":              "GitHubIdentityProvider provides identities for users authenticating using GitHub credentials",
+	"clientID":      "clientID is the oauth client ID",
+	"clientSecret":  "clientSecret is a required reference to the secret by name containing the oauth client secret. The key \"clientSecret\" is used to locate the data. If the secret or expected key is not found, the identity provider is not honored. The namespace for this secret is openshift-config.",
+	"organizations": "organizations optionally restricts which organizations are allowed to log in",
+	"teams":         "teams optionally restricts which teams are allowed to log in. Format is <org>/<team>.",
+	"hostname":      "hostname is the optional domain (e.g. \"mycompany.com\") for use with a hosted instance of GitHub Enterprise. It must match the GitHub Enterprise settings value configured at /setup/settings#hostname.",
+	"ca":            "ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key \"ca.crt\" is used to locate the data. If specified and the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. If empty, the default system roots are used. This can only be configured when hostname is set to a non-empty value. The namespace for this config map is openshift-config.",
+}
+
+func (GitHubIdentityProvider) SwaggerDoc() map[string]string {
+	return map_GitHubIdentityProvider
+}
+
+var map_GitLabIdentityProvider = map[string]string{
+	"":             "GitLabIdentityProvider provides identities for users authenticating using GitLab credentials",
+	"clientID":     "clientID is the oauth client ID",
+	"clientSecret": "clientSecret is a required reference to the secret by name containing the oauth client secret. The key \"clientSecret\" is used to locate the data. If the secret or expected key is not found, the identity provider is not honored. The namespace for this secret is openshift-config.",
+	"url":          "url is the oauth server base URL",
+	"ca":           "ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key \"ca.crt\" is used to locate the data. If specified and the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. If empty, the default system roots are used. The namespace for this config map is openshift-config.",
+}
+
+func (GitLabIdentityProvider) SwaggerDoc() map[string]string {
+	return map_GitLabIdentityProvider
+}
+
+var map_GoogleIdentityProvider = map[string]string{
+	"":             "GoogleIdentityProvider provides identities for users authenticating using Google credentials",
+	"clientID":     "clientID is the oauth client ID",
+	"clientSecret": "clientSecret is a required reference to the secret by name containing the oauth client secret. The key \"clientSecret\" is used to locate the data. If the secret or expected key is not found, the identity provider is not honored. The namespace for this secret is openshift-config.",
+	"hostedDomain": "hostedDomain is the optional Google App domain (e.g. \"mycompany.com\") to restrict logins to",
+}
+
+func (GoogleIdentityProvider) SwaggerDoc() map[string]string {
+	return map_GoogleIdentityProvider
+}
+
+var map_HTPasswdIdentityProvider = map[string]string{
+	"":         "HTPasswdPasswordIdentityProvider provides identities for users authenticating using htpasswd credentials",
+	"fileData": "fileData is a required reference to a secret by name containing the data to use as the htpasswd file. The key \"htpasswd\" is used to locate the data. If the secret or expected key is not found, the identity provider is not honored. If the specified htpasswd data is not valid, the identity provider is not honored. The namespace for this secret is openshift-config.",
+}
+
+func (HTPasswdIdentityProvider) SwaggerDoc() map[string]string {
+	return map_HTPasswdIdentityProvider
+}
+
+var map_IdentityProvider = map[string]string{
+	"":              "IdentityProvider provides identities for users authenticating using credentials",
+	"name":          "name is used to qualify the identities returned by this provider. - It MUST be unique and not shared by any other identity provider used - It MUST be a valid path segment: name cannot equal \".\" or \"..\" or contain \"/\" or \"%\" or \":\"\n  Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName",
+	"mappingMethod": "mappingMethod determines how identities from this provider are mapped to users Defaults to \"claim\"",
+}
+
+func (IdentityProvider) SwaggerDoc() map[string]string {
+	return map_IdentityProvider
+}
+
+var map_IdentityProviderConfig = map[string]string{
+	"":              "IdentityProviderConfig contains configuration for using a specific identity provider",
+	"type":          "type identifies the identity provider type for this entry.",
+	"basicAuth":     "basicAuth contains configuration options for the BasicAuth IdP",
+	"github":        "github enables user authentication using GitHub credentials",
+	"gitlab":        "gitlab enables user authentication using GitLab credentials",
+	"google":        "google enables user authentication using Google credentials",
+	"htpasswd":      "htpasswd enables user authentication using an HTPasswd file to validate credentials",
+	"keystone":      "keystone enables user authentication using keystone password credentials",
+	"ldap":          "ldap enables user authentication using LDAP credentials",
+	"openID":        "openID enables user authentication using OpenID credentials",
+	"requestHeader": "requestHeader enables user authentication using request header credentials",
+}
+
+func (IdentityProviderConfig) SwaggerDoc() map[string]string {
+	return map_IdentityProviderConfig
+}
+
+var map_KeystoneIdentityProvider = map[string]string{
+	"":           "KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials",
+	"domainName": "domainName is required for keystone v3",
+}
+
+func (KeystoneIdentityProvider) SwaggerDoc() map[string]string {
+	return map_KeystoneIdentityProvider
+}
+
+var map_LDAPAttributeMapping = map[string]string{
+	"":                  "LDAPAttributeMapping maps LDAP attributes to OpenShift identity fields",
+	"id":                "id is the list of attributes whose values should be used as the user ID. Required. First non-empty attribute is used. At least one attribute is required. If none of the listed attribute have a value, authentication fails. LDAP standard identity attribute is \"dn\"",
+	"preferredUsername": "preferredUsername is the list of attributes whose values should be used as the preferred username. LDAP standard login attribute is \"uid\"",
+	"name":              "name is the list of attributes whose values should be used as the display name. Optional. If unspecified, no display name is set for the identity LDAP standard display name attribute is \"cn\"",
+	"email":             "email is the list of attributes whose values should be used as the email address. Optional. If unspecified, no email is set for the identity",
+}
+
+func (LDAPAttributeMapping) SwaggerDoc() map[string]string {
+	return map_LDAPAttributeMapping
+}
+
+var map_LDAPIdentityProvider = map[string]string{
+	"":             "LDAPPasswordIdentityProvider provides identities for users authenticating using LDAP credentials",
+	"url":          "url is an RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is: ldap://host:port/basedn?attribute?scope?filter",
+	"bindDN":       "bindDN is an optional DN to bind with during the search phase.",
+	"bindPassword": "bindPassword is an optional reference to a secret by name containing a password to bind with during the search phase. The key \"bindPassword\" is used to locate the data. If specified and the secret or expected key is not found, the identity provider is not honored. The namespace for this secret is openshift-config.",
+	"insecure":     "insecure, if true, indicates the connection should not use TLS WARNING: Should not be set to `true` with the URL scheme \"ldaps://\" as \"ldaps://\" URLs always\n         attempt to connect using TLS, even when `insecure` is set to `true`\nWhen `true`, \"ldap://\" URLS connect insecurely. When `false`, \"ldap://\" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830.",
+	"ca":           "ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key \"ca.crt\" is used to locate the data. If specified and the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. If empty, the default system roots are used. The namespace for this config map is openshift-config.",
+	"attributes":   "attributes maps LDAP attributes to identities",
+}
+
+func (LDAPIdentityProvider) SwaggerDoc() map[string]string {
+	return map_LDAPIdentityProvider
+}
+
+var map_OAuth = map[string]string{
+	"":         "OAuth holds cluster-wide information about OAuth.  The canonical name is `cluster`. It is used to configure the integrated OAuth server. This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (OAuth) SwaggerDoc() map[string]string {
+	return map_OAuth
+}
+
+var map_OAuthList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (OAuthList) SwaggerDoc() map[string]string {
+	return map_OAuthList
+}
+
+var map_OAuthRemoteConnectionInfo = map[string]string{
+	"":              "OAuthRemoteConnectionInfo holds information necessary for establishing a remote connection",
+	"url":           "url is the remote URL to connect to",
+	"ca":            "ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key \"ca.crt\" is used to locate the data. If specified and the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. If empty, the default system roots are used. The namespace for this config map is openshift-config.",
+	"tlsClientCert": "tlsClientCert is an optional reference to a secret by name that contains the PEM-encoded TLS client certificate to present when connecting to the server. The key \"tls.crt\" is used to locate the data. If specified and the secret or expected key is not found, the identity provider is not honored. If the specified certificate data is not valid, the identity provider is not honored. The namespace for this secret is openshift-config.",
+	"tlsClientKey":  "tlsClientKey is an optional reference to a secret by name that contains the PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. The key \"tls.key\" is used to locate the data. If specified and the secret or expected key is not found, the identity provider is not honored. If the specified certificate data is not valid, the identity provider is not honored. The namespace for this secret is openshift-config.",
+}
+
+func (OAuthRemoteConnectionInfo) SwaggerDoc() map[string]string {
+	return map_OAuthRemoteConnectionInfo
+}
+
+var map_OAuthSpec = map[string]string{
+	"":                  "OAuthSpec contains desired cluster auth configuration",
+	"identityProviders": "identityProviders is an ordered list of ways for a user to identify themselves. When this list is empty, no identities are provisioned for users.",
+	"tokenConfig":       "tokenConfig contains options for authorization and access tokens",
+	"templates":         "templates allow you to customize pages like the login page.",
+}
+
+func (OAuthSpec) SwaggerDoc() map[string]string {
+	return map_OAuthSpec
+}
+
+var map_OAuthStatus = map[string]string{
+	"": "OAuthStatus shows current known state of OAuth server in the cluster",
+}
+
+func (OAuthStatus) SwaggerDoc() map[string]string {
+	return map_OAuthStatus
+}
+
+var map_OAuthTemplates = map[string]string{
+	"":                  "OAuthTemplates allow for customization of pages like the login page",
+	"login":             "login is the name of a secret that specifies a go template to use to render the login page. The key \"login.html\" is used to locate the template data. If specified and the secret or expected key is not found, the default login page is used. If the specified template is not valid, the default login page is used. If unspecified, the default login page is used. The namespace for this secret is openshift-config.",
+	"providerSelection": "providerSelection is the name of a secret that specifies a go template to use to render the provider selection page. The key \"providers.html\" is used to locate the template data. If specified and the secret or expected key is not found, the default provider selection page is used. If the specified template is not valid, the default provider selection page is used. If unspecified, the default provider selection page is used. The namespace for this secret is openshift-config.",
+	"error":             "error is the name of a secret that specifies a go template to use to render error pages during the authentication or grant flow. The key \"errors.html\" is used to locate the template data. If specified and the secret or expected key is not found, the default error page is used. If the specified template is not valid, the default error page is used. If unspecified, the default error page is used. The namespace for this secret is openshift-config.",
+}
+
+func (OAuthTemplates) SwaggerDoc() map[string]string {
+	return map_OAuthTemplates
+}
+
+var map_OpenIDClaims = map[string]string{
+	"":                  "OpenIDClaims contains a list of OpenID claims to use when authenticating with an OpenID identity provider",
+	"preferredUsername": "preferredUsername is the list of claims whose values should be used as the preferred username. If unspecified, the preferred username is determined from the value of the sub claim",
+	"name":              "name is the list of claims whose values should be used as the display name. Optional. If unspecified, no display name is set for the identity",
+	"email":             "email is the list of claims whose values should be used as the email address. Optional. If unspecified, no email is set for the identity",
+	"groups":            "groups is the list of claims value of which should be used to synchronize groups from the OIDC provider to OpenShift for the user. If multiple claims are specified, the first one with a non-empty value is used.",
+}
+
+func (OpenIDClaims) SwaggerDoc() map[string]string {
+	return map_OpenIDClaims
+}
+
+var map_OpenIDIdentityProvider = map[string]string{
+	"":                         "OpenIDIdentityProvider provides identities for users authenticating using OpenID credentials",
+	"clientID":                 "clientID is the oauth client ID",
+	"clientSecret":             "clientSecret is a required reference to the secret by name containing the oauth client secret. The key \"clientSecret\" is used to locate the data. If the secret or expected key is not found, the identity provider is not honored. The namespace for this secret is openshift-config.",
+	"ca":                       "ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key \"ca.crt\" is used to locate the data. If specified and the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. If empty, the default system roots are used. The namespace for this config map is openshift-config.",
+	"extraScopes":              "extraScopes are any scopes to request in addition to the standard \"openid\" scope.",
+	"extraAuthorizeParameters": "extraAuthorizeParameters are any custom parameters to add to the authorize request.",
+	"issuer":                   "issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. It must use the https scheme with no query or fragment component.",
+	"claims":                   "claims mappings",
+}
+
+func (OpenIDIdentityProvider) SwaggerDoc() map[string]string {
+	return map_OpenIDIdentityProvider
+}
+
+var map_RequestHeaderIdentityProvider = map[string]string{
+	"":                         "RequestHeaderIdentityProvider provides identities for users authenticating using request header credentials",
+	"loginURL":                 "loginURL is a URL to redirect unauthenticated /authorize requests to Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here ${url} is replaced with the current URL, escaped to be safe in a query parameter\n  https://www.example.com/sso-login?then=${url}\n${query} is replaced with the current query string\n  https://www.example.com/auth-proxy/oauth/authorize?${query}\nRequired when login is set to true.",
+	"challengeURL":             "challengeURL is a URL to redirect unauthenticated /authorize requests to Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be redirected here. ${url} is replaced with the current URL, escaped to be safe in a query parameter\n  https://www.example.com/sso-login?then=${url}\n${query} is replaced with the current query string\n  https://www.example.com/auth-proxy/oauth/authorize?${query}\nRequired when challenge is set to true.",
+	"ca":                       "ca is a required reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. Specifically, it allows verification of incoming requests to prevent header spoofing. The key \"ca.crt\" is used to locate the data. If the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. The namespace for this config map is openshift-config.",
+	"clientCommonNames":        "clientCommonNames is an optional list of common names to require a match from. If empty, any client certificate validated against the clientCA bundle is considered authoritative.",
+	"headers":                  "headers is the set of headers to check for identity information",
+	"preferredUsernameHeaders": "preferredUsernameHeaders is the set of headers to check for the preferred username",
+	"nameHeaders":              "nameHeaders is the set of headers to check for the display name",
+	"emailHeaders":             "emailHeaders is the set of headers to check for the email address",
+}
+
+func (RequestHeaderIdentityProvider) SwaggerDoc() map[string]string {
+	return map_RequestHeaderIdentityProvider
+}
+
+var map_TokenConfig = map[string]string{
+	"":                                    "TokenConfig holds the necessary configuration options for authorization and access tokens",
+	"accessTokenMaxAgeSeconds":            "accessTokenMaxAgeSeconds defines the maximum age of access tokens",
+	"accessTokenInactivityTimeoutSeconds": "accessTokenInactivityTimeoutSeconds - DEPRECATED: setting this field has no effect.",
+	"accessTokenInactivityTimeout":        "accessTokenInactivityTimeout defines the token inactivity timeout for tokens granted by any client. The value represents the maximum amount of time that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. The user will need to acquire a new token to regain access once a token times out. Takes valid time duration string such as \"5m\", \"1.5h\" or \"2h45m\". The minimum allowed value for duration is 300s (5 minutes). If the timeout is configured per client, then that value takes precedence. If the timeout value is not specified and the client does not override the value, then tokens are valid until their lifetime.\n\nWARNING: existing tokens' timeout will not be affected (lowered) by changing this value",
+}
+
+func (TokenConfig) SwaggerDoc() map[string]string {
+	return map_TokenConfig
+}
+
+var map_HubSource = map[string]string{
+	"":         "HubSource is used to specify the hub source and its configuration",
+	"name":     "name is the name of one of the default hub sources",
+	"disabled": "disabled is used to disable a default hub source on cluster",
+}
+
+func (HubSource) SwaggerDoc() map[string]string {
+	return map_HubSource
+}
+
+var map_HubSourceStatus = map[string]string{
+	"":        "HubSourceStatus is used to reflect the current state of applying the configuration to a default source",
+	"status":  "status indicates success or failure in applying the configuration",
+	"message": "message provides more information regarding failures",
+}
+
+func (HubSourceStatus) SwaggerDoc() map[string]string {
+	return map_HubSourceStatus
+}
+
+var map_OperatorHub = map[string]string{
+	"":         "OperatorHub is the Schema for the operatorhubs API. It can be used to change the state of the default hub sources for OperatorHub on the cluster from enabled to disabled and vice versa.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (OperatorHub) SwaggerDoc() map[string]string {
+	return map_OperatorHub
+}
+
+var map_OperatorHubList = map[string]string{
+	"":         "OperatorHubList contains a list of OperatorHub\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (OperatorHubList) SwaggerDoc() map[string]string {
+	return map_OperatorHubList
+}
+
+var map_OperatorHubSpec = map[string]string{
+	"":                         "OperatorHubSpec defines the desired state of OperatorHub",
+	"disableAllDefaultSources": "disableAllDefaultSources allows you to disable all the default hub sources. If this is true, a specific entry in sources can be used to enable a default source. If this is false, a specific entry in sources can be used to disable or enable a default source.",
+	"sources":                  "sources is the list of default hub sources and their configuration. If the list is empty, it implies that the default hub sources are enabled on the cluster unless disableAllDefaultSources is true. If disableAllDefaultSources is true and sources is not empty, the configuration present in sources will take precedence. The list of default hub sources and their current state will always be reflected in the status block.",
+}
+
+func (OperatorHubSpec) SwaggerDoc() map[string]string {
+	return map_OperatorHubSpec
+}
+
+var map_OperatorHubStatus = map[string]string{
+	"":        "OperatorHubStatus defines the observed state of OperatorHub. The current state of the default hub sources will always be reflected here.",
+	"sources": "sources encapsulates the result of applying the configuration for each hub source",
+}
+
+func (OperatorHubStatus) SwaggerDoc() map[string]string {
+	return map_OperatorHubStatus
+}
+
+var map_Project = map[string]string{
+	"":         "Project holds cluster-wide information about Project.  The canonical name is `cluster`\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (Project) SwaggerDoc() map[string]string {
+	return map_Project
+}
+
+var map_ProjectList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (ProjectList) SwaggerDoc() map[string]string {
+	return map_ProjectList
+}
+
+var map_ProjectSpec = map[string]string{
+	"":                       "ProjectSpec holds the project creation configuration.",
+	"projectRequestMessage":  "projectRequestMessage is the string presented to a user if they are unable to request a project via the projectrequest api endpoint",
+	"projectRequestTemplate": "projectRequestTemplate is the template to use for creating projects in response to projectrequest. This must point to a template in 'openshift-config' namespace. It is optional. If it is not specified, a default template is used.",
+}
+
+func (ProjectSpec) SwaggerDoc() map[string]string {
+	return map_ProjectSpec
+}
+
+var map_TemplateReference = map[string]string{
+	"":     "TemplateReference references a template in a specific namespace. The namespace must be specified at the point of use.",
+	"name": "name is the metadata.name of the referenced project request template",
+}
+
+func (TemplateReference) SwaggerDoc() map[string]string {
+	return map_TemplateReference
+}
+
+var map_Proxy = map[string]string{
+	"":         "Proxy holds cluster-wide information on how to configure default proxies for the cluster. The canonical name is `cluster`\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user-settable values for the proxy configuration",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (Proxy) SwaggerDoc() map[string]string {
+	return map_Proxy
+}
+
+var map_ProxyList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (ProxyList) SwaggerDoc() map[string]string {
+	return map_ProxyList
+}
+
+var map_ProxySpec = map[string]string{
+	"":                   "ProxySpec contains cluster proxy creation configuration.",
+	"httpProxy":          "httpProxy is the URL of the proxy for HTTP requests.  Empty means unset and will not result in an env var.",
+	"httpsProxy":         "httpsProxy is the URL of the proxy for HTTPS requests.  Empty means unset and will not result in an env var.",
+	"noProxy":            "noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. Empty means unset and will not result in an env var.",
+	"readinessEndpoints": "readinessEndpoints is a list of endpoints used to verify readiness of the proxy.",
+	"trustedCA":          "trustedCA is a reference to a ConfigMap containing a CA certificate bundle. The trustedCA field should only be consumed by a proxy validator. The validator is responsible for reading the certificate bundle from the required key \"ca-bundle.crt\", merging it with the system default trust bundle, and writing the merged trust bundle to a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\" namespace. Clients that expect to make proxy connections must use the trusted-ca-bundle for all HTTPS requests to the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as well.\n\nThe namespace for the ConfigMap referenced by trustedCA is \"openshift-config\". Here is an example ConfigMap (in yaml):\n\napiVersion: v1 kind: ConfigMap metadata:\n name: user-ca-bundle\n namespace: openshift-config\n data:\n   ca-bundle.crt: |",
+}
+
+func (ProxySpec) SwaggerDoc() map[string]string {
+	return map_ProxySpec
+}
+
+var map_ProxyStatus = map[string]string{
+	"":           "ProxyStatus shows current known state of the cluster proxy.",
+	"httpProxy":  "httpProxy is the URL of the proxy for HTTP requests.",
+	"httpsProxy": "httpsProxy is the URL of the proxy for HTTPS requests.",
+	"noProxy":    "noProxy is a comma-separated list of hostnames and/or CIDRs for which the proxy should not be used.",
+}
+
+func (ProxyStatus) SwaggerDoc() map[string]string {
+	return map_ProxyStatus
+}
+
+var map_ProfileCustomizations = map[string]string{
+	"":                          "ProfileCustomizations contains various parameters for modifying the default behavior of certain profiles",
+	"dynamicResourceAllocation": "dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. Third-party resource drivers are responsible for tracking and allocating resources. Different kinds of resources support arbitrary parameters for defining requirements and initialization. Valid values are Enabled, Disabled and omitted. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is Disabled.",
+}
+
+func (ProfileCustomizations) SwaggerDoc() map[string]string {
+	return map_ProfileCustomizations
+}
+
+var map_Scheduler = map[string]string{
+	"":         "Scheduler holds cluster-wide config information to run the Kubernetes Scheduler and influence its placement decisions. The canonical name for this config is `cluster`.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (Scheduler) SwaggerDoc() map[string]string {
+	return map_Scheduler
+}
+
+var map_SchedulerList = map[string]string{
+	"":         "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (SchedulerList) SwaggerDoc() map[string]string {
+	return map_SchedulerList
+}
+
+var map_SchedulerSpec = map[string]string{
+	"policy":                "DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. policy is a reference to a ConfigMap containing scheduler policy which has user specified predicates and priorities. If this ConfigMap is not available scheduler will default to use DefaultAlgorithmProvider. The namespace for this configmap is openshift-config.",
+	"profile":               "profile sets which scheduling profile should be set in order to configure scheduling decisions for new pods.\n\nValid values are \"LowNodeUtilization\", \"HighNodeUtilization\", \"NoScoring\" Defaults to \"LowNodeUtilization\"",
+	"profileCustomizations": "profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles.",
+	"defaultNodeSelector":   "defaultNodeSelector helps set the cluster-wide default node selector to restrict pod placement to specific nodes. This is applied to the pods created in all namespaces and creates an intersection with any existing nodeSelectors already set on a pod, additionally constraining that pod's selector. For example, defaultNodeSelector: \"type=user-node,region=east\" would set nodeSelector field in pod spec to \"type=user-node,region=east\" to all pods created in all namespaces. Namespaces having project-wide node selectors won't be impacted even if this field is set. This adds an annotation section to the namespace. For example, if a new namespace is created with node-selector='type=user-node,region=east', the annotation openshift.io/node-selector: type=user-node,region=east gets added to the project. When the openshift.io/node-selector annotation is set on the project the value is used in preference to the value we are setting for defaultNodeSelector field. For instance, openshift.io/node-selector: \"type=user-node,region=west\" means that the default of \"type=user-node,region=east\" set in defaultNodeSelector would not be applied.",
+	"mastersSchedulable":    "mastersSchedulable allows masters nodes to be schedulable. When this flag is turned on, all the master nodes in the cluster will be made schedulable, so that workload pods can run on them. The default value for this field is false, meaning none of the master nodes are schedulable. Important Note: Once the workload pods start running on the master nodes, extreme care must be taken to ensure that cluster-critical control plane components are not impacted. Please turn on this field after doing due diligence.",
+}
+
+func (SchedulerSpec) SwaggerDoc() map[string]string {
+	return map_SchedulerSpec
+}
+
+var map_FeatureGateTests = map[string]string{
+	"featureGate": "featureGate is the name of the FeatureGate as it appears in The FeatureGate CR instance.",
+	"tests":       "tests contains an item for every TestName",
+}
+
+func (FeatureGateTests) SwaggerDoc() map[string]string {
+	return map_FeatureGateTests
+}
+
+var map_TestDetails = map[string]string{
+	"testName": "testName is the name of the test as it appears in junit XMLs. It does not include the suite name since the same test can be executed in many suites.",
+}
+
+func (TestDetails) SwaggerDoc() map[string]string {
+	return map_TestDetails
+}
+
+var map_TestReporting = map[string]string{
+	"":         "TestReporting is used for origin (and potentially others) to report the test names for a given FeatureGate into the payload for later analysis on a per-payload basis. This doesn't need any CRD because it's never stored in the cluster.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"status":   "status holds observed values from the cluster. They may not be overridden.",
+}
+
+func (TestReporting) SwaggerDoc() map[string]string {
+	return map_TestReporting
+}
+
+var map_TestReportingSpec = map[string]string{
+	"testsForFeatureGates": "testsForFeatureGates is a list, indexed by FeatureGate and includes information about testing.",
+}
+
+func (TestReportingSpec) SwaggerDoc() map[string]string {
+	return map_TestReportingSpec
+}
+
+var map_CustomTLSProfile = map[string]string{
+	"": "CustomTLSProfile is a user-defined TLS security profile. Be extremely careful using a custom TLS profile as invalid configurations can be catastrophic.",
+}
+
+func (CustomTLSProfile) SwaggerDoc() map[string]string {
+	return map_CustomTLSProfile
+}
+
+var map_IntermediateTLSProfile = map[string]string{
+	"": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29",
+}
+
+func (IntermediateTLSProfile) SwaggerDoc() map[string]string {
+	return map_IntermediateTLSProfile
+}
+
+var map_ModernTLSProfile = map[string]string{
+	"": "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility",
+}
+
+func (ModernTLSProfile) SwaggerDoc() map[string]string {
+	return map_ModernTLSProfile
+}
+
+var map_OldTLSProfile = map[string]string{
+	"": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility",
+}
+
+func (OldTLSProfile) SwaggerDoc() map[string]string {
+	return map_OldTLSProfile
+}
+
+var map_TLSProfileSpec = map[string]string{
+	"":              "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.",
+	"ciphers":       "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake.  Operators may remove entries their operands do not support.  For example, to use DES-CBC3-SHA  (yaml):\n\n  ciphers:\n    - DES-CBC3-SHA",
+	"minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n  minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12",
+}
+
+func (TLSProfileSpec) SwaggerDoc() map[string]string {
+	return map_TLSProfileSpec
+}
+
+var map_TLSSecurityProfile = map[string]string{
+	"":             "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.",
+	"type":         "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure.  Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.",
+	"old":          "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n  ciphers:\n\n    - TLS_AES_128_GCM_SHA256\n\n    - TLS_AES_256_GCM_SHA384\n\n    - TLS_CHACHA20_POLY1305_SHA256\n\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n\n    - ECDHE-RSA-AES128-GCM-SHA256\n\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n\n    - ECDHE-RSA-AES256-GCM-SHA384\n\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-CHACHA20-POLY1305\n\n    - DHE-RSA-AES128-GCM-SHA256\n\n    - DHE-RSA-AES256-GCM-SHA384\n\n    - DHE-RSA-CHACHA20-POLY1305\n\n    - ECDHE-ECDSA-AES128-SHA256\n\n    - ECDHE-RSA-AES128-SHA256\n\n    - ECDHE-ECDSA-AES128-SHA\n\n    - ECDHE-RSA-AES128-SHA\n\n    - ECDHE-ECDSA-AES256-SHA384\n\n    - ECDHE-RSA-AES256-SHA384\n\n    - ECDHE-ECDSA-AES256-SHA\n\n    - ECDHE-RSA-AES256-SHA\n\n    - DHE-RSA-AES128-SHA256\n\n    - DHE-RSA-AES256-SHA256\n\n    - AES128-GCM-SHA256\n\n    - AES256-GCM-SHA384\n\n    - AES128-SHA256\n\n    - AES256-SHA256\n\n    - AES128-SHA\n\n    - AES256-SHA\n\n    - DES-CBC3-SHA\n\n  minTLSVersion: VersionTLS10",
+	"intermediate": "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n  ciphers:\n\n    - TLS_AES_128_GCM_SHA256\n\n    - TLS_AES_256_GCM_SHA384\n\n    - TLS_CHACHA20_POLY1305_SHA256\n\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n\n    - ECDHE-RSA-AES128-GCM-SHA256\n\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n\n    - ECDHE-RSA-AES256-GCM-SHA384\n\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-CHACHA20-POLY1305\n\n    - DHE-RSA-AES128-GCM-SHA256\n\n    - DHE-RSA-AES256-GCM-SHA384\n\n  minTLSVersion: VersionTLS12",
+	"modern":       "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n  ciphers:\n\n    - TLS_AES_128_GCM_SHA256\n\n    - TLS_AES_256_GCM_SHA384\n\n    - TLS_CHACHA20_POLY1305_SHA256\n\n  minTLSVersion: VersionTLS13",
+	"custom":       "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n  ciphers:\n\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-AES128-GCM-SHA256\n\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n\n  minTLSVersion: VersionTLS11",
+}
+
+func (TLSSecurityProfile) SwaggerDoc() map[string]string {
+	return map_TLSSecurityProfile
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/vendor/github.com/pquerna/cachecontrol/.travis.yml b/vendor/github.com/pquerna/cachecontrol/.travis.yml
new file mode 100644
index 00000000..0d966bb0
--- /dev/null
+++ b/vendor/github.com/pquerna/cachecontrol/.travis.yml
@@ -0,0 +1,8 @@
+arch:
+  - amd64
+  - ppc64le
+language: go
+
+go:
+  - "1.15"
+  - "1.16"
diff --git a/vendor/github.com/pquerna/cachecontrol/LICENSE b/vendor/github.com/pquerna/cachecontrol/LICENSE
new file mode 100644
index 00000000..d6456956
--- /dev/null
+++ b/vendor/github.com/pquerna/cachecontrol/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/pquerna/cachecontrol/README.md b/vendor/github.com/pquerna/cachecontrol/README.md
new file mode 100644
index 00000000..35ea9c8c
--- /dev/null
+++ b/vendor/github.com/pquerna/cachecontrol/README.md
@@ -0,0 +1,107 @@
+# cachecontrol: HTTP Caching Parser and Interpretation
+
+[![PkgGoDev](https://pkg.go.dev/badge/github.com/pquerna/cachecontrol?tab=doc)](https://pkg.go.dev/github.com/pquerna/cachecontrol?tab=doc)[![Build Status](https://travis-ci.org/pquerna/cachecontrol.svg?branch=master)](https://travis-ci.org/pquerna/cachecontrol)
+
+ 
+
+`cachecontrol` implements [RFC 7234](http://tools.ietf.org/html/rfc7234) __Hypertext Transfer Protocol (HTTP/1.1): Caching__.  It does this by parsing the `Cache-Control` and other headers, providing information about requests and responses -- but `cachecontrol` does not implement an actual cache backend, just the control plane to make decisions about if a particular response is cachable.
+
+# Usage
+
+`cachecontrol.CachableResponse` returns an array of [reasons](https://godoc.org/github.com/pquerna/cachecontrol/cacheobject#Reason) why a response should not be cached and when it expires.  In the case that `len(reasons) == 0`, the response is cachable according to the RFC.  However, some people want non-compliant caches for various business use cases, so each reason is specifically named, so if your cache wants to cache `POST` requests, it can easily do that, but still be RFC compliant in other situations.
+
+# Examples
+
+## Can you cache Example.com?
+
+```go
+package main
+
+import (
+	"github.com/pquerna/cachecontrol"
+
+	"fmt"
+	"io/ioutil"
+	"net/http"
+)
+
+func main() {
+	req, _ := http.NewRequest("GET", "http://www.example.com/", nil)
+
+	res, _ := http.DefaultClient.Do(req)
+	_, _ = ioutil.ReadAll(res.Body)
+
+	reasons, expires, _ := cachecontrol.CachableResponse(req, res, cachecontrol.Options{})
+
+	fmt.Println("Reasons to not cache: ", reasons)
+	fmt.Println("Expiration: ", expires.String())
+}
+```
+
+## Can I use this in a high performance caching server?
+
+`cachecontrol` is divided into two packages: `cachecontrol` with a high level API, and a lower level `cacheobject` package.  Use [Object](https://godoc.org/github.com/pquerna/cachecontrol/cacheobject#Object) in a high performance use case where you have previously parsed headers containing dates or would like to avoid memory allocations.
+
+```go
+package main
+
+import (
+	"github.com/pquerna/cachecontrol/cacheobject"
+
+	"fmt"
+	"io/ioutil"
+	"net/http"
+)
+
+func main() {
+	req, _ := http.NewRequest("GET", "http://www.example.com/", nil)
+
+	res, _ := http.DefaultClient.Do(req)
+	_, _ = ioutil.ReadAll(res.Body)
+
+	reqDir, _ := cacheobject.ParseRequestCacheControl(req.Header.Get("Cache-Control"))
+
+	resDir, _ := cacheobject.ParseResponseCacheControl(res.Header.Get("Cache-Control"))
+	expiresHeader, _ := http.ParseTime(res.Header.Get("Expires"))
+	dateHeader, _ := http.ParseTime(res.Header.Get("Date"))
+	lastModifiedHeader, _ := http.ParseTime(res.Header.Get("Last-Modified"))
+
+	obj := cacheobject.Object{
+		RespDirectives:         resDir,
+		RespHeaders:            res.Header,
+		RespStatusCode:         res.StatusCode,
+		RespExpiresHeader:      expiresHeader,
+		RespDateHeader:         dateHeader,
+		RespLastModifiedHeader: lastModifiedHeader,
+
+		ReqDirectives: reqDir,
+		ReqHeaders:    req.Header,
+		ReqMethod:     req.Method,
+
+		NowUTC: time.Now().UTC(),
+	}
+	rv := cacheobject.ObjectResults{}
+
+	cacheobject.CachableObject(&obj, &rv)
+	cacheobject.ExpirationObject(&obj, &rv)
+
+	fmt.Println("Errors: ", rv.OutErr)
+	fmt.Println("Reasons to not cache: ", rv.OutReasons)
+	fmt.Println("Warning headers to add: ", rv.OutWarnings)
+	fmt.Println("Expiration: ", rv.OutExpirationTime.String())
+}
+```
+
+## Improvements, bugs, adding features, and taking cachecontrol new directions!
+
+Please [open issues in Github](https://github.com/pquerna/cachecontrol/issues) for ideas, bugs, and general thoughts.  Pull requests are of course preferred :)
+
+# Credits
+
+`cachecontrol` has recieved significant contributions from:
+
+* [Paul Querna](https://github.com/pquerna) 
+
+## License
+
+`cachecontrol` is licensed under the [Apache License, Version 2.0](./LICENSE)
diff --git a/vendor/github.com/pquerna/cachecontrol/api.go b/vendor/github.com/pquerna/cachecontrol/api.go
new file mode 100644
index 00000000..5759a4c0
--- /dev/null
+++ b/vendor/github.com/pquerna/cachecontrol/api.go
@@ -0,0 +1,48 @@
+/**
+ *  Copyright 2015 Paul Querna
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package cachecontrol
+
+import (
+	"github.com/pquerna/cachecontrol/cacheobject"
+
+	"net/http"
+	"time"
+)
+
+type Options struct {
+	// Set to True for a private cache, which is not shared among users (eg, in a browser)
+	// Set to False for a "shared" cache, which is more common in a server context.
+	PrivateCache bool
+}
+
+// Given an HTTP Request, the future Status Code, and an ResponseWriter,
+// determine the possible reasons a response SHOULD NOT be cached.
+func CachableResponseWriter(req *http.Request,
+	statusCode int,
+	resp http.ResponseWriter,
+	opts Options) ([]cacheobject.Reason, time.Time, error) {
+	return cacheobject.UsingRequestResponse(req, statusCode, resp.Header(), opts.PrivateCache)
+}
+
+// Given an HTTP Request and Response, determine the possible reasons a response SHOULD NOT
+// be cached.
+func CachableResponse(req *http.Request,
+	resp *http.Response,
+	opts Options) ([]cacheobject.Reason, time.Time, error) {
+	return cacheobject.UsingRequestResponse(req, resp.StatusCode, resp.Header, opts.PrivateCache)
+}
diff --git a/vendor/github.com/pquerna/cachecontrol/cacheobject/directive.go b/vendor/github.com/pquerna/cachecontrol/cacheobject/directive.go
new file mode 100644
index 00000000..afc63dc7
--- /dev/null
+++ b/vendor/github.com/pquerna/cachecontrol/cacheobject/directive.go
@@ -0,0 +1,547 @@
+/**
+ *  Copyright 2015 Paul Querna
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package cacheobject
+
+import (
+	"errors"
+	"math"
+	"net/http"
+	"net/textproto"
+	"strconv"
+	"strings"
+)
+
+// TODO(pquerna): add extensions from here: http://www.iana.org/assignments/http-cache-directives/http-cache-directives.xhtml
+
+var (
+	ErrQuoteMismatch         = errors.New("Missing closing quote")
+	ErrMaxAgeDeltaSeconds    = errors.New("Failed to parse delta-seconds in `max-age`")
+	ErrSMaxAgeDeltaSeconds   = errors.New("Failed to parse delta-seconds in `s-maxage`")
+	ErrMaxStaleDeltaSeconds  = errors.New("Failed to parse delta-seconds in `max-stale`")
+	ErrMinFreshDeltaSeconds  = errors.New("Failed to parse delta-seconds in `min-fresh`")
+	ErrNoCacheNoArgs         = errors.New("Unexpected argument to `no-cache`")
+	ErrNoStoreNoArgs         = errors.New("Unexpected argument to `no-store`")
+	ErrNoTransformNoArgs     = errors.New("Unexpected argument to `no-transform`")
+	ErrOnlyIfCachedNoArgs    = errors.New("Unexpected argument to `only-if-cached`")
+	ErrMustRevalidateNoArgs  = errors.New("Unexpected argument to `must-revalidate`")
+	ErrPublicNoArgs          = errors.New("Unexpected argument to `public`")
+	ErrProxyRevalidateNoArgs = errors.New("Unexpected argument to `proxy-revalidate`")
+	// Experimental
+	ErrImmutableNoArgs                  = errors.New("Unexpected argument to `immutable`")
+	ErrStaleIfErrorDeltaSeconds         = errors.New("Failed to parse delta-seconds in `stale-if-error`")
+	ErrStaleWhileRevalidateDeltaSeconds = errors.New("Failed to parse delta-seconds in `stale-while-revalidate`")
+)
+
+func whitespace(b byte) bool {
+	if b == '\t' || b == ' ' {
+		return true
+	}
+	return false
+}
+
+func parse(value string, cd cacheDirective) error {
+	var err error = nil
+	i := 0
+
+	for i < len(value) && err == nil {
+		// eat leading whitespace or commas
+		if whitespace(value[i]) || value[i] == ',' {
+			i++
+			continue
+		}
+
+		j := i + 1
+
+		for j < len(value) {
+			if !isToken(value[j]) {
+				break
+			}
+			j++
+		}
+
+		token := strings.ToLower(value[i:j])
+		tokenHasFields := hasFieldNames(token)
+		/*
+			println("GOT TOKEN:")
+			println("	i -> ", i)
+			println("	j -> ", j)
+			println("	token -> ", token)
+		*/
+
+		if j+1 < len(value) && value[j] == '=' {
+			k := j + 1
+			// minimum size two bytes of "", but we let httpUnquote handle it.
+			if k < len(value) && value[k] == '"' {
+				eaten, result := httpUnquote(value[k:])
+				if eaten == -1 {
+					return ErrQuoteMismatch
+				}
+				i = k + eaten
+
+				err = cd.addPair(token, result)
+			} else {
+				z := k
+				for z < len(value) {
+					if tokenHasFields {
+						if whitespace(value[z]) {
+							break
+						}
+					} else {
+						if whitespace(value[z]) || value[z] == ',' {
+							break
+						}
+					}
+					z++
+				}
+				i = z
+
+				result := value[k:z]
+				if result != "" && result[len(result)-1] == ',' {
+					result = result[:len(result)-1]
+				}
+
+				err = cd.addPair(token, result)
+			}
+		} else {
+			if token != "," {
+				err = cd.addToken(token)
+			}
+			i = j
+		}
+	}
+
+	return err
+}
+
+// DeltaSeconds specifies a non-negative integer, representing
+// time in seconds: http://tools.ietf.org/html/rfc7234#section-1.2.1
+//
+// When set to -1, this means unset.
+//
+type DeltaSeconds int32
+
+// Parser for delta-seconds, a uint31, more or less:
+// http://tools.ietf.org/html/rfc7234#section-1.2.1
+func parseDeltaSeconds(v string) (DeltaSeconds, error) {
+	n, err := strconv.ParseUint(v, 10, 32)
+	if err != nil {
+		if numError, ok := err.(*strconv.NumError); ok {
+			if numError.Err == strconv.ErrRange {
+				return DeltaSeconds(math.MaxInt32), nil
+			}
+		}
+		return DeltaSeconds(-1), err
+	} else {
+		if n > math.MaxInt32 {
+			return DeltaSeconds(math.MaxInt32), nil
+		} else {
+			return DeltaSeconds(n), nil
+		}
+	}
+}
+
+// Fields present in a header.
+type FieldNames map[string]bool
+
+// internal interface for shared methods of RequestCacheDirectives and ResponseCacheDirectives
+type cacheDirective interface {
+	addToken(s string) error
+	addPair(s string, v string) error
+}
+
+// LOW LEVEL API: Representation of possible request directives in a `Cache-Control` header: http://tools.ietf.org/html/rfc7234#section-5.2.1
+//
+// Note: Many fields will be `nil` in practice.
+//
+type RequestCacheDirectives struct {
+
+	// max-age(delta seconds): http://tools.ietf.org/html/rfc7234#section-5.2.1.1
+	//
+	// The "max-age" request directive indicates that the client is
+	// unwilling to accept a response whose age is greater than the
+	// specified number of seconds.  Unless the max-stale request directive
+	// is also present, the client is not willing to accept a stale
+	// response.
+	MaxAge DeltaSeconds
+
+	// max-stale(delta seconds): http://tools.ietf.org/html/rfc7234#section-5.2.1.2
+	//
+	// The "max-stale" request directive indicates that the client is
+	// willing to accept a response that has exceeded its freshness
+	// lifetime.  If max-stale is assigned a value, then the client is
+	// willing to accept a response that has exceeded its freshness lifetime
+	// by no more than the specified number of seconds.  If no value is
+	// assigned to max-stale, then the client is willing to accept a stale
+	// response of any age.
+	MaxStale DeltaSeconds
+	MaxStaleSet bool
+
+	// min-fresh(delta seconds): http://tools.ietf.org/html/rfc7234#section-5.2.1.3
+	//
+	// The "min-fresh" request directive indicates that the client is
+	// willing to accept a response whose freshness lifetime is no less than
+	// its current age plus the specified time in seconds.  That is, the
+	// client wants a response that will still be fresh for at least the
+	// specified number of seconds.
+	MinFresh DeltaSeconds
+
+	// no-cache(bool): http://tools.ietf.org/html/rfc7234#section-5.2.1.4
+	//
+	// The "no-cache" request directive indicates that a cache MUST NOT use
+	// a stored response to satisfy the request without successful
+	// validation on the origin server.
+	NoCache bool
+
+	// no-store(bool): http://tools.ietf.org/html/rfc7234#section-5.2.1.5
+	//
+	// The "no-store" request directive indicates that a cache MUST NOT
+	// store any part of either this request or any response to it.  This
+	// directive applies to both private and shared caches.
+	NoStore bool
+
+	// no-transform(bool): http://tools.ietf.org/html/rfc7234#section-5.2.1.6
+	//
+	// The "no-transform" request directive indicates that an intermediary
+	// (whether or not it implements a cache) MUST NOT transform the
+	// payload, as defined in Section 5.7.2 of RFC7230.
+	NoTransform bool
+
+	// only-if-cached(bool): http://tools.ietf.org/html/rfc7234#section-5.2.1.7
+	//
+	// The "only-if-cached" request directive indicates that the client only
+	// wishes to obtain a stored response.
+	OnlyIfCached bool
+
+	// Extensions: http://tools.ietf.org/html/rfc7234#section-5.2.3
+	//
+	// The Cache-Control header field can be extended through the use of one
+	// or more cache-extension tokens, each with an optional value.  A cache
+	// MUST ignore unrecognized cache directives.
+	Extensions []string
+}
+
+func (cd *RequestCacheDirectives) addToken(token string) error {
+	var err error = nil
+
+	switch token {
+	case "max-age":
+		err = ErrMaxAgeDeltaSeconds
+	case "min-fresh":
+		err = ErrMinFreshDeltaSeconds
+	case "max-stale":
+		cd.MaxStaleSet = true
+	case "no-cache":
+		cd.NoCache = true
+	case "no-store":
+		cd.NoStore = true
+	case "no-transform":
+		cd.NoTransform = true
+	case "only-if-cached":
+		cd.OnlyIfCached = true
+	default:
+		cd.Extensions = append(cd.Extensions, token)
+	}
+	return err
+}
+
+func (cd *RequestCacheDirectives) addPair(token string, v string) error {
+	var err error = nil
+
+	switch token {
+	case "max-age":
+		cd.MaxAge, err = parseDeltaSeconds(v)
+		if err != nil {
+			err = ErrMaxAgeDeltaSeconds
+		}
+	case "max-stale":
+		cd.MaxStale, err = parseDeltaSeconds(v)
+		if err != nil {
+			err = ErrMaxStaleDeltaSeconds
+		}
+	case "min-fresh":
+		cd.MinFresh, err = parseDeltaSeconds(v)
+		if err != nil {
+			err = ErrMinFreshDeltaSeconds
+		}
+	case "no-cache":
+		err = ErrNoCacheNoArgs
+	case "no-store":
+		err = ErrNoStoreNoArgs
+	case "no-transform":
+		err = ErrNoTransformNoArgs
+	case "only-if-cached":
+		err = ErrOnlyIfCachedNoArgs
+	default:
+		// TODO(pquerna): this sucks, making user re-parse
+		cd.Extensions = append(cd.Extensions, token+"="+v)
+	}
+
+	return err
+}
+
+// LOW LEVEL API: Parses a Cache Control Header from a Request into a set of directives.
+func ParseRequestCacheControl(value string) (*RequestCacheDirectives, error) {
+	cd := &RequestCacheDirectives{
+		MaxAge:   -1,
+		MaxStale: -1,
+		MinFresh: -1,
+	}
+
+	err := parse(value, cd)
+	if err != nil {
+		return nil, err
+	}
+	return cd, nil
+}
+
+// LOW LEVEL API: Repersentation of possible response directives in a `Cache-Control` header: http://tools.ietf.org/html/rfc7234#section-5.2.2
+//
+// Note: Many fields will be `nil` in practice.
+//
+type ResponseCacheDirectives struct {
+
+	// must-revalidate(bool): http://tools.ietf.org/html/rfc7234#section-5.2.2.1
+	//
+	// The "must-revalidate" response directive indicates that once it has
+	// become stale, a cache MUST NOT use the response to satisfy subsequent
+	// requests without successful validation on the origin server.
+	MustRevalidate bool
+
+	// no-cache(FieldName): http://tools.ietf.org/html/rfc7234#section-5.2.2.2
+	//
+	// The "no-cache" response directive indicates that the response MUST
+	// NOT be used to satisfy a subsequent request without successful
+	// validation on the origin server.
+	//
+	// If the no-cache response directive specifies one or more field-names,
+	// then a cache MAY use the response to satisfy a subsequent request,
+	// subject to any other restrictions on caching.  However, any header
+	// fields in the response that have the field-name(s) listed MUST NOT be
+	// sent in the response to a subsequent request without successful
+	// revalidation with the origin server.
+	NoCache FieldNames
+
+	// no-cache(cast-to-bool): http://tools.ietf.org/html/rfc7234#section-5.2.2.2
+	//
+	// While the RFC defines optional field-names on a no-cache directive,
+	// many applications only want to know if any no-cache directives were
+	// present at all.
+	NoCachePresent bool
+
+	// no-store(bool): http://tools.ietf.org/html/rfc7234#section-5.2.2.3
+	//
+	// The "no-store" request directive indicates that a cache MUST NOT
+	// store any part of either this request or any response to it.  This
+	// directive applies to both private and shared caches.
+	NoStore bool
+
+	// no-transform(bool): http://tools.ietf.org/html/rfc7234#section-5.2.2.4
+	//
+	// The "no-transform" response directive indicates that an intermediary
+	// (regardless of whether it implements a cache) MUST NOT transform the
+	// payload, as defined in Section 5.7.2 of RFC7230.
+	NoTransform bool
+
+	// public(bool): http://tools.ietf.org/html/rfc7234#section-5.2.2.5
+	//
+	// The "public" response directive indicates that any cache MAY store
+	// the response, even if the response would normally be non-cacheable or
+	// cacheable only within a private cache.
+	Public bool
+
+	// private(FieldName): http://tools.ietf.org/html/rfc7234#section-5.2.2.6
+	//
+	// The "private" response directive indicates that the response message
+	// is intended for a single user and MUST NOT be stored by a shared
+	// cache.  A private cache MAY store the response and reuse it for later
+	// requests, even if the response would normally be non-cacheable.
+	//
+	// If the private response directive specifies one or more field-names,
+	// this requirement is limited to the field-values associated with the
+	// listed response header fields.  That is, a shared cache MUST NOT
+	// store the specified field-names(s), whereas it MAY store the
+	// remainder of the response message.
+	Private FieldNames
+
+	// private(cast-to-bool): http://tools.ietf.org/html/rfc7234#section-5.2.2.6
+	//
+	// While the RFC defines optional field-names on a private directive,
+	// many applications only want to know if any private directives were
+	// present at all.
+	PrivatePresent bool
+
+	// proxy-revalidate(bool): http://tools.ietf.org/html/rfc7234#section-5.2.2.7
+	//
+	// The "proxy-revalidate" response directive has the same meaning as the
+	// must-revalidate response directive, except that it does not apply to
+	// private caches.
+	ProxyRevalidate bool
+
+	// max-age(delta seconds): http://tools.ietf.org/html/rfc7234#section-5.2.2.8
+	//
+	// The "max-age" response directive indicates that the response is to be
+	// considered stale after its age is greater than the specified number
+	// of seconds.
+	MaxAge DeltaSeconds
+
+	// s-maxage(delta seconds): http://tools.ietf.org/html/rfc7234#section-5.2.2.9
+	//
+	// The "s-maxage" response directive indicates that, in shared caches,
+	// the maximum age specified by this directive overrides the maximum age
+	// specified by either the max-age directive or the Expires header
+	// field.  The s-maxage directive also implies the semantics of the
+	// proxy-revalidate response directive.
+	SMaxAge DeltaSeconds
+
+	////
+	// Experimental features
+	// - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#Extension_Cache-Control_directives
+	// - https://www.fastly.com/blog/stale-while-revalidate-stale-if-error-available-today
+	////
+
+	// immutable(cast-to-bool): experimental feature
+	Immutable bool
+
+	// stale-if-error(delta seconds): experimental feature
+	StaleIfError DeltaSeconds
+
+	// stale-while-revalidate(delta seconds): experimental feature
+	StaleWhileRevalidate DeltaSeconds
+
+	// Extensions: http://tools.ietf.org/html/rfc7234#section-5.2.3
+	//
+	// The Cache-Control header field can be extended through the use of one
+	// or more cache-extension tokens, each with an optional value.  A cache
+	// MUST ignore unrecognized cache directives.
+	Extensions []string
+}
+
+// LOW LEVEL API: Parses a Cache Control Header from a Response into a set of directives.
+func ParseResponseCacheControl(value string) (*ResponseCacheDirectives, error) {
+	cd := &ResponseCacheDirectives{
+		MaxAge:  -1,
+		SMaxAge: -1,
+		// Exerimantal stale timeouts
+		StaleIfError:         -1,
+		StaleWhileRevalidate: -1,
+	}
+
+	err := parse(value, cd)
+	if err != nil {
+		return nil, err
+	}
+	return cd, nil
+}
+
+func (cd *ResponseCacheDirectives) addToken(token string) error {
+	var err error = nil
+	switch token {
+	case "must-revalidate":
+		cd.MustRevalidate = true
+	case "no-cache":
+		cd.NoCachePresent = true
+	case "no-store":
+		cd.NoStore = true
+	case "no-transform":
+		cd.NoTransform = true
+	case "public":
+		cd.Public = true
+	case "private":
+		cd.PrivatePresent = true
+	case "proxy-revalidate":
+		cd.ProxyRevalidate = true
+	case "max-age":
+		err = ErrMaxAgeDeltaSeconds
+	case "s-maxage":
+		err = ErrSMaxAgeDeltaSeconds
+	// Experimental
+	case "immutable":
+		cd.Immutable = true
+	case "stale-if-error":
+		err = ErrMaxAgeDeltaSeconds
+	case "stale-while-revalidate":
+		err = ErrMaxAgeDeltaSeconds
+	default:
+		cd.Extensions = append(cd.Extensions, token)
+	}
+	return err
+}
+
+func hasFieldNames(token string) bool {
+	switch token {
+	case "no-cache":
+		return true
+	case "private":
+		return true
+	}
+	return false
+}
+
+func (cd *ResponseCacheDirectives) addPair(token string, v string) error {
+	var err error = nil
+
+	switch token {
+	case "must-revalidate":
+		err = ErrMustRevalidateNoArgs
+	case "no-cache":
+		cd.NoCachePresent = true
+		tokens := strings.Split(v, ",")
+		if cd.NoCache == nil {
+			cd.NoCache = make(FieldNames)
+		}
+		for _, t := range tokens {
+			k := http.CanonicalHeaderKey(textproto.TrimString(t))
+			cd.NoCache[k] = true
+		}
+	case "no-store":
+		err = ErrNoStoreNoArgs
+	case "no-transform":
+		err = ErrNoTransformNoArgs
+	case "public":
+		err = ErrPublicNoArgs
+	case "private":
+		cd.PrivatePresent = true
+		tokens := strings.Split(v, ",")
+		if cd.Private == nil {
+			cd.Private = make(FieldNames)
+		}
+		for _, t := range tokens {
+			k := http.CanonicalHeaderKey(textproto.TrimString(t))
+			cd.Private[k] = true
+		}
+	case "proxy-revalidate":
+		err = ErrProxyRevalidateNoArgs
+	case "max-age":
+		cd.MaxAge, err = parseDeltaSeconds(v)
+	case "s-maxage":
+		cd.SMaxAge, err = parseDeltaSeconds(v)
+	// Experimental
+	case "immutable":
+		err = ErrImmutableNoArgs
+	case "stale-if-error":
+		cd.StaleIfError, err = parseDeltaSeconds(v)
+	case "stale-while-revalidate":
+		cd.StaleWhileRevalidate, err = parseDeltaSeconds(v)
+	default:
+		// TODO(pquerna): this sucks, making user re-parse, and its technically not 'quoted' like the original,
+		// but this is still easier, just a SplitN on "="
+		cd.Extensions = append(cd.Extensions, token+"="+v)
+	}
+
+	return err
+}
diff --git a/vendor/github.com/pquerna/cachecontrol/cacheobject/lex.go b/vendor/github.com/pquerna/cachecontrol/cacheobject/lex.go
new file mode 100644
index 00000000..c658e09b
--- /dev/null
+++ b/vendor/github.com/pquerna/cachecontrol/cacheobject/lex.go
@@ -0,0 +1,93 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cacheobject
+
+// This file deals with lexical matters of HTTP
+
+func isSeparator(c byte) bool {
+	switch c {
+	case '(', ')', '<', '>', '@', ',', ';', ':', '\\', '"', '/', '[', ']', '?', '=', '{', '}', ' ', '\t':
+		return true
+	}
+	return false
+}
+
+func isCtl(c byte) bool { return (0 <= c && c <= 31) || c == 127 }
+
+func isChar(c byte) bool { return 0 <= c && c <= 127 }
+
+func isAnyText(c byte) bool { return !isCtl(c) }
+
+func isQdText(c byte) bool { return isAnyText(c) && c != '"' }
+
+func isToken(c byte) bool { return isChar(c) && !isCtl(c) && !isSeparator(c) }
+
+// Valid escaped sequences are not specified in RFC 2616, so for now, we assume
+// that they coincide with the common sense ones used by GO. Malformed
+// characters should probably not be treated as errors by a robust (forgiving)
+// parser, so we replace them with the '?' character.
+func httpUnquotePair(b byte) byte {
+	// skip the first byte, which should always be '\'
+	switch b {
+	case 'a':
+		return '\a'
+	case 'b':
+		return '\b'
+	case 'f':
+		return '\f'
+	case 'n':
+		return '\n'
+	case 'r':
+		return '\r'
+	case 't':
+		return '\t'
+	case 'v':
+		return '\v'
+	case '\\':
+		return '\\'
+	case '\'':
+		return '\''
+	case '"':
+		return '"'
+	}
+	return '?'
+}
+
+// raw must begin with a valid quoted string. Only the first quoted string is
+// parsed and is unquoted in result. eaten is the number of bytes parsed, or -1
+// upon failure.
+func httpUnquote(raw string) (eaten int, result string) {
+	buf := make([]byte, len(raw))
+	if raw[0] != '"' {
+		return -1, ""
+	}
+	eaten = 1
+	j := 0 // # of bytes written in buf
+	for i := 1; i < len(raw); i++ {
+		switch b := raw[i]; b {
+		case '"':
+			eaten++
+			buf = buf[0:j]
+			return i + 1, string(buf)
+		case '\\':
+			if len(raw) < i+2 {
+				return -1, ""
+			}
+			buf[j] = httpUnquotePair(raw[i+1])
+			eaten += 2
+			j++
+			i++
+		default:
+			if isQdText(b) {
+				buf[j] = b
+			} else {
+				buf[j] = '?'
+			}
+			eaten++
+			j++
+		}
+	}
+	return -1, ""
+}
diff --git a/vendor/github.com/pquerna/cachecontrol/cacheobject/object.go b/vendor/github.com/pquerna/cachecontrol/cacheobject/object.go
new file mode 100644
index 00000000..ae38a317
--- /dev/null
+++ b/vendor/github.com/pquerna/cachecontrol/cacheobject/object.go
@@ -0,0 +1,398 @@
+/**
+ *  Copyright 2015 Paul Querna
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package cacheobject
+
+import (
+	"net/http"
+	"time"
+)
+
+// LOW LEVEL API: Represents a potentially cachable HTTP object.
+//
+// This struct is designed to be serialized efficiently, so in a high
+// performance caching server, things like Date-Strings don't need to be
+// parsed for every use of a cached object.
+type Object struct {
+	CacheIsPrivate bool
+
+	RespDirectives         *ResponseCacheDirectives
+	RespHeaders            http.Header
+	RespStatusCode         int
+	RespExpiresHeader      time.Time
+	RespDateHeader         time.Time
+	RespLastModifiedHeader time.Time
+
+	ReqDirectives *RequestCacheDirectives
+	ReqHeaders    http.Header
+	ReqMethod     string
+
+	NowUTC time.Time
+}
+
+// LOW LEVEL API: Represents the results of examining an Object with
+// CachableObject and ExpirationObject.
+//
+// TODO(pquerna): decide if this is a good idea or bad
+type ObjectResults struct {
+	OutReasons        []Reason
+	OutWarnings       []Warning
+	OutExpirationTime time.Time
+	OutErr            error
+}
+
+// LOW LEVEL API: Check if a request is cacheable.
+// This function doesn't reset the passed ObjectResults.
+func CachableRequestObject(obj *Object, rv *ObjectResults) {
+	switch obj.ReqMethod {
+	case "GET":
+		break
+	case "HEAD":
+		break
+	case "POST":
+		// Responses to POST requests can be cacheable if they include explicit freshness information
+		break
+
+	case "PUT":
+		rv.OutReasons = append(rv.OutReasons, ReasonRequestMethodPUT)
+
+	case "DELETE":
+		rv.OutReasons = append(rv.OutReasons, ReasonRequestMethodDELETE)
+
+	case "CONNECT":
+		rv.OutReasons = append(rv.OutReasons, ReasonRequestMethodCONNECT)
+
+	case "OPTIONS":
+		rv.OutReasons = append(rv.OutReasons, ReasonRequestMethodOPTIONS)
+
+	case "TRACE":
+		rv.OutReasons = append(rv.OutReasons, ReasonRequestMethodTRACE)
+
+	// HTTP Extension Methods: http://www.iana.org/assignments/http-methods/http-methods.xhtml
+	//
+	// To my knowledge, none of them are cachable. Please open a ticket if this is not the case!
+	//
+	default:
+		rv.OutReasons = append(rv.OutReasons, ReasonRequestMethodUnknown)
+	}
+
+	if obj.ReqDirectives != nil && obj.ReqDirectives.NoStore {
+		rv.OutReasons = append(rv.OutReasons, ReasonRequestNoStore)
+	}
+}
+
+// LOW LEVEL API: Check if a response is cacheable.
+// This function doesn't reset the passed ObjectResults.
+func CachableResponseObject(obj *Object, rv *ObjectResults) {
+	/**
+	  POST: http://tools.ietf.org/html/rfc7231#section-4.3.3
+
+	  Responses to POST requests are only cacheable when they include
+	  explicit freshness information (see Section 4.2.1 of [RFC7234]).
+	  However, POST caching is not widely implemented.  For cases where an
+	  origin server wishes the client to be able to cache the result of a
+	  POST in a way that can be reused by a later GET, the origin server
+	  MAY send a 200 (OK) response containing the result and a
+	  Content-Location header field that has the same value as the POST's
+	  effective request URI (Section 3.1.4.2).
+	*/
+	if obj.ReqMethod == http.MethodPost && !hasFreshness(obj.RespDirectives, obj.RespHeaders, obj.RespExpiresHeader, obj.CacheIsPrivate) {
+		rv.OutReasons = append(rv.OutReasons, ReasonRequestMethodPOST)
+	}
+
+	// Storing Responses to Authenticated Requests: http://tools.ietf.org/html/rfc7234#section-3.2
+	if obj.ReqHeaders.Get("Authorization") != "" {
+		if obj.RespDirectives.MustRevalidate ||
+			obj.RespDirectives.Public ||
+			obj.RespDirectives.SMaxAge != -1 {
+			// Expires of some kind present, this is potentially OK.
+		} else {
+			rv.OutReasons = append(rv.OutReasons, ReasonRequestAuthorizationHeader)
+		}
+	}
+
+	if obj.RespDirectives.PrivatePresent && !obj.CacheIsPrivate {
+		rv.OutReasons = append(rv.OutReasons, ReasonResponsePrivate)
+	}
+
+	if obj.RespDirectives.NoStore {
+		rv.OutReasons = append(rv.OutReasons, ReasonResponseNoStore)
+	}
+
+	/*
+	   the response either:
+
+	     *  contains an Expires header field (see Section 5.3), or
+
+	     *  contains a max-age response directive (see Section 5.2.2.8), or
+
+	     *  contains a s-maxage response directive (see Section 5.2.2.9)
+	        and the cache is shared, or
+
+	     *  contains a Cache Control Extension (see Section 5.2.3) that
+	        allows it to be cached, or
+
+	     *  has a status code that is defined as cacheable by default (see
+	        Section 4.2.2), or
+
+	     *  contains a public response directive (see Section 5.2.2.5).
+	*/
+
+	if obj.RespHeaders.Get("Expires") != "" ||
+		obj.RespDirectives.MaxAge != -1 ||
+		(obj.RespDirectives.SMaxAge != -1 && !obj.CacheIsPrivate) ||
+		cachableStatusCode(obj.RespStatusCode) ||
+		obj.RespDirectives.Public {
+		/* cachable by default, at least one of the above conditions was true */
+		return
+	}
+
+	rv.OutReasons = append(rv.OutReasons, ReasonResponseUncachableByDefault)
+}
+
+// LOW LEVEL API: Check if a object is cachable.
+func CachableObject(obj *Object, rv *ObjectResults) {
+	rv.OutReasons = nil
+	rv.OutWarnings = nil
+	rv.OutErr = nil
+
+	CachableRequestObject(obj, rv)
+	CachableResponseObject(obj, rv)
+}
+
+var twentyFourHours = time.Duration(24 * time.Hour)
+
+const debug = false
+
+// LOW LEVEL API: Update an objects expiration time.
+func ExpirationObject(obj *Object, rv *ObjectResults) {
+	/**
+	 * Okay, lets calculate Freshness/Expiration now. woo:
+	 *  http://tools.ietf.org/html/rfc7234#section-4.2
+	 */
+
+	/*
+	   o  If the cache is shared and the s-maxage response directive
+	      (Section 5.2.2.9) is present, use its value, or
+
+	   o  If the max-age response directive (Section 5.2.2.8) is present,
+	      use its value, or
+
+	   o  If the Expires response header field (Section 5.3) is present, use
+	      its value minus the value of the Date response header field, or
+
+	   o  Otherwise, no explicit expiration time is present in the response.
+	      A heuristic freshness lifetime might be applicable; see
+	      Section 4.2.2.
+	*/
+
+	var expiresTime time.Time
+
+	if obj.RespDirectives.SMaxAge != -1 && !obj.CacheIsPrivate {
+		expiresTime = obj.NowUTC.Add(time.Second * time.Duration(obj.RespDirectives.SMaxAge))
+	} else if obj.RespDirectives.MaxAge != -1 {
+		expiresTime = obj.NowUTC.UTC().Add(time.Second * time.Duration(obj.RespDirectives.MaxAge))
+	} else if !obj.RespExpiresHeader.IsZero() {
+		serverDate := obj.RespDateHeader
+		if serverDate.IsZero() {
+			// common enough case when a Date: header has not yet been added to an
+			// active response.
+			serverDate = obj.NowUTC
+		}
+		expiresTime = obj.NowUTC.Add(obj.RespExpiresHeader.Sub(serverDate))
+	} else if !obj.RespLastModifiedHeader.IsZero() {
+		// heuristic freshness lifetime
+		rv.OutWarnings = append(rv.OutWarnings, WarningHeuristicExpiration)
+
+		// http://httpd.apache.org/docs/2.4/mod/mod_cache.html#cachelastmodifiedfactor
+		// CacheMaxExpire defaults to 24 hours
+		// CacheLastModifiedFactor: is 0.1
+		//
+		// expiry-period = MIN(time-since-last-modified-date * factor, 24 hours)
+		//
+		// obj.NowUTC
+
+		since := obj.RespLastModifiedHeader.Sub(obj.NowUTC)
+		since = time.Duration(float64(since) * -0.1)
+
+		if since > twentyFourHours {
+			expiresTime = obj.NowUTC.Add(twentyFourHours)
+		} else {
+			expiresTime = obj.NowUTC.Add(since)
+		}
+
+		if debug {
+			println("Now UTC: ", obj.NowUTC.String())
+			println("Last-Modified: ", obj.RespLastModifiedHeader.String())
+			println("Since: ", since.String())
+			println("TwentyFourHours: ", twentyFourHours.String())
+			println("Expiration: ", expiresTime.String())
+		}
+	} else {
+		// TODO(pquerna): what should the default behavior be for expiration time?
+	}
+
+	rv.OutExpirationTime = expiresTime
+}
+
+// Evaluate cachability based on an HTTP request, and parts of the response.
+func UsingRequestResponse(req *http.Request,
+	statusCode int,
+	respHeaders http.Header,
+	privateCache bool) ([]Reason, time.Time, error) {
+	reasons, time, _, _, err := UsingRequestResponseWithObject(req, statusCode, respHeaders, privateCache)
+	return reasons, time, err
+}
+
+// Evaluate cachability based on an HTTP request, and parts of the response.
+// Returns the parsed Object as well.
+func UsingRequestResponseWithObject(req *http.Request,
+	statusCode int,
+	respHeaders http.Header,
+	privateCache bool) ([]Reason, time.Time, []Warning, *Object, error) {
+	var reqHeaders http.Header
+	var reqMethod string
+
+	var reqDir *RequestCacheDirectives = nil
+	respDir, err := ParseResponseCacheControl(respHeaders.Get("Cache-Control"))
+	if err != nil {
+		return nil, time.Time{}, nil, nil, err
+	}
+
+	if req != nil {
+		reqDir, err = ParseRequestCacheControl(req.Header.Get("Cache-Control"))
+		if err != nil {
+			return nil, time.Time{}, nil, nil, err
+		}
+		reqHeaders = req.Header
+		reqMethod = req.Method
+	}
+
+	var expiresHeader time.Time
+	var dateHeader time.Time
+	var lastModifiedHeader time.Time
+
+	if respHeaders.Get("Expires") != "" {
+		expiresHeader, err = http.ParseTime(respHeaders.Get("Expires"))
+		if err != nil {
+			// sometimes servers will return `Expires: 0` or `Expires: -1` to
+			// indicate expired content
+			expiresHeader = time.Time{}
+		}
+		expiresHeader = expiresHeader.UTC()
+	}
+
+	if respHeaders.Get("Date") != "" {
+		dateHeader, err = http.ParseTime(respHeaders.Get("Date"))
+		if err != nil {
+			return nil, time.Time{}, nil, nil, err
+		}
+		dateHeader = dateHeader.UTC()
+	}
+
+	if respHeaders.Get("Last-Modified") != "" {
+		lastModifiedHeader, err = http.ParseTime(respHeaders.Get("Last-Modified"))
+		if err != nil {
+			return nil, time.Time{}, nil, nil, err
+		}
+		lastModifiedHeader = lastModifiedHeader.UTC()
+	}
+
+	obj := Object{
+		CacheIsPrivate: privateCache,
+
+		RespDirectives:         respDir,
+		RespHeaders:            respHeaders,
+		RespStatusCode:         statusCode,
+		RespExpiresHeader:      expiresHeader,
+		RespDateHeader:         dateHeader,
+		RespLastModifiedHeader: lastModifiedHeader,
+
+		ReqDirectives: reqDir,
+		ReqHeaders:    reqHeaders,
+		ReqMethod:     reqMethod,
+
+		NowUTC: time.Now().UTC(),
+	}
+	rv := ObjectResults{}
+
+	CachableObject(&obj, &rv)
+	if rv.OutErr != nil {
+		return nil, time.Time{}, nil, nil, rv.OutErr
+	}
+
+	ExpirationObject(&obj, &rv)
+	if rv.OutErr != nil {
+		return nil, time.Time{}, nil, nil, rv.OutErr
+	}
+
+	return rv.OutReasons, rv.OutExpirationTime, rv.OutWarnings, &obj, nil
+}
+
+// calculate if a freshness directive is present: http://tools.ietf.org/html/rfc7234#section-4.2.1
+func hasFreshness(respDir *ResponseCacheDirectives, respHeaders http.Header, respExpires time.Time, privateCache bool) bool {
+	if !privateCache && respDir.SMaxAge != -1 {
+		return true
+	}
+
+	if respDir.MaxAge != -1 {
+		return true
+	}
+
+	if !respExpires.IsZero() || respHeaders.Get("Expires") != "" {
+		return true
+	}
+
+	return false
+}
+
+func cachableStatusCode(statusCode int) bool {
+	/*
+		Responses with status codes that are defined as cacheable by default
+		(e.g., 200, 203, 204, 206, 300, 301, 404, 405, 410, 414, and 501 in
+		this specification) can be reused by a cache with heuristic
+		expiration unless otherwise indicated by the method definition or
+		explicit cache controls [RFC7234]; all other status codes are not
+		cacheable by default.
+	*/
+	switch statusCode {
+	case 200:
+		return true
+	case 203:
+		return true
+	case 204:
+		return true
+	case 206:
+		return true
+	case 300:
+		return true
+	case 301:
+		return true
+	case 404:
+		return true
+	case 405:
+		return true
+	case 410:
+		return true
+	case 414:
+		return true
+	case 501:
+		return true
+	default:
+		return false
+	}
+}
diff --git a/vendor/github.com/pquerna/cachecontrol/cacheobject/reasons.go b/vendor/github.com/pquerna/cachecontrol/cacheobject/reasons.go
new file mode 100644
index 00000000..2e75ae72
--- /dev/null
+++ b/vendor/github.com/pquerna/cachecontrol/cacheobject/reasons.go
@@ -0,0 +1,95 @@
+/**
+ *  Copyright 2015 Paul Querna
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package cacheobject
+
+// Repersents a potential Reason to not cache an object.
+//
+// Applications may wish to ignore specific reasons, which will make them non-RFC
+// compliant, but this type gives them specific cases they can choose to ignore,
+// making them compliant in as many cases as they can.
+type Reason int
+
+const (
+
+	// The request method was POST and an Expiration header was not supplied.
+	ReasonRequestMethodPOST Reason = iota
+
+	// The request method was PUT and PUTs are not cachable.
+	ReasonRequestMethodPUT
+
+	// The request method was DELETE and DELETEs are not cachable.
+	ReasonRequestMethodDELETE
+
+	// The request method was CONNECT and CONNECTs are not cachable.
+	ReasonRequestMethodCONNECT
+
+	// The request method was OPTIONS and OPTIONS are not cachable.
+	ReasonRequestMethodOPTIONS
+
+	// The request method was TRACE and TRACEs are not cachable.
+	ReasonRequestMethodTRACE
+
+	// The request method was not recognized by cachecontrol, and should not be cached.
+	ReasonRequestMethodUnknown
+
+	// The request included an Cache-Control: no-store header
+	ReasonRequestNoStore
+
+	// The request included an Authorization header without an explicit Public or Expiration time: http://tools.ietf.org/html/rfc7234#section-3.2
+	ReasonRequestAuthorizationHeader
+
+	// The response included an Cache-Control: no-store header
+	ReasonResponseNoStore
+
+	// The response included an Cache-Control: private header and this is not a Private cache
+	ReasonResponsePrivate
+
+	// The response failed to meet at least one of the conditions specified in RFC 7234 section 3: http://tools.ietf.org/html/rfc7234#section-3
+	ReasonResponseUncachableByDefault
+)
+
+func (r Reason) String() string {
+	switch r {
+	case ReasonRequestMethodPOST:
+		return "ReasonRequestMethodPOST"
+	case ReasonRequestMethodPUT:
+		return "ReasonRequestMethodPUT"
+	case ReasonRequestMethodDELETE:
+		return "ReasonRequestMethodDELETE"
+	case ReasonRequestMethodCONNECT:
+		return "ReasonRequestMethodCONNECT"
+	case ReasonRequestMethodOPTIONS:
+		return "ReasonRequestMethodOPTIONS"
+	case ReasonRequestMethodTRACE:
+		return "ReasonRequestMethodTRACE"
+	case ReasonRequestMethodUnknown:
+		return "ReasonRequestMethodUnkown"
+	case ReasonRequestNoStore:
+		return "ReasonRequestNoStore"
+	case ReasonRequestAuthorizationHeader:
+		return "ReasonRequestAuthorizationHeader"
+	case ReasonResponseNoStore:
+		return "ReasonResponseNoStore"
+	case ReasonResponsePrivate:
+		return "ReasonResponsePrivate"
+	case ReasonResponseUncachableByDefault:
+		return "ReasonResponseUncachableByDefault"
+	}
+
+	panic(r)
+}
diff --git a/vendor/github.com/pquerna/cachecontrol/cacheobject/warning.go b/vendor/github.com/pquerna/cachecontrol/cacheobject/warning.go
new file mode 100644
index 00000000..82f89413
--- /dev/null
+++ b/vendor/github.com/pquerna/cachecontrol/cacheobject/warning.go
@@ -0,0 +1,107 @@
+/**
+ *  Copyright 2015 Paul Querna
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package cacheobject
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+)
+
+// Repersents an HTTP Warning: http://tools.ietf.org/html/rfc7234#section-5.5
+type Warning int
+
+const (
+	// Response is Stale
+	// A cache SHOULD generate this whenever the sent response is stale.
+	WarningResponseIsStale Warning = 110
+
+	// Revalidation Failed
+	// A cache SHOULD generate this when sending a stale
+	// response because an attempt to validate the response failed, due to an
+	// inability to reach the server.
+	WarningRevalidationFailed Warning = 111
+
+	// Disconnected Operation
+	// A cache SHOULD generate this if it is intentionally disconnected from
+	// the rest of the network for a period of time.
+	WarningDisconnectedOperation Warning = 112
+
+	// Heuristic Expiration
+	//
+	// A cache SHOULD generate this if it heuristically chose a freshness
+	// lifetime greater than 24 hours and the response's age is greater than
+	// 24 hours.
+	WarningHeuristicExpiration Warning = 113
+
+	// Miscellaneous Warning
+	//
+	// The warning text can include arbitrary information to be presented to
+	// a human user or logged.  A system receiving this warning MUST NOT
+	// take any automated action, besides presenting the warning to the
+	// user.
+	WarningMiscellaneousWarning Warning = 199
+
+	// Transformation Applied
+	//
+	// This Warning code MUST be added by a proxy if it applies any
+	// transformation to the representation, such as changing the
+	// content-coding, media-type, or modifying the representation data,
+	// unless this Warning code already appears in the response.
+	WarningTransformationApplied Warning = 214
+
+	// Miscellaneous Persistent Warning
+	//
+	// The warning text can include arbitrary information to be presented to
+	// a human user or logged.  A system receiving this warning MUST NOT
+	// take any automated action.
+	WarningMiscellaneousPersistentWarning Warning = 299
+)
+
+func (w Warning) HeaderString(agent string, date time.Time) string {
+	if agent == "" {
+		agent = "-"
+	} else {
+		// TODO(pquerna): this doesn't escape agent if it contains bad things.
+		agent = `"` + agent + `"`
+	}
+	return fmt.Sprintf(`%d %s "%s" %s`, w, agent, w.String(), date.Format(http.TimeFormat))
+}
+
+func (w Warning) String() string {
+	switch w {
+	case WarningResponseIsStale:
+		return "Response is Stale"
+	case WarningRevalidationFailed:
+		return "Revalidation Failed"
+	case WarningDisconnectedOperation:
+		return "Disconnected Operation"
+	case WarningHeuristicExpiration:
+		return "Heuristic Expiration"
+	case WarningMiscellaneousWarning:
+		// TODO(pquerna): ideally had a better way to override this one code.
+		return "Miscellaneous Warning"
+	case WarningTransformationApplied:
+		return "Transformation Applied"
+	case WarningMiscellaneousPersistentWarning:
+		// TODO(pquerna): same as WarningMiscellaneousWarning
+		return "Miscellaneous Persistent Warning"
+	}
+
+	panic(w)
+}
diff --git a/vendor/github.com/pquerna/cachecontrol/doc.go b/vendor/github.com/pquerna/cachecontrol/doc.go
new file mode 100644
index 00000000..3fe7ed0d
--- /dev/null
+++ b/vendor/github.com/pquerna/cachecontrol/doc.go
@@ -0,0 +1,25 @@
+/**
+ *  Copyright 2015 Paul Querna
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+// Package cachecontrol implements the logic for HTTP Caching
+//
+// Deciding if an HTTP Response can be cached is often harder
+// and more bug prone than an actual cache storage backend.
+// cachecontrol provides a simple interface to determine if
+// request and response pairs are cachable as defined under
+// RFC 7234 http://tools.ietf.org/html/rfc7234
+package cachecontrol
diff --git a/vendor/golang.org/x/crypto/ed25519/ed25519.go b/vendor/golang.org/x/crypto/ed25519/ed25519.go
new file mode 100644
index 00000000..59b3a95a
--- /dev/null
+++ b/vendor/golang.org/x/crypto/ed25519/ed25519.go
@@ -0,0 +1,69 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package ed25519 implements the Ed25519 signature algorithm. See
+// https://ed25519.cr.yp.to/.
+//
+// These functions are also compatible with the “Ed25519� function defined in
+// RFC 8032. However, unlike RFC 8032's formulation, this package's private key
+// representation includes a public key suffix to make multiple signing
+// operations with the same key more efficient. This package refers to the RFC
+// 8032 private key as the “seed�.
+//
+// This package is a wrapper around the standard library crypto/ed25519 package.
+package ed25519
+
+import (
+	"crypto/ed25519"
+	"io"
+)
+
+const (
+	// PublicKeySize is the size, in bytes, of public keys as used in this package.
+	PublicKeySize = 32
+	// PrivateKeySize is the size, in bytes, of private keys as used in this package.
+	PrivateKeySize = 64
+	// SignatureSize is the size, in bytes, of signatures generated and verified by this package.
+	SignatureSize = 64
+	// SeedSize is the size, in bytes, of private key seeds. These are the private key representations used by RFC 8032.
+	SeedSize = 32
+)
+
+// PublicKey is the type of Ed25519 public keys.
+//
+// This type is an alias for crypto/ed25519's PublicKey type.
+// See the crypto/ed25519 package for the methods on this type.
+type PublicKey = ed25519.PublicKey
+
+// PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer.
+//
+// This type is an alias for crypto/ed25519's PrivateKey type.
+// See the crypto/ed25519 package for the methods on this type.
+type PrivateKey = ed25519.PrivateKey
+
+// GenerateKey generates a public/private key pair using entropy from rand.
+// If rand is nil, crypto/rand.Reader will be used.
+func GenerateKey(rand io.Reader) (PublicKey, PrivateKey, error) {
+	return ed25519.GenerateKey(rand)
+}
+
+// NewKeyFromSeed calculates a private key from a seed. It will panic if
+// len(seed) is not SeedSize. This function is provided for interoperability
+// with RFC 8032. RFC 8032's private keys correspond to seeds in this
+// package.
+func NewKeyFromSeed(seed []byte) PrivateKey {
+	return ed25519.NewKeyFromSeed(seed)
+}
+
+// Sign signs the message with privateKey and returns a signature. It will
+// panic if len(privateKey) is not PrivateKeySize.
+func Sign(privateKey PrivateKey, message []byte) []byte {
+	return ed25519.Sign(privateKey, message)
+}
+
+// Verify reports whether sig is a valid signature of message by publicKey. It
+// will panic if len(publicKey) is not PublicKeySize.
+func Verify(publicKey PublicKey, message, sig []byte) bool {
+	return ed25519.Verify(publicKey, message, sig)
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/.gitcookies.sh.enc b/vendor/gopkg.in/go-jose/go-jose.v2/.gitcookies.sh.enc
new file mode 100644
index 00000000..730e569b
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/.gitcookies.sh.enc
@@ -0,0 +1 @@
+'|Ê&{tÄU|gGê(ì�Cy=+¨œòcû:u:/pœ#~žü["±4¤!­nÙAªDK<ŠufÿhÅa¿Â:ºü¸¡´B/£Ø¤¹¤ò_�hÎÛSãT*wÌx¼¯�¹-ç|�àÀÓƒÑÄäóÌ㣗A$$â6£ÁâG)8nÏpûÆË¡3ÌšœoïÏvŽB–3¿­]xÝ“Ó2l§G•|qRÞ¯
ö2
5R–Ó×Ç$´ñ½Yè¡ÞÝ™l‘Ë«yAI"ÛŒ˜®íû¹¼kÄ|Kåþ[9ÆâÒå=°úÿŸñ|@S•3ó#æ�x?¾V„,¾‚SÆÝõœwPíogÒ6&V6	©D.dBŠ7
\ No newline at end of file
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/.gitignore b/vendor/gopkg.in/go-jose/go-jose.v2/.gitignore
new file mode 100644
index 00000000..95a85158
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/.gitignore
@@ -0,0 +1,8 @@
+*~
+.*.swp
+*.out
+*.test
+*.pem
+*.cov
+jose-util/jose-util
+jose-util.t.err
\ No newline at end of file
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/.travis.yml b/vendor/gopkg.in/go-jose/go-jose.v2/.travis.yml
new file mode 100644
index 00000000..391b99a4
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/.travis.yml
@@ -0,0 +1,45 @@
+language: go
+
+sudo: false
+
+matrix:
+  fast_finish: true
+  allow_failures:
+    - go: tip
+
+go:
+- '1.14.x'
+- '1.15.x'
+- tip
+
+go_import_path: gopkg.in/square/go-jose.v2
+
+before_script:
+- export PATH=$HOME/.local/bin:$PATH
+
+before_install:
+# Install encrypted gitcookies to get around bandwidth-limits
+# that is causing Travis-CI builds to fail. For more info, see
+# https://github.com/golang/go/issues/12933
+- openssl aes-256-cbc -K $encrypted_1528c3c2cafd_key -iv $encrypted_1528c3c2cafd_iv -in .gitcookies.sh.enc -out .gitcookies.sh -d || true
+- bash .gitcookies.sh || true
+- go get github.com/wadey/gocovmerge
+- go get github.com/mattn/goveralls
+- go get github.com/stretchr/testify/assert
+- go get github.com/stretchr/testify/require
+- go get github.com/google/go-cmp/cmp
+- go get golang.org/x/tools/cmd/cover || true
+- go get code.google.com/p/go.tools/cmd/cover || true
+- pip install cram --user
+
+script:
+- go test . -v -covermode=count -coverprofile=profile.cov
+- go test ./cipher -v -covermode=count -coverprofile=cipher/profile.cov
+- go test ./jwt -v -covermode=count -coverprofile=jwt/profile.cov
+- go test ./json -v # no coverage for forked encoding/json package
+- cd jose-util && go build && PATH=$PWD:$PATH cram -v jose-util.t # cram tests jose-util
+- cd ..
+
+after_success:
+- gocovmerge *.cov */*.cov > merged.coverprofile
+- $HOME/gopath/bin/goveralls -coverprofile merged.coverprofile -service=travis-ci
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md b/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md
new file mode 100644
index 00000000..8e6e9132
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md
@@ -0,0 +1,84 @@
+# v4.0.1
+
+## Fixed
+
+ - An attacker could send a JWE containing compressed data that used large
+   amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`.
+   Those functions now return an error if the decompressed data would exceed
+   250kB or 10x the compressed size (whichever is larger). Thanks to
+   Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
+   for reporting.
+
+# v4.0.0
+
+This release makes some breaking changes in order to more thoroughly
+address the vulnerabilities discussed in [Three New Attacks Against JSON Web
+Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
+token".
+
+## Changed
+
+ - Limit JWT encryption types (exclude password or public key types) (#78)
+ - Enforce minimum length for HMAC keys (#85)
+ - jwt: match any audience in a list, rather than requiring all audiences (#81)
+ - jwt: accept only Compact Serialization (#75)
+ - jws: Add expected algorithms for signatures (#74)
+ - Require specifying expected algorithms for ParseEncrypted,
+   ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
+   jwt.ParseSignedAndEncrypted (#69, #74)
+   - Usually there is a small, known set of appropriate algorithms for a program
+     to use and it's a mistake to allow unexpected algorithms. For instance the
+     "billion hash attack" relies in part on programs accepting the PBES2
+     encryption algorithm and doing the necessary work even if they weren't
+     specifically configured to allow PBES2.
+ - Revert "Strip padding off base64 strings" (#82)
+  - The specs require base64url encoding without padding.
+ - Minimum supported Go version is now 1.21
+
+## Added
+
+ - ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
+   - These allow parsing a specific serialization, as opposed to ParseSigned and
+     ParseEncrypted, which try to automatically detect which serialization was
+     provided. It's common to require a specific serialization for a specific
+     protocol - for instance JWT requires Compact serialization.
+
+[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
+
+# v3.0.3
+
+## Fixed
+
+ - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
+
+# v3.0.2
+
+## Fixed
+
+ - DecryptMulti: handle decompression error (#19)
+
+## Changed
+
+ - jwe/CompactSerialize: improve performance (#67)
+ - Increase the default number of PBKDF2 iterations to 600k (#48)
+ - Return the proper algorithm for ECDSA keys (#45)
+
+## Added
+
+ - Add Thumbprint support for opaque signers (#38)
+
+# v3.0.1
+
+## Fixed
+
+ - Security issue: an attacker specifying a large "p2c" value can cause
+   JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large
+   amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the
+   disclosure and to Tom Tervoort for originally publishing the category of attack.
+   https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
+
+# v2.6.3
+
+## Fixed
+
+ - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/CONTRIBUTING.md b/vendor/gopkg.in/go-jose/go-jose.v2/CONTRIBUTING.md
new file mode 100644
index 00000000..61b18365
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/CONTRIBUTING.md
@@ -0,0 +1,14 @@
+# Contributing
+
+If you would like to contribute code to go-jose you can do so through GitHub by
+forking the repository and sending a pull request.
+
+When submitting code, please make every effort to follow existing conventions
+and style in order to keep the code as readable as possible. Please also make
+sure all tests pass by running `go test`, and format your code with `go fmt`.
+We also recommend using `golint` and `errcheck`.
+
+Before your code can be accepted into the project you must also sign the
+[Individual Contributor License Agreement][1].
+
+ [1]: https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ&ndplr=1
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/LICENSE b/vendor/gopkg.in/go-jose/go-jose.v2/LICENSE
new file mode 100644
index 00000000..d6456956
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/README.md b/vendor/gopkg.in/go-jose/go-jose.v2/README.md
new file mode 100644
index 00000000..b877f412
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/README.md
@@ -0,0 +1,4 @@
+# go-jose v2
+
+Version 2 of this library is no longer supported. [Please use v4
+instead](https://pkg.go.dev/github.com/go-jose/go-jose/v4).
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go b/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go
new file mode 100644
index 00000000..43f9ce2f
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go
@@ -0,0 +1,595 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"crypto"
+	"crypto/aes"
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"math/big"
+
+	"golang.org/x/crypto/ed25519"
+	josecipher "gopkg.in/go-jose/go-jose.v2/cipher"
+	"gopkg.in/go-jose/go-jose.v2/json"
+)
+
+// A generic RSA-based encrypter/verifier
+type rsaEncrypterVerifier struct {
+	publicKey *rsa.PublicKey
+}
+
+// A generic RSA-based decrypter/signer
+type rsaDecrypterSigner struct {
+	privateKey *rsa.PrivateKey
+}
+
+// A generic EC-based encrypter/verifier
+type ecEncrypterVerifier struct {
+	publicKey *ecdsa.PublicKey
+}
+
+type edEncrypterVerifier struct {
+	publicKey ed25519.PublicKey
+}
+
+// A key generator for ECDH-ES
+type ecKeyGenerator struct {
+	size      int
+	algID     string
+	publicKey *ecdsa.PublicKey
+}
+
+// A generic EC-based decrypter/signer
+type ecDecrypterSigner struct {
+	privateKey *ecdsa.PrivateKey
+}
+
+type edDecrypterSigner struct {
+	privateKey ed25519.PrivateKey
+}
+
+// newRSARecipient creates recipientKeyInfo based on the given key.
+func newRSARecipient(keyAlg KeyAlgorithm, publicKey *rsa.PublicKey) (recipientKeyInfo, error) {
+	// Verify that key management algorithm is supported by this encrypter
+	switch keyAlg {
+	case RSA1_5, RSA_OAEP, RSA_OAEP_256:
+	default:
+		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	if publicKey == nil {
+		return recipientKeyInfo{}, errors.New("invalid public key")
+	}
+
+	return recipientKeyInfo{
+		keyAlg: keyAlg,
+		keyEncrypter: &rsaEncrypterVerifier{
+			publicKey: publicKey,
+		},
+	}, nil
+}
+
+// newRSASigner creates a recipientSigInfo based on the given key.
+func newRSASigner(sigAlg SignatureAlgorithm, privateKey *rsa.PrivateKey) (recipientSigInfo, error) {
+	// Verify that key management algorithm is supported by this encrypter
+	switch sigAlg {
+	case RS256, RS384, RS512, PS256, PS384, PS512:
+	default:
+		return recipientSigInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	if privateKey == nil {
+		return recipientSigInfo{}, errors.New("invalid private key")
+	}
+
+	return recipientSigInfo{
+		sigAlg: sigAlg,
+		publicKey: staticPublicKey(&JSONWebKey{
+			Key: privateKey.Public(),
+		}),
+		signer: &rsaDecrypterSigner{
+			privateKey: privateKey,
+		},
+	}, nil
+}
+
+func newEd25519Signer(sigAlg SignatureAlgorithm, privateKey ed25519.PrivateKey) (recipientSigInfo, error) {
+	if sigAlg != EdDSA {
+		return recipientSigInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	if privateKey == nil {
+		return recipientSigInfo{}, errors.New("invalid private key")
+	}
+	return recipientSigInfo{
+		sigAlg: sigAlg,
+		publicKey: staticPublicKey(&JSONWebKey{
+			Key: privateKey.Public(),
+		}),
+		signer: &edDecrypterSigner{
+			privateKey: privateKey,
+		},
+	}, nil
+}
+
+// newECDHRecipient creates recipientKeyInfo based on the given key.
+func newECDHRecipient(keyAlg KeyAlgorithm, publicKey *ecdsa.PublicKey) (recipientKeyInfo, error) {
+	// Verify that key management algorithm is supported by this encrypter
+	switch keyAlg {
+	case ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:
+	default:
+		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	if publicKey == nil || !publicKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
+		return recipientKeyInfo{}, errors.New("invalid public key")
+	}
+
+	return recipientKeyInfo{
+		keyAlg: keyAlg,
+		keyEncrypter: &ecEncrypterVerifier{
+			publicKey: publicKey,
+		},
+	}, nil
+}
+
+// newECDSASigner creates a recipientSigInfo based on the given key.
+func newECDSASigner(sigAlg SignatureAlgorithm, privateKey *ecdsa.PrivateKey) (recipientSigInfo, error) {
+	// Verify that key management algorithm is supported by this encrypter
+	switch sigAlg {
+	case ES256, ES384, ES512:
+	default:
+		return recipientSigInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	if privateKey == nil {
+		return recipientSigInfo{}, errors.New("invalid private key")
+	}
+
+	return recipientSigInfo{
+		sigAlg: sigAlg,
+		publicKey: staticPublicKey(&JSONWebKey{
+			Key: privateKey.Public(),
+		}),
+		signer: &ecDecrypterSigner{
+			privateKey: privateKey,
+		},
+	}, nil
+}
+
+// Encrypt the given payload and update the object.
+func (ctx rsaEncrypterVerifier) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
+	encryptedKey, err := ctx.encrypt(cek, alg)
+	if err != nil {
+		return recipientInfo{}, err
+	}
+
+	return recipientInfo{
+		encryptedKey: encryptedKey,
+		header:       &rawHeader{},
+	}, nil
+}
+
+// Encrypt the given payload. Based on the key encryption algorithm,
+// this will either use RSA-PKCS1v1.5 or RSA-OAEP (with SHA-1 or SHA-256).
+func (ctx rsaEncrypterVerifier) encrypt(cek []byte, alg KeyAlgorithm) ([]byte, error) {
+	switch alg {
+	case RSA1_5:
+		return rsa.EncryptPKCS1v15(RandReader, ctx.publicKey, cek)
+	case RSA_OAEP:
+		return rsa.EncryptOAEP(sha1.New(), RandReader, ctx.publicKey, cek, []byte{})
+	case RSA_OAEP_256:
+		return rsa.EncryptOAEP(sha256.New(), RandReader, ctx.publicKey, cek, []byte{})
+	}
+
+	return nil, ErrUnsupportedAlgorithm
+}
+
+// Decrypt the given payload and return the content encryption key.
+func (ctx rsaDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
+	return ctx.decrypt(recipient.encryptedKey, headers.getAlgorithm(), generator)
+}
+
+// Decrypt the given payload. Based on the key encryption algorithm,
+// this will either use RSA-PKCS1v1.5 or RSA-OAEP (with SHA-1 or SHA-256).
+func (ctx rsaDecrypterSigner) decrypt(jek []byte, alg KeyAlgorithm, generator keyGenerator) ([]byte, error) {
+	// Note: The random reader on decrypt operations is only used for blinding,
+	// so stubbing is meanlingless (hence the direct use of rand.Reader).
+	switch alg {
+	case RSA1_5:
+		defer func() {
+			// DecryptPKCS1v15SessionKey sometimes panics on an invalid payload
+			// because of an index out of bounds error, which we want to ignore.
+			// This has been fixed in Go 1.3.1 (released 2014/08/13), the recover()
+			// only exists for preventing crashes with unpatched versions.
+			// See: https://groups.google.com/forum/#!topic/golang-dev/7ihX6Y6kx9k
+			// See: https://code.google.com/p/go/source/detail?r=58ee390ff31602edb66af41ed10901ec95904d33
+			_ = recover()
+		}()
+
+		// Perform some input validation.
+		keyBytes := ctx.privateKey.PublicKey.N.BitLen() / 8
+		if keyBytes != len(jek) {
+			// Input size is incorrect, the encrypted payload should always match
+			// the size of the public modulus (e.g. using a 2048 bit key will
+			// produce 256 bytes of output). Reject this since it's invalid input.
+			return nil, ErrCryptoFailure
+		}
+
+		cek, _, err := generator.genKey()
+		if err != nil {
+			return nil, ErrCryptoFailure
+		}
+
+		// When decrypting an RSA-PKCS1v1.5 payload, we must take precautions to
+		// prevent chosen-ciphertext attacks as described in RFC 3218, "Preventing
+		// the Million Message Attack on Cryptographic Message Syntax". We are
+		// therefore deliberately ignoring errors here.
+		_ = rsa.DecryptPKCS1v15SessionKey(rand.Reader, ctx.privateKey, jek, cek)
+
+		return cek, nil
+	case RSA_OAEP:
+		// Use rand.Reader for RSA blinding
+		return rsa.DecryptOAEP(sha1.New(), rand.Reader, ctx.privateKey, jek, []byte{})
+	case RSA_OAEP_256:
+		// Use rand.Reader for RSA blinding
+		return rsa.DecryptOAEP(sha256.New(), rand.Reader, ctx.privateKey, jek, []byte{})
+	}
+
+	return nil, ErrUnsupportedAlgorithm
+}
+
+// Sign the given payload
+func (ctx rsaDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
+	var hash crypto.Hash
+
+	switch alg {
+	case RS256, PS256:
+		hash = crypto.SHA256
+	case RS384, PS384:
+		hash = crypto.SHA384
+	case RS512, PS512:
+		hash = crypto.SHA512
+	default:
+		return Signature{}, ErrUnsupportedAlgorithm
+	}
+
+	hasher := hash.New()
+
+	// According to documentation, Write() on hash never fails
+	_, _ = hasher.Write(payload)
+	hashed := hasher.Sum(nil)
+
+	var out []byte
+	var err error
+
+	switch alg {
+	case RS256, RS384, RS512:
+		// TODO(https://github.com/go-jose/go-jose/issues/40): As of go1.20, the
+		// random parameter is legacy and ignored, and it can be nil.
+		// https://cs.opensource.google/go/go/+/refs/tags/go1.20:src/crypto/rsa/pkcs1v15.go;l=263;bpv=0;bpt=1
+		out, err = rsa.SignPKCS1v15(RandReader, ctx.privateKey, hash, hashed)
+	case PS256, PS384, PS512:
+		out, err = rsa.SignPSS(RandReader, ctx.privateKey, hash, hashed, &rsa.PSSOptions{
+			SaltLength: rsa.PSSSaltLengthEqualsHash,
+		})
+	}
+
+	if err != nil {
+		return Signature{}, err
+	}
+
+	return Signature{
+		Signature: out,
+		protected: &rawHeader{},
+	}, nil
+}
+
+// Verify the given payload
+func (ctx rsaEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
+	var hash crypto.Hash
+
+	switch alg {
+	case RS256, PS256:
+		hash = crypto.SHA256
+	case RS384, PS384:
+		hash = crypto.SHA384
+	case RS512, PS512:
+		hash = crypto.SHA512
+	default:
+		return ErrUnsupportedAlgorithm
+	}
+
+	hasher := hash.New()
+
+	// According to documentation, Write() on hash never fails
+	_, _ = hasher.Write(payload)
+	hashed := hasher.Sum(nil)
+
+	switch alg {
+	case RS256, RS384, RS512:
+		return rsa.VerifyPKCS1v15(ctx.publicKey, hash, hashed, signature)
+	case PS256, PS384, PS512:
+		return rsa.VerifyPSS(ctx.publicKey, hash, hashed, signature, nil)
+	}
+
+	return ErrUnsupportedAlgorithm
+}
+
+// Encrypt the given payload and update the object.
+func (ctx ecEncrypterVerifier) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
+	switch alg {
+	case ECDH_ES:
+		// ECDH-ES mode doesn't wrap a key, the shared secret is used directly as the key.
+		return recipientInfo{
+			header: &rawHeader{},
+		}, nil
+	case ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:
+	default:
+		return recipientInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	generator := ecKeyGenerator{
+		algID:     string(alg),
+		publicKey: ctx.publicKey,
+	}
+
+	switch alg {
+	case ECDH_ES_A128KW:
+		generator.size = 16
+	case ECDH_ES_A192KW:
+		generator.size = 24
+	case ECDH_ES_A256KW:
+		generator.size = 32
+	}
+
+	kek, header, err := generator.genKey()
+	if err != nil {
+		return recipientInfo{}, err
+	}
+
+	block, err := aes.NewCipher(kek)
+	if err != nil {
+		return recipientInfo{}, err
+	}
+
+	jek, err := josecipher.KeyWrap(block, cek)
+	if err != nil {
+		return recipientInfo{}, err
+	}
+
+	return recipientInfo{
+		encryptedKey: jek,
+		header:       &header,
+	}, nil
+}
+
+// Get key size for EC key generator
+func (ctx ecKeyGenerator) keySize() int {
+	return ctx.size
+}
+
+// Get a content encryption key for ECDH-ES
+func (ctx ecKeyGenerator) genKey() ([]byte, rawHeader, error) {
+	priv, err := ecdsa.GenerateKey(ctx.publicKey.Curve, RandReader)
+	if err != nil {
+		return nil, rawHeader{}, err
+	}
+
+	out := josecipher.DeriveECDHES(ctx.algID, []byte{}, []byte{}, priv, ctx.publicKey, ctx.size)
+
+	b, err := json.Marshal(&JSONWebKey{
+		Key: &priv.PublicKey,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	headers := rawHeader{
+		headerEPK: makeRawMessage(b),
+	}
+
+	return out, headers, nil
+}
+
+// Decrypt the given payload and return the content encryption key.
+func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
+	epk, err := headers.getEPK()
+	if err != nil {
+		return nil, errors.New("go-jose/go-jose: invalid epk header")
+	}
+	if epk == nil {
+		return nil, errors.New("go-jose/go-jose: missing epk header")
+	}
+
+	publicKey, ok := epk.Key.(*ecdsa.PublicKey)
+	if publicKey == nil || !ok {
+		return nil, errors.New("go-jose/go-jose: invalid epk header")
+	}
+
+	if !ctx.privateKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
+		return nil, errors.New("go-jose/go-jose: invalid public key in epk header")
+	}
+
+	apuData, err := headers.getAPU()
+	if err != nil {
+		return nil, errors.New("go-jose/go-jose: invalid apu header")
+	}
+	apvData, err := headers.getAPV()
+	if err != nil {
+		return nil, errors.New("go-jose/go-jose: invalid apv header")
+	}
+
+	deriveKey := func(algID string, size int) []byte {
+		return josecipher.DeriveECDHES(algID, apuData.bytes(), apvData.bytes(), ctx.privateKey, publicKey, size)
+	}
+
+	var keySize int
+
+	algorithm := headers.getAlgorithm()
+	switch algorithm {
+	case ECDH_ES:
+		// ECDH-ES uses direct key agreement, no key unwrapping necessary.
+		return deriveKey(string(headers.getEncryption()), generator.keySize()), nil
+	case ECDH_ES_A128KW:
+		keySize = 16
+	case ECDH_ES_A192KW:
+		keySize = 24
+	case ECDH_ES_A256KW:
+		keySize = 32
+	default:
+		return nil, ErrUnsupportedAlgorithm
+	}
+
+	key := deriveKey(string(algorithm), keySize)
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	return josecipher.KeyUnwrap(block, recipient.encryptedKey)
+}
+
+func (ctx edDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
+	if alg != EdDSA {
+		return Signature{}, ErrUnsupportedAlgorithm
+	}
+
+	sig, err := ctx.privateKey.Sign(RandReader, payload, crypto.Hash(0))
+	if err != nil {
+		return Signature{}, err
+	}
+
+	return Signature{
+		Signature: sig,
+		protected: &rawHeader{},
+	}, nil
+}
+
+func (ctx edEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
+	if alg != EdDSA {
+		return ErrUnsupportedAlgorithm
+	}
+	ok := ed25519.Verify(ctx.publicKey, payload, signature)
+	if !ok {
+		return errors.New("go-jose/go-jose: ed25519 signature failed to verify")
+	}
+	return nil
+}
+
+// Sign the given payload
+func (ctx ecDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
+	var expectedBitSize int
+	var hash crypto.Hash
+
+	switch alg {
+	case ES256:
+		expectedBitSize = 256
+		hash = crypto.SHA256
+	case ES384:
+		expectedBitSize = 384
+		hash = crypto.SHA384
+	case ES512:
+		expectedBitSize = 521
+		hash = crypto.SHA512
+	}
+
+	curveBits := ctx.privateKey.Curve.Params().BitSize
+	if expectedBitSize != curveBits {
+		return Signature{}, fmt.Errorf("go-jose/go-jose: expected %d bit key, got %d bits instead", expectedBitSize, curveBits)
+	}
+
+	hasher := hash.New()
+
+	// According to documentation, Write() on hash never fails
+	_, _ = hasher.Write(payload)
+	hashed := hasher.Sum(nil)
+
+	r, s, err := ecdsa.Sign(RandReader, ctx.privateKey, hashed)
+	if err != nil {
+		return Signature{}, err
+	}
+
+	keyBytes := curveBits / 8
+	if curveBits%8 > 0 {
+		keyBytes++
+	}
+
+	// We serialize the outputs (r and s) into big-endian byte arrays and pad
+	// them with zeros on the left to make sure the sizes work out. Both arrays
+	// must be keyBytes long, and the output must be 2*keyBytes long.
+	rBytes := r.Bytes()
+	rBytesPadded := make([]byte, keyBytes)
+	copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
+
+	sBytes := s.Bytes()
+	sBytesPadded := make([]byte, keyBytes)
+	copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
+
+	out := append(rBytesPadded, sBytesPadded...)
+
+	return Signature{
+		Signature: out,
+		protected: &rawHeader{},
+	}, nil
+}
+
+// Verify the given payload
+func (ctx ecEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
+	var keySize int
+	var hash crypto.Hash
+
+	switch alg {
+	case ES256:
+		keySize = 32
+		hash = crypto.SHA256
+	case ES384:
+		keySize = 48
+		hash = crypto.SHA384
+	case ES512:
+		keySize = 66
+		hash = crypto.SHA512
+	default:
+		return ErrUnsupportedAlgorithm
+	}
+
+	if len(signature) != 2*keySize {
+		return fmt.Errorf("go-jose/go-jose: invalid signature size, have %d bytes, wanted %d", len(signature), 2*keySize)
+	}
+
+	hasher := hash.New()
+
+	// According to documentation, Write() on hash never fails
+	_, _ = hasher.Write(payload)
+	hashed := hasher.Sum(nil)
+
+	r := big.NewInt(0).SetBytes(signature[:keySize])
+	s := big.NewInt(0).SetBytes(signature[keySize:])
+
+	match := ecdsa.Verify(ctx.publicKey, hashed, r, s)
+	if !match {
+		return errors.New("go-jose/go-jose: ecdsa signature failed to verify")
+	}
+
+	return nil
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/cipher/cbc_hmac.go b/vendor/gopkg.in/go-jose/go-jose.v2/cipher/cbc_hmac.go
new file mode 100644
index 00000000..87065a5b
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/cipher/cbc_hmac.go
@@ -0,0 +1,196 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package josecipher
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/subtle"
+	"encoding/binary"
+	"errors"
+	"hash"
+)
+
+const (
+	nonceBytes = 16
+)
+
+// NewCBCHMAC instantiates a new AEAD based on CBC+HMAC.
+func NewCBCHMAC(key []byte, newBlockCipher func([]byte) (cipher.Block, error)) (cipher.AEAD, error) {
+	keySize := len(key) / 2
+	integrityKey := key[:keySize]
+	encryptionKey := key[keySize:]
+
+	blockCipher, err := newBlockCipher(encryptionKey)
+	if err != nil {
+		return nil, err
+	}
+
+	var hash func() hash.Hash
+	switch keySize {
+	case 16:
+		hash = sha256.New
+	case 24:
+		hash = sha512.New384
+	case 32:
+		hash = sha512.New
+	}
+
+	return &cbcAEAD{
+		hash:         hash,
+		blockCipher:  blockCipher,
+		authtagBytes: keySize,
+		integrityKey: integrityKey,
+	}, nil
+}
+
+// An AEAD based on CBC+HMAC
+type cbcAEAD struct {
+	hash         func() hash.Hash
+	authtagBytes int
+	integrityKey []byte
+	blockCipher  cipher.Block
+}
+
+func (ctx *cbcAEAD) NonceSize() int {
+	return nonceBytes
+}
+
+func (ctx *cbcAEAD) Overhead() int {
+	// Maximum overhead is block size (for padding) plus auth tag length, where
+	// the length of the auth tag is equivalent to the key size.
+	return ctx.blockCipher.BlockSize() + ctx.authtagBytes
+}
+
+// Seal encrypts and authenticates the plaintext.
+func (ctx *cbcAEAD) Seal(dst, nonce, plaintext, data []byte) []byte {
+	// Output buffer -- must take care not to mangle plaintext input.
+	ciphertext := make([]byte, uint64(len(plaintext))+uint64(ctx.Overhead()))[:len(plaintext)]
+	copy(ciphertext, plaintext)
+	ciphertext = padBuffer(ciphertext, ctx.blockCipher.BlockSize())
+
+	cbc := cipher.NewCBCEncrypter(ctx.blockCipher, nonce)
+
+	cbc.CryptBlocks(ciphertext, ciphertext)
+	authtag := ctx.computeAuthTag(data, nonce, ciphertext)
+
+	ret, out := resize(dst, uint64(len(dst))+uint64(len(ciphertext))+uint64(len(authtag)))
+	copy(out, ciphertext)
+	copy(out[len(ciphertext):], authtag)
+
+	return ret
+}
+
+// Open decrypts and authenticates the ciphertext.
+func (ctx *cbcAEAD) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
+	if len(ciphertext) < ctx.authtagBytes {
+		return nil, errors.New("go-jose/go-jose: invalid ciphertext (too short)")
+	}
+
+	offset := len(ciphertext) - ctx.authtagBytes
+	expectedTag := ctx.computeAuthTag(data, nonce, ciphertext[:offset])
+	match := subtle.ConstantTimeCompare(expectedTag, ciphertext[offset:])
+	if match != 1 {
+		return nil, errors.New("go-jose/go-jose: invalid ciphertext (auth tag mismatch)")
+	}
+
+	cbc := cipher.NewCBCDecrypter(ctx.blockCipher, nonce)
+
+	// Make copy of ciphertext buffer, don't want to modify in place
+	buffer := append([]byte{}, []byte(ciphertext[:offset])...)
+
+	if len(buffer)%ctx.blockCipher.BlockSize() > 0 {
+		return nil, errors.New("go-jose/go-jose: invalid ciphertext (invalid length)")
+	}
+
+	cbc.CryptBlocks(buffer, buffer)
+
+	// Remove padding
+	plaintext, err := unpadBuffer(buffer, ctx.blockCipher.BlockSize())
+	if err != nil {
+		return nil, err
+	}
+
+	ret, out := resize(dst, uint64(len(dst))+uint64(len(plaintext)))
+	copy(out, plaintext)
+
+	return ret, nil
+}
+
+// Compute an authentication tag
+func (ctx *cbcAEAD) computeAuthTag(aad, nonce, ciphertext []byte) []byte {
+	buffer := make([]byte, uint64(len(aad))+uint64(len(nonce))+uint64(len(ciphertext))+8)
+	n := 0
+	n += copy(buffer, aad)
+	n += copy(buffer[n:], nonce)
+	n += copy(buffer[n:], ciphertext)
+	binary.BigEndian.PutUint64(buffer[n:], uint64(len(aad))*8)
+
+	// According to documentation, Write() on hash.Hash never fails.
+	hmac := hmac.New(ctx.hash, ctx.integrityKey)
+	_, _ = hmac.Write(buffer)
+
+	return hmac.Sum(nil)[:ctx.authtagBytes]
+}
+
+// resize ensures that the given slice has a capacity of at least n bytes.
+// If the capacity of the slice is less than n, a new slice is allocated
+// and the existing data will be copied.
+func resize(in []byte, n uint64) (head, tail []byte) {
+	if uint64(cap(in)) >= n {
+		head = in[:n]
+	} else {
+		head = make([]byte, n)
+		copy(head, in)
+	}
+
+	tail = head[len(in):]
+	return
+}
+
+// Apply padding
+func padBuffer(buffer []byte, blockSize int) []byte {
+	missing := blockSize - (len(buffer) % blockSize)
+	ret, out := resize(buffer, uint64(len(buffer))+uint64(missing))
+	padding := bytes.Repeat([]byte{byte(missing)}, missing)
+	copy(out, padding)
+	return ret
+}
+
+// Remove padding
+func unpadBuffer(buffer []byte, blockSize int) ([]byte, error) {
+	if len(buffer)%blockSize != 0 {
+		return nil, errors.New("go-jose/go-jose: invalid padding")
+	}
+
+	last := buffer[len(buffer)-1]
+	count := int(last)
+
+	if count == 0 || count > blockSize || count > len(buffer) {
+		return nil, errors.New("go-jose/go-jose: invalid padding")
+	}
+
+	padding := bytes.Repeat([]byte{last}, count)
+	if !bytes.HasSuffix(buffer, padding) {
+		return nil, errors.New("go-jose/go-jose: invalid padding")
+	}
+
+	return buffer[:len(buffer)-count], nil
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/cipher/concat_kdf.go b/vendor/gopkg.in/go-jose/go-jose.v2/cipher/concat_kdf.go
new file mode 100644
index 00000000..f62c3bdb
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/cipher/concat_kdf.go
@@ -0,0 +1,75 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package josecipher
+
+import (
+	"crypto"
+	"encoding/binary"
+	"hash"
+	"io"
+)
+
+type concatKDF struct {
+	z, info []byte
+	i       uint32
+	cache   []byte
+	hasher  hash.Hash
+}
+
+// NewConcatKDF builds a KDF reader based on the given inputs.
+func NewConcatKDF(hash crypto.Hash, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo []byte) io.Reader {
+	buffer := make([]byte, uint64(len(algID))+uint64(len(ptyUInfo))+uint64(len(ptyVInfo))+uint64(len(supPubInfo))+uint64(len(supPrivInfo)))
+	n := 0
+	n += copy(buffer, algID)
+	n += copy(buffer[n:], ptyUInfo)
+	n += copy(buffer[n:], ptyVInfo)
+	n += copy(buffer[n:], supPubInfo)
+	copy(buffer[n:], supPrivInfo)
+
+	hasher := hash.New()
+
+	return &concatKDF{
+		z:      z,
+		info:   buffer,
+		hasher: hasher,
+		cache:  []byte{},
+		i:      1,
+	}
+}
+
+func (ctx *concatKDF) Read(out []byte) (int, error) {
+	copied := copy(out, ctx.cache)
+	ctx.cache = ctx.cache[copied:]
+
+	for copied < len(out) {
+		ctx.hasher.Reset()
+
+		// Write on a hash.Hash never fails
+		_ = binary.Write(ctx.hasher, binary.BigEndian, ctx.i)
+		_, _ = ctx.hasher.Write(ctx.z)
+		_, _ = ctx.hasher.Write(ctx.info)
+
+		hash := ctx.hasher.Sum(nil)
+		chunkCopied := copy(out[copied:], hash)
+		copied += chunkCopied
+		ctx.cache = hash[chunkCopied:]
+
+		ctx.i++
+	}
+
+	return copied, nil
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/cipher/ecdh_es.go b/vendor/gopkg.in/go-jose/go-jose.v2/cipher/ecdh_es.go
new file mode 100644
index 00000000..093c6467
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/cipher/ecdh_es.go
@@ -0,0 +1,86 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package josecipher
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"encoding/binary"
+)
+
+// DeriveECDHES derives a shared encryption key using ECDH/ConcatKDF as described in JWE/JWA.
+// It is an error to call this function with a private/public key that are not on the same
+// curve. Callers must ensure that the keys are valid before calling this function. Output
+// size may be at most 1<<16 bytes (64 KiB).
+func DeriveECDHES(alg string, apuData, apvData []byte, priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey, size int) []byte {
+	if size > 1<<16 {
+		panic("ECDH-ES output size too large, must be less than or equal to 1<<16")
+	}
+
+	// algId, partyUInfo, partyVInfo inputs must be prefixed with the length
+	algID := lengthPrefixed([]byte(alg))
+	ptyUInfo := lengthPrefixed(apuData)
+	ptyVInfo := lengthPrefixed(apvData)
+
+	// suppPubInfo is the encoded length of the output size in bits
+	supPubInfo := make([]byte, 4)
+	binary.BigEndian.PutUint32(supPubInfo, uint32(size)*8)
+
+	if !priv.PublicKey.Curve.IsOnCurve(pub.X, pub.Y) {
+		panic("public key not on same curve as private key")
+	}
+
+	z, _ := priv.Curve.ScalarMult(pub.X, pub.Y, priv.D.Bytes())
+	zBytes := z.Bytes()
+
+	// Note that calling z.Bytes() on a big.Int may strip leading zero bytes from
+	// the returned byte array. This can lead to a problem where zBytes will be
+	// shorter than expected which breaks the key derivation. Therefore we must pad
+	// to the full length of the expected coordinate here before calling the KDF.
+	octSize := dSize(priv.Curve)
+	if len(zBytes) != octSize {
+		zBytes = append(bytes.Repeat([]byte{0}, octSize-len(zBytes)), zBytes...)
+	}
+
+	reader := NewConcatKDF(crypto.SHA256, zBytes, algID, ptyUInfo, ptyVInfo, supPubInfo, []byte{})
+	key := make([]byte, size)
+
+	// Read on the KDF will never fail
+	_, _ = reader.Read(key)
+
+	return key
+}
+
+// dSize returns the size in octets for a coordinate on a elliptic curve.
+func dSize(curve elliptic.Curve) int {
+	order := curve.Params().P
+	bitLen := order.BitLen()
+	size := bitLen / 8
+	if bitLen%8 != 0 {
+		size++
+	}
+	return size
+}
+
+func lengthPrefixed(data []byte) []byte {
+	out := make([]byte, len(data)+4)
+	binary.BigEndian.PutUint32(out, uint32(len(data)))
+	copy(out[4:], data)
+	return out
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/cipher/key_wrap.go b/vendor/gopkg.in/go-jose/go-jose.v2/cipher/key_wrap.go
new file mode 100644
index 00000000..668358f9
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/cipher/key_wrap.go
@@ -0,0 +1,109 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package josecipher
+
+import (
+	"crypto/cipher"
+	"crypto/subtle"
+	"encoding/binary"
+	"errors"
+)
+
+var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}
+
+// KeyWrap implements NIST key wrapping; it wraps a content encryption key (cek) with the given block cipher.
+func KeyWrap(block cipher.Block, cek []byte) ([]byte, error) {
+	if len(cek)%8 != 0 {
+		return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
+	}
+
+	n := len(cek) / 8
+	r := make([][]byte, n)
+
+	for i := range r {
+		r[i] = make([]byte, 8)
+		copy(r[i], cek[i*8:])
+	}
+
+	buffer := make([]byte, 16)
+	tBytes := make([]byte, 8)
+	copy(buffer, defaultIV)
+
+	for t := 0; t < 6*n; t++ {
+		copy(buffer[8:], r[t%n])
+
+		block.Encrypt(buffer, buffer)
+
+		binary.BigEndian.PutUint64(tBytes, uint64(t+1))
+
+		for i := 0; i < 8; i++ {
+			buffer[i] = buffer[i] ^ tBytes[i]
+		}
+		copy(r[t%n], buffer[8:])
+	}
+
+	out := make([]byte, (n+1)*8)
+	copy(out, buffer[:8])
+	for i := range r {
+		copy(out[(i+1)*8:], r[i])
+	}
+
+	return out, nil
+}
+
+// KeyUnwrap implements NIST key unwrapping; it unwraps a content encryption key (cek) with the given block cipher.
+func KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {
+	if len(ciphertext)%8 != 0 {
+		return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
+	}
+
+	n := (len(ciphertext) / 8) - 1
+	r := make([][]byte, n)
+
+	for i := range r {
+		r[i] = make([]byte, 8)
+		copy(r[i], ciphertext[(i+1)*8:])
+	}
+
+	buffer := make([]byte, 16)
+	tBytes := make([]byte, 8)
+	copy(buffer[:8], ciphertext[:8])
+
+	for t := 6*n - 1; t >= 0; t-- {
+		binary.BigEndian.PutUint64(tBytes, uint64(t+1))
+
+		for i := 0; i < 8; i++ {
+			buffer[i] = buffer[i] ^ tBytes[i]
+		}
+		copy(buffer[8:], r[t%n])
+
+		block.Decrypt(buffer, buffer)
+
+		copy(r[t%n], buffer[8:])
+	}
+
+	if subtle.ConstantTimeCompare(buffer[:8], defaultIV) == 0 {
+		return nil, errors.New("go-jose/go-jose: failed to unwrap key")
+	}
+
+	out := make([]byte, n*8)
+	for i := range r {
+		copy(out[i*8:], r[i])
+	}
+
+	return out, nil
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go b/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go
new file mode 100644
index 00000000..0ae2e5eb
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go
@@ -0,0 +1,548 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"errors"
+	"fmt"
+	"reflect"
+
+	"gopkg.in/go-jose/go-jose.v2/json"
+)
+
+// Encrypter represents an encrypter which produces an encrypted JWE object.
+type Encrypter interface {
+	Encrypt(plaintext []byte) (*JSONWebEncryption, error)
+	EncryptWithAuthData(plaintext []byte, aad []byte) (*JSONWebEncryption, error)
+	Options() EncrypterOptions
+}
+
+// A generic content cipher
+type contentCipher interface {
+	keySize() int
+	encrypt(cek []byte, aad, plaintext []byte) (*aeadParts, error)
+	decrypt(cek []byte, aad []byte, parts *aeadParts) ([]byte, error)
+}
+
+// A key generator (for generating/getting a CEK)
+type keyGenerator interface {
+	keySize() int
+	genKey() ([]byte, rawHeader, error)
+}
+
+// A generic key encrypter
+type keyEncrypter interface {
+	encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) // Encrypt a key
+}
+
+// A generic key decrypter
+type keyDecrypter interface {
+	decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) // Decrypt a key
+}
+
+// A generic encrypter based on the given key encrypter and content cipher.
+type genericEncrypter struct {
+	contentAlg     ContentEncryption
+	compressionAlg CompressionAlgorithm
+	cipher         contentCipher
+	recipients     []recipientKeyInfo
+	keyGenerator   keyGenerator
+	extraHeaders   map[HeaderKey]interface{}
+}
+
+type recipientKeyInfo struct {
+	keyID        string
+	keyAlg       KeyAlgorithm
+	keyEncrypter keyEncrypter
+}
+
+// EncrypterOptions represents options that can be set on new encrypters.
+type EncrypterOptions struct {
+	Compression CompressionAlgorithm
+
+	// Optional map of additional keys to be inserted into the protected header
+	// of a JWS object. Some specifications which make use of JWS like to insert
+	// additional values here. All values must be JSON-serializable.
+	ExtraHeaders map[HeaderKey]interface{}
+}
+
+// WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it
+// if necessary. It returns itself and so can be used in a fluent style.
+func (eo *EncrypterOptions) WithHeader(k HeaderKey, v interface{}) *EncrypterOptions {
+	if eo.ExtraHeaders == nil {
+		eo.ExtraHeaders = map[HeaderKey]interface{}{}
+	}
+	eo.ExtraHeaders[k] = v
+	return eo
+}
+
+// WithContentType adds a content type ("cty") header and returns the updated
+// EncrypterOptions.
+func (eo *EncrypterOptions) WithContentType(contentType ContentType) *EncrypterOptions {
+	return eo.WithHeader(HeaderContentType, contentType)
+}
+
+// WithType adds a type ("typ") header and returns the updated EncrypterOptions.
+func (eo *EncrypterOptions) WithType(typ ContentType) *EncrypterOptions {
+	return eo.WithHeader(HeaderType, typ)
+}
+
+// Recipient represents an algorithm/key to encrypt messages to.
+//
+// PBES2Count and PBES2Salt correspond with the  "p2c" and "p2s" headers used
+// on the password-based encryption algorithms PBES2-HS256+A128KW,
+// PBES2-HS384+A192KW, and PBES2-HS512+A256KW. If they are not provided a safe
+// default of 100000 will be used for the count and a 128-bit random salt will
+// be generated.
+type Recipient struct {
+	Algorithm  KeyAlgorithm
+	Key        interface{}
+	KeyID      string
+	PBES2Count int
+	PBES2Salt  []byte
+}
+
+// NewEncrypter creates an appropriate encrypter based on the key type
+func NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions) (Encrypter, error) {
+	encrypter := &genericEncrypter{
+		contentAlg: enc,
+		recipients: []recipientKeyInfo{},
+		cipher:     getContentCipher(enc),
+	}
+	if opts != nil {
+		encrypter.compressionAlg = opts.Compression
+		encrypter.extraHeaders = opts.ExtraHeaders
+	}
+
+	if encrypter.cipher == nil {
+		return nil, ErrUnsupportedAlgorithm
+	}
+
+	var keyID string
+	var rawKey interface{}
+	switch encryptionKey := rcpt.Key.(type) {
+	case JSONWebKey:
+		keyID, rawKey = encryptionKey.KeyID, encryptionKey.Key
+	case *JSONWebKey:
+		keyID, rawKey = encryptionKey.KeyID, encryptionKey.Key
+	case OpaqueKeyEncrypter:
+		keyID, rawKey = encryptionKey.KeyID(), encryptionKey
+	default:
+		rawKey = encryptionKey
+	}
+
+	switch rcpt.Algorithm {
+	case DIRECT:
+		// Direct encryption mode must be treated differently
+		if reflect.TypeOf(rawKey) != reflect.TypeOf([]byte{}) {
+			return nil, ErrUnsupportedKeyType
+		}
+		if encrypter.cipher.keySize() != len(rawKey.([]byte)) {
+			return nil, ErrInvalidKeySize
+		}
+		encrypter.keyGenerator = staticKeyGenerator{
+			key: rawKey.([]byte),
+		}
+		recipientInfo, _ := newSymmetricRecipient(rcpt.Algorithm, rawKey.([]byte))
+		recipientInfo.keyID = keyID
+		if rcpt.KeyID != "" {
+			recipientInfo.keyID = rcpt.KeyID
+		}
+		encrypter.recipients = []recipientKeyInfo{recipientInfo}
+		return encrypter, nil
+	case ECDH_ES:
+		// ECDH-ES (w/o key wrapping) is similar to DIRECT mode
+		typeOf := reflect.TypeOf(rawKey)
+		if typeOf != reflect.TypeOf(&ecdsa.PublicKey{}) {
+			return nil, ErrUnsupportedKeyType
+		}
+		encrypter.keyGenerator = ecKeyGenerator{
+			size:      encrypter.cipher.keySize(),
+			algID:     string(enc),
+			publicKey: rawKey.(*ecdsa.PublicKey),
+		}
+		recipientInfo, _ := newECDHRecipient(rcpt.Algorithm, rawKey.(*ecdsa.PublicKey))
+		recipientInfo.keyID = keyID
+		if rcpt.KeyID != "" {
+			recipientInfo.keyID = rcpt.KeyID
+		}
+		encrypter.recipients = []recipientKeyInfo{recipientInfo}
+		return encrypter, nil
+	default:
+		// Can just add a standard recipient
+		encrypter.keyGenerator = randomKeyGenerator{
+			size: encrypter.cipher.keySize(),
+		}
+		err := encrypter.addRecipient(rcpt)
+		return encrypter, err
+	}
+}
+
+// NewMultiEncrypter creates a multi-encrypter based on the given parameters
+func NewMultiEncrypter(enc ContentEncryption, rcpts []Recipient, opts *EncrypterOptions) (Encrypter, error) {
+	cipher := getContentCipher(enc)
+
+	if cipher == nil {
+		return nil, ErrUnsupportedAlgorithm
+	}
+	if rcpts == nil || len(rcpts) == 0 {
+		return nil, fmt.Errorf("go-jose/go-jose: recipients is nil or empty")
+	}
+
+	encrypter := &genericEncrypter{
+		contentAlg: enc,
+		recipients: []recipientKeyInfo{},
+		cipher:     cipher,
+		keyGenerator: randomKeyGenerator{
+			size: cipher.keySize(),
+		},
+	}
+
+	if opts != nil {
+		encrypter.compressionAlg = opts.Compression
+		encrypter.extraHeaders = opts.ExtraHeaders
+	}
+
+	for _, recipient := range rcpts {
+		err := encrypter.addRecipient(recipient)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return encrypter, nil
+}
+
+func (ctx *genericEncrypter) addRecipient(recipient Recipient) (err error) {
+	var recipientInfo recipientKeyInfo
+
+	switch recipient.Algorithm {
+	case DIRECT, ECDH_ES:
+		return fmt.Errorf("go-jose/go-jose: key algorithm '%s' not supported in multi-recipient mode", recipient.Algorithm)
+	}
+
+	recipientInfo, err = makeJWERecipient(recipient.Algorithm, recipient.Key)
+	if recipient.KeyID != "" {
+		recipientInfo.keyID = recipient.KeyID
+	}
+
+	switch recipient.Algorithm {
+	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
+		if sr, ok := recipientInfo.keyEncrypter.(*symmetricKeyCipher); ok {
+			sr.p2c = recipient.PBES2Count
+			sr.p2s = recipient.PBES2Salt
+		}
+	}
+
+	if err == nil {
+		ctx.recipients = append(ctx.recipients, recipientInfo)
+	}
+	return err
+}
+
+func makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKeyInfo, error) {
+	switch encryptionKey := encryptionKey.(type) {
+	case *rsa.PublicKey:
+		return newRSARecipient(alg, encryptionKey)
+	case *ecdsa.PublicKey:
+		return newECDHRecipient(alg, encryptionKey)
+	case []byte:
+		return newSymmetricRecipient(alg, encryptionKey)
+	case string:
+		return newSymmetricRecipient(alg, []byte(encryptionKey))
+	case *JSONWebKey:
+		recipient, err := makeJWERecipient(alg, encryptionKey.Key)
+		recipient.keyID = encryptionKey.KeyID
+		return recipient, err
+	}
+	if encrypter, ok := encryptionKey.(OpaqueKeyEncrypter); ok {
+		return newOpaqueKeyEncrypter(alg, encrypter)
+	}
+	return recipientKeyInfo{}, ErrUnsupportedKeyType
+}
+
+// newDecrypter creates an appropriate decrypter based on the key type
+func newDecrypter(decryptionKey interface{}) (keyDecrypter, error) {
+	switch decryptionKey := decryptionKey.(type) {
+	case *rsa.PrivateKey:
+		return &rsaDecrypterSigner{
+			privateKey: decryptionKey,
+		}, nil
+	case *ecdsa.PrivateKey:
+		return &ecDecrypterSigner{
+			privateKey: decryptionKey,
+		}, nil
+	case []byte:
+		return &symmetricKeyCipher{
+			key: decryptionKey,
+		}, nil
+	case string:
+		return &symmetricKeyCipher{
+			key: []byte(decryptionKey),
+		}, nil
+	case JSONWebKey:
+		return newDecrypter(decryptionKey.Key)
+	case *JSONWebKey:
+		return newDecrypter(decryptionKey.Key)
+	}
+	if okd, ok := decryptionKey.(OpaqueKeyDecrypter); ok {
+		return &opaqueKeyDecrypter{decrypter: okd}, nil
+	}
+	return nil, ErrUnsupportedKeyType
+}
+
+// Implementation of encrypt method producing a JWE object.
+func (ctx *genericEncrypter) Encrypt(plaintext []byte) (*JSONWebEncryption, error) {
+	return ctx.EncryptWithAuthData(plaintext, nil)
+}
+
+// Implementation of encrypt method producing a JWE object.
+func (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JSONWebEncryption, error) {
+	obj := &JSONWebEncryption{}
+	obj.aad = aad
+
+	obj.protected = &rawHeader{}
+	err := obj.protected.set(headerEncryption, ctx.contentAlg)
+	if err != nil {
+		return nil, err
+	}
+
+	obj.recipients = make([]recipientInfo, len(ctx.recipients))
+
+	if len(ctx.recipients) == 0 {
+		return nil, fmt.Errorf("go-jose/go-jose: no recipients to encrypt to")
+	}
+
+	cek, headers, err := ctx.keyGenerator.genKey()
+	if err != nil {
+		return nil, err
+	}
+
+	obj.protected.merge(&headers)
+
+	for i, info := range ctx.recipients {
+		recipient, err := info.keyEncrypter.encryptKey(cek, info.keyAlg)
+		if err != nil {
+			return nil, err
+		}
+
+		err = recipient.header.set(headerAlgorithm, info.keyAlg)
+		if err != nil {
+			return nil, err
+		}
+
+		if info.keyID != "" {
+			err = recipient.header.set(headerKeyID, info.keyID)
+			if err != nil {
+				return nil, err
+			}
+		}
+		obj.recipients[i] = recipient
+	}
+
+	if len(ctx.recipients) == 1 {
+		// Move per-recipient headers into main protected header if there's
+		// only a single recipient.
+		obj.protected.merge(obj.recipients[0].header)
+		obj.recipients[0].header = nil
+	}
+
+	if ctx.compressionAlg != NONE {
+		plaintext, err = compress(ctx.compressionAlg, plaintext)
+		if err != nil {
+			return nil, err
+		}
+
+		err = obj.protected.set(headerCompression, ctx.compressionAlg)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	for k, v := range ctx.extraHeaders {
+		b, err := json.Marshal(v)
+		if err != nil {
+			return nil, err
+		}
+		(*obj.protected)[k] = makeRawMessage(b)
+	}
+
+	authData := obj.computeAuthData()
+	parts, err := ctx.cipher.encrypt(cek, authData, plaintext)
+	if err != nil {
+		return nil, err
+	}
+
+	obj.iv = parts.iv
+	obj.ciphertext = parts.ciphertext
+	obj.tag = parts.tag
+
+	return obj, nil
+}
+
+func (ctx *genericEncrypter) Options() EncrypterOptions {
+	return EncrypterOptions{
+		Compression:  ctx.compressionAlg,
+		ExtraHeaders: ctx.extraHeaders,
+	}
+}
+
+// Decrypt and validate the object and return the plaintext. Note that this
+// function does not support multi-recipient, if you desire multi-recipient
+// decryption use DecryptMulti instead.
+//
+// Automatically decompresses plaintext, but returns an error if the decompressed
+// data would be >250kB or >10x the size of the compressed data, whichever is larger.
+func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
+	headers := obj.mergedHeaders(nil)
+
+	if len(obj.recipients) > 1 {
+		return nil, errors.New("go-jose/go-jose: too many recipients in payload; expecting only one")
+	}
+
+	critical, err := headers.getCritical()
+	if err != nil {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
+	}
+
+	if len(critical) > 0 {
+		return nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
+	}
+
+	decrypter, err := newDecrypter(decryptionKey)
+	if err != nil {
+		return nil, err
+	}
+
+	cipher := getContentCipher(headers.getEncryption())
+	if cipher == nil {
+		return nil, fmt.Errorf("go-jose/go-jose: unsupported enc value '%s'", string(headers.getEncryption()))
+	}
+
+	generator := randomKeyGenerator{
+		size: cipher.keySize(),
+	}
+
+	parts := &aeadParts{
+		iv:         obj.iv,
+		ciphertext: obj.ciphertext,
+		tag:        obj.tag,
+	}
+
+	authData := obj.computeAuthData()
+
+	var plaintext []byte
+	recipient := obj.recipients[0]
+	recipientHeaders := obj.mergedHeaders(&recipient)
+
+	cek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)
+	if err == nil {
+		// Found a valid CEK -- let's try to decrypt.
+		plaintext, err = cipher.decrypt(cek, authData, parts)
+	}
+
+	if plaintext == nil {
+		return nil, ErrCryptoFailure
+	}
+
+	// The "zip" header parameter may only be present in the protected header.
+	if comp := obj.protected.getCompression(); comp != "" {
+		plaintext, err = decompress(comp, plaintext)
+	}
+
+	return plaintext, err
+}
+
+// DecryptMulti decrypts and validates the object and returns the plaintexts,
+// with support for multiple recipients. It returns the index of the recipient
+// for which the decryption was successful, the merged headers for that recipient,
+// and the plaintext.
+//
+// Automatically decompresses plaintext, but returns an error if the decompressed
+// data would be >250kB or >3x the size of the compressed data, whichever is larger.
+func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
+	globalHeaders := obj.mergedHeaders(nil)
+
+	critical, err := globalHeaders.getCritical()
+	if err != nil {
+		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
+	}
+
+	if len(critical) > 0 {
+		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
+	}
+
+	decrypter, err := newDecrypter(decryptionKey)
+	if err != nil {
+		return -1, Header{}, nil, err
+	}
+
+	encryption := globalHeaders.getEncryption()
+	cipher := getContentCipher(encryption)
+	if cipher == nil {
+		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported enc value '%s'", string(encryption))
+	}
+
+	generator := randomKeyGenerator{
+		size: cipher.keySize(),
+	}
+
+	parts := &aeadParts{
+		iv:         obj.iv,
+		ciphertext: obj.ciphertext,
+		tag:        obj.tag,
+	}
+
+	authData := obj.computeAuthData()
+
+	index := -1
+	var plaintext []byte
+	var headers rawHeader
+
+	for i, recipient := range obj.recipients {
+		recipientHeaders := obj.mergedHeaders(&recipient)
+
+		cek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)
+		if err == nil {
+			// Found a valid CEK -- let's try to decrypt.
+			plaintext, err = cipher.decrypt(cek, authData, parts)
+			if err == nil {
+				index = i
+				headers = recipientHeaders
+				break
+			}
+		}
+	}
+
+	if plaintext == nil || err != nil {
+		return -1, Header{}, nil, ErrCryptoFailure
+	}
+
+	// The "zip" header parameter may only be present in the protected header.
+	if comp := obj.protected.getCompression(); comp != "" {
+		plaintext, err = decompress(comp, plaintext)
+	}
+
+	sanitized, err := headers.sanitized()
+	if err != nil {
+		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: failed to sanitize header: %v", err)
+	}
+
+	return index, sanitized, plaintext, err
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/doc.go b/vendor/gopkg.in/go-jose/go-jose.v2/doc.go
new file mode 100644
index 00000000..dd1387f3
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/doc.go
@@ -0,0 +1,27 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+
+Package jose aims to provide an implementation of the Javascript Object Signing
+and Encryption set of standards. It implements encryption and signing based on
+the JSON Web Encryption and JSON Web Signature standards, with optional JSON
+Web Token support available in a sub-package. The library supports both the
+compact and full serialization formats, and has optional support for multiple
+recipients.
+
+*/
+package jose
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go b/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
new file mode 100644
index 00000000..636f6c8f
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
@@ -0,0 +1,198 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"compress/flate"
+	"encoding/base64"
+	"encoding/binary"
+	"fmt"
+	"io"
+	"math/big"
+	"strings"
+	"unicode"
+
+	"gopkg.in/go-jose/go-jose.v2/json"
+)
+
+// Helper function to serialize known-good objects.
+// Precondition: value is not a nil pointer.
+func mustSerializeJSON(value interface{}) []byte {
+	out, err := json.Marshal(value)
+	if err != nil {
+		panic(err)
+	}
+	// We never want to serialize the top-level value "null," since it's not a
+	// valid JOSE message. But if a caller passes in a nil pointer to this method,
+	// MarshalJSON will happily serialize it as the top-level value "null". If
+	// that value is then embedded in another operation, for instance by being
+	// base64-encoded and fed as input to a signing algorithm
+	// (https://github.com/go-jose/go-jose/issues/22), the result will be
+	// incorrect. Because this method is intended for known-good objects, and a nil
+	// pointer is not a known-good object, we are free to panic in this case.
+	// Note: It's not possible to directly check whether the data pointed at by an
+	// interface is a nil pointer, so we do this hacky workaround.
+	// https://groups.google.com/forum/#!topic/golang-nuts/wnH302gBa4I
+	if string(out) == "null" {
+		panic("Tried to serialize a nil pointer.")
+	}
+	return out
+}
+
+// Strip all newlines and whitespace
+func stripWhitespace(data string) string {
+	buf := strings.Builder{}
+	buf.Grow(len(data))
+	for _, r := range data {
+		if !unicode.IsSpace(r) {
+			buf.WriteRune(r)
+		}
+	}
+	return buf.String()
+}
+
+// Perform compression based on algorithm
+func compress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+	switch algorithm {
+	case DEFLATE:
+		return deflate(input)
+	default:
+		return nil, ErrUnsupportedAlgorithm
+	}
+}
+
+// Perform decompression based on algorithm
+func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+	switch algorithm {
+	case DEFLATE:
+		return inflate(input)
+	default:
+		return nil, ErrUnsupportedAlgorithm
+	}
+}
+
+// deflate compresses the input.
+func deflate(input []byte) ([]byte, error) {
+	output := new(bytes.Buffer)
+
+	// Writing to byte buffer, err is always nil
+	writer, _ := flate.NewWriter(output, 1)
+	_, _ = io.Copy(writer, bytes.NewBuffer(input))
+
+	err := writer.Close()
+	return output.Bytes(), err
+}
+
+// inflate decompresses the input.
+//
+// Errors if the decompressed data would be >250kB or >10x the size of the
+// compressed data, whichever is larger.
+func inflate(input []byte) ([]byte, error) {
+	output := new(bytes.Buffer)
+	reader := flate.NewReader(bytes.NewBuffer(input))
+
+	maxCompressedSize := 10 * int64(len(input))
+	if maxCompressedSize < 250000 {
+		maxCompressedSize = 250000
+	}
+
+	limit := maxCompressedSize + 1
+	n, err := io.CopyN(output, reader, limit)
+	if err != nil && err != io.EOF {
+		return nil, err
+	}
+	if n == limit {
+		return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
+	}
+
+	err = reader.Close()
+	return output.Bytes(), err
+}
+
+// byteBuffer represents a slice of bytes that can be serialized to url-safe base64.
+type byteBuffer struct {
+	data []byte
+}
+
+func newBuffer(data []byte) *byteBuffer {
+	if data == nil {
+		return nil
+	}
+	return &byteBuffer{
+		data: data,
+	}
+}
+
+func newFixedSizeBuffer(data []byte, length int) *byteBuffer {
+	if len(data) > length {
+		panic("go-jose/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)")
+	}
+	pad := make([]byte, length-len(data))
+	return newBuffer(append(pad, data...))
+}
+
+func newBufferFromInt(num uint64) *byteBuffer {
+	data := make([]byte, 8)
+	binary.BigEndian.PutUint64(data, num)
+	return newBuffer(bytes.TrimLeft(data, "\x00"))
+}
+
+func (b *byteBuffer) MarshalJSON() ([]byte, error) {
+	return json.Marshal(b.base64())
+}
+
+func (b *byteBuffer) UnmarshalJSON(data []byte) error {
+	var encoded string
+	err := json.Unmarshal(data, &encoded)
+	if err != nil {
+		return err
+	}
+
+	if encoded == "" {
+		return nil
+	}
+
+	decoded, err := base64.RawURLEncoding.DecodeString(encoded)
+	if err != nil {
+		return err
+	}
+
+	*b = *newBuffer(decoded)
+
+	return nil
+}
+
+func (b *byteBuffer) base64() string {
+	return base64.RawURLEncoding.EncodeToString(b.data)
+}
+
+func (b *byteBuffer) bytes() []byte {
+	// Handling nil here allows us to transparently handle nil slices when serializing.
+	if b == nil {
+		return nil
+	}
+	return b.data
+}
+
+func (b byteBuffer) bigInt() *big.Int {
+	return new(big.Int).SetBytes(b.data)
+}
+
+func (b byteBuffer) toInt() int {
+	return int(b.bigInt().Int64())
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/LICENSE b/vendor/gopkg.in/go-jose/go-jose.v2/json/LICENSE
new file mode 100644
index 00000000..74487567
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/json/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2012 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/README.md b/vendor/gopkg.in/go-jose/go-jose.v2/json/README.md
new file mode 100644
index 00000000..86de5e55
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/json/README.md
@@ -0,0 +1,13 @@
+# Safe JSON
+
+This repository contains a fork of the `encoding/json` package from Go 1.6.
+
+The following changes were made:
+
+* Object deserialization uses case-sensitive member name matching instead of
+  [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html).
+  This is to avoid differences in the interpretation of JOSE messages between
+  go-jose and libraries written in other languages.
+* When deserializing a JSON object, we check for duplicate keys and reject the
+  input whenever we detect a duplicate. Rather than trying to work with malformed
+  data, we prefer to reject it right away.
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/decode.go b/vendor/gopkg.in/go-jose/go-jose.v2/json/decode.go
new file mode 100644
index 00000000..4dbc4146
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/json/decode.go
@@ -0,0 +1,1217 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Represents JSON data structure using native Go types: booleans, floats,
+// strings, arrays, and maps.
+
+package json
+
+import (
+	"bytes"
+	"encoding"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"math"
+	"reflect"
+	"runtime"
+	"strconv"
+	"unicode"
+	"unicode/utf16"
+	"unicode/utf8"
+)
+
+// Unmarshal parses the JSON-encoded data and stores the result
+// in the value pointed to by v.
+//
+// Unmarshal uses the inverse of the encodings that
+// Marshal uses, allocating maps, slices, and pointers as necessary,
+// with the following additional rules:
+//
+// To unmarshal JSON into a pointer, Unmarshal first handles the case of
+// the JSON being the JSON literal null.  In that case, Unmarshal sets
+// the pointer to nil.  Otherwise, Unmarshal unmarshals the JSON into
+// the value pointed at by the pointer.  If the pointer is nil, Unmarshal
+// allocates a new value for it to point to.
+//
+// To unmarshal JSON into a struct, Unmarshal matches incoming object
+// keys to the keys used by Marshal (either the struct field name or its tag),
+// preferring an exact match but also accepting a case-insensitive match.
+// Unmarshal will only set exported fields of the struct.
+//
+// To unmarshal JSON into an interface value,
+// Unmarshal stores one of these in the interface value:
+//
+//	bool, for JSON booleans
+//	float64, for JSON numbers
+//	string, for JSON strings
+//	[]interface{}, for JSON arrays
+//	map[string]interface{}, for JSON objects
+//	nil for JSON null
+//
+// To unmarshal a JSON array into a slice, Unmarshal resets the slice length
+// to zero and then appends each element to the slice.
+// As a special case, to unmarshal an empty JSON array into a slice,
+// Unmarshal replaces the slice with a new empty slice.
+//
+// To unmarshal a JSON array into a Go array, Unmarshal decodes
+// JSON array elements into corresponding Go array elements.
+// If the Go array is smaller than the JSON array,
+// the additional JSON array elements are discarded.
+// If the JSON array is smaller than the Go array,
+// the additional Go array elements are set to zero values.
+//
+// To unmarshal a JSON object into a string-keyed map, Unmarshal first
+// establishes a map to use, If the map is nil, Unmarshal allocates a new map.
+// Otherwise Unmarshal reuses the existing map, keeping existing entries.
+// Unmarshal then stores key-value pairs from the JSON object into the map.
+//
+// If a JSON value is not appropriate for a given target type,
+// or if a JSON number overflows the target type, Unmarshal
+// skips that field and completes the unmarshaling as best it can.
+// If no more serious errors are encountered, Unmarshal returns
+// an UnmarshalTypeError describing the earliest such error.
+//
+// The JSON null value unmarshals into an interface, map, pointer, or slice
+// by setting that Go value to nil. Because null is often used in JSON to mean
+// ``not present,'' unmarshaling a JSON null into any other Go type has no effect
+// on the value and produces no error.
+//
+// When unmarshaling quoted strings, invalid UTF-8 or
+// invalid UTF-16 surrogate pairs are not treated as an error.
+// Instead, they are replaced by the Unicode replacement
+// character U+FFFD.
+//
+func Unmarshal(data []byte, v interface{}) error {
+	// Check for well-formedness.
+	// Avoids filling out half a data structure
+	// before discovering a JSON syntax error.
+	var d decodeState
+	err := checkValid(data, &d.scan)
+	if err != nil {
+		return err
+	}
+
+	d.init(data)
+	return d.unmarshal(v)
+}
+
+// Unmarshaler is the interface implemented by objects
+// that can unmarshal a JSON description of themselves.
+// The input can be assumed to be a valid encoding of
+// a JSON value. UnmarshalJSON must copy the JSON data
+// if it wishes to retain the data after returning.
+type Unmarshaler interface {
+	UnmarshalJSON([]byte) error
+}
+
+// An UnmarshalTypeError describes a JSON value that was
+// not appropriate for a value of a specific Go type.
+type UnmarshalTypeError struct {
+	Value  string       // description of JSON value - "bool", "array", "number -5"
+	Type   reflect.Type // type of Go value it could not be assigned to
+	Offset int64        // error occurred after reading Offset bytes
+}
+
+func (e *UnmarshalTypeError) Error() string {
+	return "json: cannot unmarshal " + e.Value + " into Go value of type " + e.Type.String()
+}
+
+// An UnmarshalFieldError describes a JSON object key that
+// led to an unexported (and therefore unwritable) struct field.
+// (No longer used; kept for compatibility.)
+type UnmarshalFieldError struct {
+	Key   string
+	Type  reflect.Type
+	Field reflect.StructField
+}
+
+func (e *UnmarshalFieldError) Error() string {
+	return "json: cannot unmarshal object key " + strconv.Quote(e.Key) + " into unexported field " + e.Field.Name + " of type " + e.Type.String()
+}
+
+// An InvalidUnmarshalError describes an invalid argument passed to Unmarshal.
+// (The argument to Unmarshal must be a non-nil pointer.)
+type InvalidUnmarshalError struct {
+	Type reflect.Type
+}
+
+func (e *InvalidUnmarshalError) Error() string {
+	if e.Type == nil {
+		return "json: Unmarshal(nil)"
+	}
+
+	if e.Type.Kind() != reflect.Ptr {
+		return "json: Unmarshal(non-pointer " + e.Type.String() + ")"
+	}
+	return "json: Unmarshal(nil " + e.Type.String() + ")"
+}
+
+func (d *decodeState) unmarshal(v interface{}) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			if _, ok := r.(runtime.Error); ok {
+				panic(r)
+			}
+			err = r.(error)
+		}
+	}()
+
+	rv := reflect.ValueOf(v)
+	if rv.Kind() != reflect.Ptr || rv.IsNil() {
+		return &InvalidUnmarshalError{reflect.TypeOf(v)}
+	}
+
+	d.scan.reset()
+	// We decode rv not rv.Elem because the Unmarshaler interface
+	// test must be applied at the top level of the value.
+	d.value(rv)
+	return d.savedError
+}
+
+// A Number represents a JSON number literal.
+type Number string
+
+// String returns the literal text of the number.
+func (n Number) String() string { return string(n) }
+
+// Float64 returns the number as a float64.
+func (n Number) Float64() (float64, error) {
+	return strconv.ParseFloat(string(n), 64)
+}
+
+// Int64 returns the number as an int64.
+func (n Number) Int64() (int64, error) {
+	return strconv.ParseInt(string(n), 10, 64)
+}
+
+// isValidNumber reports whether s is a valid JSON number literal.
+func isValidNumber(s string) bool {
+	// This function implements the JSON numbers grammar.
+	// See https://tools.ietf.org/html/rfc7159#section-6
+	// and http://json.org/number.gif
+
+	if s == "" {
+		return false
+	}
+
+	// Optional -
+	if s[0] == '-' {
+		s = s[1:]
+		if s == "" {
+			return false
+		}
+	}
+
+	// Digits
+	switch {
+	default:
+		return false
+
+	case s[0] == '0':
+		s = s[1:]
+
+	case '1' <= s[0] && s[0] <= '9':
+		s = s[1:]
+		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
+			s = s[1:]
+		}
+	}
+
+	// . followed by 1 or more digits.
+	if len(s) >= 2 && s[0] == '.' && '0' <= s[1] && s[1] <= '9' {
+		s = s[2:]
+		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
+			s = s[1:]
+		}
+	}
+
+	// e or E followed by an optional - or + and
+	// 1 or more digits.
+	if len(s) >= 2 && (s[0] == 'e' || s[0] == 'E') {
+		s = s[1:]
+		if s[0] == '+' || s[0] == '-' {
+			s = s[1:]
+			if s == "" {
+				return false
+			}
+		}
+		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
+			s = s[1:]
+		}
+	}
+
+	// Make sure we are at the end.
+	return s == ""
+}
+
+type NumberUnmarshalType int
+
+const (
+	// unmarshal a JSON number into an interface{} as a float64
+	UnmarshalFloat NumberUnmarshalType = iota
+	// unmarshal a JSON number into an interface{} as a `json.Number`
+	UnmarshalJSONNumber
+	// unmarshal a JSON number into an interface{} as a int64
+	// if value is an integer otherwise float64
+	UnmarshalIntOrFloat
+)
+
+// decodeState represents the state while decoding a JSON value.
+type decodeState struct {
+	data       []byte
+	off        int // read offset in data
+	scan       scanner
+	nextscan   scanner // for calls to nextValue
+	savedError error
+	numberType NumberUnmarshalType
+}
+
+// errPhase is used for errors that should not happen unless
+// there is a bug in the JSON decoder or something is editing
+// the data slice while the decoder executes.
+var errPhase = errors.New("JSON decoder out of sync - data changing underfoot?")
+
+func (d *decodeState) init(data []byte) *decodeState {
+	d.data = data
+	d.off = 0
+	d.savedError = nil
+	return d
+}
+
+// error aborts the decoding by panicking with err.
+func (d *decodeState) error(err error) {
+	panic(err)
+}
+
+// saveError saves the first err it is called with,
+// for reporting at the end of the unmarshal.
+func (d *decodeState) saveError(err error) {
+	if d.savedError == nil {
+		d.savedError = err
+	}
+}
+
+// next cuts off and returns the next full JSON value in d.data[d.off:].
+// The next value is known to be an object or array, not a literal.
+func (d *decodeState) next() []byte {
+	c := d.data[d.off]
+	item, rest, err := nextValue(d.data[d.off:], &d.nextscan)
+	if err != nil {
+		d.error(err)
+	}
+	d.off = len(d.data) - len(rest)
+
+	// Our scanner has seen the opening brace/bracket
+	// and thinks we're still in the middle of the object.
+	// invent a closing brace/bracket to get it out.
+	if c == '{' {
+		d.scan.step(&d.scan, '}')
+	} else {
+		d.scan.step(&d.scan, ']')
+	}
+
+	return item
+}
+
+// scanWhile processes bytes in d.data[d.off:] until it
+// receives a scan code not equal to op.
+// It updates d.off and returns the new scan code.
+func (d *decodeState) scanWhile(op int) int {
+	var newOp int
+	for {
+		if d.off >= len(d.data) {
+			newOp = d.scan.eof()
+			d.off = len(d.data) + 1 // mark processed EOF with len+1
+		} else {
+			c := d.data[d.off]
+			d.off++
+			newOp = d.scan.step(&d.scan, c)
+		}
+		if newOp != op {
+			break
+		}
+	}
+	return newOp
+}
+
+// value decodes a JSON value from d.data[d.off:] into the value.
+// it updates d.off to point past the decoded value.
+func (d *decodeState) value(v reflect.Value) {
+	if !v.IsValid() {
+		_, rest, err := nextValue(d.data[d.off:], &d.nextscan)
+		if err != nil {
+			d.error(err)
+		}
+		d.off = len(d.data) - len(rest)
+
+		// d.scan thinks we're still at the beginning of the item.
+		// Feed in an empty string - the shortest, simplest value -
+		// so that it knows we got to the end of the value.
+		if d.scan.redo {
+			// rewind.
+			d.scan.redo = false
+			d.scan.step = stateBeginValue
+		}
+		d.scan.step(&d.scan, '"')
+		d.scan.step(&d.scan, '"')
+
+		n := len(d.scan.parseState)
+		if n > 0 && d.scan.parseState[n-1] == parseObjectKey {
+			// d.scan thinks we just read an object key; finish the object
+			d.scan.step(&d.scan, ':')
+			d.scan.step(&d.scan, '"')
+			d.scan.step(&d.scan, '"')
+			d.scan.step(&d.scan, '}')
+		}
+
+		return
+	}
+
+	switch op := d.scanWhile(scanSkipSpace); op {
+	default:
+		d.error(errPhase)
+
+	case scanBeginArray:
+		d.array(v)
+
+	case scanBeginObject:
+		d.object(v)
+
+	case scanBeginLiteral:
+		d.literal(v)
+	}
+}
+
+type unquotedValue struct{}
+
+// valueQuoted is like value but decodes a
+// quoted string literal or literal null into an interface value.
+// If it finds anything other than a quoted string literal or null,
+// valueQuoted returns unquotedValue{}.
+func (d *decodeState) valueQuoted() interface{} {
+	switch op := d.scanWhile(scanSkipSpace); op {
+	default:
+		d.error(errPhase)
+
+	case scanBeginArray:
+		d.array(reflect.Value{})
+
+	case scanBeginObject:
+		d.object(reflect.Value{})
+
+	case scanBeginLiteral:
+		switch v := d.literalInterface().(type) {
+		case nil, string:
+			return v
+		}
+	}
+	return unquotedValue{}
+}
+
+// indirect walks down v allocating pointers as needed,
+// until it gets to a non-pointer.
+// if it encounters an Unmarshaler, indirect stops and returns that.
+// if decodingNull is true, indirect stops at the last pointer so it can be set to nil.
+func (d *decodeState) indirect(v reflect.Value, decodingNull bool) (Unmarshaler, encoding.TextUnmarshaler, reflect.Value) {
+	// If v is a named type and is addressable,
+	// start with its address, so that if the type has pointer methods,
+	// we find them.
+	if v.Kind() != reflect.Ptr && v.Type().Name() != "" && v.CanAddr() {
+		v = v.Addr()
+	}
+	for {
+		// Load value from interface, but only if the result will be
+		// usefully addressable.
+		if v.Kind() == reflect.Interface && !v.IsNil() {
+			e := v.Elem()
+			if e.Kind() == reflect.Ptr && !e.IsNil() && (!decodingNull || e.Elem().Kind() == reflect.Ptr) {
+				v = e
+				continue
+			}
+		}
+
+		if v.Kind() != reflect.Ptr {
+			break
+		}
+
+		if v.Elem().Kind() != reflect.Ptr && decodingNull && v.CanSet() {
+			break
+		}
+		if v.IsNil() {
+			v.Set(reflect.New(v.Type().Elem()))
+		}
+		if v.Type().NumMethod() > 0 {
+			if u, ok := v.Interface().(Unmarshaler); ok {
+				return u, nil, reflect.Value{}
+			}
+			if u, ok := v.Interface().(encoding.TextUnmarshaler); ok {
+				return nil, u, reflect.Value{}
+			}
+		}
+		v = v.Elem()
+	}
+	return nil, nil, v
+}
+
+// array consumes an array from d.data[d.off-1:], decoding into the value v.
+// the first byte of the array ('[') has been read already.
+func (d *decodeState) array(v reflect.Value) {
+	// Check for unmarshaler.
+	u, ut, pv := d.indirect(v, false)
+	if u != nil {
+		d.off--
+		err := u.UnmarshalJSON(d.next())
+		if err != nil {
+			d.error(err)
+		}
+		return
+	}
+	if ut != nil {
+		d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
+		d.off--
+		d.next()
+		return
+	}
+
+	v = pv
+
+	// Check type of target.
+	switch v.Kind() {
+	case reflect.Interface:
+		if v.NumMethod() == 0 {
+			// Decoding into nil interface?  Switch to non-reflect code.
+			v.Set(reflect.ValueOf(d.arrayInterface()))
+			return
+		}
+		// Otherwise it's invalid.
+		fallthrough
+	default:
+		d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
+		d.off--
+		d.next()
+		return
+	case reflect.Array:
+	case reflect.Slice:
+		break
+	}
+
+	i := 0
+	for {
+		// Look ahead for ] - can only happen on first iteration.
+		op := d.scanWhile(scanSkipSpace)
+		if op == scanEndArray {
+			break
+		}
+
+		// Back up so d.value can have the byte we just read.
+		d.off--
+		d.scan.undo(op)
+
+		// Get element of array, growing if necessary.
+		if v.Kind() == reflect.Slice {
+			// Grow slice if necessary
+			if i >= v.Cap() {
+				newcap := v.Cap() + v.Cap()/2
+				if newcap < 4 {
+					newcap = 4
+				}
+				newv := reflect.MakeSlice(v.Type(), v.Len(), newcap)
+				reflect.Copy(newv, v)
+				v.Set(newv)
+			}
+			if i >= v.Len() {
+				v.SetLen(i + 1)
+			}
+		}
+
+		if i < v.Len() {
+			// Decode into element.
+			d.value(v.Index(i))
+		} else {
+			// Ran out of fixed array: skip.
+			d.value(reflect.Value{})
+		}
+		i++
+
+		// Next token must be , or ].
+		op = d.scanWhile(scanSkipSpace)
+		if op == scanEndArray {
+			break
+		}
+		if op != scanArrayValue {
+			d.error(errPhase)
+		}
+	}
+
+	if i < v.Len() {
+		if v.Kind() == reflect.Array {
+			// Array.  Zero the rest.
+			z := reflect.Zero(v.Type().Elem())
+			for ; i < v.Len(); i++ {
+				v.Index(i).Set(z)
+			}
+		} else {
+			v.SetLen(i)
+		}
+	}
+	if i == 0 && v.Kind() == reflect.Slice {
+		v.Set(reflect.MakeSlice(v.Type(), 0, 0))
+	}
+}
+
+var nullLiteral = []byte("null")
+
+// object consumes an object from d.data[d.off-1:], decoding into the value v.
+// the first byte ('{') of the object has been read already.
+func (d *decodeState) object(v reflect.Value) {
+	// Check for unmarshaler.
+	u, ut, pv := d.indirect(v, false)
+	if u != nil {
+		d.off--
+		err := u.UnmarshalJSON(d.next())
+		if err != nil {
+			d.error(err)
+		}
+		return
+	}
+	if ut != nil {
+		d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
+		d.off--
+		d.next() // skip over { } in input
+		return
+	}
+	v = pv
+
+	// Decoding into nil interface?  Switch to non-reflect code.
+	if v.Kind() == reflect.Interface && v.NumMethod() == 0 {
+		v.Set(reflect.ValueOf(d.objectInterface()))
+		return
+	}
+
+	// Check type of target: struct or map[string]T
+	switch v.Kind() {
+	case reflect.Map:
+		// map must have string kind
+		t := v.Type()
+		if t.Key().Kind() != reflect.String {
+			d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
+			d.off--
+			d.next() // skip over { } in input
+			return
+		}
+		if v.IsNil() {
+			v.Set(reflect.MakeMap(t))
+		}
+	case reflect.Struct:
+
+	default:
+		d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
+		d.off--
+		d.next() // skip over { } in input
+		return
+	}
+
+	var mapElem reflect.Value
+	keys := map[string]bool{}
+
+	for {
+		// Read opening " of string key or closing }.
+		op := d.scanWhile(scanSkipSpace)
+		if op == scanEndObject {
+			// closing } - can only happen on first iteration.
+			break
+		}
+		if op != scanBeginLiteral {
+			d.error(errPhase)
+		}
+
+		// Read key.
+		start := d.off - 1
+		op = d.scanWhile(scanContinue)
+		item := d.data[start : d.off-1]
+		key, ok := unquote(item)
+		if !ok {
+			d.error(errPhase)
+		}
+
+		// Check for duplicate keys.
+		_, ok = keys[key]
+		if !ok {
+			keys[key] = true
+		} else {
+			d.error(fmt.Errorf("json: duplicate key '%s' in object", key))
+		}
+
+		// Figure out field corresponding to key.
+		var subv reflect.Value
+		destring := false // whether the value is wrapped in a string to be decoded first
+
+		if v.Kind() == reflect.Map {
+			elemType := v.Type().Elem()
+			if !mapElem.IsValid() {
+				mapElem = reflect.New(elemType).Elem()
+			} else {
+				mapElem.Set(reflect.Zero(elemType))
+			}
+			subv = mapElem
+		} else {
+			var f *field
+			fields := cachedTypeFields(v.Type())
+			for i := range fields {
+				ff := &fields[i]
+				if bytes.Equal(ff.nameBytes, []byte(key)) {
+					f = ff
+					break
+				}
+			}
+			if f != nil {
+				subv = v
+				destring = f.quoted
+				for _, i := range f.index {
+					if subv.Kind() == reflect.Ptr {
+						if subv.IsNil() {
+							subv.Set(reflect.New(subv.Type().Elem()))
+						}
+						subv = subv.Elem()
+					}
+					subv = subv.Field(i)
+				}
+			}
+		}
+
+		// Read : before value.
+		if op == scanSkipSpace {
+			op = d.scanWhile(scanSkipSpace)
+		}
+		if op != scanObjectKey {
+			d.error(errPhase)
+		}
+
+		// Read value.
+		if destring {
+			switch qv := d.valueQuoted().(type) {
+			case nil:
+				d.literalStore(nullLiteral, subv, false)
+			case string:
+				d.literalStore([]byte(qv), subv, true)
+			default:
+				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal unquoted value into %v", subv.Type()))
+			}
+		} else {
+			d.value(subv)
+		}
+
+		// Write value back to map;
+		// if using struct, subv points into struct already.
+		if v.Kind() == reflect.Map {
+			kv := reflect.ValueOf(key).Convert(v.Type().Key())
+			v.SetMapIndex(kv, subv)
+		}
+
+		// Next token must be , or }.
+		op = d.scanWhile(scanSkipSpace)
+		if op == scanEndObject {
+			break
+		}
+		if op != scanObjectValue {
+			d.error(errPhase)
+		}
+	}
+}
+
+// literal consumes a literal from d.data[d.off-1:], decoding into the value v.
+// The first byte of the literal has been read already
+// (that's how the caller knows it's a literal).
+func (d *decodeState) literal(v reflect.Value) {
+	// All bytes inside literal return scanContinue op code.
+	start := d.off - 1
+	op := d.scanWhile(scanContinue)
+
+	// Scan read one byte too far; back up.
+	d.off--
+	d.scan.undo(op)
+
+	d.literalStore(d.data[start:d.off], v, false)
+}
+
+// convertNumber converts the number literal s to a float64, int64 or a Number
+// depending on d.numberDecodeType.
+func (d *decodeState) convertNumber(s string) (interface{}, error) {
+	switch d.numberType {
+
+	case UnmarshalJSONNumber:
+		return Number(s), nil
+	case UnmarshalIntOrFloat:
+		v, err := strconv.ParseInt(s, 10, 64)
+		if err == nil {
+			return v, nil
+		}
+
+		// tries to parse integer number in scientific notation
+		f, err := strconv.ParseFloat(s, 64)
+		if err != nil {
+			return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
+		}
+
+		// if it has no decimal value use int64
+		if fi, fd := math.Modf(f); fd == 0.0 {
+			return int64(fi), nil
+		}
+		return f, nil
+	default:
+		f, err := strconv.ParseFloat(s, 64)
+		if err != nil {
+			return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
+		}
+		return f, nil
+	}
+
+}
+
+var numberType = reflect.TypeOf(Number(""))
+
+// literalStore decodes a literal stored in item into v.
+//
+// fromQuoted indicates whether this literal came from unwrapping a
+// string from the ",string" struct tag option. this is used only to
+// produce more helpful error messages.
+func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool) {
+	// Check for unmarshaler.
+	if len(item) == 0 {
+		//Empty string given
+		d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+		return
+	}
+	wantptr := item[0] == 'n' // null
+	u, ut, pv := d.indirect(v, wantptr)
+	if u != nil {
+		err := u.UnmarshalJSON(item)
+		if err != nil {
+			d.error(err)
+		}
+		return
+	}
+	if ut != nil {
+		if item[0] != '"' {
+			if fromQuoted {
+				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+			} else {
+				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
+			}
+			return
+		}
+		s, ok := unquoteBytes(item)
+		if !ok {
+			if fromQuoted {
+				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+			} else {
+				d.error(errPhase)
+			}
+		}
+		err := ut.UnmarshalText(s)
+		if err != nil {
+			d.error(err)
+		}
+		return
+	}
+
+	v = pv
+
+	switch c := item[0]; c {
+	case 'n': // null
+		switch v.Kind() {
+		case reflect.Interface, reflect.Ptr, reflect.Map, reflect.Slice:
+			v.Set(reflect.Zero(v.Type()))
+			// otherwise, ignore null for primitives/string
+		}
+	case 't', 'f': // true, false
+		value := c == 't'
+		switch v.Kind() {
+		default:
+			if fromQuoted {
+				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+			} else {
+				d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
+			}
+		case reflect.Bool:
+			v.SetBool(value)
+		case reflect.Interface:
+			if v.NumMethod() == 0 {
+				v.Set(reflect.ValueOf(value))
+			} else {
+				d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
+			}
+		}
+
+	case '"': // string
+		s, ok := unquoteBytes(item)
+		if !ok {
+			if fromQuoted {
+				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+			} else {
+				d.error(errPhase)
+			}
+		}
+		switch v.Kind() {
+		default:
+			d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
+		case reflect.Slice:
+			if v.Type().Elem().Kind() != reflect.Uint8 {
+				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
+				break
+			}
+			b := make([]byte, base64.StdEncoding.DecodedLen(len(s)))
+			n, err := base64.StdEncoding.Decode(b, s)
+			if err != nil {
+				d.saveError(err)
+				break
+			}
+			v.SetBytes(b[:n])
+		case reflect.String:
+			v.SetString(string(s))
+		case reflect.Interface:
+			if v.NumMethod() == 0 {
+				v.Set(reflect.ValueOf(string(s)))
+			} else {
+				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
+			}
+		}
+
+	default: // number
+		if c != '-' && (c < '0' || c > '9') {
+			if fromQuoted {
+				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+			} else {
+				d.error(errPhase)
+			}
+		}
+		s := string(item)
+		switch v.Kind() {
+		default:
+			if v.Kind() == reflect.String && v.Type() == numberType {
+				v.SetString(s)
+				if !isValidNumber(s) {
+					d.error(fmt.Errorf("json: invalid number literal, trying to unmarshal %q into Number", item))
+				}
+				break
+			}
+			if fromQuoted {
+				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+			} else {
+				d.error(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
+			}
+		case reflect.Interface:
+			n, err := d.convertNumber(s)
+			if err != nil {
+				d.saveError(err)
+				break
+			}
+			if v.NumMethod() != 0 {
+				d.saveError(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
+				break
+			}
+			v.Set(reflect.ValueOf(n))
+
+		case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+			n, err := strconv.ParseInt(s, 10, 64)
+			if err != nil || v.OverflowInt(n) {
+				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
+				break
+			}
+			v.SetInt(n)
+
+		case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+			n, err := strconv.ParseUint(s, 10, 64)
+			if err != nil || v.OverflowUint(n) {
+				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
+				break
+			}
+			v.SetUint(n)
+
+		case reflect.Float32, reflect.Float64:
+			n, err := strconv.ParseFloat(s, v.Type().Bits())
+			if err != nil || v.OverflowFloat(n) {
+				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
+				break
+			}
+			v.SetFloat(n)
+		}
+	}
+}
+
+// The xxxInterface routines build up a value to be stored
+// in an empty interface.  They are not strictly necessary,
+// but they avoid the weight of reflection in this common case.
+
+// valueInterface is like value but returns interface{}
+func (d *decodeState) valueInterface() interface{} {
+	switch d.scanWhile(scanSkipSpace) {
+	default:
+		d.error(errPhase)
+		panic("unreachable")
+	case scanBeginArray:
+		return d.arrayInterface()
+	case scanBeginObject:
+		return d.objectInterface()
+	case scanBeginLiteral:
+		return d.literalInterface()
+	}
+}
+
+// arrayInterface is like array but returns []interface{}.
+func (d *decodeState) arrayInterface() []interface{} {
+	var v = make([]interface{}, 0)
+	for {
+		// Look ahead for ] - can only happen on first iteration.
+		op := d.scanWhile(scanSkipSpace)
+		if op == scanEndArray {
+			break
+		}
+
+		// Back up so d.value can have the byte we just read.
+		d.off--
+		d.scan.undo(op)
+
+		v = append(v, d.valueInterface())
+
+		// Next token must be , or ].
+		op = d.scanWhile(scanSkipSpace)
+		if op == scanEndArray {
+			break
+		}
+		if op != scanArrayValue {
+			d.error(errPhase)
+		}
+	}
+	return v
+}
+
+// objectInterface is like object but returns map[string]interface{}.
+func (d *decodeState) objectInterface() map[string]interface{} {
+	m := make(map[string]interface{})
+	keys := map[string]bool{}
+
+	for {
+		// Read opening " of string key or closing }.
+		op := d.scanWhile(scanSkipSpace)
+		if op == scanEndObject {
+			// closing } - can only happen on first iteration.
+			break
+		}
+		if op != scanBeginLiteral {
+			d.error(errPhase)
+		}
+
+		// Read string key.
+		start := d.off - 1
+		op = d.scanWhile(scanContinue)
+		item := d.data[start : d.off-1]
+		key, ok := unquote(item)
+		if !ok {
+			d.error(errPhase)
+		}
+
+		// Check for duplicate keys.
+		_, ok = keys[key]
+		if !ok {
+			keys[key] = true
+		} else {
+			d.error(fmt.Errorf("json: duplicate key '%s' in object", key))
+		}
+
+		// Read : before value.
+		if op == scanSkipSpace {
+			op = d.scanWhile(scanSkipSpace)
+		}
+		if op != scanObjectKey {
+			d.error(errPhase)
+		}
+
+		// Read value.
+		m[key] = d.valueInterface()
+
+		// Next token must be , or }.
+		op = d.scanWhile(scanSkipSpace)
+		if op == scanEndObject {
+			break
+		}
+		if op != scanObjectValue {
+			d.error(errPhase)
+		}
+	}
+	return m
+}
+
+// literalInterface is like literal but returns an interface value.
+func (d *decodeState) literalInterface() interface{} {
+	// All bytes inside literal return scanContinue op code.
+	start := d.off - 1
+	op := d.scanWhile(scanContinue)
+
+	// Scan read one byte too far; back up.
+	d.off--
+	d.scan.undo(op)
+	item := d.data[start:d.off]
+
+	switch c := item[0]; c {
+	case 'n': // null
+		return nil
+
+	case 't', 'f': // true, false
+		return c == 't'
+
+	case '"': // string
+		s, ok := unquote(item)
+		if !ok {
+			d.error(errPhase)
+		}
+		return s
+
+	default: // number
+		if c != '-' && (c < '0' || c > '9') {
+			d.error(errPhase)
+		}
+		n, err := d.convertNumber(string(item))
+		if err != nil {
+			d.saveError(err)
+		}
+		return n
+	}
+}
+
+// getu4 decodes \uXXXX from the beginning of s, returning the hex value,
+// or it returns -1.
+func getu4(s []byte) rune {
+	if len(s) < 6 || s[0] != '\\' || s[1] != 'u' {
+		return -1
+	}
+	r, err := strconv.ParseUint(string(s[2:6]), 16, 64)
+	if err != nil {
+		return -1
+	}
+	return rune(r)
+}
+
+// unquote converts a quoted JSON string literal s into an actual string t.
+// The rules are different than for Go, so cannot use strconv.Unquote.
+func unquote(s []byte) (t string, ok bool) {
+	s, ok = unquoteBytes(s)
+	t = string(s)
+	return
+}
+
+func unquoteBytes(s []byte) (t []byte, ok bool) {
+	if len(s) < 2 || s[0] != '"' || s[len(s)-1] != '"' {
+		return
+	}
+	s = s[1 : len(s)-1]
+
+	// Check for unusual characters. If there are none,
+	// then no unquoting is needed, so return a slice of the
+	// original bytes.
+	r := 0
+	for r < len(s) {
+		c := s[r]
+		if c == '\\' || c == '"' || c < ' ' {
+			break
+		}
+		if c < utf8.RuneSelf {
+			r++
+			continue
+		}
+		rr, size := utf8.DecodeRune(s[r:])
+		if rr == utf8.RuneError && size == 1 {
+			break
+		}
+		r += size
+	}
+	if r == len(s) {
+		return s, true
+	}
+
+	b := make([]byte, len(s)+2*utf8.UTFMax)
+	w := copy(b, s[0:r])
+	for r < len(s) {
+		// Out of room?  Can only happen if s is full of
+		// malformed UTF-8 and we're replacing each
+		// byte with RuneError.
+		if w >= len(b)-2*utf8.UTFMax {
+			nb := make([]byte, (len(b)+utf8.UTFMax)*2)
+			copy(nb, b[0:w])
+			b = nb
+		}
+		switch c := s[r]; {
+		case c == '\\':
+			r++
+			if r >= len(s) {
+				return
+			}
+			switch s[r] {
+			default:
+				return
+			case '"', '\\', '/', '\'':
+				b[w] = s[r]
+				r++
+				w++
+			case 'b':
+				b[w] = '\b'
+				r++
+				w++
+			case 'f':
+				b[w] = '\f'
+				r++
+				w++
+			case 'n':
+				b[w] = '\n'
+				r++
+				w++
+			case 'r':
+				b[w] = '\r'
+				r++
+				w++
+			case 't':
+				b[w] = '\t'
+				r++
+				w++
+			case 'u':
+				r--
+				rr := getu4(s[r:])
+				if rr < 0 {
+					return
+				}
+				r += 6
+				if utf16.IsSurrogate(rr) {
+					rr1 := getu4(s[r:])
+					if dec := utf16.DecodeRune(rr, rr1); dec != unicode.ReplacementChar {
+						// A valid pair; consume.
+						r += 6
+						w += utf8.EncodeRune(b[w:], dec)
+						break
+					}
+					// Invalid surrogate; fall back to replacement rune.
+					rr = unicode.ReplacementChar
+				}
+				w += utf8.EncodeRune(b[w:], rr)
+			}
+
+		// Quote, control characters are invalid.
+		case c == '"', c < ' ':
+			return
+
+		// ASCII
+		case c < utf8.RuneSelf:
+			b[w] = c
+			r++
+			w++
+
+		// Coerce to well-formed UTF-8.
+		default:
+			rr, size := utf8.DecodeRune(s[r:])
+			r += size
+			w += utf8.EncodeRune(b[w:], rr)
+		}
+	}
+	return b[0:w], true
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/encode.go b/vendor/gopkg.in/go-jose/go-jose.v2/json/encode.go
new file mode 100644
index 00000000..1dae8bb7
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/json/encode.go
@@ -0,0 +1,1197 @@
+// Copyright 2010 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package json implements encoding and decoding of JSON objects as defined in
+// RFC 4627. The mapping between JSON objects and Go values is described
+// in the documentation for the Marshal and Unmarshal functions.
+//
+// See "JSON and Go" for an introduction to this package:
+// https://golang.org/doc/articles/json_and_go.html
+package json
+
+import (
+	"bytes"
+	"encoding"
+	"encoding/base64"
+	"fmt"
+	"math"
+	"reflect"
+	"runtime"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"unicode"
+	"unicode/utf8"
+)
+
+// Marshal returns the JSON encoding of v.
+//
+// Marshal traverses the value v recursively.
+// If an encountered value implements the Marshaler interface
+// and is not a nil pointer, Marshal calls its MarshalJSON method
+// to produce JSON. If no MarshalJSON method is present but the
+// value implements encoding.TextMarshaler instead, Marshal calls
+// its MarshalText method.
+// The nil pointer exception is not strictly necessary
+// but mimics a similar, necessary exception in the behavior of
+// UnmarshalJSON.
+//
+// Otherwise, Marshal uses the following type-dependent default encodings:
+//
+// Boolean values encode as JSON booleans.
+//
+// Floating point, integer, and Number values encode as JSON numbers.
+//
+// String values encode as JSON strings coerced to valid UTF-8,
+// replacing invalid bytes with the Unicode replacement rune.
+// The angle brackets "<" and ">" are escaped to "\u003c" and "\u003e"
+// to keep some browsers from misinterpreting JSON output as HTML.
+// Ampersand "&" is also escaped to "\u0026" for the same reason.
+//
+// Array and slice values encode as JSON arrays, except that
+// []byte encodes as a base64-encoded string, and a nil slice
+// encodes as the null JSON object.
+//
+// Struct values encode as JSON objects. Each exported struct field
+// becomes a member of the object unless
+//   - the field's tag is "-", or
+//   - the field is empty and its tag specifies the "omitempty" option.
+// The empty values are false, 0, any
+// nil pointer or interface value, and any array, slice, map, or string of
+// length zero. The object's default key string is the struct field name
+// but can be specified in the struct field's tag value. The "json" key in
+// the struct field's tag value is the key name, followed by an optional comma
+// and options. Examples:
+//
+//   // Field is ignored by this package.
+//   Field int `json:"-"`
+//
+//   // Field appears in JSON as key "myName".
+//   Field int `json:"myName"`
+//
+//   // Field appears in JSON as key "myName" and
+//   // the field is omitted from the object if its value is empty,
+//   // as defined above.
+//   Field int `json:"myName,omitempty"`
+//
+//   // Field appears in JSON as key "Field" (the default), but
+//   // the field is skipped if empty.
+//   // Note the leading comma.
+//   Field int `json:",omitempty"`
+//
+// The "string" option signals that a field is stored as JSON inside a
+// JSON-encoded string. It applies only to fields of string, floating point,
+// integer, or boolean types. This extra level of encoding is sometimes used
+// when communicating with JavaScript programs:
+//
+//    Int64String int64 `json:",string"`
+//
+// The key name will be used if it's a non-empty string consisting of
+// only Unicode letters, digits, dollar signs, percent signs, hyphens,
+// underscores and slashes.
+//
+// Anonymous struct fields are usually marshaled as if their inner exported fields
+// were fields in the outer struct, subject to the usual Go visibility rules amended
+// as described in the next paragraph.
+// An anonymous struct field with a name given in its JSON tag is treated as
+// having that name, rather than being anonymous.
+// An anonymous struct field of interface type is treated the same as having
+// that type as its name, rather than being anonymous.
+//
+// The Go visibility rules for struct fields are amended for JSON when
+// deciding which field to marshal or unmarshal. If there are
+// multiple fields at the same level, and that level is the least
+// nested (and would therefore be the nesting level selected by the
+// usual Go rules), the following extra rules apply:
+//
+// 1) Of those fields, if any are JSON-tagged, only tagged fields are considered,
+// even if there are multiple untagged fields that would otherwise conflict.
+// 2) If there is exactly one field (tagged or not according to the first rule), that is selected.
+// 3) Otherwise there are multiple fields, and all are ignored; no error occurs.
+//
+// Handling of anonymous struct fields is new in Go 1.1.
+// Prior to Go 1.1, anonymous struct fields were ignored. To force ignoring of
+// an anonymous struct field in both current and earlier versions, give the field
+// a JSON tag of "-".
+//
+// Map values encode as JSON objects.
+// The map's key type must be string; the map keys are used as JSON object
+// keys, subject to the UTF-8 coercion described for string values above.
+//
+// Pointer values encode as the value pointed to.
+// A nil pointer encodes as the null JSON object.
+//
+// Interface values encode as the value contained in the interface.
+// A nil interface value encodes as the null JSON object.
+//
+// Channel, complex, and function values cannot be encoded in JSON.
+// Attempting to encode such a value causes Marshal to return
+// an UnsupportedTypeError.
+//
+// JSON cannot represent cyclic data structures and Marshal does not
+// handle them.  Passing cyclic structures to Marshal will result in
+// an infinite recursion.
+//
+func Marshal(v interface{}) ([]byte, error) {
+	e := &encodeState{}
+	err := e.marshal(v)
+	if err != nil {
+		return nil, err
+	}
+	return e.Bytes(), nil
+}
+
+// MarshalIndent is like Marshal but applies Indent to format the output.
+func MarshalIndent(v interface{}, prefix, indent string) ([]byte, error) {
+	b, err := Marshal(v)
+	if err != nil {
+		return nil, err
+	}
+	var buf bytes.Buffer
+	err = Indent(&buf, b, prefix, indent)
+	if err != nil {
+		return nil, err
+	}
+	return buf.Bytes(), nil
+}
+
+// HTMLEscape appends to dst the JSON-encoded src with <, >, &, U+2028 and U+2029
+// characters inside string literals changed to \u003c, \u003e, \u0026, \u2028, \u2029
+// so that the JSON will be safe to embed inside HTML <script> tags.
+// For historical reasons, web browsers don't honor standard HTML
+// escaping within <script> tags, so an alternative JSON encoding must
+// be used.
+func HTMLEscape(dst *bytes.Buffer, src []byte) {
+	// The characters can only appear in string literals,
+	// so just scan the string one byte at a time.
+	start := 0
+	for i, c := range src {
+		if c == '<' || c == '>' || c == '&' {
+			if start < i {
+				dst.Write(src[start:i])
+			}
+			dst.WriteString(`\u00`)
+			dst.WriteByte(hex[c>>4])
+			dst.WriteByte(hex[c&0xF])
+			start = i + 1
+		}
+		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
+		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
+			if start < i {
+				dst.Write(src[start:i])
+			}
+			dst.WriteString(`\u202`)
+			dst.WriteByte(hex[src[i+2]&0xF])
+			start = i + 3
+		}
+	}
+	if start < len(src) {
+		dst.Write(src[start:])
+	}
+}
+
+// Marshaler is the interface implemented by objects that
+// can marshal themselves into valid JSON.
+type Marshaler interface {
+	MarshalJSON() ([]byte, error)
+}
+
+// An UnsupportedTypeError is returned by Marshal when attempting
+// to encode an unsupported value type.
+type UnsupportedTypeError struct {
+	Type reflect.Type
+}
+
+func (e *UnsupportedTypeError) Error() string {
+	return "json: unsupported type: " + e.Type.String()
+}
+
+type UnsupportedValueError struct {
+	Value reflect.Value
+	Str   string
+}
+
+func (e *UnsupportedValueError) Error() string {
+	return "json: unsupported value: " + e.Str
+}
+
+// Before Go 1.2, an InvalidUTF8Error was returned by Marshal when
+// attempting to encode a string value with invalid UTF-8 sequences.
+// As of Go 1.2, Marshal instead coerces the string to valid UTF-8 by
+// replacing invalid bytes with the Unicode replacement rune U+FFFD.
+// This error is no longer generated but is kept for backwards compatibility
+// with programs that might mention it.
+type InvalidUTF8Error struct {
+	S string // the whole string value that caused the error
+}
+
+func (e *InvalidUTF8Error) Error() string {
+	return "json: invalid UTF-8 in string: " + strconv.Quote(e.S)
+}
+
+type MarshalerError struct {
+	Type reflect.Type
+	Err  error
+}
+
+func (e *MarshalerError) Error() string {
+	return "json: error calling MarshalJSON for type " + e.Type.String() + ": " + e.Err.Error()
+}
+
+var hex = "0123456789abcdef"
+
+// An encodeState encodes JSON into a bytes.Buffer.
+type encodeState struct {
+	bytes.Buffer // accumulated output
+	scratch      [64]byte
+}
+
+var encodeStatePool sync.Pool
+
+func newEncodeState() *encodeState {
+	if v := encodeStatePool.Get(); v != nil {
+		e := v.(*encodeState)
+		e.Reset()
+		return e
+	}
+	return new(encodeState)
+}
+
+func (e *encodeState) marshal(v interface{}) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			if _, ok := r.(runtime.Error); ok {
+				panic(r)
+			}
+			if s, ok := r.(string); ok {
+				panic(s)
+			}
+			err = r.(error)
+		}
+	}()
+	e.reflectValue(reflect.ValueOf(v))
+	return nil
+}
+
+func (e *encodeState) error(err error) {
+	panic(err)
+}
+
+func isEmptyValue(v reflect.Value) bool {
+	switch v.Kind() {
+	case reflect.Array, reflect.Map, reflect.Slice, reflect.String:
+		return v.Len() == 0
+	case reflect.Bool:
+		return !v.Bool()
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return v.Int() == 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return v.Uint() == 0
+	case reflect.Float32, reflect.Float64:
+		return v.Float() == 0
+	case reflect.Interface, reflect.Ptr:
+		return v.IsNil()
+	}
+	return false
+}
+
+func (e *encodeState) reflectValue(v reflect.Value) {
+	valueEncoder(v)(e, v, false)
+}
+
+type encoderFunc func(e *encodeState, v reflect.Value, quoted bool)
+
+var encoderCache struct {
+	sync.RWMutex
+	m map[reflect.Type]encoderFunc
+}
+
+func valueEncoder(v reflect.Value) encoderFunc {
+	if !v.IsValid() {
+		return invalidValueEncoder
+	}
+	return typeEncoder(v.Type())
+}
+
+func typeEncoder(t reflect.Type) encoderFunc {
+	encoderCache.RLock()
+	f := encoderCache.m[t]
+	encoderCache.RUnlock()
+	if f != nil {
+		return f
+	}
+
+	// To deal with recursive types, populate the map with an
+	// indirect func before we build it. This type waits on the
+	// real func (f) to be ready and then calls it.  This indirect
+	// func is only used for recursive types.
+	encoderCache.Lock()
+	if encoderCache.m == nil {
+		encoderCache.m = make(map[reflect.Type]encoderFunc)
+	}
+	var wg sync.WaitGroup
+	wg.Add(1)
+	encoderCache.m[t] = func(e *encodeState, v reflect.Value, quoted bool) {
+		wg.Wait()
+		f(e, v, quoted)
+	}
+	encoderCache.Unlock()
+
+	// Compute fields without lock.
+	// Might duplicate effort but won't hold other computations back.
+	f = newTypeEncoder(t, true)
+	wg.Done()
+	encoderCache.Lock()
+	encoderCache.m[t] = f
+	encoderCache.Unlock()
+	return f
+}
+
+var (
+	marshalerType     = reflect.TypeOf(new(Marshaler)).Elem()
+	textMarshalerType = reflect.TypeOf(new(encoding.TextMarshaler)).Elem()
+)
+
+// newTypeEncoder constructs an encoderFunc for a type.
+// The returned encoder only checks CanAddr when allowAddr is true.
+func newTypeEncoder(t reflect.Type, allowAddr bool) encoderFunc {
+	if t.Implements(marshalerType) {
+		return marshalerEncoder
+	}
+	if t.Kind() != reflect.Ptr && allowAddr {
+		if reflect.PtrTo(t).Implements(marshalerType) {
+			return newCondAddrEncoder(addrMarshalerEncoder, newTypeEncoder(t, false))
+		}
+	}
+
+	if t.Implements(textMarshalerType) {
+		return textMarshalerEncoder
+	}
+	if t.Kind() != reflect.Ptr && allowAddr {
+		if reflect.PtrTo(t).Implements(textMarshalerType) {
+			return newCondAddrEncoder(addrTextMarshalerEncoder, newTypeEncoder(t, false))
+		}
+	}
+
+	switch t.Kind() {
+	case reflect.Bool:
+		return boolEncoder
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return intEncoder
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return uintEncoder
+	case reflect.Float32:
+		return float32Encoder
+	case reflect.Float64:
+		return float64Encoder
+	case reflect.String:
+		return stringEncoder
+	case reflect.Interface:
+		return interfaceEncoder
+	case reflect.Struct:
+		return newStructEncoder(t)
+	case reflect.Map:
+		return newMapEncoder(t)
+	case reflect.Slice:
+		return newSliceEncoder(t)
+	case reflect.Array:
+		return newArrayEncoder(t)
+	case reflect.Ptr:
+		return newPtrEncoder(t)
+	default:
+		return unsupportedTypeEncoder
+	}
+}
+
+func invalidValueEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	e.WriteString("null")
+}
+
+func marshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	if v.Kind() == reflect.Ptr && v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	m := v.Interface().(Marshaler)
+	b, err := m.MarshalJSON()
+	if err == nil {
+		// copy JSON into buffer, checking validity.
+		err = compact(&e.Buffer, b, true)
+	}
+	if err != nil {
+		e.error(&MarshalerError{v.Type(), err})
+	}
+}
+
+func addrMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	va := v.Addr()
+	if va.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	m := va.Interface().(Marshaler)
+	b, err := m.MarshalJSON()
+	if err == nil {
+		// copy JSON into buffer, checking validity.
+		err = compact(&e.Buffer, b, true)
+	}
+	if err != nil {
+		e.error(&MarshalerError{v.Type(), err})
+	}
+}
+
+func textMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	if v.Kind() == reflect.Ptr && v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	m := v.Interface().(encoding.TextMarshaler)
+	b, err := m.MarshalText()
+	if err != nil {
+		e.error(&MarshalerError{v.Type(), err})
+	}
+	e.stringBytes(b)
+}
+
+func addrTextMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	va := v.Addr()
+	if va.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	m := va.Interface().(encoding.TextMarshaler)
+	b, err := m.MarshalText()
+	if err != nil {
+		e.error(&MarshalerError{v.Type(), err})
+	}
+	e.stringBytes(b)
+}
+
+func boolEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	if quoted {
+		e.WriteByte('"')
+	}
+	if v.Bool() {
+		e.WriteString("true")
+	} else {
+		e.WriteString("false")
+	}
+	if quoted {
+		e.WriteByte('"')
+	}
+}
+
+func intEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	b := strconv.AppendInt(e.scratch[:0], v.Int(), 10)
+	if quoted {
+		e.WriteByte('"')
+	}
+	e.Write(b)
+	if quoted {
+		e.WriteByte('"')
+	}
+}
+
+func uintEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	b := strconv.AppendUint(e.scratch[:0], v.Uint(), 10)
+	if quoted {
+		e.WriteByte('"')
+	}
+	e.Write(b)
+	if quoted {
+		e.WriteByte('"')
+	}
+}
+
+type floatEncoder int // number of bits
+
+func (bits floatEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
+	f := v.Float()
+	if math.IsInf(f, 0) || math.IsNaN(f) {
+		e.error(&UnsupportedValueError{v, strconv.FormatFloat(f, 'g', -1, int(bits))})
+	}
+	b := strconv.AppendFloat(e.scratch[:0], f, 'g', -1, int(bits))
+	if quoted {
+		e.WriteByte('"')
+	}
+	e.Write(b)
+	if quoted {
+		e.WriteByte('"')
+	}
+}
+
+var (
+	float32Encoder = (floatEncoder(32)).encode
+	float64Encoder = (floatEncoder(64)).encode
+)
+
+func stringEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	if v.Type() == numberType {
+		numStr := v.String()
+		// In Go1.5 the empty string encodes to "0", while this is not a valid number literal
+		// we keep compatibility so check validity after this.
+		if numStr == "" {
+			numStr = "0" // Number's zero-val
+		}
+		if !isValidNumber(numStr) {
+			e.error(fmt.Errorf("json: invalid number literal %q", numStr))
+		}
+		e.WriteString(numStr)
+		return
+	}
+	if quoted {
+		sb, err := Marshal(v.String())
+		if err != nil {
+			e.error(err)
+		}
+		e.string(string(sb))
+	} else {
+		e.string(v.String())
+	}
+}
+
+func interfaceEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	if v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	e.reflectValue(v.Elem())
+}
+
+func unsupportedTypeEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	e.error(&UnsupportedTypeError{v.Type()})
+}
+
+type structEncoder struct {
+	fields    []field
+	fieldEncs []encoderFunc
+}
+
+func (se *structEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
+	e.WriteByte('{')
+	first := true
+	for i, f := range se.fields {
+		fv := fieldByIndex(v, f.index)
+		if !fv.IsValid() || f.omitEmpty && isEmptyValue(fv) {
+			continue
+		}
+		if first {
+			first = false
+		} else {
+			e.WriteByte(',')
+		}
+		e.string(f.name)
+		e.WriteByte(':')
+		se.fieldEncs[i](e, fv, f.quoted)
+	}
+	e.WriteByte('}')
+}
+
+func newStructEncoder(t reflect.Type) encoderFunc {
+	fields := cachedTypeFields(t)
+	se := &structEncoder{
+		fields:    fields,
+		fieldEncs: make([]encoderFunc, len(fields)),
+	}
+	for i, f := range fields {
+		se.fieldEncs[i] = typeEncoder(typeByIndex(t, f.index))
+	}
+	return se.encode
+}
+
+type mapEncoder struct {
+	elemEnc encoderFunc
+}
+
+func (me *mapEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
+	if v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	e.WriteByte('{')
+	var sv stringValues = v.MapKeys()
+	sort.Sort(sv)
+	for i, k := range sv {
+		if i > 0 {
+			e.WriteByte(',')
+		}
+		e.string(k.String())
+		e.WriteByte(':')
+		me.elemEnc(e, v.MapIndex(k), false)
+	}
+	e.WriteByte('}')
+}
+
+func newMapEncoder(t reflect.Type) encoderFunc {
+	if t.Key().Kind() != reflect.String {
+		return unsupportedTypeEncoder
+	}
+	me := &mapEncoder{typeEncoder(t.Elem())}
+	return me.encode
+}
+
+func encodeByteSlice(e *encodeState, v reflect.Value, _ bool) {
+	if v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	s := v.Bytes()
+	e.WriteByte('"')
+	if len(s) < 1024 {
+		// for small buffers, using Encode directly is much faster.
+		dst := make([]byte, base64.StdEncoding.EncodedLen(len(s)))
+		base64.StdEncoding.Encode(dst, s)
+		e.Write(dst)
+	} else {
+		// for large buffers, avoid unnecessary extra temporary
+		// buffer space.
+		enc := base64.NewEncoder(base64.StdEncoding, e)
+		enc.Write(s)
+		enc.Close()
+	}
+	e.WriteByte('"')
+}
+
+// sliceEncoder just wraps an arrayEncoder, checking to make sure the value isn't nil.
+type sliceEncoder struct {
+	arrayEnc encoderFunc
+}
+
+func (se *sliceEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
+	if v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	se.arrayEnc(e, v, false)
+}
+
+func newSliceEncoder(t reflect.Type) encoderFunc {
+	// Byte slices get special treatment; arrays don't.
+	if t.Elem().Kind() == reflect.Uint8 {
+		return encodeByteSlice
+	}
+	enc := &sliceEncoder{newArrayEncoder(t)}
+	return enc.encode
+}
+
+type arrayEncoder struct {
+	elemEnc encoderFunc
+}
+
+func (ae *arrayEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
+	e.WriteByte('[')
+	n := v.Len()
+	for i := 0; i < n; i++ {
+		if i > 0 {
+			e.WriteByte(',')
+		}
+		ae.elemEnc(e, v.Index(i), false)
+	}
+	e.WriteByte(']')
+}
+
+func newArrayEncoder(t reflect.Type) encoderFunc {
+	enc := &arrayEncoder{typeEncoder(t.Elem())}
+	return enc.encode
+}
+
+type ptrEncoder struct {
+	elemEnc encoderFunc
+}
+
+func (pe *ptrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
+	if v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	pe.elemEnc(e, v.Elem(), quoted)
+}
+
+func newPtrEncoder(t reflect.Type) encoderFunc {
+	enc := &ptrEncoder{typeEncoder(t.Elem())}
+	return enc.encode
+}
+
+type condAddrEncoder struct {
+	canAddrEnc, elseEnc encoderFunc
+}
+
+func (ce *condAddrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
+	if v.CanAddr() {
+		ce.canAddrEnc(e, v, quoted)
+	} else {
+		ce.elseEnc(e, v, quoted)
+	}
+}
+
+// newCondAddrEncoder returns an encoder that checks whether its value
+// CanAddr and delegates to canAddrEnc if so, else to elseEnc.
+func newCondAddrEncoder(canAddrEnc, elseEnc encoderFunc) encoderFunc {
+	enc := &condAddrEncoder{canAddrEnc: canAddrEnc, elseEnc: elseEnc}
+	return enc.encode
+}
+
+func isValidTag(s string) bool {
+	if s == "" {
+		return false
+	}
+	for _, c := range s {
+		switch {
+		case strings.ContainsRune("!#$%&()*+-./:<=>?@[]^_{|}~ ", c):
+			// Backslash and quote chars are reserved, but
+			// otherwise any punctuation chars are allowed
+			// in a tag name.
+		default:
+			if !unicode.IsLetter(c) && !unicode.IsDigit(c) {
+				return false
+			}
+		}
+	}
+	return true
+}
+
+func fieldByIndex(v reflect.Value, index []int) reflect.Value {
+	for _, i := range index {
+		if v.Kind() == reflect.Ptr {
+			if v.IsNil() {
+				return reflect.Value{}
+			}
+			v = v.Elem()
+		}
+		v = v.Field(i)
+	}
+	return v
+}
+
+func typeByIndex(t reflect.Type, index []int) reflect.Type {
+	for _, i := range index {
+		if t.Kind() == reflect.Ptr {
+			t = t.Elem()
+		}
+		t = t.Field(i).Type
+	}
+	return t
+}
+
+// stringValues is a slice of reflect.Value holding *reflect.StringValue.
+// It implements the methods to sort by string.
+type stringValues []reflect.Value
+
+func (sv stringValues) Len() int           { return len(sv) }
+func (sv stringValues) Swap(i, j int)      { sv[i], sv[j] = sv[j], sv[i] }
+func (sv stringValues) Less(i, j int) bool { return sv.get(i) < sv.get(j) }
+func (sv stringValues) get(i int) string   { return sv[i].String() }
+
+// NOTE: keep in sync with stringBytes below.
+func (e *encodeState) string(s string) int {
+	len0 := e.Len()
+	e.WriteByte('"')
+	start := 0
+	for i := 0; i < len(s); {
+		if b := s[i]; b < utf8.RuneSelf {
+			if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' && b != '&' {
+				i++
+				continue
+			}
+			if start < i {
+				e.WriteString(s[start:i])
+			}
+			switch b {
+			case '\\', '"':
+				e.WriteByte('\\')
+				e.WriteByte(b)
+			case '\n':
+				e.WriteByte('\\')
+				e.WriteByte('n')
+			case '\r':
+				e.WriteByte('\\')
+				e.WriteByte('r')
+			case '\t':
+				e.WriteByte('\\')
+				e.WriteByte('t')
+			default:
+				// This encodes bytes < 0x20 except for \n and \r,
+				// as well as <, > and &. The latter are escaped because they
+				// can lead to security holes when user-controlled strings
+				// are rendered into JSON and served to some browsers.
+				e.WriteString(`\u00`)
+				e.WriteByte(hex[b>>4])
+				e.WriteByte(hex[b&0xF])
+			}
+			i++
+			start = i
+			continue
+		}
+		c, size := utf8.DecodeRuneInString(s[i:])
+		if c == utf8.RuneError && size == 1 {
+			if start < i {
+				e.WriteString(s[start:i])
+			}
+			e.WriteString(`\ufffd`)
+			i += size
+			start = i
+			continue
+		}
+		// U+2028 is LINE SEPARATOR.
+		// U+2029 is PARAGRAPH SEPARATOR.
+		// They are both technically valid characters in JSON strings,
+		// but don't work in JSONP, which has to be evaluated as JavaScript,
+		// and can lead to security holes there. It is valid JSON to
+		// escape them, so we do so unconditionally.
+		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
+		if c == '\u2028' || c == '\u2029' {
+			if start < i {
+				e.WriteString(s[start:i])
+			}
+			e.WriteString(`\u202`)
+			e.WriteByte(hex[c&0xF])
+			i += size
+			start = i
+			continue
+		}
+		i += size
+	}
+	if start < len(s) {
+		e.WriteString(s[start:])
+	}
+	e.WriteByte('"')
+	return e.Len() - len0
+}
+
+// NOTE: keep in sync with string above.
+func (e *encodeState) stringBytes(s []byte) int {
+	len0 := e.Len()
+	e.WriteByte('"')
+	start := 0
+	for i := 0; i < len(s); {
+		if b := s[i]; b < utf8.RuneSelf {
+			if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' && b != '&' {
+				i++
+				continue
+			}
+			if start < i {
+				e.Write(s[start:i])
+			}
+			switch b {
+			case '\\', '"':
+				e.WriteByte('\\')
+				e.WriteByte(b)
+			case '\n':
+				e.WriteByte('\\')
+				e.WriteByte('n')
+			case '\r':
+				e.WriteByte('\\')
+				e.WriteByte('r')
+			case '\t':
+				e.WriteByte('\\')
+				e.WriteByte('t')
+			default:
+				// This encodes bytes < 0x20 except for \n and \r,
+				// as well as <, >, and &. The latter are escaped because they
+				// can lead to security holes when user-controlled strings
+				// are rendered into JSON and served to some browsers.
+				e.WriteString(`\u00`)
+				e.WriteByte(hex[b>>4])
+				e.WriteByte(hex[b&0xF])
+			}
+			i++
+			start = i
+			continue
+		}
+		c, size := utf8.DecodeRune(s[i:])
+		if c == utf8.RuneError && size == 1 {
+			if start < i {
+				e.Write(s[start:i])
+			}
+			e.WriteString(`\ufffd`)
+			i += size
+			start = i
+			continue
+		}
+		// U+2028 is LINE SEPARATOR.
+		// U+2029 is PARAGRAPH SEPARATOR.
+		// They are both technically valid characters in JSON strings,
+		// but don't work in JSONP, which has to be evaluated as JavaScript,
+		// and can lead to security holes there. It is valid JSON to
+		// escape them, so we do so unconditionally.
+		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
+		if c == '\u2028' || c == '\u2029' {
+			if start < i {
+				e.Write(s[start:i])
+			}
+			e.WriteString(`\u202`)
+			e.WriteByte(hex[c&0xF])
+			i += size
+			start = i
+			continue
+		}
+		i += size
+	}
+	if start < len(s) {
+		e.Write(s[start:])
+	}
+	e.WriteByte('"')
+	return e.Len() - len0
+}
+
+// A field represents a single field found in a struct.
+type field struct {
+	name      string
+	nameBytes []byte // []byte(name)
+
+	tag       bool
+	index     []int
+	typ       reflect.Type
+	omitEmpty bool
+	quoted    bool
+}
+
+func fillField(f field) field {
+	f.nameBytes = []byte(f.name)
+	return f
+}
+
+// byName sorts field by name, breaking ties with depth,
+// then breaking ties with "name came from json tag", then
+// breaking ties with index sequence.
+type byName []field
+
+func (x byName) Len() int { return len(x) }
+
+func (x byName) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
+
+func (x byName) Less(i, j int) bool {
+	if x[i].name != x[j].name {
+		return x[i].name < x[j].name
+	}
+	if len(x[i].index) != len(x[j].index) {
+		return len(x[i].index) < len(x[j].index)
+	}
+	if x[i].tag != x[j].tag {
+		return x[i].tag
+	}
+	return byIndex(x).Less(i, j)
+}
+
+// byIndex sorts field by index sequence.
+type byIndex []field
+
+func (x byIndex) Len() int { return len(x) }
+
+func (x byIndex) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
+
+func (x byIndex) Less(i, j int) bool {
+	for k, xik := range x[i].index {
+		if k >= len(x[j].index) {
+			return false
+		}
+		if xik != x[j].index[k] {
+			return xik < x[j].index[k]
+		}
+	}
+	return len(x[i].index) < len(x[j].index)
+}
+
+// typeFields returns a list of fields that JSON should recognize for the given type.
+// The algorithm is breadth-first search over the set of structs to include - the top struct
+// and then any reachable anonymous structs.
+func typeFields(t reflect.Type) []field {
+	// Anonymous fields to explore at the current level and the next.
+	current := []field{}
+	next := []field{{typ: t}}
+
+	// Count of queued names for current level and the next.
+	count := map[reflect.Type]int{}
+	nextCount := map[reflect.Type]int{}
+
+	// Types already visited at an earlier level.
+	visited := map[reflect.Type]bool{}
+
+	// Fields found.
+	var fields []field
+
+	for len(next) > 0 {
+		current, next = next, current[:0]
+		count, nextCount = nextCount, map[reflect.Type]int{}
+
+		for _, f := range current {
+			if visited[f.typ] {
+				continue
+			}
+			visited[f.typ] = true
+
+			// Scan f.typ for fields to include.
+			for i := 0; i < f.typ.NumField(); i++ {
+				sf := f.typ.Field(i)
+				if sf.PkgPath != "" && !sf.Anonymous { // unexported
+					continue
+				}
+				tag := sf.Tag.Get("json")
+				if tag == "-" {
+					continue
+				}
+				name, opts := parseTag(tag)
+				if !isValidTag(name) {
+					name = ""
+				}
+				index := make([]int, len(f.index)+1)
+				copy(index, f.index)
+				index[len(f.index)] = i
+
+				ft := sf.Type
+				if ft.Name() == "" && ft.Kind() == reflect.Ptr {
+					// Follow pointer.
+					ft = ft.Elem()
+				}
+
+				// Only strings, floats, integers, and booleans can be quoted.
+				quoted := false
+				if opts.Contains("string") {
+					switch ft.Kind() {
+					case reflect.Bool,
+						reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
+						reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64,
+						reflect.Float32, reflect.Float64,
+						reflect.String:
+						quoted = true
+					}
+				}
+
+				// Record found field and index sequence.
+				if name != "" || !sf.Anonymous || ft.Kind() != reflect.Struct {
+					tagged := name != ""
+					if name == "" {
+						name = sf.Name
+					}
+					fields = append(fields, fillField(field{
+						name:      name,
+						tag:       tagged,
+						index:     index,
+						typ:       ft,
+						omitEmpty: opts.Contains("omitempty"),
+						quoted:    quoted,
+					}))
+					if count[f.typ] > 1 {
+						// If there were multiple instances, add a second,
+						// so that the annihilation code will see a duplicate.
+						// It only cares about the distinction between 1 or 2,
+						// so don't bother generating any more copies.
+						fields = append(fields, fields[len(fields)-1])
+					}
+					continue
+				}
+
+				// Record new anonymous struct to explore in next round.
+				nextCount[ft]++
+				if nextCount[ft] == 1 {
+					next = append(next, fillField(field{name: ft.Name(), index: index, typ: ft}))
+				}
+			}
+		}
+	}
+
+	sort.Sort(byName(fields))
+
+	// Delete all fields that are hidden by the Go rules for embedded fields,
+	// except that fields with JSON tags are promoted.
+
+	// The fields are sorted in primary order of name, secondary order
+	// of field index length. Loop over names; for each name, delete
+	// hidden fields by choosing the one dominant field that survives.
+	out := fields[:0]
+	for advance, i := 0, 0; i < len(fields); i += advance {
+		// One iteration per name.
+		// Find the sequence of fields with the name of this first field.
+		fi := fields[i]
+		name := fi.name
+		for advance = 1; i+advance < len(fields); advance++ {
+			fj := fields[i+advance]
+			if fj.name != name {
+				break
+			}
+		}
+		if advance == 1 { // Only one field with this name
+			out = append(out, fi)
+			continue
+		}
+		dominant, ok := dominantField(fields[i : i+advance])
+		if ok {
+			out = append(out, dominant)
+		}
+	}
+
+	fields = out
+	sort.Sort(byIndex(fields))
+
+	return fields
+}
+
+// dominantField looks through the fields, all of which are known to
+// have the same name, to find the single field that dominates the
+// others using Go's embedding rules, modified by the presence of
+// JSON tags. If there are multiple top-level fields, the boolean
+// will be false: This condition is an error in Go and we skip all
+// the fields.
+func dominantField(fields []field) (field, bool) {
+	// The fields are sorted in increasing index-length order. The winner
+	// must therefore be one with the shortest index length. Drop all
+	// longer entries, which is easy: just truncate the slice.
+	length := len(fields[0].index)
+	tagged := -1 // Index of first tagged field.
+	for i, f := range fields {
+		if len(f.index) > length {
+			fields = fields[:i]
+			break
+		}
+		if f.tag {
+			if tagged >= 0 {
+				// Multiple tagged fields at the same level: conflict.
+				// Return no field.
+				return field{}, false
+			}
+			tagged = i
+		}
+	}
+	if tagged >= 0 {
+		return fields[tagged], true
+	}
+	// All remaining fields have the same length. If there's more than one,
+	// we have a conflict (two fields named "X" at the same level) and we
+	// return no field.
+	if len(fields) > 1 {
+		return field{}, false
+	}
+	return fields[0], true
+}
+
+var fieldCache struct {
+	sync.RWMutex
+	m map[reflect.Type][]field
+}
+
+// cachedTypeFields is like typeFields but uses a cache to avoid repeated work.
+func cachedTypeFields(t reflect.Type) []field {
+	fieldCache.RLock()
+	f := fieldCache.m[t]
+	fieldCache.RUnlock()
+	if f != nil {
+		return f
+	}
+
+	// Compute fields without lock.
+	// Might duplicate effort but won't hold other computations back.
+	f = typeFields(t)
+	if f == nil {
+		f = []field{}
+	}
+
+	fieldCache.Lock()
+	if fieldCache.m == nil {
+		fieldCache.m = map[reflect.Type][]field{}
+	}
+	fieldCache.m[t] = f
+	fieldCache.Unlock()
+	return f
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/indent.go b/vendor/gopkg.in/go-jose/go-jose.v2/json/indent.go
new file mode 100644
index 00000000..7cd9f4db
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/json/indent.go
@@ -0,0 +1,141 @@
+// Copyright 2010 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import "bytes"
+
+// Compact appends to dst the JSON-encoded src with
+// insignificant space characters elided.
+func Compact(dst *bytes.Buffer, src []byte) error {
+	return compact(dst, src, false)
+}
+
+func compact(dst *bytes.Buffer, src []byte, escape bool) error {
+	origLen := dst.Len()
+	var scan scanner
+	scan.reset()
+	start := 0
+	for i, c := range src {
+		if escape && (c == '<' || c == '>' || c == '&') {
+			if start < i {
+				dst.Write(src[start:i])
+			}
+			dst.WriteString(`\u00`)
+			dst.WriteByte(hex[c>>4])
+			dst.WriteByte(hex[c&0xF])
+			start = i + 1
+		}
+		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
+		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
+			if start < i {
+				dst.Write(src[start:i])
+			}
+			dst.WriteString(`\u202`)
+			dst.WriteByte(hex[src[i+2]&0xF])
+			start = i + 3
+		}
+		v := scan.step(&scan, c)
+		if v >= scanSkipSpace {
+			if v == scanError {
+				break
+			}
+			if start < i {
+				dst.Write(src[start:i])
+			}
+			start = i + 1
+		}
+	}
+	if scan.eof() == scanError {
+		dst.Truncate(origLen)
+		return scan.err
+	}
+	if start < len(src) {
+		dst.Write(src[start:])
+	}
+	return nil
+}
+
+func newline(dst *bytes.Buffer, prefix, indent string, depth int) {
+	dst.WriteByte('\n')
+	dst.WriteString(prefix)
+	for i := 0; i < depth; i++ {
+		dst.WriteString(indent)
+	}
+}
+
+// Indent appends to dst an indented form of the JSON-encoded src.
+// Each element in a JSON object or array begins on a new,
+// indented line beginning with prefix followed by one or more
+// copies of indent according to the indentation nesting.
+// The data appended to dst does not begin with the prefix nor
+// any indentation, to make it easier to embed inside other formatted JSON data.
+// Although leading space characters (space, tab, carriage return, newline)
+// at the beginning of src are dropped, trailing space characters
+// at the end of src are preserved and copied to dst.
+// For example, if src has no trailing spaces, neither will dst;
+// if src ends in a trailing newline, so will dst.
+func Indent(dst *bytes.Buffer, src []byte, prefix, indent string) error {
+	origLen := dst.Len()
+	var scan scanner
+	scan.reset()
+	needIndent := false
+	depth := 0
+	for _, c := range src {
+		scan.bytes++
+		v := scan.step(&scan, c)
+		if v == scanSkipSpace {
+			continue
+		}
+		if v == scanError {
+			break
+		}
+		if needIndent && v != scanEndObject && v != scanEndArray {
+			needIndent = false
+			depth++
+			newline(dst, prefix, indent, depth)
+		}
+
+		// Emit semantically uninteresting bytes
+		// (in particular, punctuation in strings) unmodified.
+		if v == scanContinue {
+			dst.WriteByte(c)
+			continue
+		}
+
+		// Add spacing around real punctuation.
+		switch c {
+		case '{', '[':
+			// delay indent so that empty object and array are formatted as {} and [].
+			needIndent = true
+			dst.WriteByte(c)
+
+		case ',':
+			dst.WriteByte(c)
+			newline(dst, prefix, indent, depth)
+
+		case ':':
+			dst.WriteByte(c)
+			dst.WriteByte(' ')
+
+		case '}', ']':
+			if needIndent {
+				// suppress indent in empty object/array
+				needIndent = false
+			} else {
+				depth--
+				newline(dst, prefix, indent, depth)
+			}
+			dst.WriteByte(c)
+
+		default:
+			dst.WriteByte(c)
+		}
+	}
+	if scan.eof() == scanError {
+		dst.Truncate(origLen)
+		return scan.err
+	}
+	return nil
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/scanner.go b/vendor/gopkg.in/go-jose/go-jose.v2/json/scanner.go
new file mode 100644
index 00000000..ee6622e8
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/json/scanner.go
@@ -0,0 +1,623 @@
+// Copyright 2010 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+// JSON value parser state machine.
+// Just about at the limit of what is reasonable to write by hand.
+// Some parts are a bit tedious, but overall it nicely factors out the
+// otherwise common code from the multiple scanning functions
+// in this package (Compact, Indent, checkValid, nextValue, etc).
+//
+// This file starts with two simple examples using the scanner
+// before diving into the scanner itself.
+
+import "strconv"
+
+// checkValid verifies that data is valid JSON-encoded data.
+// scan is passed in for use by checkValid to avoid an allocation.
+func checkValid(data []byte, scan *scanner) error {
+	scan.reset()
+	for _, c := range data {
+		scan.bytes++
+		if scan.step(scan, c) == scanError {
+			return scan.err
+		}
+	}
+	if scan.eof() == scanError {
+		return scan.err
+	}
+	return nil
+}
+
+// nextValue splits data after the next whole JSON value,
+// returning that value and the bytes that follow it as separate slices.
+// scan is passed in for use by nextValue to avoid an allocation.
+func nextValue(data []byte, scan *scanner) (value, rest []byte, err error) {
+	scan.reset()
+	for i, c := range data {
+		v := scan.step(scan, c)
+		if v >= scanEndObject {
+			switch v {
+			// probe the scanner with a space to determine whether we will
+			// get scanEnd on the next character. Otherwise, if the next character
+			// is not a space, scanEndTop allocates a needless error.
+			case scanEndObject, scanEndArray:
+				if scan.step(scan, ' ') == scanEnd {
+					return data[:i+1], data[i+1:], nil
+				}
+			case scanError:
+				return nil, nil, scan.err
+			case scanEnd:
+				return data[:i], data[i:], nil
+			}
+		}
+	}
+	if scan.eof() == scanError {
+		return nil, nil, scan.err
+	}
+	return data, nil, nil
+}
+
+// A SyntaxError is a description of a JSON syntax error.
+type SyntaxError struct {
+	msg    string // description of error
+	Offset int64  // error occurred after reading Offset bytes
+}
+
+func (e *SyntaxError) Error() string { return e.msg }
+
+// A scanner is a JSON scanning state machine.
+// Callers call scan.reset() and then pass bytes in one at a time
+// by calling scan.step(&scan, c) for each byte.
+// The return value, referred to as an opcode, tells the
+// caller about significant parsing events like beginning
+// and ending literals, objects, and arrays, so that the
+// caller can follow along if it wishes.
+// The return value scanEnd indicates that a single top-level
+// JSON value has been completed, *before* the byte that
+// just got passed in.  (The indication must be delayed in order
+// to recognize the end of numbers: is 123 a whole value or
+// the beginning of 12345e+6?).
+type scanner struct {
+	// The step is a func to be called to execute the next transition.
+	// Also tried using an integer constant and a single func
+	// with a switch, but using the func directly was 10% faster
+	// on a 64-bit Mac Mini, and it's nicer to read.
+	step func(*scanner, byte) int
+
+	// Reached end of top-level value.
+	endTop bool
+
+	// Stack of what we're in the middle of - array values, object keys, object values.
+	parseState []int
+
+	// Error that happened, if any.
+	err error
+
+	// 1-byte redo (see undo method)
+	redo      bool
+	redoCode  int
+	redoState func(*scanner, byte) int
+
+	// total bytes consumed, updated by decoder.Decode
+	bytes int64
+}
+
+// These values are returned by the state transition functions
+// assigned to scanner.state and the method scanner.eof.
+// They give details about the current state of the scan that
+// callers might be interested to know about.
+// It is okay to ignore the return value of any particular
+// call to scanner.state: if one call returns scanError,
+// every subsequent call will return scanError too.
+const (
+	// Continue.
+	scanContinue     = iota // uninteresting byte
+	scanBeginLiteral        // end implied by next result != scanContinue
+	scanBeginObject         // begin object
+	scanObjectKey           // just finished object key (string)
+	scanObjectValue         // just finished non-last object value
+	scanEndObject           // end object (implies scanObjectValue if possible)
+	scanBeginArray          // begin array
+	scanArrayValue          // just finished array value
+	scanEndArray            // end array (implies scanArrayValue if possible)
+	scanSkipSpace           // space byte; can skip; known to be last "continue" result
+
+	// Stop.
+	scanEnd   // top-level value ended *before* this byte; known to be first "stop" result
+	scanError // hit an error, scanner.err.
+)
+
+// These values are stored in the parseState stack.
+// They give the current state of a composite value
+// being scanned.  If the parser is inside a nested value
+// the parseState describes the nested state, outermost at entry 0.
+const (
+	parseObjectKey   = iota // parsing object key (before colon)
+	parseObjectValue        // parsing object value (after colon)
+	parseArrayValue         // parsing array value
+)
+
+// reset prepares the scanner for use.
+// It must be called before calling s.step.
+func (s *scanner) reset() {
+	s.step = stateBeginValue
+	s.parseState = s.parseState[0:0]
+	s.err = nil
+	s.redo = false
+	s.endTop = false
+}
+
+// eof tells the scanner that the end of input has been reached.
+// It returns a scan status just as s.step does.
+func (s *scanner) eof() int {
+	if s.err != nil {
+		return scanError
+	}
+	if s.endTop {
+		return scanEnd
+	}
+	s.step(s, ' ')
+	if s.endTop {
+		return scanEnd
+	}
+	if s.err == nil {
+		s.err = &SyntaxError{"unexpected end of JSON input", s.bytes}
+	}
+	return scanError
+}
+
+// pushParseState pushes a new parse state p onto the parse stack.
+func (s *scanner) pushParseState(p int) {
+	s.parseState = append(s.parseState, p)
+}
+
+// popParseState pops a parse state (already obtained) off the stack
+// and updates s.step accordingly.
+func (s *scanner) popParseState() {
+	n := len(s.parseState) - 1
+	s.parseState = s.parseState[0:n]
+	s.redo = false
+	if n == 0 {
+		s.step = stateEndTop
+		s.endTop = true
+	} else {
+		s.step = stateEndValue
+	}
+}
+
+func isSpace(c byte) bool {
+	return c == ' ' || c == '\t' || c == '\r' || c == '\n'
+}
+
+// stateBeginValueOrEmpty is the state after reading `[`.
+func stateBeginValueOrEmpty(s *scanner, c byte) int {
+	if c <= ' ' && isSpace(c) {
+		return scanSkipSpace
+	}
+	if c == ']' {
+		return stateEndValue(s, c)
+	}
+	return stateBeginValue(s, c)
+}
+
+// stateBeginValue is the state at the beginning of the input.
+func stateBeginValue(s *scanner, c byte) int {
+	if c <= ' ' && isSpace(c) {
+		return scanSkipSpace
+	}
+	switch c {
+	case '{':
+		s.step = stateBeginStringOrEmpty
+		s.pushParseState(parseObjectKey)
+		return scanBeginObject
+	case '[':
+		s.step = stateBeginValueOrEmpty
+		s.pushParseState(parseArrayValue)
+		return scanBeginArray
+	case '"':
+		s.step = stateInString
+		return scanBeginLiteral
+	case '-':
+		s.step = stateNeg
+		return scanBeginLiteral
+	case '0': // beginning of 0.123
+		s.step = state0
+		return scanBeginLiteral
+	case 't': // beginning of true
+		s.step = stateT
+		return scanBeginLiteral
+	case 'f': // beginning of false
+		s.step = stateF
+		return scanBeginLiteral
+	case 'n': // beginning of null
+		s.step = stateN
+		return scanBeginLiteral
+	}
+	if '1' <= c && c <= '9' { // beginning of 1234.5
+		s.step = state1
+		return scanBeginLiteral
+	}
+	return s.error(c, "looking for beginning of value")
+}
+
+// stateBeginStringOrEmpty is the state after reading `{`.
+func stateBeginStringOrEmpty(s *scanner, c byte) int {
+	if c <= ' ' && isSpace(c) {
+		return scanSkipSpace
+	}
+	if c == '}' {
+		n := len(s.parseState)
+		s.parseState[n-1] = parseObjectValue
+		return stateEndValue(s, c)
+	}
+	return stateBeginString(s, c)
+}
+
+// stateBeginString is the state after reading `{"key": value,`.
+func stateBeginString(s *scanner, c byte) int {
+	if c <= ' ' && isSpace(c) {
+		return scanSkipSpace
+	}
+	if c == '"' {
+		s.step = stateInString
+		return scanBeginLiteral
+	}
+	return s.error(c, "looking for beginning of object key string")
+}
+
+// stateEndValue is the state after completing a value,
+// such as after reading `{}` or `true` or `["x"`.
+func stateEndValue(s *scanner, c byte) int {
+	n := len(s.parseState)
+	if n == 0 {
+		// Completed top-level before the current byte.
+		s.step = stateEndTop
+		s.endTop = true
+		return stateEndTop(s, c)
+	}
+	if c <= ' ' && isSpace(c) {
+		s.step = stateEndValue
+		return scanSkipSpace
+	}
+	ps := s.parseState[n-1]
+	switch ps {
+	case parseObjectKey:
+		if c == ':' {
+			s.parseState[n-1] = parseObjectValue
+			s.step = stateBeginValue
+			return scanObjectKey
+		}
+		return s.error(c, "after object key")
+	case parseObjectValue:
+		if c == ',' {
+			s.parseState[n-1] = parseObjectKey
+			s.step = stateBeginString
+			return scanObjectValue
+		}
+		if c == '}' {
+			s.popParseState()
+			return scanEndObject
+		}
+		return s.error(c, "after object key:value pair")
+	case parseArrayValue:
+		if c == ',' {
+			s.step = stateBeginValue
+			return scanArrayValue
+		}
+		if c == ']' {
+			s.popParseState()
+			return scanEndArray
+		}
+		return s.error(c, "after array element")
+	}
+	return s.error(c, "")
+}
+
+// stateEndTop is the state after finishing the top-level value,
+// such as after reading `{}` or `[1,2,3]`.
+// Only space characters should be seen now.
+func stateEndTop(s *scanner, c byte) int {
+	if c != ' ' && c != '\t' && c != '\r' && c != '\n' {
+		// Complain about non-space byte on next call.
+		s.error(c, "after top-level value")
+	}
+	return scanEnd
+}
+
+// stateInString is the state after reading `"`.
+func stateInString(s *scanner, c byte) int {
+	if c == '"' {
+		s.step = stateEndValue
+		return scanContinue
+	}
+	if c == '\\' {
+		s.step = stateInStringEsc
+		return scanContinue
+	}
+	if c < 0x20 {
+		return s.error(c, "in string literal")
+	}
+	return scanContinue
+}
+
+// stateInStringEsc is the state after reading `"\` during a quoted string.
+func stateInStringEsc(s *scanner, c byte) int {
+	switch c {
+	case 'b', 'f', 'n', 'r', 't', '\\', '/', '"':
+		s.step = stateInString
+		return scanContinue
+	case 'u':
+		s.step = stateInStringEscU
+		return scanContinue
+	}
+	return s.error(c, "in string escape code")
+}
+
+// stateInStringEscU is the state after reading `"\u` during a quoted string.
+func stateInStringEscU(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
+		s.step = stateInStringEscU1
+		return scanContinue
+	}
+	// numbers
+	return s.error(c, "in \\u hexadecimal character escape")
+}
+
+// stateInStringEscU1 is the state after reading `"\u1` during a quoted string.
+func stateInStringEscU1(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
+		s.step = stateInStringEscU12
+		return scanContinue
+	}
+	// numbers
+	return s.error(c, "in \\u hexadecimal character escape")
+}
+
+// stateInStringEscU12 is the state after reading `"\u12` during a quoted string.
+func stateInStringEscU12(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
+		s.step = stateInStringEscU123
+		return scanContinue
+	}
+	// numbers
+	return s.error(c, "in \\u hexadecimal character escape")
+}
+
+// stateInStringEscU123 is the state after reading `"\u123` during a quoted string.
+func stateInStringEscU123(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
+		s.step = stateInString
+		return scanContinue
+	}
+	// numbers
+	return s.error(c, "in \\u hexadecimal character escape")
+}
+
+// stateNeg is the state after reading `-` during a number.
+func stateNeg(s *scanner, c byte) int {
+	if c == '0' {
+		s.step = state0
+		return scanContinue
+	}
+	if '1' <= c && c <= '9' {
+		s.step = state1
+		return scanContinue
+	}
+	return s.error(c, "in numeric literal")
+}
+
+// state1 is the state after reading a non-zero integer during a number,
+// such as after reading `1` or `100` but not `0`.
+func state1(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' {
+		s.step = state1
+		return scanContinue
+	}
+	return state0(s, c)
+}
+
+// state0 is the state after reading `0` during a number.
+func state0(s *scanner, c byte) int {
+	if c == '.' {
+		s.step = stateDot
+		return scanContinue
+	}
+	if c == 'e' || c == 'E' {
+		s.step = stateE
+		return scanContinue
+	}
+	return stateEndValue(s, c)
+}
+
+// stateDot is the state after reading the integer and decimal point in a number,
+// such as after reading `1.`.
+func stateDot(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' {
+		s.step = stateDot0
+		return scanContinue
+	}
+	return s.error(c, "after decimal point in numeric literal")
+}
+
+// stateDot0 is the state after reading the integer, decimal point, and subsequent
+// digits of a number, such as after reading `3.14`.
+func stateDot0(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' {
+		return scanContinue
+	}
+	if c == 'e' || c == 'E' {
+		s.step = stateE
+		return scanContinue
+	}
+	return stateEndValue(s, c)
+}
+
+// stateE is the state after reading the mantissa and e in a number,
+// such as after reading `314e` or `0.314e`.
+func stateE(s *scanner, c byte) int {
+	if c == '+' || c == '-' {
+		s.step = stateESign
+		return scanContinue
+	}
+	return stateESign(s, c)
+}
+
+// stateESign is the state after reading the mantissa, e, and sign in a number,
+// such as after reading `314e-` or `0.314e+`.
+func stateESign(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' {
+		s.step = stateE0
+		return scanContinue
+	}
+	return s.error(c, "in exponent of numeric literal")
+}
+
+// stateE0 is the state after reading the mantissa, e, optional sign,
+// and at least one digit of the exponent in a number,
+// such as after reading `314e-2` or `0.314e+1` or `3.14e0`.
+func stateE0(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' {
+		return scanContinue
+	}
+	return stateEndValue(s, c)
+}
+
+// stateT is the state after reading `t`.
+func stateT(s *scanner, c byte) int {
+	if c == 'r' {
+		s.step = stateTr
+		return scanContinue
+	}
+	return s.error(c, "in literal true (expecting 'r')")
+}
+
+// stateTr is the state after reading `tr`.
+func stateTr(s *scanner, c byte) int {
+	if c == 'u' {
+		s.step = stateTru
+		return scanContinue
+	}
+	return s.error(c, "in literal true (expecting 'u')")
+}
+
+// stateTru is the state after reading `tru`.
+func stateTru(s *scanner, c byte) int {
+	if c == 'e' {
+		s.step = stateEndValue
+		return scanContinue
+	}
+	return s.error(c, "in literal true (expecting 'e')")
+}
+
+// stateF is the state after reading `f`.
+func stateF(s *scanner, c byte) int {
+	if c == 'a' {
+		s.step = stateFa
+		return scanContinue
+	}
+	return s.error(c, "in literal false (expecting 'a')")
+}
+
+// stateFa is the state after reading `fa`.
+func stateFa(s *scanner, c byte) int {
+	if c == 'l' {
+		s.step = stateFal
+		return scanContinue
+	}
+	return s.error(c, "in literal false (expecting 'l')")
+}
+
+// stateFal is the state after reading `fal`.
+func stateFal(s *scanner, c byte) int {
+	if c == 's' {
+		s.step = stateFals
+		return scanContinue
+	}
+	return s.error(c, "in literal false (expecting 's')")
+}
+
+// stateFals is the state after reading `fals`.
+func stateFals(s *scanner, c byte) int {
+	if c == 'e' {
+		s.step = stateEndValue
+		return scanContinue
+	}
+	return s.error(c, "in literal false (expecting 'e')")
+}
+
+// stateN is the state after reading `n`.
+func stateN(s *scanner, c byte) int {
+	if c == 'u' {
+		s.step = stateNu
+		return scanContinue
+	}
+	return s.error(c, "in literal null (expecting 'u')")
+}
+
+// stateNu is the state after reading `nu`.
+func stateNu(s *scanner, c byte) int {
+	if c == 'l' {
+		s.step = stateNul
+		return scanContinue
+	}
+	return s.error(c, "in literal null (expecting 'l')")
+}
+
+// stateNul is the state after reading `nul`.
+func stateNul(s *scanner, c byte) int {
+	if c == 'l' {
+		s.step = stateEndValue
+		return scanContinue
+	}
+	return s.error(c, "in literal null (expecting 'l')")
+}
+
+// stateError is the state after reaching a syntax error,
+// such as after reading `[1}` or `5.1.2`.
+func stateError(s *scanner, c byte) int {
+	return scanError
+}
+
+// error records an error and switches to the error state.
+func (s *scanner) error(c byte, context string) int {
+	s.step = stateError
+	s.err = &SyntaxError{"invalid character " + quoteChar(c) + " " + context, s.bytes}
+	return scanError
+}
+
+// quoteChar formats c as a quoted character literal
+func quoteChar(c byte) string {
+	// special cases - different from quoted strings
+	if c == '\'' {
+		return `'\''`
+	}
+	if c == '"' {
+		return `'"'`
+	}
+
+	// use quoted string with different quotation marks
+	s := strconv.Quote(string(c))
+	return "'" + s[1:len(s)-1] + "'"
+}
+
+// undo causes the scanner to return scanCode from the next state transition.
+// This gives callers a simple 1-byte undo mechanism.
+func (s *scanner) undo(scanCode int) {
+	if s.redo {
+		panic("json: invalid use of scanner")
+	}
+	s.redoCode = scanCode
+	s.redoState = s.step
+	s.step = stateRedo
+	s.redo = true
+}
+
+// stateRedo helps implement the scanner's 1-byte undo.
+func stateRedo(s *scanner, c byte) int {
+	s.redo = false
+	s.step = s.redoState
+	return s.redoCode
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/stream.go b/vendor/gopkg.in/go-jose/go-jose.v2/json/stream.go
new file mode 100644
index 00000000..9b2b926b
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/json/stream.go
@@ -0,0 +1,485 @@
+// Copyright 2010 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"bytes"
+	"errors"
+	"io"
+)
+
+// A Decoder reads and decodes JSON objects from an input stream.
+type Decoder struct {
+	r     io.Reader
+	buf   []byte
+	d     decodeState
+	scanp int // start of unread data in buf
+	scan  scanner
+	err   error
+
+	tokenState int
+	tokenStack []int
+}
+
+// NewDecoder returns a new decoder that reads from r.
+//
+// The decoder introduces its own buffering and may
+// read data from r beyond the JSON values requested.
+func NewDecoder(r io.Reader) *Decoder {
+	return &Decoder{r: r}
+}
+
+// Deprecated: Use `SetNumberType` instead
+// UseNumber causes the Decoder to unmarshal a number into an interface{} as a
+// Number instead of as a float64.
+func (dec *Decoder) UseNumber() { dec.d.numberType = UnmarshalJSONNumber }
+
+// SetNumberType causes the Decoder to unmarshal a number into an interface{} as a
+// Number, float64 or int64 depending on `t` enum value.
+func (dec *Decoder) SetNumberType(t NumberUnmarshalType) { dec.d.numberType = t }
+
+// Decode reads the next JSON-encoded value from its
+// input and stores it in the value pointed to by v.
+//
+// See the documentation for Unmarshal for details about
+// the conversion of JSON into a Go value.
+func (dec *Decoder) Decode(v interface{}) error {
+	if dec.err != nil {
+		return dec.err
+	}
+
+	if err := dec.tokenPrepareForDecode(); err != nil {
+		return err
+	}
+
+	if !dec.tokenValueAllowed() {
+		return &SyntaxError{msg: "not at beginning of value"}
+	}
+
+	// Read whole value into buffer.
+	n, err := dec.readValue()
+	if err != nil {
+		return err
+	}
+	dec.d.init(dec.buf[dec.scanp : dec.scanp+n])
+	dec.scanp += n
+
+	// Don't save err from unmarshal into dec.err:
+	// the connection is still usable since we read a complete JSON
+	// object from it before the error happened.
+	err = dec.d.unmarshal(v)
+
+	// fixup token streaming state
+	dec.tokenValueEnd()
+
+	return err
+}
+
+// Buffered returns a reader of the data remaining in the Decoder's
+// buffer. The reader is valid until the next call to Decode.
+func (dec *Decoder) Buffered() io.Reader {
+	return bytes.NewReader(dec.buf[dec.scanp:])
+}
+
+// readValue reads a JSON value into dec.buf.
+// It returns the length of the encoding.
+func (dec *Decoder) readValue() (int, error) {
+	dec.scan.reset()
+
+	scanp := dec.scanp
+	var err error
+Input:
+	for {
+		// Look in the buffer for a new value.
+		for i, c := range dec.buf[scanp:] {
+			dec.scan.bytes++
+			v := dec.scan.step(&dec.scan, c)
+			if v == scanEnd {
+				scanp += i
+				break Input
+			}
+			// scanEnd is delayed one byte.
+			// We might block trying to get that byte from src,
+			// so instead invent a space byte.
+			if (v == scanEndObject || v == scanEndArray) && dec.scan.step(&dec.scan, ' ') == scanEnd {
+				scanp += i + 1
+				break Input
+			}
+			if v == scanError {
+				dec.err = dec.scan.err
+				return 0, dec.scan.err
+			}
+		}
+		scanp = len(dec.buf)
+
+		// Did the last read have an error?
+		// Delayed until now to allow buffer scan.
+		if err != nil {
+			if err == io.EOF {
+				if dec.scan.step(&dec.scan, ' ') == scanEnd {
+					break Input
+				}
+				if nonSpace(dec.buf) {
+					err = io.ErrUnexpectedEOF
+				}
+			}
+			dec.err = err
+			return 0, err
+		}
+
+		n := scanp - dec.scanp
+		err = dec.refill()
+		scanp = dec.scanp + n
+	}
+	return scanp - dec.scanp, nil
+}
+
+func (dec *Decoder) refill() error {
+	// Make room to read more into the buffer.
+	// First slide down data already consumed.
+	if dec.scanp > 0 {
+		n := copy(dec.buf, dec.buf[dec.scanp:])
+		dec.buf = dec.buf[:n]
+		dec.scanp = 0
+	}
+
+	// Grow buffer if not large enough.
+	const minRead = 512
+	if cap(dec.buf)-len(dec.buf) < minRead {
+		newBuf := make([]byte, len(dec.buf), 2*cap(dec.buf)+minRead)
+		copy(newBuf, dec.buf)
+		dec.buf = newBuf
+	}
+
+	// Read.  Delay error for next iteration (after scan).
+	n, err := dec.r.Read(dec.buf[len(dec.buf):cap(dec.buf)])
+	dec.buf = dec.buf[0 : len(dec.buf)+n]
+
+	return err
+}
+
+func nonSpace(b []byte) bool {
+	for _, c := range b {
+		if !isSpace(c) {
+			return true
+		}
+	}
+	return false
+}
+
+// An Encoder writes JSON objects to an output stream.
+type Encoder struct {
+	w   io.Writer
+	err error
+}
+
+// NewEncoder returns a new encoder that writes to w.
+func NewEncoder(w io.Writer) *Encoder {
+	return &Encoder{w: w}
+}
+
+// Encode writes the JSON encoding of v to the stream,
+// followed by a newline character.
+//
+// See the documentation for Marshal for details about the
+// conversion of Go values to JSON.
+func (enc *Encoder) Encode(v interface{}) error {
+	if enc.err != nil {
+		return enc.err
+	}
+	e := newEncodeState()
+	err := e.marshal(v)
+	if err != nil {
+		return err
+	}
+
+	// Terminate each value with a newline.
+	// This makes the output look a little nicer
+	// when debugging, and some kind of space
+	// is required if the encoded value was a number,
+	// so that the reader knows there aren't more
+	// digits coming.
+	e.WriteByte('\n')
+
+	if _, err = enc.w.Write(e.Bytes()); err != nil {
+		enc.err = err
+	}
+	encodeStatePool.Put(e)
+	return err
+}
+
+// RawMessage is a raw encoded JSON object.
+// It implements Marshaler and Unmarshaler and can
+// be used to delay JSON decoding or precompute a JSON encoding.
+type RawMessage []byte
+
+// MarshalJSON returns *m as the JSON encoding of m.
+func (m *RawMessage) MarshalJSON() ([]byte, error) {
+	return *m, nil
+}
+
+// UnmarshalJSON sets *m to a copy of data.
+func (m *RawMessage) UnmarshalJSON(data []byte) error {
+	if m == nil {
+		return errors.New("json.RawMessage: UnmarshalJSON on nil pointer")
+	}
+	*m = append((*m)[0:0], data...)
+	return nil
+}
+
+var _ Marshaler = (*RawMessage)(nil)
+var _ Unmarshaler = (*RawMessage)(nil)
+
+// A Token holds a value of one of these types:
+//
+//	Delim, for the four JSON delimiters [ ] { }
+//	bool, for JSON booleans
+//	float64, for JSON numbers
+//	Number, for JSON numbers
+//	string, for JSON string literals
+//	nil, for JSON null
+//
+type Token interface{}
+
+const (
+	tokenTopValue = iota
+	tokenArrayStart
+	tokenArrayValue
+	tokenArrayComma
+	tokenObjectStart
+	tokenObjectKey
+	tokenObjectColon
+	tokenObjectValue
+	tokenObjectComma
+)
+
+// advance tokenstate from a separator state to a value state
+func (dec *Decoder) tokenPrepareForDecode() error {
+	// Note: Not calling peek before switch, to avoid
+	// putting peek into the standard Decode path.
+	// peek is only called when using the Token API.
+	switch dec.tokenState {
+	case tokenArrayComma:
+		c, err := dec.peek()
+		if err != nil {
+			return err
+		}
+		if c != ',' {
+			return &SyntaxError{"expected comma after array element", 0}
+		}
+		dec.scanp++
+		dec.tokenState = tokenArrayValue
+	case tokenObjectColon:
+		c, err := dec.peek()
+		if err != nil {
+			return err
+		}
+		if c != ':' {
+			return &SyntaxError{"expected colon after object key", 0}
+		}
+		dec.scanp++
+		dec.tokenState = tokenObjectValue
+	}
+	return nil
+}
+
+func (dec *Decoder) tokenValueAllowed() bool {
+	switch dec.tokenState {
+	case tokenTopValue, tokenArrayStart, tokenArrayValue, tokenObjectValue:
+		return true
+	}
+	return false
+}
+
+func (dec *Decoder) tokenValueEnd() {
+	switch dec.tokenState {
+	case tokenArrayStart, tokenArrayValue:
+		dec.tokenState = tokenArrayComma
+	case tokenObjectValue:
+		dec.tokenState = tokenObjectComma
+	}
+}
+
+// A Delim is a JSON array or object delimiter, one of [ ] { or }.
+type Delim rune
+
+func (d Delim) String() string {
+	return string(d)
+}
+
+// Token returns the next JSON token in the input stream.
+// At the end of the input stream, Token returns nil, io.EOF.
+//
+// Token guarantees that the delimiters [ ] { } it returns are
+// properly nested and matched: if Token encounters an unexpected
+// delimiter in the input, it will return an error.
+//
+// The input stream consists of basic JSON values—bool, string,
+// number, and null—along with delimiters [ ] { } of type Delim
+// to mark the start and end of arrays and objects.
+// Commas and colons are elided.
+func (dec *Decoder) Token() (Token, error) {
+	for {
+		c, err := dec.peek()
+		if err != nil {
+			return nil, err
+		}
+		switch c {
+		case '[':
+			if !dec.tokenValueAllowed() {
+				return dec.tokenError(c)
+			}
+			dec.scanp++
+			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
+			dec.tokenState = tokenArrayStart
+			return Delim('['), nil
+
+		case ']':
+			if dec.tokenState != tokenArrayStart && dec.tokenState != tokenArrayComma {
+				return dec.tokenError(c)
+			}
+			dec.scanp++
+			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
+			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
+			dec.tokenValueEnd()
+			return Delim(']'), nil
+
+		case '{':
+			if !dec.tokenValueAllowed() {
+				return dec.tokenError(c)
+			}
+			dec.scanp++
+			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
+			dec.tokenState = tokenObjectStart
+			return Delim('{'), nil
+
+		case '}':
+			if dec.tokenState != tokenObjectStart && dec.tokenState != tokenObjectComma {
+				return dec.tokenError(c)
+			}
+			dec.scanp++
+			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
+			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
+			dec.tokenValueEnd()
+			return Delim('}'), nil
+
+		case ':':
+			if dec.tokenState != tokenObjectColon {
+				return dec.tokenError(c)
+			}
+			dec.scanp++
+			dec.tokenState = tokenObjectValue
+			continue
+
+		case ',':
+			if dec.tokenState == tokenArrayComma {
+				dec.scanp++
+				dec.tokenState = tokenArrayValue
+				continue
+			}
+			if dec.tokenState == tokenObjectComma {
+				dec.scanp++
+				dec.tokenState = tokenObjectKey
+				continue
+			}
+			return dec.tokenError(c)
+
+		case '"':
+			if dec.tokenState == tokenObjectStart || dec.tokenState == tokenObjectKey {
+				var x string
+				old := dec.tokenState
+				dec.tokenState = tokenTopValue
+				err := dec.Decode(&x)
+				dec.tokenState = old
+				if err != nil {
+					clearOffset(err)
+					return nil, err
+				}
+				dec.tokenState = tokenObjectColon
+				return x, nil
+			}
+			fallthrough
+
+		default:
+			if !dec.tokenValueAllowed() {
+				return dec.tokenError(c)
+			}
+			var x interface{}
+			if err := dec.Decode(&x); err != nil {
+				clearOffset(err)
+				return nil, err
+			}
+			return x, nil
+		}
+	}
+}
+
+func clearOffset(err error) {
+	if s, ok := err.(*SyntaxError); ok {
+		s.Offset = 0
+	}
+}
+
+func (dec *Decoder) tokenError(c byte) (Token, error) {
+	var context string
+	switch dec.tokenState {
+	case tokenTopValue:
+		context = " looking for beginning of value"
+	case tokenArrayStart, tokenArrayValue, tokenObjectValue:
+		context = " looking for beginning of value"
+	case tokenArrayComma:
+		context = " after array element"
+	case tokenObjectKey:
+		context = " looking for beginning of object key string"
+	case tokenObjectColon:
+		context = " after object key"
+	case tokenObjectComma:
+		context = " after object key:value pair"
+	}
+	return nil, &SyntaxError{"invalid character " + quoteChar(c) + " " + context, 0}
+}
+
+// More reports whether there is another element in the
+// current array or object being parsed.
+func (dec *Decoder) More() bool {
+	c, err := dec.peek()
+	return err == nil && c != ']' && c != '}'
+}
+
+func (dec *Decoder) peek() (byte, error) {
+	var err error
+	for {
+		for i := dec.scanp; i < len(dec.buf); i++ {
+			c := dec.buf[i]
+			if isSpace(c) {
+				continue
+			}
+			dec.scanp = i
+			return c, nil
+		}
+		// buffer has been scanned, now report any error
+		if err != nil {
+			return 0, err
+		}
+		err = dec.refill()
+	}
+}
+
+/*
+TODO
+
+// EncodeToken writes the given JSON token to the stream.
+// It returns an error if the delimiters [ ] { } are not properly used.
+//
+// EncodeToken does not call Flush, because usually it is part of
+// a larger operation such as Encode, and those will call Flush when finished.
+// Callers that create an Encoder and then invoke EncodeToken directly,
+// without using Encode, need to call Flush when finished to ensure that
+// the JSON is written to the underlying writer.
+func (e *Encoder) EncodeToken(t Token) error  {
+	...
+}
+
+*/
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/tags.go b/vendor/gopkg.in/go-jose/go-jose.v2/json/tags.go
new file mode 100644
index 00000000..c38fd510
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/json/tags.go
@@ -0,0 +1,44 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"strings"
+)
+
+// tagOptions is the string following a comma in a struct field's "json"
+// tag, or the empty string. It does not include the leading comma.
+type tagOptions string
+
+// parseTag splits a struct field's json tag into its name and
+// comma-separated options.
+func parseTag(tag string) (string, tagOptions) {
+	if idx := strings.Index(tag, ","); idx != -1 {
+		return tag[:idx], tagOptions(tag[idx+1:])
+	}
+	return tag, tagOptions("")
+}
+
+// Contains reports whether a comma-separated list of options
+// contains a particular substr flag. substr must be surrounded by a
+// string boundary or commas.
+func (o tagOptions) Contains(optionName string) bool {
+	if len(o) == 0 {
+		return false
+	}
+	s := string(o)
+	for s != "" {
+		var next string
+		i := strings.Index(s, ",")
+		if i >= 0 {
+			s, next = s[:i], s[i+1:]
+		}
+		if s == optionName {
+			return true
+		}
+		s = next
+	}
+	return false
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
new file mode 100644
index 00000000..a8966ab8
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
@@ -0,0 +1,294 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"encoding/base64"
+	"fmt"
+	"strings"
+
+	"gopkg.in/go-jose/go-jose.v2/json"
+)
+
+// rawJSONWebEncryption represents a raw JWE JSON object. Used for parsing/serializing.
+type rawJSONWebEncryption struct {
+	Protected    *byteBuffer        `json:"protected,omitempty"`
+	Unprotected  *rawHeader         `json:"unprotected,omitempty"`
+	Header       *rawHeader         `json:"header,omitempty"`
+	Recipients   []rawRecipientInfo `json:"recipients,omitempty"`
+	Aad          *byteBuffer        `json:"aad,omitempty"`
+	EncryptedKey *byteBuffer        `json:"encrypted_key,omitempty"`
+	Iv           *byteBuffer        `json:"iv,omitempty"`
+	Ciphertext   *byteBuffer        `json:"ciphertext,omitempty"`
+	Tag          *byteBuffer        `json:"tag,omitempty"`
+}
+
+// rawRecipientInfo represents a raw JWE Per-Recipient header JSON object. Used for parsing/serializing.
+type rawRecipientInfo struct {
+	Header       *rawHeader `json:"header,omitempty"`
+	EncryptedKey string     `json:"encrypted_key,omitempty"`
+}
+
+// JSONWebEncryption represents an encrypted JWE object after parsing.
+type JSONWebEncryption struct {
+	Header                   Header
+	protected, unprotected   *rawHeader
+	recipients               []recipientInfo
+	aad, iv, ciphertext, tag []byte
+	original                 *rawJSONWebEncryption
+}
+
+// recipientInfo represents a raw JWE Per-Recipient header JSON object after parsing.
+type recipientInfo struct {
+	header       *rawHeader
+	encryptedKey []byte
+}
+
+// GetAuthData retrieves the (optional) authenticated data attached to the object.
+func (obj JSONWebEncryption) GetAuthData() []byte {
+	if obj.aad != nil {
+		out := make([]byte, len(obj.aad))
+		copy(out, obj.aad)
+		return out
+	}
+
+	return nil
+}
+
+// Get the merged header values
+func (obj JSONWebEncryption) mergedHeaders(recipient *recipientInfo) rawHeader {
+	out := rawHeader{}
+	out.merge(obj.protected)
+	out.merge(obj.unprotected)
+
+	if recipient != nil {
+		out.merge(recipient.header)
+	}
+
+	return out
+}
+
+// Get the additional authenticated data from a JWE object.
+func (obj JSONWebEncryption) computeAuthData() []byte {
+	var protected string
+
+	if obj.original != nil && obj.original.Protected != nil {
+		protected = obj.original.Protected.base64()
+	} else if obj.protected != nil {
+		protected = base64.RawURLEncoding.EncodeToString(mustSerializeJSON((obj.protected)))
+	} else {
+		protected = ""
+	}
+
+	output := []byte(protected)
+	if obj.aad != nil {
+		output = append(output, '.')
+		output = append(output, []byte(base64.RawURLEncoding.EncodeToString(obj.aad))...)
+	}
+
+	return output
+}
+
+// ParseEncrypted parses an encrypted message in compact or full serialization format.
+func ParseEncrypted(input string) (*JSONWebEncryption, error) {
+	input = stripWhitespace(input)
+	if strings.HasPrefix(input, "{") {
+		return parseEncryptedFull(input)
+	}
+
+	return parseEncryptedCompact(input)
+}
+
+// parseEncryptedFull parses a message in compact format.
+func parseEncryptedFull(input string) (*JSONWebEncryption, error) {
+	var parsed rawJSONWebEncryption
+	err := json.Unmarshal([]byte(input), &parsed)
+	if err != nil {
+		return nil, err
+	}
+
+	return parsed.sanitized()
+}
+
+// sanitized produces a cleaned-up JWE object from the raw JSON.
+func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+	obj := &JSONWebEncryption{
+		original:    parsed,
+		unprotected: parsed.Unprotected,
+	}
+
+	// Check that there is not a nonce in the unprotected headers
+	if parsed.Unprotected != nil {
+		if nonce := parsed.Unprotected.getNonce(); nonce != "" {
+			return nil, ErrUnprotectedNonce
+		}
+	}
+	if parsed.Header != nil {
+		if nonce := parsed.Header.getNonce(); nonce != "" {
+			return nil, ErrUnprotectedNonce
+		}
+	}
+
+	if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
+		err := json.Unmarshal(parsed.Protected.bytes(), &obj.protected)
+		if err != nil {
+			return nil, fmt.Errorf("go-jose/go-jose: invalid protected header: %s, %s", err, parsed.Protected.base64())
+		}
+	}
+
+	// Note: this must be called _after_ we parse the protected header,
+	// otherwise fields from the protected header will not get picked up.
+	var err error
+	mergedHeaders := obj.mergedHeaders(nil)
+	obj.Header, err = mergedHeaders.sanitized()
+	if err != nil {
+		return nil, fmt.Errorf("go-jose/go-jose: cannot sanitize merged headers: %v (%v)", err, mergedHeaders)
+	}
+
+	if len(parsed.Recipients) == 0 {
+		obj.recipients = []recipientInfo{
+			{
+				header:       parsed.Header,
+				encryptedKey: parsed.EncryptedKey.bytes(),
+			},
+		}
+	} else {
+		obj.recipients = make([]recipientInfo, len(parsed.Recipients))
+		for r := range parsed.Recipients {
+			encryptedKey, err := base64.RawURLEncoding.DecodeString(parsed.Recipients[r].EncryptedKey)
+			if err != nil {
+				return nil, err
+			}
+
+			// Check that there is not a nonce in the unprotected header
+			if parsed.Recipients[r].Header != nil && parsed.Recipients[r].Header.getNonce() != "" {
+				return nil, ErrUnprotectedNonce
+			}
+
+			obj.recipients[r].header = parsed.Recipients[r].Header
+			obj.recipients[r].encryptedKey = encryptedKey
+		}
+	}
+
+	for _, recipient := range obj.recipients {
+		headers := obj.mergedHeaders(&recipient)
+		if headers.getAlgorithm() == "" || headers.getEncryption() == "" {
+			return nil, fmt.Errorf("go-jose/go-jose: message is missing alg/enc headers")
+		}
+	}
+
+	obj.iv = parsed.Iv.bytes()
+	obj.ciphertext = parsed.Ciphertext.bytes()
+	obj.tag = parsed.Tag.bytes()
+	obj.aad = parsed.Aad.bytes()
+
+	return obj, nil
+}
+
+// parseEncryptedCompact parses a message in compact format.
+func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+	parts := strings.Split(input, ".")
+	if len(parts) != 5 {
+		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+	}
+
+	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+	if err != nil {
+		return nil, err
+	}
+
+	encryptedKey, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return nil, err
+	}
+
+	iv, err := base64.RawURLEncoding.DecodeString(parts[2])
+	if err != nil {
+		return nil, err
+	}
+
+	ciphertext, err := base64.RawURLEncoding.DecodeString(parts[3])
+	if err != nil {
+		return nil, err
+	}
+
+	tag, err := base64.RawURLEncoding.DecodeString(parts[4])
+	if err != nil {
+		return nil, err
+	}
+
+	raw := &rawJSONWebEncryption{
+		Protected:    newBuffer(rawProtected),
+		EncryptedKey: newBuffer(encryptedKey),
+		Iv:           newBuffer(iv),
+		Ciphertext:   newBuffer(ciphertext),
+		Tag:          newBuffer(tag),
+	}
+
+	return raw.sanitized()
+}
+
+// CompactSerialize serializes an object using the compact serialization format.
+func (obj JSONWebEncryption) CompactSerialize() (string, error) {
+	if len(obj.recipients) != 1 || obj.unprotected != nil ||
+		obj.protected == nil || obj.recipients[0].header != nil {
+		return "", ErrNotSupported
+	}
+
+	serializedProtected := mustSerializeJSON(obj.protected)
+
+	return fmt.Sprintf(
+		"%s.%s.%s.%s.%s",
+		base64.RawURLEncoding.EncodeToString(serializedProtected),
+		base64.RawURLEncoding.EncodeToString(obj.recipients[0].encryptedKey),
+		base64.RawURLEncoding.EncodeToString(obj.iv),
+		base64.RawURLEncoding.EncodeToString(obj.ciphertext),
+		base64.RawURLEncoding.EncodeToString(obj.tag)), nil
+}
+
+// FullSerialize serializes an object using the full JSON serialization format.
+func (obj JSONWebEncryption) FullSerialize() string {
+	raw := rawJSONWebEncryption{
+		Unprotected:  obj.unprotected,
+		Iv:           newBuffer(obj.iv),
+		Ciphertext:   newBuffer(obj.ciphertext),
+		EncryptedKey: newBuffer(obj.recipients[0].encryptedKey),
+		Tag:          newBuffer(obj.tag),
+		Aad:          newBuffer(obj.aad),
+		Recipients:   []rawRecipientInfo{},
+	}
+
+	if len(obj.recipients) > 1 {
+		for _, recipient := range obj.recipients {
+			info := rawRecipientInfo{
+				Header:       recipient.header,
+				EncryptedKey: base64.RawURLEncoding.EncodeToString(recipient.encryptedKey),
+			}
+			raw.Recipients = append(raw.Recipients, info)
+		}
+	} else {
+		// Use flattened serialization
+		raw.Header = obj.recipients[0].header
+		raw.EncryptedKey = newBuffer(obj.recipients[0].encryptedKey)
+	}
+
+	if obj.protected != nil {
+		raw.Protected = newBuffer(mustSerializeJSON(obj.protected))
+	}
+
+	return string(mustSerializeJSON(raw))
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jwk.go b/vendor/gopkg.in/go-jose/go-jose.v2/jwk.go
new file mode 100644
index 00000000..ea3d8634
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/jwk.go
@@ -0,0 +1,760 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"math/big"
+	"net/url"
+	"reflect"
+	"strings"
+
+	"golang.org/x/crypto/ed25519"
+
+	"gopkg.in/go-jose/go-jose.v2/json"
+)
+
+// rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing.
+type rawJSONWebKey struct {
+	Use string      `json:"use,omitempty"`
+	Kty string      `json:"kty,omitempty"`
+	Kid string      `json:"kid,omitempty"`
+	Crv string      `json:"crv,omitempty"`
+	Alg string      `json:"alg,omitempty"`
+	K   *byteBuffer `json:"k,omitempty"`
+	X   *byteBuffer `json:"x,omitempty"`
+	Y   *byteBuffer `json:"y,omitempty"`
+	N   *byteBuffer `json:"n,omitempty"`
+	E   *byteBuffer `json:"e,omitempty"`
+	// -- Following fields are only used for private keys --
+	// RSA uses D, P and Q, while ECDSA uses only D. Fields Dp, Dq, and Qi are
+	// completely optional. Therefore for RSA/ECDSA, D != nil is a contract that
+	// we have a private key whereas D == nil means we have only a public key.
+	D  *byteBuffer `json:"d,omitempty"`
+	P  *byteBuffer `json:"p,omitempty"`
+	Q  *byteBuffer `json:"q,omitempty"`
+	Dp *byteBuffer `json:"dp,omitempty"`
+	Dq *byteBuffer `json:"dq,omitempty"`
+	Qi *byteBuffer `json:"qi,omitempty"`
+	// Certificates
+	X5c       []string `json:"x5c,omitempty"`
+	X5u       *url.URL `json:"x5u,omitempty"`
+	X5tSHA1   string   `json:"x5t,omitempty"`
+	X5tSHA256 string   `json:"x5t#S256,omitempty"`
+}
+
+// JSONWebKey represents a public or private key in JWK format.
+type JSONWebKey struct {
+	// Cryptographic key, can be a symmetric or asymmetric key.
+	Key interface{}
+	// Key identifier, parsed from `kid` header.
+	KeyID string
+	// Key algorithm, parsed from `alg` header.
+	Algorithm string
+	// Key use, parsed from `use` header.
+	Use string
+
+	// X.509 certificate chain, parsed from `x5c` header.
+	Certificates []*x509.Certificate
+	// X.509 certificate URL, parsed from `x5u` header.
+	CertificatesURL *url.URL
+	// X.509 certificate thumbprint (SHA-1), parsed from `x5t` header.
+	CertificateThumbprintSHA1 []byte
+	// X.509 certificate thumbprint (SHA-256), parsed from `x5t#S256` header.
+	CertificateThumbprintSHA256 []byte
+}
+
+// MarshalJSON serializes the given key to its JSON representation.
+func (k JSONWebKey) MarshalJSON() ([]byte, error) {
+	var raw *rawJSONWebKey
+	var err error
+
+	switch key := k.Key.(type) {
+	case ed25519.PublicKey:
+		raw = fromEdPublicKey(key)
+	case *ecdsa.PublicKey:
+		raw, err = fromEcPublicKey(key)
+	case *rsa.PublicKey:
+		raw = fromRsaPublicKey(key)
+	case ed25519.PrivateKey:
+		raw, err = fromEdPrivateKey(key)
+	case *ecdsa.PrivateKey:
+		raw, err = fromEcPrivateKey(key)
+	case *rsa.PrivateKey:
+		raw, err = fromRsaPrivateKey(key)
+	case []byte:
+		raw, err = fromSymmetricKey(key)
+	default:
+		return nil, fmt.Errorf("go-jose/go-jose: unknown key type '%s'", reflect.TypeOf(key))
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	raw.Kid = k.KeyID
+	raw.Alg = k.Algorithm
+	raw.Use = k.Use
+
+	for _, cert := range k.Certificates {
+		raw.X5c = append(raw.X5c, base64.StdEncoding.EncodeToString(cert.Raw))
+	}
+
+	x5tSHA1Len := len(k.CertificateThumbprintSHA1)
+	x5tSHA256Len := len(k.CertificateThumbprintSHA256)
+	if x5tSHA1Len > 0 {
+		if x5tSHA1Len != sha1.Size {
+			return nil, fmt.Errorf("go-jose/go-jose: invalid SHA-1 thumbprint (must be %d bytes, not %d)", sha1.Size, x5tSHA1Len)
+		}
+		raw.X5tSHA1 = base64.RawURLEncoding.EncodeToString(k.CertificateThumbprintSHA1)
+	}
+	if x5tSHA256Len > 0 {
+		if x5tSHA256Len != sha256.Size {
+			return nil, fmt.Errorf("go-jose/go-jose: invalid SHA-256 thumbprint (must be %d bytes, not %d)", sha256.Size, x5tSHA256Len)
+		}
+		raw.X5tSHA256 = base64.RawURLEncoding.EncodeToString(k.CertificateThumbprintSHA256)
+	}
+
+	// If cert chain is attached (as opposed to being behind a URL), check the
+	// keys thumbprints to make sure they match what is expected. This is to
+	// ensure we don't accidentally produce a JWK with semantically inconsistent
+	// data in the headers.
+	if len(k.Certificates) > 0 {
+		expectedSHA1 := sha1.Sum(k.Certificates[0].Raw)
+		expectedSHA256 := sha256.Sum256(k.Certificates[0].Raw)
+
+		if len(k.CertificateThumbprintSHA1) > 0 && !bytes.Equal(k.CertificateThumbprintSHA1, expectedSHA1[:]) {
+			return nil, errors.New("go-jose/go-jose: invalid SHA-1 thumbprint, does not match cert chain")
+		}
+		if len(k.CertificateThumbprintSHA256) > 0 && !bytes.Equal(k.CertificateThumbprintSHA256, expectedSHA256[:]) {
+			return nil, errors.New("go-jose/go-jose: invalid or SHA-256 thumbprint, does not match cert chain")
+		}
+	}
+
+	raw.X5u = k.CertificatesURL
+
+	return json.Marshal(raw)
+}
+
+// UnmarshalJSON reads a key from its JSON representation.
+func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
+	var raw rawJSONWebKey
+	err = json.Unmarshal(data, &raw)
+	if err != nil {
+		return err
+	}
+
+	certs, err := parseCertificateChain(raw.X5c)
+	if err != nil {
+		return fmt.Errorf("go-jose/go-jose: failed to unmarshal x5c field: %s", err)
+	}
+
+	var key interface{}
+	var certPub interface{}
+	var keyPub interface{}
+
+	if len(certs) > 0 {
+		// We need to check that leaf public key matches the key embedded in this
+		// JWK, as required by the standard (see RFC 7517, Section 4.7). Otherwise
+		// the JWK parsed could be semantically invalid. Technically, should also
+		// check key usage fields and other extensions on the cert here, but the
+		// standard doesn't exactly explain how they're supposed to map from the
+		// JWK representation to the X.509 extensions.
+		certPub = certs[0].PublicKey
+	}
+
+	switch raw.Kty {
+	case "EC":
+		if raw.D != nil {
+			key, err = raw.ecPrivateKey()
+			if err == nil {
+				keyPub = key.(*ecdsa.PrivateKey).Public()
+			}
+		} else {
+			key, err = raw.ecPublicKey()
+			keyPub = key
+		}
+	case "RSA":
+		if raw.D != nil {
+			key, err = raw.rsaPrivateKey()
+			if err == nil {
+				keyPub = key.(*rsa.PrivateKey).Public()
+			}
+		} else {
+			key, err = raw.rsaPublicKey()
+			keyPub = key
+		}
+	case "oct":
+		if certPub != nil {
+			return errors.New("go-jose/go-jose: invalid JWK, found 'oct' (symmetric) key with cert chain")
+		}
+		key, err = raw.symmetricKey()
+	case "OKP":
+		if raw.Crv == "Ed25519" && raw.X != nil {
+			if raw.D != nil {
+				key, err = raw.edPrivateKey()
+				if err == nil {
+					keyPub = key.(ed25519.PrivateKey).Public()
+				}
+			} else {
+				key, err = raw.edPublicKey()
+				keyPub = key
+			}
+		} else {
+			err = fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
+		}
+	default:
+		err = fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
+	}
+
+	if err != nil {
+		return
+	}
+
+	if certPub != nil && keyPub != nil {
+		if !reflect.DeepEqual(certPub, keyPub) {
+			return errors.New("go-jose/go-jose: invalid JWK, public keys in key and x5c fields to not match")
+		}
+	}
+
+	*k = JSONWebKey{Key: key, KeyID: raw.Kid, Algorithm: raw.Alg, Use: raw.Use, Certificates: certs}
+
+	k.CertificatesURL = raw.X5u
+
+	// x5t parameters are base64url-encoded SHA thumbprints
+	// See RFC 7517, Section 4.8, https://tools.ietf.org/html/rfc7517#section-4.8
+	x5tSHA1bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA1)
+	if err != nil {
+		return errors.New("go-jose/go-jose: invalid JWK, x5t header has invalid encoding")
+	}
+
+	// RFC 7517, Section 4.8 is ambiguous as to whether the digest output should be byte or hex,
+	// for this reason, after base64 decoding, if the size is sha1.Size it's likely that the value is a byte encoded
+	// checksum so we skip this. Otherwise if the checksum was hex encoded we expect a 40 byte sized array so we'll
+	// try to hex decode it. When Marshalling this value we'll always use a base64 encoded version of byte format checksum.
+	if len(x5tSHA1bytes) == 2*sha1.Size {
+		hx, err := hex.DecodeString(string(x5tSHA1bytes))
+		if err != nil {
+			return fmt.Errorf("go-jose/go-jose: invalid JWK, unable to hex decode x5t: %v", err)
+
+		}
+		x5tSHA1bytes = hx
+	}
+
+	k.CertificateThumbprintSHA1 = x5tSHA1bytes
+
+	x5tSHA256bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA256)
+	if err != nil {
+		return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header has invalid encoding")
+	}
+
+	if len(x5tSHA256bytes) == 2*sha256.Size {
+		hx256, err := hex.DecodeString(string(x5tSHA256bytes))
+		if err != nil {
+			return fmt.Errorf("go-jose/go-jose: invalid JWK, unable to hex decode x5t#S256: %v", err)
+		}
+		x5tSHA256bytes = hx256
+	}
+
+	k.CertificateThumbprintSHA256 = x5tSHA256bytes
+
+	x5tSHA1Len := len(k.CertificateThumbprintSHA1)
+	x5tSHA256Len := len(k.CertificateThumbprintSHA256)
+	if x5tSHA1Len > 0 && x5tSHA1Len != sha1.Size {
+		return errors.New("go-jose/go-jose: invalid JWK, x5t header is of incorrect size")
+	}
+	if x5tSHA256Len > 0 && x5tSHA256Len != sha256.Size {
+		return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header is of incorrect size")
+	}
+
+	// If certificate chain *and* thumbprints are set, verify correctness.
+	if len(k.Certificates) > 0 {
+		leaf := k.Certificates[0]
+		sha1sum := sha1.Sum(leaf.Raw)
+		sha256sum := sha256.Sum256(leaf.Raw)
+
+		if len(k.CertificateThumbprintSHA1) > 0 && !bytes.Equal(sha1sum[:], k.CertificateThumbprintSHA1) {
+			return errors.New("go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t value")
+		}
+
+		if len(k.CertificateThumbprintSHA256) > 0 && !bytes.Equal(sha256sum[:], k.CertificateThumbprintSHA256) {
+			return errors.New("go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t#S256 value")
+		}
+	}
+
+	return
+}
+
+// JSONWebKeySet represents a JWK Set object.
+type JSONWebKeySet struct {
+	Keys []JSONWebKey `json:"keys"`
+}
+
+// Key convenience method returns keys by key ID. Specification states
+// that a JWK Set "SHOULD" use distinct key IDs, but allows for some
+// cases where they are not distinct. Hence method returns a slice
+// of JSONWebKeys.
+func (s *JSONWebKeySet) Key(kid string) []JSONWebKey {
+	var keys []JSONWebKey
+	for _, key := range s.Keys {
+		if key.KeyID == kid {
+			keys = append(keys, key)
+		}
+	}
+
+	return keys
+}
+
+const rsaThumbprintTemplate = `{"e":"%s","kty":"RSA","n":"%s"}`
+const ecThumbprintTemplate = `{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`
+const edThumbprintTemplate = `{"crv":"%s","kty":"OKP","x":"%s"}`
+
+func ecThumbprintInput(curve elliptic.Curve, x, y *big.Int) (string, error) {
+	coordLength := curveSize(curve)
+	crv, err := curveName(curve)
+	if err != nil {
+		return "", err
+	}
+
+	if len(x.Bytes()) > coordLength || len(y.Bytes()) > coordLength {
+		return "", errors.New("go-jose/go-jose: invalid elliptic key (too large)")
+	}
+
+	return fmt.Sprintf(ecThumbprintTemplate, crv,
+		newFixedSizeBuffer(x.Bytes(), coordLength).base64(),
+		newFixedSizeBuffer(y.Bytes(), coordLength).base64()), nil
+}
+
+func rsaThumbprintInput(n *big.Int, e int) (string, error) {
+	return fmt.Sprintf(rsaThumbprintTemplate,
+		newBufferFromInt(uint64(e)).base64(),
+		newBuffer(n.Bytes()).base64()), nil
+}
+
+func edThumbprintInput(ed ed25519.PublicKey) (string, error) {
+	crv := "Ed25519"
+	if len(ed) > 32 {
+		return "", errors.New("go-jose/go-jose: invalid elliptic key (too large)")
+	}
+	return fmt.Sprintf(edThumbprintTemplate, crv,
+		newFixedSizeBuffer(ed, 32).base64()), nil
+}
+
+// Thumbprint computes the JWK Thumbprint of a key using the
+// indicated hash algorithm.
+func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) {
+	var input string
+	var err error
+	switch key := k.Key.(type) {
+	case ed25519.PublicKey:
+		input, err = edThumbprintInput(key)
+	case *ecdsa.PublicKey:
+		input, err = ecThumbprintInput(key.Curve, key.X, key.Y)
+	case *ecdsa.PrivateKey:
+		input, err = ecThumbprintInput(key.Curve, key.X, key.Y)
+	case *rsa.PublicKey:
+		input, err = rsaThumbprintInput(key.N, key.E)
+	case *rsa.PrivateKey:
+		input, err = rsaThumbprintInput(key.N, key.E)
+	case ed25519.PrivateKey:
+		input, err = edThumbprintInput(ed25519.PublicKey(key[32:]))
+	default:
+		return nil, fmt.Errorf("go-jose/go-jose: unknown key type '%s'", reflect.TypeOf(key))
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	h := hash.New()
+	h.Write([]byte(input))
+	return h.Sum(nil), nil
+}
+
+// IsPublic returns true if the JWK represents a public key (not symmetric, not private).
+func (k *JSONWebKey) IsPublic() bool {
+	switch k.Key.(type) {
+	case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
+		return true
+	default:
+		return false
+	}
+}
+
+// Public creates JSONWebKey with corresponding public key if JWK represents asymmetric private key.
+func (k *JSONWebKey) Public() JSONWebKey {
+	if k.IsPublic() {
+		return *k
+	}
+	ret := *k
+	switch key := k.Key.(type) {
+	case *ecdsa.PrivateKey:
+		ret.Key = key.Public()
+	case *rsa.PrivateKey:
+		ret.Key = key.Public()
+	case ed25519.PrivateKey:
+		ret.Key = key.Public()
+	default:
+		return JSONWebKey{} // returning invalid key
+	}
+	return ret
+}
+
+// Valid checks that the key contains the expected parameters.
+func (k *JSONWebKey) Valid() bool {
+	if k.Key == nil {
+		return false
+	}
+	switch key := k.Key.(type) {
+	case *ecdsa.PublicKey:
+		if key.Curve == nil || key.X == nil || key.Y == nil {
+			return false
+		}
+	case *ecdsa.PrivateKey:
+		if key.Curve == nil || key.X == nil || key.Y == nil || key.D == nil {
+			return false
+		}
+	case *rsa.PublicKey:
+		if key.N == nil || key.E == 0 {
+			return false
+		}
+	case *rsa.PrivateKey:
+		if key.N == nil || key.E == 0 || key.D == nil || len(key.Primes) < 2 {
+			return false
+		}
+	case ed25519.PublicKey:
+		if len(key) != 32 {
+			return false
+		}
+	case ed25519.PrivateKey:
+		if len(key) != 64 {
+			return false
+		}
+	default:
+		return false
+	}
+	return true
+}
+
+func (key rawJSONWebKey) rsaPublicKey() (*rsa.PublicKey, error) {
+	if key.N == nil || key.E == nil {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid RSA key, missing n/e values")
+	}
+
+	return &rsa.PublicKey{
+		N: key.N.bigInt(),
+		E: key.E.toInt(),
+	}, nil
+}
+
+func fromEdPublicKey(pub ed25519.PublicKey) *rawJSONWebKey {
+	return &rawJSONWebKey{
+		Kty: "OKP",
+		Crv: "Ed25519",
+		X:   newBuffer(pub),
+	}
+}
+
+func fromRsaPublicKey(pub *rsa.PublicKey) *rawJSONWebKey {
+	return &rawJSONWebKey{
+		Kty: "RSA",
+		N:   newBuffer(pub.N.Bytes()),
+		E:   newBufferFromInt(uint64(pub.E)),
+	}
+}
+
+func (key rawJSONWebKey) ecPublicKey() (*ecdsa.PublicKey, error) {
+	var curve elliptic.Curve
+	switch key.Crv {
+	case "P-256":
+		curve = elliptic.P256()
+	case "P-384":
+		curve = elliptic.P384()
+	case "P-521":
+		curve = elliptic.P521()
+	default:
+		return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
+	}
+
+	if key.X == nil || key.Y == nil {
+		return nil, errors.New("go-jose/go-jose: invalid EC key, missing x/y values")
+	}
+
+	// The length of this octet string MUST be the full size of a coordinate for
+	// the curve specified in the "crv" parameter.
+	// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
+	if curveSize(curve) != len(key.X.data) {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid EC public key, wrong length for x")
+	}
+
+	if curveSize(curve) != len(key.Y.data) {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid EC public key, wrong length for y")
+	}
+
+	x := key.X.bigInt()
+	y := key.Y.bigInt()
+
+	if !curve.IsOnCurve(x, y) {
+		return nil, errors.New("go-jose/go-jose: invalid EC key, X/Y are not on declared curve")
+	}
+
+	return &ecdsa.PublicKey{
+		Curve: curve,
+		X:     x,
+		Y:     y,
+	}, nil
+}
+
+func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) {
+	if pub == nil || pub.X == nil || pub.Y == nil {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid EC key (nil, or X/Y missing)")
+	}
+
+	name, err := curveName(pub.Curve)
+	if err != nil {
+		return nil, err
+	}
+
+	size := curveSize(pub.Curve)
+
+	xBytes := pub.X.Bytes()
+	yBytes := pub.Y.Bytes()
+
+	if len(xBytes) > size || len(yBytes) > size {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid EC key (X/Y too large)")
+	}
+
+	key := &rawJSONWebKey{
+		Kty: "EC",
+		Crv: name,
+		X:   newFixedSizeBuffer(xBytes, size),
+		Y:   newFixedSizeBuffer(yBytes, size),
+	}
+
+	return key, nil
+}
+
+func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) {
+	var missing []string
+	switch {
+	case key.D == nil:
+		missing = append(missing, "D")
+	case key.X == nil:
+		missing = append(missing, "X")
+	}
+
+	if len(missing) > 0 {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid Ed25519 private key, missing %s value(s)", strings.Join(missing, ", "))
+	}
+
+	privateKey := make([]byte, ed25519.PrivateKeySize)
+	copy(privateKey[0:32], key.D.bytes())
+	copy(privateKey[32:], key.X.bytes())
+	rv := ed25519.PrivateKey(privateKey)
+	return rv, nil
+}
+
+func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) {
+	if key.X == nil {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid Ed key, missing x value")
+	}
+	publicKey := make([]byte, ed25519.PublicKeySize)
+	copy(publicKey[0:32], key.X.bytes())
+	rv := ed25519.PublicKey(publicKey)
+	return rv, nil
+}
+
+func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) {
+	var missing []string
+	switch {
+	case key.N == nil:
+		missing = append(missing, "N")
+	case key.E == nil:
+		missing = append(missing, "E")
+	case key.D == nil:
+		missing = append(missing, "D")
+	case key.P == nil:
+		missing = append(missing, "P")
+	case key.Q == nil:
+		missing = append(missing, "Q")
+	}
+
+	if len(missing) > 0 {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
+	}
+
+	rv := &rsa.PrivateKey{
+		PublicKey: rsa.PublicKey{
+			N: key.N.bigInt(),
+			E: key.E.toInt(),
+		},
+		D: key.D.bigInt(),
+		Primes: []*big.Int{
+			key.P.bigInt(),
+			key.Q.bigInt(),
+		},
+	}
+
+	if key.Dp != nil {
+		rv.Precomputed.Dp = key.Dp.bigInt()
+	}
+	if key.Dq != nil {
+		rv.Precomputed.Dq = key.Dq.bigInt()
+	}
+	if key.Qi != nil {
+		rv.Precomputed.Qinv = key.Qi.bigInt()
+	}
+
+	err := rv.Validate()
+	return rv, err
+}
+
+func fromEdPrivateKey(ed ed25519.PrivateKey) (*rawJSONWebKey, error) {
+	raw := fromEdPublicKey(ed25519.PublicKey(ed[32:]))
+
+	raw.D = newBuffer(ed[0:32])
+	return raw, nil
+}
+
+func fromRsaPrivateKey(rsa *rsa.PrivateKey) (*rawJSONWebKey, error) {
+	if len(rsa.Primes) != 2 {
+		return nil, ErrUnsupportedKeyType
+	}
+
+	raw := fromRsaPublicKey(&rsa.PublicKey)
+
+	raw.D = newBuffer(rsa.D.Bytes())
+	raw.P = newBuffer(rsa.Primes[0].Bytes())
+	raw.Q = newBuffer(rsa.Primes[1].Bytes())
+
+	if rsa.Precomputed.Dp != nil {
+		raw.Dp = newBuffer(rsa.Precomputed.Dp.Bytes())
+	}
+	if rsa.Precomputed.Dq != nil {
+		raw.Dq = newBuffer(rsa.Precomputed.Dq.Bytes())
+	}
+	if rsa.Precomputed.Qinv != nil {
+		raw.Qi = newBuffer(rsa.Precomputed.Qinv.Bytes())
+	}
+
+	return raw, nil
+}
+
+func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
+	var curve elliptic.Curve
+	switch key.Crv {
+	case "P-256":
+		curve = elliptic.P256()
+	case "P-384":
+		curve = elliptic.P384()
+	case "P-521":
+		curve = elliptic.P521()
+	default:
+		return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
+	}
+
+	if key.X == nil || key.Y == nil || key.D == nil {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing x/y/d values")
+	}
+
+	// The length of this octet string MUST be the full size of a coordinate for
+	// the curve specified in the "crv" parameter.
+	// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
+	if curveSize(curve) != len(key.X.data) {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for x")
+	}
+
+	if curveSize(curve) != len(key.Y.data) {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for y")
+	}
+
+	// https://tools.ietf.org/html/rfc7518#section-6.2.2.1
+	if dSize(curve) != len(key.D.data) {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for d")
+	}
+
+	x := key.X.bigInt()
+	y := key.Y.bigInt()
+
+	if !curve.IsOnCurve(x, y) {
+		return nil, errors.New("go-jose/go-jose: invalid EC key, X/Y are not on declared curve")
+	}
+
+	return &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: curve,
+			X:     x,
+			Y:     y,
+		},
+		D: key.D.bigInt(),
+	}, nil
+}
+
+func fromEcPrivateKey(ec *ecdsa.PrivateKey) (*rawJSONWebKey, error) {
+	raw, err := fromEcPublicKey(&ec.PublicKey)
+	if err != nil {
+		return nil, err
+	}
+
+	if ec.D == nil {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key")
+	}
+
+	raw.D = newFixedSizeBuffer(ec.D.Bytes(), dSize(ec.PublicKey.Curve))
+
+	return raw, nil
+}
+
+// dSize returns the size in octets for the "d" member of an elliptic curve
+// private key.
+// The length of this octet string MUST be ceiling(log-base-2(n)/8)
+// octets (where n is the order of the curve).
+// https://tools.ietf.org/html/rfc7518#section-6.2.2.1
+func dSize(curve elliptic.Curve) int {
+	order := curve.Params().P
+	bitLen := order.BitLen()
+	size := bitLen / 8
+	if bitLen%8 != 0 {
+		size = size + 1
+	}
+	return size
+}
+
+func fromSymmetricKey(key []byte) (*rawJSONWebKey, error) {
+	return &rawJSONWebKey{
+		Kty: "oct",
+		K:   newBuffer(key),
+	}, nil
+}
+
+func (key rawJSONWebKey) symmetricKey() ([]byte, error) {
+	if key.K == nil {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid OCT (symmetric) key, missing k value")
+	}
+	return key.K.bytes(), nil
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
new file mode 100644
index 00000000..1a24fa46
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
@@ -0,0 +1,366 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"strings"
+
+	"gopkg.in/go-jose/go-jose.v2/json"
+)
+
+// rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
+type rawJSONWebSignature struct {
+	Payload    *byteBuffer        `json:"payload,omitempty"`
+	Signatures []rawSignatureInfo `json:"signatures,omitempty"`
+	Protected  *byteBuffer        `json:"protected,omitempty"`
+	Header     *rawHeader         `json:"header,omitempty"`
+	Signature  *byteBuffer        `json:"signature,omitempty"`
+}
+
+// rawSignatureInfo represents a single JWS signature over the JWS payload and protected header.
+type rawSignatureInfo struct {
+	Protected *byteBuffer `json:"protected,omitempty"`
+	Header    *rawHeader  `json:"header,omitempty"`
+	Signature *byteBuffer `json:"signature,omitempty"`
+}
+
+// JSONWebSignature represents a signed JWS object after parsing.
+type JSONWebSignature struct {
+	payload []byte
+	// Signatures attached to this object (may be more than one for multi-sig).
+	// Be careful about accessing these directly, prefer to use Verify() or
+	// VerifyMulti() to ensure that the data you're getting is verified.
+	Signatures []Signature
+}
+
+// Signature represents a single signature over the JWS payload and protected header.
+type Signature struct {
+	// Merged header fields. Contains both protected and unprotected header
+	// values. Prefer using Protected and Unprotected fields instead of this.
+	// Values in this header may or may not have been signed and in general
+	// should not be trusted.
+	Header Header
+
+	// Protected header. Values in this header were signed and
+	// will be verified as part of the signature verification process.
+	Protected Header
+
+	// Unprotected header. Values in this header were not signed
+	// and in general should not be trusted.
+	Unprotected Header
+
+	// The actual signature value
+	Signature []byte
+
+	protected *rawHeader
+	header    *rawHeader
+	original  *rawSignatureInfo
+}
+
+// ParseSigned parses a signed message in compact or full serialization format.
+func ParseSigned(signature string) (*JSONWebSignature, error) {
+	signature = stripWhitespace(signature)
+	if strings.HasPrefix(signature, "{") {
+		return parseSignedFull(signature)
+	}
+
+	return parseSignedCompact(signature, nil)
+}
+
+// ParseDetached parses a signed message in compact serialization format with detached payload.
+func ParseDetached(signature string, payload []byte) (*JSONWebSignature, error) {
+	if payload == nil {
+		return nil, errors.New("go-jose/go-jose: nil payload")
+	}
+	return parseSignedCompact(stripWhitespace(signature), payload)
+}
+
+// Get a header value
+func (sig Signature) mergedHeaders() rawHeader {
+	out := rawHeader{}
+	out.merge(sig.protected)
+	out.merge(sig.header)
+	return out
+}
+
+// Compute data to be signed
+func (obj JSONWebSignature) computeAuthData(payload []byte, signature *Signature) ([]byte, error) {
+	var authData bytes.Buffer
+
+	protectedHeader := new(rawHeader)
+
+	if signature.original != nil && signature.original.Protected != nil {
+		if err := json.Unmarshal(signature.original.Protected.bytes(), protectedHeader); err != nil {
+			return nil, err
+		}
+		authData.WriteString(signature.original.Protected.base64())
+	} else if signature.protected != nil {
+		protectedHeader = signature.protected
+		authData.WriteString(base64.RawURLEncoding.EncodeToString(mustSerializeJSON(protectedHeader)))
+	}
+
+	needsBase64 := true
+
+	if protectedHeader != nil {
+		var err error
+		if needsBase64, err = protectedHeader.getB64(); err != nil {
+			needsBase64 = true
+		}
+	}
+
+	authData.WriteByte('.')
+
+	if needsBase64 {
+		authData.WriteString(base64.RawURLEncoding.EncodeToString(payload))
+	} else {
+		authData.Write(payload)
+	}
+
+	return authData.Bytes(), nil
+}
+
+// parseSignedFull parses a message in full format.
+func parseSignedFull(input string) (*JSONWebSignature, error) {
+	var parsed rawJSONWebSignature
+	err := json.Unmarshal([]byte(input), &parsed)
+	if err != nil {
+		return nil, err
+	}
+
+	return parsed.sanitized()
+}
+
+// sanitized produces a cleaned-up JWS object from the raw JSON.
+func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+	if parsed.Payload == nil {
+		return nil, fmt.Errorf("go-jose/go-jose: missing payload in JWS message")
+	}
+
+	obj := &JSONWebSignature{
+		payload:    parsed.Payload.bytes(),
+		Signatures: make([]Signature, len(parsed.Signatures)),
+	}
+
+	if len(parsed.Signatures) == 0 {
+		// No signatures array, must be flattened serialization
+		signature := Signature{}
+		if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
+			signature.protected = &rawHeader{}
+			err := json.Unmarshal(parsed.Protected.bytes(), signature.protected)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		// Check that there is not a nonce in the unprotected header
+		if parsed.Header != nil && parsed.Header.getNonce() != "" {
+			return nil, ErrUnprotectedNonce
+		}
+
+		signature.header = parsed.Header
+		signature.Signature = parsed.Signature.bytes()
+		// Make a fake "original" rawSignatureInfo to store the unprocessed
+		// Protected header. This is necessary because the Protected header can
+		// contain arbitrary fields not registered as part of the spec. See
+		// https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-4
+		// If we unmarshal Protected into a rawHeader with its explicit list of fields,
+		// we cannot marshal losslessly. So we have to keep around the original bytes.
+		// This is used in computeAuthData, which will first attempt to use
+		// the original bytes of a protected header, and fall back on marshaling the
+		// header struct only if those bytes are not available.
+		signature.original = &rawSignatureInfo{
+			Protected: parsed.Protected,
+			Header:    parsed.Header,
+			Signature: parsed.Signature,
+		}
+
+		var err error
+		signature.Header, err = signature.mergedHeaders().sanitized()
+		if err != nil {
+			return nil, err
+		}
+
+		if signature.header != nil {
+			signature.Unprotected, err = signature.header.sanitized()
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		if signature.protected != nil {
+			signature.Protected, err = signature.protected.sanitized()
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		// As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
+		jwk := signature.Header.JSONWebKey
+		if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
+			return nil, errors.New("go-jose/go-jose: invalid embedded jwk, must be public key")
+		}
+
+		obj.Signatures = append(obj.Signatures, signature)
+	}
+
+	for i, sig := range parsed.Signatures {
+		if sig.Protected != nil && len(sig.Protected.bytes()) > 0 {
+			obj.Signatures[i].protected = &rawHeader{}
+			err := json.Unmarshal(sig.Protected.bytes(), obj.Signatures[i].protected)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		// Check that there is not a nonce in the unprotected header
+		if sig.Header != nil && sig.Header.getNonce() != "" {
+			return nil, ErrUnprotectedNonce
+		}
+
+		var err error
+		obj.Signatures[i].Header, err = obj.Signatures[i].mergedHeaders().sanitized()
+		if err != nil {
+			return nil, err
+		}
+
+		if obj.Signatures[i].header != nil {
+			obj.Signatures[i].Unprotected, err = obj.Signatures[i].header.sanitized()
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		if obj.Signatures[i].protected != nil {
+			obj.Signatures[i].Protected, err = obj.Signatures[i].protected.sanitized()
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		obj.Signatures[i].Signature = sig.Signature.bytes()
+
+		// As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
+		jwk := obj.Signatures[i].Header.JSONWebKey
+		if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
+			return nil, errors.New("go-jose/go-jose: invalid embedded jwk, must be public key")
+		}
+
+		// Copy value of sig
+		original := sig
+
+		obj.Signatures[i].header = sig.Header
+		obj.Signatures[i].original = &original
+	}
+
+	return obj, nil
+}
+
+// parseSignedCompact parses a message in compact format.
+func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+	parts := strings.Split(input, ".")
+	if len(parts) != 3 {
+		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+	}
+
+	if parts[1] != "" && payload != nil {
+		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+	}
+
+	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+	if err != nil {
+		return nil, err
+	}
+
+	if payload == nil {
+		payload, err = base64.RawURLEncoding.DecodeString(parts[1])
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	signature, err := base64.RawURLEncoding.DecodeString(parts[2])
+	if err != nil {
+		return nil, err
+	}
+
+	raw := &rawJSONWebSignature{
+		Payload:   newBuffer(payload),
+		Protected: newBuffer(rawProtected),
+		Signature: newBuffer(signature),
+	}
+	return raw.sanitized()
+}
+
+func (obj JSONWebSignature) compactSerialize(detached bool) (string, error) {
+	if len(obj.Signatures) != 1 || obj.Signatures[0].header != nil || obj.Signatures[0].protected == nil {
+		return "", ErrNotSupported
+	}
+
+	serializedProtected := base64.RawURLEncoding.EncodeToString(mustSerializeJSON(obj.Signatures[0].protected))
+	payload := ""
+	signature := base64.RawURLEncoding.EncodeToString(obj.Signatures[0].Signature)
+
+	if !detached {
+		payload = base64.RawURLEncoding.EncodeToString(obj.payload)
+	}
+
+	return fmt.Sprintf("%s.%s.%s", serializedProtected, payload, signature), nil
+}
+
+// CompactSerialize serializes an object using the compact serialization format.
+func (obj JSONWebSignature) CompactSerialize() (string, error) {
+	return obj.compactSerialize(false)
+}
+
+// DetachedCompactSerialize serializes an object using the compact serialization format with detached payload.
+func (obj JSONWebSignature) DetachedCompactSerialize() (string, error) {
+	return obj.compactSerialize(true)
+}
+
+// FullSerialize serializes an object using the full JSON serialization format.
+func (obj JSONWebSignature) FullSerialize() string {
+	raw := rawJSONWebSignature{
+		Payload: newBuffer(obj.payload),
+	}
+
+	if len(obj.Signatures) == 1 {
+		if obj.Signatures[0].protected != nil {
+			serializedProtected := mustSerializeJSON(obj.Signatures[0].protected)
+			raw.Protected = newBuffer(serializedProtected)
+		}
+		raw.Header = obj.Signatures[0].header
+		raw.Signature = newBuffer(obj.Signatures[0].Signature)
+	} else {
+		raw.Signatures = make([]rawSignatureInfo, len(obj.Signatures))
+		for i, signature := range obj.Signatures {
+			raw.Signatures[i] = rawSignatureInfo{
+				Header:    signature.header,
+				Signature: newBuffer(signature.Signature),
+			}
+
+			if signature.protected != nil {
+				raw.Signatures[i].Protected = newBuffer(mustSerializeJSON(signature.protected))
+			}
+		}
+	}
+
+	return string(mustSerializeJSON(raw))
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/opaque.go b/vendor/gopkg.in/go-jose/go-jose.v2/opaque.go
new file mode 100644
index 00000000..fc3e8d2e
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/opaque.go
@@ -0,0 +1,144 @@
+/*-
+ * Copyright 2018 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+// OpaqueSigner is an interface that supports signing payloads with opaque
+// private key(s). Private key operations performed by implementers may, for
+// example, occur in a hardware module. An OpaqueSigner may rotate signing keys
+// transparently to the user of this interface.
+type OpaqueSigner interface {
+	// Public returns the public key of the current signing key.
+	Public() *JSONWebKey
+	// Algs returns a list of supported signing algorithms.
+	Algs() []SignatureAlgorithm
+	// SignPayload signs a payload with the current signing key using the given
+	// algorithm.
+	SignPayload(payload []byte, alg SignatureAlgorithm) ([]byte, error)
+}
+
+type opaqueSigner struct {
+	signer OpaqueSigner
+}
+
+func newOpaqueSigner(alg SignatureAlgorithm, signer OpaqueSigner) (recipientSigInfo, error) {
+	var algSupported bool
+	for _, salg := range signer.Algs() {
+		if alg == salg {
+			algSupported = true
+			break
+		}
+	}
+	if !algSupported {
+		return recipientSigInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	return recipientSigInfo{
+		sigAlg:    alg,
+		publicKey: signer.Public,
+		signer: &opaqueSigner{
+			signer: signer,
+		},
+	}, nil
+}
+
+func (o *opaqueSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
+	out, err := o.signer.SignPayload(payload, alg)
+	if err != nil {
+		return Signature{}, err
+	}
+
+	return Signature{
+		Signature: out,
+		protected: &rawHeader{},
+	}, nil
+}
+
+// OpaqueVerifier is an interface that supports verifying payloads with opaque
+// public key(s). An OpaqueSigner may rotate signing keys transparently to the
+// user of this interface.
+type OpaqueVerifier interface {
+	VerifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error
+}
+
+type opaqueVerifier struct {
+	verifier OpaqueVerifier
+}
+
+func (o *opaqueVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
+	return o.verifier.VerifyPayload(payload, signature, alg)
+}
+
+// OpaqueKeyEncrypter is an interface that supports encrypting keys with an opaque key.
+type OpaqueKeyEncrypter interface {
+	// KeyID returns the kid
+	KeyID() string
+	// Algs returns a list of supported key encryption algorithms.
+	Algs() []KeyAlgorithm
+	// encryptKey encrypts the CEK using the given algorithm.
+	encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error)
+}
+
+type opaqueKeyEncrypter struct {
+	encrypter OpaqueKeyEncrypter
+}
+
+func newOpaqueKeyEncrypter(alg KeyAlgorithm, encrypter OpaqueKeyEncrypter) (recipientKeyInfo, error) {
+	var algSupported bool
+	for _, salg := range encrypter.Algs() {
+		if alg == salg {
+			algSupported = true
+			break
+		}
+	}
+	if !algSupported {
+		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	return recipientKeyInfo{
+		keyID:  encrypter.KeyID(),
+		keyAlg: alg,
+		keyEncrypter: &opaqueKeyEncrypter{
+			encrypter: encrypter,
+		},
+	}, nil
+}
+
+func (oke *opaqueKeyEncrypter) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
+	return oke.encrypter.encryptKey(cek, alg)
+}
+
+//OpaqueKeyDecrypter is an interface that supports decrypting keys with an opaque key.
+type OpaqueKeyDecrypter interface {
+	DecryptKey(encryptedKey []byte, header Header) ([]byte, error)
+}
+
+type opaqueKeyDecrypter struct {
+	decrypter OpaqueKeyDecrypter
+}
+
+func (okd *opaqueKeyDecrypter) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
+	mergedHeaders := rawHeader{}
+	mergedHeaders.merge(&headers)
+	mergedHeaders.merge(recipient.header)
+
+	header, err := mergedHeaders.sanitized()
+	if err != nil {
+		return nil, err
+	}
+
+	return okd.decrypter.DecryptKey(recipient.encryptedKey, header)
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/shared.go b/vendor/gopkg.in/go-jose/go-jose.v2/shared.go
new file mode 100644
index 00000000..0fa66a44
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/shared.go
@@ -0,0 +1,520 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"crypto/elliptic"
+	"crypto/x509"
+	"encoding/base64"
+	"errors"
+	"fmt"
+
+	"gopkg.in/go-jose/go-jose.v2/json"
+)
+
+// KeyAlgorithm represents a key management algorithm.
+type KeyAlgorithm string
+
+// SignatureAlgorithm represents a signature (or MAC) algorithm.
+type SignatureAlgorithm string
+
+// ContentEncryption represents a content encryption algorithm.
+type ContentEncryption string
+
+// CompressionAlgorithm represents an algorithm used for plaintext compression.
+type CompressionAlgorithm string
+
+// ContentType represents type of the contained data.
+type ContentType string
+
+var (
+	// ErrCryptoFailure represents an error in cryptographic primitive. This
+	// occurs when, for example, a message had an invalid authentication tag or
+	// could not be decrypted.
+	ErrCryptoFailure = errors.New("go-jose/go-jose: error in cryptographic primitive")
+
+	// ErrUnsupportedAlgorithm indicates that a selected algorithm is not
+	// supported. This occurs when trying to instantiate an encrypter for an
+	// algorithm that is not yet implemented.
+	ErrUnsupportedAlgorithm = errors.New("go-jose/go-jose: unknown/unsupported algorithm")
+
+	// ErrUnsupportedKeyType indicates that the given key type/format is not
+	// supported. This occurs when trying to instantiate an encrypter and passing
+	// it a key of an unrecognized type or with unsupported parameters, such as
+	// an RSA private key with more than two primes.
+	ErrUnsupportedKeyType = errors.New("go-jose/go-jose: unsupported key type/format")
+
+	// ErrInvalidKeySize indicates that the given key is not the correct size
+	// for the selected algorithm. This can occur, for example, when trying to
+	// encrypt with AES-256 but passing only a 128-bit key as input.
+	ErrInvalidKeySize = errors.New("go-jose/go-jose: invalid key size for algorithm")
+
+	// ErrNotSupported serialization of object is not supported. This occurs when
+	// trying to compact-serialize an object which can't be represented in
+	// compact form.
+	ErrNotSupported = errors.New("go-jose/go-jose: compact serialization not supported for object")
+
+	// ErrUnprotectedNonce indicates that while parsing a JWS or JWE object, a
+	// nonce header parameter was included in an unprotected header object.
+	ErrUnprotectedNonce = errors.New("go-jose/go-jose: Nonce parameter included in unprotected header")
+)
+
+// Key management algorithms
+const (
+	ED25519            = KeyAlgorithm("ED25519")
+	RSA1_5             = KeyAlgorithm("RSA1_5")             // RSA-PKCS1v1.5
+	RSA_OAEP           = KeyAlgorithm("RSA-OAEP")           // RSA-OAEP-SHA1
+	RSA_OAEP_256       = KeyAlgorithm("RSA-OAEP-256")       // RSA-OAEP-SHA256
+	A128KW             = KeyAlgorithm("A128KW")             // AES key wrap (128)
+	A192KW             = KeyAlgorithm("A192KW")             // AES key wrap (192)
+	A256KW             = KeyAlgorithm("A256KW")             // AES key wrap (256)
+	DIRECT             = KeyAlgorithm("dir")                // Direct encryption
+	ECDH_ES            = KeyAlgorithm("ECDH-ES")            // ECDH-ES
+	ECDH_ES_A128KW     = KeyAlgorithm("ECDH-ES+A128KW")     // ECDH-ES + AES key wrap (128)
+	ECDH_ES_A192KW     = KeyAlgorithm("ECDH-ES+A192KW")     // ECDH-ES + AES key wrap (192)
+	ECDH_ES_A256KW     = KeyAlgorithm("ECDH-ES+A256KW")     // ECDH-ES + AES key wrap (256)
+	A128GCMKW          = KeyAlgorithm("A128GCMKW")          // AES-GCM key wrap (128)
+	A192GCMKW          = KeyAlgorithm("A192GCMKW")          // AES-GCM key wrap (192)
+	A256GCMKW          = KeyAlgorithm("A256GCMKW")          // AES-GCM key wrap (256)
+	PBES2_HS256_A128KW = KeyAlgorithm("PBES2-HS256+A128KW") // PBES2 + HMAC-SHA256 + AES key wrap (128)
+	PBES2_HS384_A192KW = KeyAlgorithm("PBES2-HS384+A192KW") // PBES2 + HMAC-SHA384 + AES key wrap (192)
+	PBES2_HS512_A256KW = KeyAlgorithm("PBES2-HS512+A256KW") // PBES2 + HMAC-SHA512 + AES key wrap (256)
+)
+
+// Signature algorithms
+const (
+	EdDSA = SignatureAlgorithm("EdDSA")
+	HS256 = SignatureAlgorithm("HS256") // HMAC using SHA-256
+	HS384 = SignatureAlgorithm("HS384") // HMAC using SHA-384
+	HS512 = SignatureAlgorithm("HS512") // HMAC using SHA-512
+	RS256 = SignatureAlgorithm("RS256") // RSASSA-PKCS-v1.5 using SHA-256
+	RS384 = SignatureAlgorithm("RS384") // RSASSA-PKCS-v1.5 using SHA-384
+	RS512 = SignatureAlgorithm("RS512") // RSASSA-PKCS-v1.5 using SHA-512
+	ES256 = SignatureAlgorithm("ES256") // ECDSA using P-256 and SHA-256
+	ES384 = SignatureAlgorithm("ES384") // ECDSA using P-384 and SHA-384
+	ES512 = SignatureAlgorithm("ES512") // ECDSA using P-521 and SHA-512
+	PS256 = SignatureAlgorithm("PS256") // RSASSA-PSS using SHA256 and MGF1-SHA256
+	PS384 = SignatureAlgorithm("PS384") // RSASSA-PSS using SHA384 and MGF1-SHA384
+	PS512 = SignatureAlgorithm("PS512") // RSASSA-PSS using SHA512 and MGF1-SHA512
+)
+
+// Content encryption algorithms
+const (
+	A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128)
+	A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192)
+	A256CBC_HS512 = ContentEncryption("A256CBC-HS512") // AES-CBC + HMAC-SHA512 (256)
+	A128GCM       = ContentEncryption("A128GCM")       // AES-GCM (128)
+	A192GCM       = ContentEncryption("A192GCM")       // AES-GCM (192)
+	A256GCM       = ContentEncryption("A256GCM")       // AES-GCM (256)
+)
+
+// Compression algorithms
+const (
+	NONE    = CompressionAlgorithm("")    // No compression
+	DEFLATE = CompressionAlgorithm("DEF") // DEFLATE (RFC 1951)
+)
+
+// A key in the protected header of a JWS object. Use of the Header...
+// constants is preferred to enhance type safety.
+type HeaderKey string
+
+const (
+	HeaderType        HeaderKey = "typ" // string
+	HeaderContentType           = "cty" // string
+
+	// These are set by go-jose and shouldn't need to be set by consumers of the
+	// library.
+	headerAlgorithm   = "alg"  // string
+	headerEncryption  = "enc"  // ContentEncryption
+	headerCompression = "zip"  // CompressionAlgorithm
+	headerCritical    = "crit" // []string
+
+	headerAPU = "apu" // *byteBuffer
+	headerAPV = "apv" // *byteBuffer
+	headerEPK = "epk" // *JSONWebKey
+	headerIV  = "iv"  // *byteBuffer
+	headerTag = "tag" // *byteBuffer
+	headerX5c = "x5c" // []*x509.Certificate
+
+	headerJWK   = "jwk"   // *JSONWebKey
+	headerKeyID = "kid"   // string
+	headerNonce = "nonce" // string
+	headerB64   = "b64"   // bool
+
+	headerP2C = "p2c" // *byteBuffer (int)
+	headerP2S = "p2s" // *byteBuffer ([]byte)
+
+)
+
+// supportedCritical is the set of supported extensions that are understood and processed.
+var supportedCritical = map[string]bool{
+	headerB64: true,
+}
+
+// rawHeader represents the JOSE header for JWE/JWS objects (used for parsing).
+//
+// The decoding of the constituent items is deferred because we want to marshal
+// some members into particular structs rather than generic maps, but at the
+// same time we need to receive any extra fields unhandled by this library to
+// pass through to consuming code in case it wants to examine them.
+type rawHeader map[HeaderKey]*json.RawMessage
+
+// Header represents the read-only JOSE header for JWE/JWS objects.
+type Header struct {
+	KeyID      string
+	JSONWebKey *JSONWebKey
+	Algorithm  string
+	Nonce      string
+
+	// Unverified certificate chain parsed from x5c header.
+	certificates []*x509.Certificate
+
+	// Any headers not recognised above get unmarshalled
+	// from JSON in a generic manner and placed in this map.
+	ExtraHeaders map[HeaderKey]interface{}
+}
+
+// Certificates verifies & returns the certificate chain present
+// in the x5c header field of a message, if one was present. Returns
+// an error if there was no x5c header present or the chain could
+// not be validated with the given verify options.
+func (h Header) Certificates(opts x509.VerifyOptions) ([][]*x509.Certificate, error) {
+	if len(h.certificates) == 0 {
+		return nil, errors.New("go-jose/go-jose: no x5c header present in message")
+	}
+
+	leaf := h.certificates[0]
+	if opts.Intermediates == nil {
+		opts.Intermediates = x509.NewCertPool()
+		for _, intermediate := range h.certificates[1:] {
+			opts.Intermediates.AddCert(intermediate)
+		}
+	}
+
+	return leaf.Verify(opts)
+}
+
+func (parsed rawHeader) set(k HeaderKey, v interface{}) error {
+	b, err := json.Marshal(v)
+	if err != nil {
+		return err
+	}
+
+	parsed[k] = makeRawMessage(b)
+	return nil
+}
+
+// getString gets a string from the raw JSON, defaulting to "".
+func (parsed rawHeader) getString(k HeaderKey) string {
+	v, ok := parsed[k]
+	if !ok || v == nil {
+		return ""
+	}
+	var s string
+	err := json.Unmarshal(*v, &s)
+	if err != nil {
+		return ""
+	}
+	return s
+}
+
+// getByteBuffer gets a byte buffer from the raw JSON. Returns (nil, nil) if
+// not specified.
+func (parsed rawHeader) getByteBuffer(k HeaderKey) (*byteBuffer, error) {
+	v := parsed[k]
+	if v == nil {
+		return nil, nil
+	}
+	var bb *byteBuffer
+	err := json.Unmarshal(*v, &bb)
+	if err != nil {
+		return nil, err
+	}
+	return bb, nil
+}
+
+// getAlgorithm extracts parsed "alg" from the raw JSON as a KeyAlgorithm.
+func (parsed rawHeader) getAlgorithm() KeyAlgorithm {
+	return KeyAlgorithm(parsed.getString(headerAlgorithm))
+}
+
+// getSignatureAlgorithm extracts parsed "alg" from the raw JSON as a SignatureAlgorithm.
+func (parsed rawHeader) getSignatureAlgorithm() SignatureAlgorithm {
+	return SignatureAlgorithm(parsed.getString(headerAlgorithm))
+}
+
+// getEncryption extracts parsed "enc" from the raw JSON.
+func (parsed rawHeader) getEncryption() ContentEncryption {
+	return ContentEncryption(parsed.getString(headerEncryption))
+}
+
+// getCompression extracts parsed "zip" from the raw JSON.
+func (parsed rawHeader) getCompression() CompressionAlgorithm {
+	return CompressionAlgorithm(parsed.getString(headerCompression))
+}
+
+func (parsed rawHeader) getNonce() string {
+	return parsed.getString(headerNonce)
+}
+
+// getEPK extracts parsed "epk" from the raw JSON.
+func (parsed rawHeader) getEPK() (*JSONWebKey, error) {
+	v := parsed[headerEPK]
+	if v == nil {
+		return nil, nil
+	}
+	var epk *JSONWebKey
+	err := json.Unmarshal(*v, &epk)
+	if err != nil {
+		return nil, err
+	}
+	return epk, nil
+}
+
+// getAPU extracts parsed "apu" from the raw JSON.
+func (parsed rawHeader) getAPU() (*byteBuffer, error) {
+	return parsed.getByteBuffer(headerAPU)
+}
+
+// getAPV extracts parsed "apv" from the raw JSON.
+func (parsed rawHeader) getAPV() (*byteBuffer, error) {
+	return parsed.getByteBuffer(headerAPV)
+}
+
+// getIV extracts parsed "iv" from the raw JSON.
+func (parsed rawHeader) getIV() (*byteBuffer, error) {
+	return parsed.getByteBuffer(headerIV)
+}
+
+// getTag extracts parsed "tag" from the raw JSON.
+func (parsed rawHeader) getTag() (*byteBuffer, error) {
+	return parsed.getByteBuffer(headerTag)
+}
+
+// getJWK extracts parsed "jwk" from the raw JSON.
+func (parsed rawHeader) getJWK() (*JSONWebKey, error) {
+	v := parsed[headerJWK]
+	if v == nil {
+		return nil, nil
+	}
+	var jwk *JSONWebKey
+	err := json.Unmarshal(*v, &jwk)
+	if err != nil {
+		return nil, err
+	}
+	return jwk, nil
+}
+
+// getCritical extracts parsed "crit" from the raw JSON. If omitted, it
+// returns an empty slice.
+func (parsed rawHeader) getCritical() ([]string, error) {
+	v := parsed[headerCritical]
+	if v == nil {
+		return nil, nil
+	}
+
+	var q []string
+	err := json.Unmarshal(*v, &q)
+	if err != nil {
+		return nil, err
+	}
+	return q, nil
+}
+
+// getS2C extracts parsed "p2c" from the raw JSON.
+func (parsed rawHeader) getP2C() (int, error) {
+	v := parsed[headerP2C]
+	if v == nil {
+		return 0, nil
+	}
+
+	var p2c int
+	err := json.Unmarshal(*v, &p2c)
+	if err != nil {
+		return 0, err
+	}
+	return p2c, nil
+}
+
+// getS2S extracts parsed "p2s" from the raw JSON.
+func (parsed rawHeader) getP2S() (*byteBuffer, error) {
+	return parsed.getByteBuffer(headerP2S)
+}
+
+// getB64 extracts parsed "b64" from the raw JSON, defaulting to true.
+func (parsed rawHeader) getB64() (bool, error) {
+	v := parsed[headerB64]
+	if v == nil {
+		return true, nil
+	}
+
+	var b64 bool
+	err := json.Unmarshal(*v, &b64)
+	if err != nil {
+		return true, err
+	}
+	return b64, nil
+}
+
+// sanitized produces a cleaned-up header object from the raw JSON.
+func (parsed rawHeader) sanitized() (h Header, err error) {
+	for k, v := range parsed {
+		if v == nil {
+			continue
+		}
+		switch k {
+		case headerJWK:
+			var jwk *JSONWebKey
+			err = json.Unmarshal(*v, &jwk)
+			if err != nil {
+				err = fmt.Errorf("failed to unmarshal JWK: %v: %#v", err, string(*v))
+				return
+			}
+			h.JSONWebKey = jwk
+		case headerKeyID:
+			var s string
+			err = json.Unmarshal(*v, &s)
+			if err != nil {
+				err = fmt.Errorf("failed to unmarshal key ID: %v: %#v", err, string(*v))
+				return
+			}
+			h.KeyID = s
+		case headerAlgorithm:
+			var s string
+			err = json.Unmarshal(*v, &s)
+			if err != nil {
+				err = fmt.Errorf("failed to unmarshal algorithm: %v: %#v", err, string(*v))
+				return
+			}
+			h.Algorithm = s
+		case headerNonce:
+			var s string
+			err = json.Unmarshal(*v, &s)
+			if err != nil {
+				err = fmt.Errorf("failed to unmarshal nonce: %v: %#v", err, string(*v))
+				return
+			}
+			h.Nonce = s
+		case headerX5c:
+			c := []string{}
+			err = json.Unmarshal(*v, &c)
+			if err != nil {
+				err = fmt.Errorf("failed to unmarshal x5c header: %v: %#v", err, string(*v))
+				return
+			}
+			h.certificates, err = parseCertificateChain(c)
+			if err != nil {
+				err = fmt.Errorf("failed to unmarshal x5c header: %v: %#v", err, string(*v))
+				return
+			}
+		default:
+			if h.ExtraHeaders == nil {
+				h.ExtraHeaders = map[HeaderKey]interface{}{}
+			}
+			var v2 interface{}
+			err = json.Unmarshal(*v, &v2)
+			if err != nil {
+				err = fmt.Errorf("failed to unmarshal value: %v: %#v", err, string(*v))
+				return
+			}
+			h.ExtraHeaders[k] = v2
+		}
+	}
+	return
+}
+
+func parseCertificateChain(chain []string) ([]*x509.Certificate, error) {
+	out := make([]*x509.Certificate, len(chain))
+	for i, cert := range chain {
+		raw, err := base64.StdEncoding.DecodeString(cert)
+		if err != nil {
+			return nil, err
+		}
+		out[i], err = x509.ParseCertificate(raw)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return out, nil
+}
+
+func (dst rawHeader) isSet(k HeaderKey) bool {
+	dvr := dst[k]
+	if dvr == nil {
+		return false
+	}
+
+	var dv interface{}
+	err := json.Unmarshal(*dvr, &dv)
+	if err != nil {
+		return true
+	}
+
+	if dvStr, ok := dv.(string); ok {
+		return dvStr != ""
+	}
+
+	return true
+}
+
+// Merge headers from src into dst, giving precedence to headers from l.
+func (dst rawHeader) merge(src *rawHeader) {
+	if src == nil {
+		return
+	}
+
+	for k, v := range *src {
+		if dst.isSet(k) {
+			continue
+		}
+
+		dst[k] = v
+	}
+}
+
+// Get JOSE name of curve
+func curveName(crv elliptic.Curve) (string, error) {
+	switch crv {
+	case elliptic.P256():
+		return "P-256", nil
+	case elliptic.P384():
+		return "P-384", nil
+	case elliptic.P521():
+		return "P-521", nil
+	default:
+		return "", fmt.Errorf("go-jose/go-jose: unsupported/unknown elliptic curve")
+	}
+}
+
+// Get size of curve in bytes
+func curveSize(crv elliptic.Curve) int {
+	bits := crv.Params().BitSize
+
+	div := bits / 8
+	mod := bits % 8
+
+	if mod == 0 {
+		return div
+	}
+
+	return div + 1
+}
+
+func makeRawMessage(b []byte) *json.RawMessage {
+	rm := json.RawMessage(b)
+	return &rm
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/signing.go b/vendor/gopkg.in/go-jose/go-jose.v2/signing.go
new file mode 100644
index 00000000..5195a1a9
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/signing.go
@@ -0,0 +1,441 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"encoding/base64"
+	"errors"
+	"fmt"
+
+	"golang.org/x/crypto/ed25519"
+
+	"gopkg.in/go-jose/go-jose.v2/json"
+)
+
+// NonceSource represents a source of random nonces to go into JWS objects
+type NonceSource interface {
+	Nonce() (string, error)
+}
+
+// Signer represents a signer which takes a payload and produces a signed JWS object.
+type Signer interface {
+	Sign(payload []byte) (*JSONWebSignature, error)
+	Options() SignerOptions
+}
+
+// SigningKey represents an algorithm/key used to sign a message.
+type SigningKey struct {
+	Algorithm SignatureAlgorithm
+	Key       interface{}
+}
+
+// SignerOptions represents options that can be set when creating signers.
+type SignerOptions struct {
+	NonceSource NonceSource
+	EmbedJWK    bool
+
+	// Optional map of additional keys to be inserted into the protected header
+	// of a JWS object. Some specifications which make use of JWS like to insert
+	// additional values here. All values must be JSON-serializable.
+	ExtraHeaders map[HeaderKey]interface{}
+}
+
+// WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it
+// if necessary. It returns itself and so can be used in a fluent style.
+func (so *SignerOptions) WithHeader(k HeaderKey, v interface{}) *SignerOptions {
+	if so.ExtraHeaders == nil {
+		so.ExtraHeaders = map[HeaderKey]interface{}{}
+	}
+	so.ExtraHeaders[k] = v
+	return so
+}
+
+// WithContentType adds a content type ("cty") header and returns the updated
+// SignerOptions.
+func (so *SignerOptions) WithContentType(contentType ContentType) *SignerOptions {
+	return so.WithHeader(HeaderContentType, contentType)
+}
+
+// WithType adds a type ("typ") header and returns the updated SignerOptions.
+func (so *SignerOptions) WithType(typ ContentType) *SignerOptions {
+	return so.WithHeader(HeaderType, typ)
+}
+
+// WithCritical adds the given names to the critical ("crit") header and returns
+// the updated SignerOptions.
+func (so *SignerOptions) WithCritical(names ...string) *SignerOptions {
+	if so.ExtraHeaders[headerCritical] == nil {
+		so.WithHeader(headerCritical, make([]string, 0, len(names)))
+	}
+	crit := so.ExtraHeaders[headerCritical].([]string)
+	so.ExtraHeaders[headerCritical] = append(crit, names...)
+	return so
+}
+
+// WithBase64 adds a base64url-encode payload ("b64") header and returns the updated
+// SignerOptions. When the "b64" value is "false", the payload is not base64 encoded.
+func (so *SignerOptions) WithBase64(b64 bool) *SignerOptions {
+	if !b64 {
+		so.WithHeader(headerB64, b64)
+		so.WithCritical(headerB64)
+	}
+	return so
+}
+
+type payloadSigner interface {
+	signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error)
+}
+
+type payloadVerifier interface {
+	verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error
+}
+
+type genericSigner struct {
+	recipients   []recipientSigInfo
+	nonceSource  NonceSource
+	embedJWK     bool
+	extraHeaders map[HeaderKey]interface{}
+}
+
+type recipientSigInfo struct {
+	sigAlg    SignatureAlgorithm
+	publicKey func() *JSONWebKey
+	signer    payloadSigner
+}
+
+func staticPublicKey(jwk *JSONWebKey) func() *JSONWebKey {
+	return func() *JSONWebKey {
+		return jwk
+	}
+}
+
+// NewSigner creates an appropriate signer based on the key type
+func NewSigner(sig SigningKey, opts *SignerOptions) (Signer, error) {
+	return NewMultiSigner([]SigningKey{sig}, opts)
+}
+
+// NewMultiSigner creates a signer for multiple recipients
+func NewMultiSigner(sigs []SigningKey, opts *SignerOptions) (Signer, error) {
+	signer := &genericSigner{recipients: []recipientSigInfo{}}
+
+	if opts != nil {
+		signer.nonceSource = opts.NonceSource
+		signer.embedJWK = opts.EmbedJWK
+		signer.extraHeaders = opts.ExtraHeaders
+	}
+
+	for _, sig := range sigs {
+		err := signer.addRecipient(sig.Algorithm, sig.Key)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return signer, nil
+}
+
+// newVerifier creates a verifier based on the key type
+func newVerifier(verificationKey interface{}) (payloadVerifier, error) {
+	switch verificationKey := verificationKey.(type) {
+	case ed25519.PublicKey:
+		return &edEncrypterVerifier{
+			publicKey: verificationKey,
+		}, nil
+	case *rsa.PublicKey:
+		return &rsaEncrypterVerifier{
+			publicKey: verificationKey,
+		}, nil
+	case *ecdsa.PublicKey:
+		return &ecEncrypterVerifier{
+			publicKey: verificationKey,
+		}, nil
+	case []byte:
+		return &symmetricMac{
+			key: verificationKey,
+		}, nil
+	case JSONWebKey:
+		return newVerifier(verificationKey.Key)
+	case *JSONWebKey:
+		return newVerifier(verificationKey.Key)
+	}
+	if ov, ok := verificationKey.(OpaqueVerifier); ok {
+		return &opaqueVerifier{verifier: ov}, nil
+	}
+	return nil, ErrUnsupportedKeyType
+}
+
+func (ctx *genericSigner) addRecipient(alg SignatureAlgorithm, signingKey interface{}) error {
+	recipient, err := makeJWSRecipient(alg, signingKey)
+	if err != nil {
+		return err
+	}
+
+	ctx.recipients = append(ctx.recipients, recipient)
+	return nil
+}
+
+func makeJWSRecipient(alg SignatureAlgorithm, signingKey interface{}) (recipientSigInfo, error) {
+	switch signingKey := signingKey.(type) {
+	case ed25519.PrivateKey:
+		return newEd25519Signer(alg, signingKey)
+	case *rsa.PrivateKey:
+		return newRSASigner(alg, signingKey)
+	case *ecdsa.PrivateKey:
+		return newECDSASigner(alg, signingKey)
+	case []byte:
+		return newSymmetricSigner(alg, signingKey)
+	case JSONWebKey:
+		return newJWKSigner(alg, signingKey)
+	case *JSONWebKey:
+		return newJWKSigner(alg, *signingKey)
+	}
+	if signer, ok := signingKey.(OpaqueSigner); ok {
+		return newOpaqueSigner(alg, signer)
+	}
+	return recipientSigInfo{}, ErrUnsupportedKeyType
+}
+
+func newJWKSigner(alg SignatureAlgorithm, signingKey JSONWebKey) (recipientSigInfo, error) {
+	recipient, err := makeJWSRecipient(alg, signingKey.Key)
+	if err != nil {
+		return recipientSigInfo{}, err
+	}
+	if recipient.publicKey != nil && recipient.publicKey() != nil {
+		// recipient.publicKey is a JWK synthesized for embedding when recipientSigInfo
+		// was created for the inner key (such as a RSA or ECDSA public key). It contains
+		// the pub key for embedding, but doesn't have extra params like key id.
+		publicKey := signingKey
+		publicKey.Key = recipient.publicKey().Key
+		recipient.publicKey = staticPublicKey(&publicKey)
+
+		// This should be impossible, but let's check anyway.
+		if !recipient.publicKey().IsPublic() {
+			return recipientSigInfo{}, errors.New("go-jose/go-jose: public key was unexpectedly not public")
+		}
+	}
+	return recipient, nil
+}
+
+func (ctx *genericSigner) Sign(payload []byte) (*JSONWebSignature, error) {
+	obj := &JSONWebSignature{}
+	obj.payload = payload
+	obj.Signatures = make([]Signature, len(ctx.recipients))
+
+	for i, recipient := range ctx.recipients {
+		protected := map[HeaderKey]interface{}{
+			headerAlgorithm: string(recipient.sigAlg),
+		}
+
+		if recipient.publicKey != nil && recipient.publicKey() != nil {
+			// We want to embed the JWK or set the kid header, but not both. Having a protected
+			// header that contains an embedded JWK while also simultaneously containing the kid
+			// header is confusing, and at least in ACME the two are considered to be mutually
+			// exclusive. The fact that both can exist at the same time is a somewhat unfortunate
+			// result of the JOSE spec. We've decided that this library will only include one or
+			// the other to avoid this confusion.
+			//
+			// See https://github.com/go-jose/go-jose/issues/157 for more context.
+			if ctx.embedJWK {
+				protected[headerJWK] = recipient.publicKey()
+			} else {
+				keyID := recipient.publicKey().KeyID
+				if keyID != "" {
+					protected[headerKeyID] = keyID
+				}
+			}
+		}
+
+		if ctx.nonceSource != nil {
+			nonce, err := ctx.nonceSource.Nonce()
+			if err != nil {
+				return nil, fmt.Errorf("go-jose/go-jose: Error generating nonce: %v", err)
+			}
+			protected[headerNonce] = nonce
+		}
+
+		for k, v := range ctx.extraHeaders {
+			protected[k] = v
+		}
+
+		serializedProtected := mustSerializeJSON(protected)
+		needsBase64 := true
+
+		if b64, ok := protected[headerB64]; ok {
+			if needsBase64, ok = b64.(bool); !ok {
+				return nil, errors.New("go-jose/go-jose: Invalid b64 header parameter")
+			}
+		}
+
+		var input bytes.Buffer
+
+		input.WriteString(base64.RawURLEncoding.EncodeToString(serializedProtected))
+		input.WriteByte('.')
+
+		if needsBase64 {
+			input.WriteString(base64.RawURLEncoding.EncodeToString(payload))
+		} else {
+			input.Write(payload)
+		}
+
+		signatureInfo, err := recipient.signer.signPayload(input.Bytes(), recipient.sigAlg)
+		if err != nil {
+			return nil, err
+		}
+
+		signatureInfo.protected = &rawHeader{}
+		for k, v := range protected {
+			b, err := json.Marshal(v)
+			if err != nil {
+				return nil, fmt.Errorf("go-jose/go-jose: Error marshalling item %#v: %v", k, err)
+			}
+			(*signatureInfo.protected)[k] = makeRawMessage(b)
+		}
+		obj.Signatures[i] = signatureInfo
+	}
+
+	return obj, nil
+}
+
+func (ctx *genericSigner) Options() SignerOptions {
+	return SignerOptions{
+		NonceSource:  ctx.nonceSource,
+		EmbedJWK:     ctx.embedJWK,
+		ExtraHeaders: ctx.extraHeaders,
+	}
+}
+
+// Verify validates the signature on the object and returns the payload.
+// This function does not support multi-signature, if you desire multi-sig
+// verification use VerifyMulti instead.
+//
+// Be careful when verifying signatures based on embedded JWKs inside the
+// payload header. You cannot assume that the key received in a payload is
+// trusted.
+func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error) {
+	err := obj.DetachedVerify(obj.payload, verificationKey)
+	if err != nil {
+		return nil, err
+	}
+	return obj.payload, nil
+}
+
+// UnsafePayloadWithoutVerification returns the payload without
+// verifying it. The content returned from this function cannot be
+// trusted.
+func (obj JSONWebSignature) UnsafePayloadWithoutVerification() []byte {
+	return obj.payload
+}
+
+// DetachedVerify validates a detached signature on the given payload. In
+// most cases, you will probably want to use Verify instead. DetachedVerify
+// is only useful if you have a payload and signature that are separated from
+// each other.
+func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey interface{}) error {
+	verifier, err := newVerifier(verificationKey)
+	if err != nil {
+		return err
+	}
+
+	if len(obj.Signatures) > 1 {
+		return errors.New("go-jose/go-jose: too many signatures in payload; expecting only one")
+	}
+
+	signature := obj.Signatures[0]
+	headers := signature.mergedHeaders()
+	critical, err := headers.getCritical()
+	if err != nil {
+		return err
+	}
+
+	for _, name := range critical {
+		if !supportedCritical[name] {
+			return ErrCryptoFailure
+		}
+	}
+
+	input, err := obj.computeAuthData(payload, &signature)
+	if err != nil {
+		return ErrCryptoFailure
+	}
+
+	alg := headers.getSignatureAlgorithm()
+	err = verifier.verifyPayload(input, signature.Signature, alg)
+	if err == nil {
+		return nil
+	}
+
+	return ErrCryptoFailure
+}
+
+// VerifyMulti validates (one of the multiple) signatures on the object and
+// returns the index of the signature that was verified, along with the signature
+// object and the payload. We return the signature and index to guarantee that
+// callers are getting the verified value.
+func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signature, []byte, error) {
+	idx, sig, err := obj.DetachedVerifyMulti(obj.payload, verificationKey)
+	if err != nil {
+		return -1, Signature{}, nil, err
+	}
+	return idx, sig, obj.payload, nil
+}
+
+// DetachedVerifyMulti validates a detached signature on the given payload with
+// a signature/object that has potentially multiple signers. This returns the index
+// of the signature that was verified, along with the signature object. We return
+// the signature and index to guarantee that callers are getting the verified value.
+//
+// In most cases, you will probably want to use Verify or VerifyMulti instead.
+// DetachedVerifyMulti is only useful if you have a payload and signature that are
+// separated from each other, and the signature can have multiple signers at the
+// same time.
+func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey interface{}) (int, Signature, error) {
+	verifier, err := newVerifier(verificationKey)
+	if err != nil {
+		return -1, Signature{}, err
+	}
+
+outer:
+	for i, signature := range obj.Signatures {
+		headers := signature.mergedHeaders()
+		critical, err := headers.getCritical()
+		if err != nil {
+			continue
+		}
+
+		for _, name := range critical {
+			if !supportedCritical[name] {
+				continue outer
+			}
+		}
+
+		input, err := obj.computeAuthData(payload, &signature)
+		if err != nil {
+			continue
+		}
+
+		alg := headers.getSignatureAlgorithm()
+		err = verifier.verifyPayload(input, signature.Signature, alg)
+		if err == nil {
+			return i, signature, nil
+		}
+	}
+
+	return -1, Signature{}, ErrCryptoFailure
+}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go b/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go
new file mode 100644
index 00000000..52c8b62b
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go
@@ -0,0 +1,487 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/subtle"
+	"errors"
+	"fmt"
+	"hash"
+	"io"
+
+	"golang.org/x/crypto/pbkdf2"
+	"gopkg.in/go-jose/go-jose.v2/cipher"
+)
+
+// Random reader (stubbed out in tests)
+var RandReader = rand.Reader
+
+const (
+	// RFC7518 recommends a minimum of 1,000 iterations:
+	// https://tools.ietf.org/html/rfc7518#section-4.8.1.2
+	// NIST recommends a minimum of 10,000:
+	// https://pages.nist.gov/800-63-3/sp800-63b.html
+	// 1Password uses 100,000:
+	// https://support.1password.com/pbkdf2/
+	defaultP2C = 100000
+	// Default salt size: 128 bits
+	defaultP2SSize = 16
+)
+
+// Dummy key cipher for shared symmetric key mode
+type symmetricKeyCipher struct {
+	key []byte // Pre-shared content-encryption key
+	p2c int    // PBES2 Count
+	p2s []byte // PBES2 Salt Input
+}
+
+// Signer/verifier for MAC modes
+type symmetricMac struct {
+	key []byte
+}
+
+// Input/output from an AEAD operation
+type aeadParts struct {
+	iv, ciphertext, tag []byte
+}
+
+// A content cipher based on an AEAD construction
+type aeadContentCipher struct {
+	keyBytes     int
+	authtagBytes int
+	getAead      func(key []byte) (cipher.AEAD, error)
+}
+
+// Random key generator
+type randomKeyGenerator struct {
+	size int
+}
+
+// Static key generator
+type staticKeyGenerator struct {
+	key []byte
+}
+
+// Create a new content cipher based on AES-GCM
+func newAESGCM(keySize int) contentCipher {
+	return &aeadContentCipher{
+		keyBytes:     keySize,
+		authtagBytes: 16,
+		getAead: func(key []byte) (cipher.AEAD, error) {
+			aes, err := aes.NewCipher(key)
+			if err != nil {
+				return nil, err
+			}
+
+			return cipher.NewGCM(aes)
+		},
+	}
+}
+
+// Create a new content cipher based on AES-CBC+HMAC
+func newAESCBC(keySize int) contentCipher {
+	return &aeadContentCipher{
+		keyBytes:     keySize * 2,
+		authtagBytes: keySize,
+		getAead: func(key []byte) (cipher.AEAD, error) {
+			return josecipher.NewCBCHMAC(key, aes.NewCipher)
+		},
+	}
+}
+
+// Get an AEAD cipher object for the given content encryption algorithm
+func getContentCipher(alg ContentEncryption) contentCipher {
+	switch alg {
+	case A128GCM:
+		return newAESGCM(16)
+	case A192GCM:
+		return newAESGCM(24)
+	case A256GCM:
+		return newAESGCM(32)
+	case A128CBC_HS256:
+		return newAESCBC(16)
+	case A192CBC_HS384:
+		return newAESCBC(24)
+	case A256CBC_HS512:
+		return newAESCBC(32)
+	default:
+		return nil
+	}
+}
+
+// getPbkdf2Params returns the key length and hash function used in
+// pbkdf2.Key.
+func getPbkdf2Params(alg KeyAlgorithm) (int, func() hash.Hash) {
+	switch alg {
+	case PBES2_HS256_A128KW:
+		return 16, sha256.New
+	case PBES2_HS384_A192KW:
+		return 24, sha512.New384
+	case PBES2_HS512_A256KW:
+		return 32, sha512.New
+	default:
+		panic("invalid algorithm")
+	}
+}
+
+// getRandomSalt generates a new salt of the given size.
+func getRandomSalt(size int) ([]byte, error) {
+	salt := make([]byte, size)
+	_, err := io.ReadFull(RandReader, salt)
+	if err != nil {
+		return nil, err
+	}
+
+	return salt, nil
+}
+
+// newSymmetricRecipient creates a JWE encrypter based on AES-GCM key wrap.
+func newSymmetricRecipient(keyAlg KeyAlgorithm, key []byte) (recipientKeyInfo, error) {
+	switch keyAlg {
+	case DIRECT, A128GCMKW, A192GCMKW, A256GCMKW, A128KW, A192KW, A256KW:
+	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
+	default:
+		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	return recipientKeyInfo{
+		keyAlg: keyAlg,
+		keyEncrypter: &symmetricKeyCipher{
+			key: key,
+		},
+	}, nil
+}
+
+// newSymmetricSigner creates a recipientSigInfo based on the given key.
+func newSymmetricSigner(sigAlg SignatureAlgorithm, key []byte) (recipientSigInfo, error) {
+	// Verify that key management algorithm is supported by this encrypter
+	switch sigAlg {
+	case HS256, HS384, HS512:
+	default:
+		return recipientSigInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	return recipientSigInfo{
+		sigAlg: sigAlg,
+		signer: &symmetricMac{
+			key: key,
+		},
+	}, nil
+}
+
+// Generate a random key for the given content cipher
+func (ctx randomKeyGenerator) genKey() ([]byte, rawHeader, error) {
+	key := make([]byte, ctx.size)
+	_, err := io.ReadFull(RandReader, key)
+	if err != nil {
+		return nil, rawHeader{}, err
+	}
+
+	return key, rawHeader{}, nil
+}
+
+// Key size for random generator
+func (ctx randomKeyGenerator) keySize() int {
+	return ctx.size
+}
+
+// Generate a static key (for direct mode)
+func (ctx staticKeyGenerator) genKey() ([]byte, rawHeader, error) {
+	cek := make([]byte, len(ctx.key))
+	copy(cek, ctx.key)
+	return cek, rawHeader{}, nil
+}
+
+// Key size for static generator
+func (ctx staticKeyGenerator) keySize() int {
+	return len(ctx.key)
+}
+
+// Get key size for this cipher
+func (ctx aeadContentCipher) keySize() int {
+	return ctx.keyBytes
+}
+
+// Encrypt some data
+func (ctx aeadContentCipher) encrypt(key, aad, pt []byte) (*aeadParts, error) {
+	// Get a new AEAD instance
+	aead, err := ctx.getAead(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// Initialize a new nonce
+	iv := make([]byte, aead.NonceSize())
+	_, err = io.ReadFull(RandReader, iv)
+	if err != nil {
+		return nil, err
+	}
+
+	ciphertextAndTag := aead.Seal(nil, iv, pt, aad)
+	offset := len(ciphertextAndTag) - ctx.authtagBytes
+
+	return &aeadParts{
+		iv:         iv,
+		ciphertext: ciphertextAndTag[:offset],
+		tag:        ciphertextAndTag[offset:],
+	}, nil
+}
+
+// Decrypt some data
+func (ctx aeadContentCipher) decrypt(key, aad []byte, parts *aeadParts) ([]byte, error) {
+	aead, err := ctx.getAead(key)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(parts.iv) != aead.NonceSize() || len(parts.tag) < ctx.authtagBytes {
+		return nil, ErrCryptoFailure
+	}
+
+	return aead.Open(nil, parts.iv, append(parts.ciphertext, parts.tag...), aad)
+}
+
+// Encrypt the content encryption key.
+func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
+	switch alg {
+	case DIRECT:
+		return recipientInfo{
+			header: &rawHeader{},
+		}, nil
+	case A128GCMKW, A192GCMKW, A256GCMKW:
+		aead := newAESGCM(len(ctx.key))
+
+		parts, err := aead.encrypt(ctx.key, []byte{}, cek)
+		if err != nil {
+			return recipientInfo{}, err
+		}
+
+		header := &rawHeader{}
+		header.set(headerIV, newBuffer(parts.iv))
+		header.set(headerTag, newBuffer(parts.tag))
+
+		return recipientInfo{
+			header:       header,
+			encryptedKey: parts.ciphertext,
+		}, nil
+	case A128KW, A192KW, A256KW:
+		block, err := aes.NewCipher(ctx.key)
+		if err != nil {
+			return recipientInfo{}, err
+		}
+
+		jek, err := josecipher.KeyWrap(block, cek)
+		if err != nil {
+			return recipientInfo{}, err
+		}
+
+		return recipientInfo{
+			encryptedKey: jek,
+			header:       &rawHeader{},
+		}, nil
+	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
+		if len(ctx.p2s) == 0 {
+			salt, err := getRandomSalt(defaultP2SSize)
+			if err != nil {
+				return recipientInfo{}, err
+			}
+			ctx.p2s = salt
+		}
+
+		if ctx.p2c <= 0 {
+			ctx.p2c = defaultP2C
+		}
+
+		// salt is UTF8(Alg) || 0x00 || Salt Input
+		salt := bytes.Join([][]byte{[]byte(alg), ctx.p2s}, []byte{0x00})
+
+		// derive key
+		keyLen, h := getPbkdf2Params(alg)
+		key := pbkdf2.Key(ctx.key, salt, ctx.p2c, keyLen, h)
+
+		// use AES cipher with derived key
+		block, err := aes.NewCipher(key)
+		if err != nil {
+			return recipientInfo{}, err
+		}
+
+		jek, err := josecipher.KeyWrap(block, cek)
+		if err != nil {
+			return recipientInfo{}, err
+		}
+
+		header := &rawHeader{}
+		header.set(headerP2C, ctx.p2c)
+		header.set(headerP2S, newBuffer(ctx.p2s))
+
+		return recipientInfo{
+			encryptedKey: jek,
+			header:       header,
+		}, nil
+	}
+
+	return recipientInfo{}, ErrUnsupportedAlgorithm
+}
+
+// Decrypt the content encryption key.
+func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
+	switch headers.getAlgorithm() {
+	case DIRECT:
+		cek := make([]byte, len(ctx.key))
+		copy(cek, ctx.key)
+		return cek, nil
+	case A128GCMKW, A192GCMKW, A256GCMKW:
+		aead := newAESGCM(len(ctx.key))
+
+		iv, err := headers.getIV()
+		if err != nil {
+			return nil, fmt.Errorf("go-jose/go-jose: invalid IV: %v", err)
+		}
+		tag, err := headers.getTag()
+		if err != nil {
+			return nil, fmt.Errorf("go-jose/go-jose: invalid tag: %v", err)
+		}
+
+		parts := &aeadParts{
+			iv:         iv.bytes(),
+			ciphertext: recipient.encryptedKey,
+			tag:        tag.bytes(),
+		}
+
+		cek, err := aead.decrypt(ctx.key, []byte{}, parts)
+		if err != nil {
+			return nil, err
+		}
+
+		return cek, nil
+	case A128KW, A192KW, A256KW:
+		block, err := aes.NewCipher(ctx.key)
+		if err != nil {
+			return nil, err
+		}
+
+		cek, err := josecipher.KeyUnwrap(block, recipient.encryptedKey)
+		if err != nil {
+			return nil, err
+		}
+		return cek, nil
+	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
+		p2s, err := headers.getP2S()
+		if err != nil {
+			return nil, fmt.Errorf("go-jose/go-jose: invalid P2S: %v", err)
+		}
+		if p2s == nil || len(p2s.data) == 0 {
+			return nil, fmt.Errorf("go-jose/go-jose: invalid P2S: must be present")
+		}
+
+		p2c, err := headers.getP2C()
+		if err != nil {
+			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: %v", err)
+		}
+		if p2c <= 0 {
+			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: must be a positive integer")
+		}
+		if p2c > 1000000 {
+			// An unauthenticated attacker can set a high P2C value. Set an upper limit to avoid
+			// DoS attacks.
+			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: too high")
+		}
+
+		// salt is UTF8(Alg) || 0x00 || Salt Input
+		alg := headers.getAlgorithm()
+		salt := bytes.Join([][]byte{[]byte(alg), p2s.bytes()}, []byte{0x00})
+
+		// derive key
+		keyLen, h := getPbkdf2Params(alg)
+		key := pbkdf2.Key(ctx.key, salt, p2c, keyLen, h)
+
+		// use AES cipher with derived key
+		block, err := aes.NewCipher(key)
+		if err != nil {
+			return nil, err
+		}
+
+		cek, err := josecipher.KeyUnwrap(block, recipient.encryptedKey)
+		if err != nil {
+			return nil, err
+		}
+		return cek, nil
+	}
+
+	return nil, ErrUnsupportedAlgorithm
+}
+
+// Sign the given payload
+func (ctx symmetricMac) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
+	mac, err := ctx.hmac(payload, alg)
+	if err != nil {
+		return Signature{}, errors.New("go-jose/go-jose: failed to compute hmac")
+	}
+
+	return Signature{
+		Signature: mac,
+		protected: &rawHeader{},
+	}, nil
+}
+
+// Verify the given payload
+func (ctx symmetricMac) verifyPayload(payload []byte, mac []byte, alg SignatureAlgorithm) error {
+	expected, err := ctx.hmac(payload, alg)
+	if err != nil {
+		return errors.New("go-jose/go-jose: failed to compute hmac")
+	}
+
+	if len(mac) != len(expected) {
+		return errors.New("go-jose/go-jose: invalid hmac")
+	}
+
+	match := subtle.ConstantTimeCompare(mac, expected)
+	if match != 1 {
+		return errors.New("go-jose/go-jose: invalid hmac")
+	}
+
+	return nil
+}
+
+// Compute the HMAC based on the given alg value
+func (ctx symmetricMac) hmac(payload []byte, alg SignatureAlgorithm) ([]byte, error) {
+	var hash func() hash.Hash
+
+	switch alg {
+	case HS256:
+		hash = sha256.New
+	case HS384:
+		hash = sha512.New384
+	case HS512:
+		hash = sha512.New
+	default:
+		return nil, ErrUnsupportedAlgorithm
+	}
+
+	hmac := hmac.New(hash, ctx.key)
+
+	// According to documentation, Write() on hash never fails
+	_, _ = hmac.Write(payload)
+	return hmac.Sum(nil), nil
+}
diff --git a/vendor/k8s.io/apiserver/pkg/authentication/token/jwt/jwt.go b/vendor/k8s.io/apiserver/pkg/authentication/token/jwt/jwt.go
new file mode 100644
index 00000000..17b38494
--- /dev/null
+++ b/vendor/k8s.io/apiserver/pkg/authentication/token/jwt/jwt.go
@@ -0,0 +1,26 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package jwt
+
+// CredentialIDForJTI converts a given JTI string into a credential identifier for use in a
+// users 'extra' info.
+func CredentialIDForJTI(jti string) string {
+	if len(jti) == 0 {
+		return ""
+	}
+	return "JTI=" + jti
+}
diff --git a/vendor/k8s.io/apiserver/pkg/authentication/token/union/union.go b/vendor/k8s.io/apiserver/pkg/authentication/token/union/union.go
new file mode 100644
index 00000000..80fdd89b
--- /dev/null
+++ b/vendor/k8s.io/apiserver/pkg/authentication/token/union/union.go
@@ -0,0 +1,71 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package union
+
+import (
+	"context"
+
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+)
+
+// unionAuthTokenHandler authenticates tokens using a chain of authenticator.Token objects
+type unionAuthTokenHandler struct {
+	// Handlers is a chain of request authenticators to delegate to
+	Handlers []authenticator.Token
+	// FailOnError determines whether an error returns short-circuits the chain
+	FailOnError bool
+}
+
+// New returns a token authenticator that validates credentials using a chain of authenticator.Token objects.
+// The entire chain is tried until one succeeds. If all fail, an aggregate error is returned.
+func New(authTokenHandlers ...authenticator.Token) authenticator.Token {
+	if len(authTokenHandlers) == 1 {
+		return authTokenHandlers[0]
+	}
+	return &unionAuthTokenHandler{Handlers: authTokenHandlers, FailOnError: false}
+}
+
+// NewFailOnError returns a token authenticator that validates credentials using a chain of authenticator.Token objects.
+// The first error short-circuits the chain.
+func NewFailOnError(authTokenHandlers ...authenticator.Token) authenticator.Token {
+	if len(authTokenHandlers) == 1 {
+		return authTokenHandlers[0]
+	}
+	return &unionAuthTokenHandler{Handlers: authTokenHandlers, FailOnError: true}
+}
+
+// AuthenticateToken authenticates the token using a chain of authenticator.Token objects.
+func (authHandler *unionAuthTokenHandler) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
+	var errlist []error
+	for _, currAuthRequestHandler := range authHandler.Handlers {
+		info, ok, err := currAuthRequestHandler.AuthenticateToken(ctx, token)
+		if err != nil {
+			if authHandler.FailOnError {
+				return info, ok, err
+			}
+			errlist = append(errlist, err)
+			continue
+		}
+
+		if ok {
+			return info, ok, err
+		}
+	}
+
+	return nil, false, utilerrors.NewAggregate(errlist)
+}
diff --git a/vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/metrics.go b/vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/metrics.go
new file mode 100644
index 00000000..109cde25
--- /dev/null
+++ b/vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/metrics.go
@@ -0,0 +1,110 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oidc
+
+import (
+	"context"
+	"crypto/sha256"
+	"fmt"
+	"sync"
+	"time"
+
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/component-base/metrics"
+	"k8s.io/component-base/metrics/legacyregistry"
+	"k8s.io/utils/clock"
+)
+
+const (
+	namespace = "apiserver"
+	subsystem = "authentication"
+)
+
+var (
+	jwtAuthenticatorLatencyMetric = metrics.NewHistogramVec(
+		&metrics.HistogramOpts{
+			Namespace:      namespace,
+			Subsystem:      subsystem,
+			Name:           "jwt_authenticator_latency_seconds",
+			Help:           "Latency of jwt authentication operations in seconds. This is the time spent authenticating a token for cache miss only (i.e. when the token is not found in the cache).",
+			StabilityLevel: metrics.ALPHA,
+			// default histogram buckets with a 1ms starting point
+			Buckets: []float64{.001, .005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10},
+		},
+		[]string{"result", "jwt_issuer_hash"},
+	)
+)
+
+var registerMetrics sync.Once
+
+func RegisterMetrics() {
+	registerMetrics.Do(func() {
+		legacyregistry.MustRegister(jwtAuthenticatorLatencyMetric)
+	})
+}
+
+func recordAuthenticationLatency(result, jwtIssuerHash string, duration time.Duration) {
+	jwtAuthenticatorLatencyMetric.WithLabelValues(result, jwtIssuerHash).Observe(duration.Seconds())
+}
+
+func getHash(data string) string {
+	if len(data) > 0 {
+		return fmt.Sprintf("sha256:%x", sha256.Sum256([]byte(data)))
+	}
+	return ""
+}
+
+func newInstrumentedAuthenticator(jwtIssuer string, delegate AuthenticatorTokenWithHealthCheck) AuthenticatorTokenWithHealthCheck {
+	return newInstrumentedAuthenticatorWithClock(jwtIssuer, delegate, clock.RealClock{})
+}
+
+func newInstrumentedAuthenticatorWithClock(jwtIssuer string, delegate AuthenticatorTokenWithHealthCheck, clock clock.PassiveClock) *instrumentedAuthenticator {
+	RegisterMetrics()
+	return &instrumentedAuthenticator{
+		jwtIssuerHash: getHash(jwtIssuer),
+		delegate:      delegate,
+		clock:         clock,
+	}
+}
+
+type instrumentedAuthenticator struct {
+	jwtIssuerHash string
+	delegate      AuthenticatorTokenWithHealthCheck
+	clock         clock.PassiveClock
+}
+
+func (a *instrumentedAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
+	start := a.clock.Now()
+	response, ok, err := a.delegate.AuthenticateToken(ctx, token)
+	// this only happens when issuer doesn't match the authenticator
+	// we don't want to record metrics for this case
+	if !ok && err == nil {
+		return response, ok, err
+	}
+
+	duration := a.clock.Since(start)
+	if err != nil {
+		recordAuthenticationLatency("failure", a.jwtIssuerHash, duration)
+	} else {
+		recordAuthenticationLatency("success", a.jwtIssuerHash, duration)
+	}
+	return response, ok, err
+}
+
+func (a *instrumentedAuthenticator) HealthCheck() error {
+	return a.delegate.HealthCheck()
+}
diff --git a/vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go b/vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
new file mode 100644
index 00000000..d5fd28f0
--- /dev/null
+++ b/vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
@@ -0,0 +1,1162 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+oidc implements the authenticator.Token interface using the OpenID Connect protocol.
+
+	config := oidc.Options{
+		IssuerURL:     "https://accounts.google.com",
+		ClientID:      os.Getenv("GOOGLE_CLIENT_ID"),
+		UsernameClaim: "email",
+	}
+	tokenAuthenticator, err := oidc.New(config)
+*/
+package oidc
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"reflect"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/coreos/go-oidc"
+	celgo "github.com/google/cel-go/cel"
+	"github.com/google/cel-go/common/types/ref"
+
+	authenticationv1 "k8s.io/api/authentication/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apiserver/pkg/apis/apiserver"
+	apiservervalidation "k8s.io/apiserver/pkg/apis/apiserver/validation"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	authenticationcel "k8s.io/apiserver/pkg/authentication/cel"
+	authenticationtokenjwt "k8s.io/apiserver/pkg/authentication/token/jwt"
+	"k8s.io/apiserver/pkg/authentication/user"
+	certutil "k8s.io/client-go/util/cert"
+	"k8s.io/klog/v2"
+)
+
+var (
+	// synchronizeTokenIDVerifierForTest should be set to true to force a
+	// wait until the token ID verifiers are ready.
+	synchronizeTokenIDVerifierForTest = false
+)
+
+const (
+	wellKnownEndpointPath = "/.well-known/openid-configuration"
+)
+
+type Options struct {
+	// JWTAuthenticator is the authenticator that will be used to verify the JWT.
+	JWTAuthenticator apiserver.JWTAuthenticator
+
+	// Optional KeySet to allow for synchronous initialization instead of fetching from the remote issuer.
+	// Mutually exclusive with JWTAuthenticator.Issuer.DiscoveryURL.
+	KeySet oidc.KeySet
+
+	// PEM encoded root certificate contents of the provider.  Mutually exclusive with Client.
+	CAContentProvider CAContentProvider
+
+	// Optional http.Client used to make all requests to the remote issuer.  Mutually exclusive with CAContentProvider.
+	Client *http.Client
+
+	// Optional CEL compiler used to compile the CEL expressions. This is useful to use a shared instance
+	// of the compiler as these compilers holding a CEL environment are expensive to create. If not provided,
+	// a default compiler will be created.
+	// Note: the compiler construction depends on feature gates and the compatibility version to be initialized.
+	Compiler authenticationcel.Compiler
+
+	// SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that
+	// can be used by the provider to sign tokens.
+	//
+	// https://tools.ietf.org/html/rfc7518#section-3.1
+	//
+	// This value defaults to RS256, the value recommended by the OpenID Connect
+	// spec:
+	//
+	// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
+	SupportedSigningAlgs []string
+
+	DisallowedIssuers []string
+
+	// now is used for testing. It defaults to time.Now.
+	now func() time.Time
+}
+
+// Subset of dynamiccertificates.CAContentProvider that can be used to dynamically load root CAs.
+type CAContentProvider interface {
+	CurrentCABundleContent() []byte
+}
+
+// initVerifier creates a new ID token verifier for the given configuration and issuer URL.  On success, calls setVerifier with the
+// resulting verifier.
+func initVerifier(ctx context.Context, config *oidc.Config, iss string, audiences sets.Set[string]) (*idTokenVerifier, error) {
+	provider, err := oidc.NewProvider(ctx, iss)
+	if err != nil {
+		return nil, fmt.Errorf("init verifier failed: %v", err)
+	}
+	return &idTokenVerifier{provider.Verifier(config), audiences}, nil
+}
+
+// asyncIDTokenVerifier is an ID token verifier that allows async initialization
+// of the issuer check.  Must be passed by reference as it wraps sync.Mutex.
+type asyncIDTokenVerifier struct {
+	m sync.Mutex
+
+	// v is the ID token verifier initialized asynchronously.  It remains nil
+	// up until it is eventually initialized.
+	// Guarded by m
+	v *idTokenVerifier
+}
+
+// newAsyncIDTokenVerifier creates a new asynchronous token verifier.  The
+// verifier is available immediately, but may remain uninitialized for some time
+// after creation.
+func newAsyncIDTokenVerifier(ctx context.Context, c *oidc.Config, iss string, audiences sets.Set[string]) *asyncIDTokenVerifier {
+	t := &asyncIDTokenVerifier{}
+
+	sync := make(chan struct{})
+	// Polls indefinitely in an attempt to initialize the distributed claims
+	// verifier, or until context canceled.
+	initFn := func(ctx context.Context) (done bool, err error) {
+		klog.V(4).Infof("oidc authenticator: attempting init: iss=%v", iss)
+		v, err := initVerifier(ctx, c, iss, audiences)
+		if err != nil {
+			klog.Errorf("oidc authenticator: async token verifier for issuer: %q: %v", iss, err)
+			return false, nil
+		}
+		t.m.Lock()
+		defer t.m.Unlock()
+		t.v = v
+		close(sync)
+		return true, nil
+	}
+
+	go func() {
+		_ = wait.PollUntilContextCancel(ctx, 10*time.Second, true, initFn)
+	}()
+
+	if synchronizeTokenIDVerifierForTest {
+		select {
+		case <-sync:
+		case <-ctx.Done():
+		}
+	}
+
+	return t
+}
+
+// verifier returns the underlying ID token verifier, or nil if one is not yet initialized.
+func (a *asyncIDTokenVerifier) verifier() *idTokenVerifier {
+	a.m.Lock()
+	defer a.m.Unlock()
+	return a.v
+}
+
+type jwtAuthenticator struct {
+	jwtAuthenticator apiserver.JWTAuthenticator
+
+	// Contains an *oidc.IDTokenVerifier. Do not access directly use the
+	// idTokenVerifier method.
+	verifier atomic.Value
+
+	// resolver is used to resolve distributed claims.
+	resolver *claimResolver
+
+	// celMapper contains the compiled CEL expressions for
+	// username, groups, uid, extra, claimMapping and claimValidation
+	celMapper authenticationcel.CELMapper
+
+	// requiredClaims contains the list of claims that must be present in the token.
+	requiredClaims map[string]string
+
+	healthCheck atomic.Pointer[errorHolder]
+}
+
+// idTokenVerifier is a wrapper around oidc.IDTokenVerifier. It uses the oidc.IDTokenVerifier
+// to verify the raw ID token and then performs audience validation locally.
+type idTokenVerifier struct {
+	verifier  *oidc.IDTokenVerifier
+	audiences sets.Set[string]
+}
+
+func (a *jwtAuthenticator) setVerifier(v *idTokenVerifier) {
+	a.verifier.Store(v)
+	if v != nil {
+		// this must be done after the verifier has been stored so that a nil error
+		// from HealthCheck always means that the authenticator is ready for use.
+		a.healthCheck.Store(&errorHolder{})
+	}
+}
+
+func (a *jwtAuthenticator) idTokenVerifier() (*idTokenVerifier, bool) {
+	if v := a.verifier.Load(); v != nil {
+		return v.(*idTokenVerifier), true
+	}
+	return nil, false
+}
+
+func AllValidSigningAlgorithms() []string {
+	return sets.List(sets.KeySet(allowedSigningAlgs))
+}
+
+// allowlist of signing algorithms to ensure users don't mistakenly pass something goofy.
+var allowedSigningAlgs = map[string]bool{
+	oidc.RS256: true,
+	oidc.RS384: true,
+	oidc.RS512: true,
+	oidc.ES256: true,
+	oidc.ES384: true,
+	oidc.ES512: true,
+	oidc.PS256: true,
+	oidc.PS384: true,
+	oidc.PS512: true,
+}
+
+type AuthenticatorTokenWithHealthCheck interface {
+	authenticator.Token
+	HealthCheck() error
+}
+
+// New returns an authenticator that is asynchronously initialized when opts.KeySet is not set.
+// The input lifecycleCtx is used to:
+// - terminate background goroutines that are needed for asynchronous initialization
+// - as the base context for any requests that are made (i.e. for key fetching)
+// Thus, once the lifecycleCtx is canceled, the authenticator must not be used.
+// A caller may check if the authenticator is healthy by calling the HealthCheck method.
+func New(lifecycleCtx context.Context, opts Options) (AuthenticatorTokenWithHealthCheck, error) {
+	compiler := opts.Compiler
+	if compiler == nil {
+		compiler = authenticationcel.NewDefaultCompiler()
+	}
+	celMapper, fieldErr := apiservervalidation.CompileAndValidateJWTAuthenticator(compiler, opts.JWTAuthenticator, opts.DisallowedIssuers)
+	if err := fieldErr.ToAggregate(); err != nil {
+		return nil, err
+	}
+
+	supportedSigningAlgs := opts.SupportedSigningAlgs
+	if len(supportedSigningAlgs) == 0 {
+		// RS256 is the default recommended by OpenID Connect and an 'alg' value
+		// providers are required to implement.
+		supportedSigningAlgs = []string{oidc.RS256}
+	}
+	for _, alg := range supportedSigningAlgs {
+		if !allowedSigningAlgs[alg] {
+			return nil, fmt.Errorf("oidc: unsupported signing alg: %q", alg)
+		}
+	}
+
+	if opts.Client != nil && opts.CAContentProvider != nil {
+		return nil, fmt.Errorf("oidc: Client and CAContentProvider are mutually exclusive")
+	}
+
+	client := opts.Client
+
+	if client == nil {
+		var roots *x509.CertPool
+		var err error
+		if opts.CAContentProvider != nil {
+			// TODO(enj): make this reload CA data dynamically
+			roots, err = certutil.NewPoolFromBytes(opts.CAContentProvider.CurrentCABundleContent())
+			if err != nil {
+				return nil, fmt.Errorf("Failed to read the CA contents: %v", err)
+			}
+		} else {
+			klog.Info("OIDC: No x509 certificates provided, will use host's root CA set")
+		}
+
+		// Copied from http.DefaultTransport.
+		tr := net.SetTransportDefaults(&http.Transport{
+			// According to golang's doc, if RootCAs is nil,
+			// TLS uses the host's root CA set.
+			TLSClientConfig: &tls.Config{RootCAs: roots},
+		})
+
+		client = &http.Client{Transport: tr, Timeout: 30 * time.Second}
+	}
+
+	// If the discovery URL is set in authentication configuration, we set up a
+	// roundTripper to rewrite the {url}/.well-known/openid-configuration to
+	// the discovery URL. This is useful for self-hosted providers, for example,
+	// providers that run on top of Kubernetes itself.
+	if len(opts.JWTAuthenticator.Issuer.DiscoveryURL) > 0 {
+		if opts.KeySet != nil {
+			return nil, fmt.Errorf("oidc: KeySet and DiscoveryURL are mutually exclusive")
+		}
+
+		discoveryURL, err := url.Parse(opts.JWTAuthenticator.Issuer.DiscoveryURL)
+		if err != nil {
+			return nil, fmt.Errorf("oidc: invalid discovery URL: %w", err)
+		}
+
+		clientWithDiscoveryURL := *client
+		baseTransport := clientWithDiscoveryURL.Transport
+		if baseTransport == nil {
+			baseTransport = http.DefaultTransport
+		}
+		// This matches the url construction in oidc.NewProvider as of go-oidc v2.2.1.
+		// xref: https://github.com/coreos/go-oidc/blob/40cd342c4a2076195294612a834d11df23c1b25a/oidc.go#L114
+		urlToRewrite := strings.TrimSuffix(opts.JWTAuthenticator.Issuer.URL, "/") + wellKnownEndpointPath
+		clientWithDiscoveryURL.Transport = &discoveryURLRoundTripper{baseTransport, discoveryURL, urlToRewrite}
+		client = &clientWithDiscoveryURL
+	}
+
+	lifecycleCtx = oidc.ClientContext(lifecycleCtx, client)
+
+	now := opts.now
+	if now == nil {
+		now = time.Now
+	}
+
+	audiences := sets.New[string](opts.JWTAuthenticator.Issuer.Audiences...)
+	verifierConfig := &oidc.Config{
+		ClientID:             opts.JWTAuthenticator.Issuer.Audiences[0],
+		SupportedSigningAlgs: supportedSigningAlgs,
+		Now:                  now,
+	}
+	if audiences.Len() > 1 {
+		verifierConfig.ClientID = ""
+		// SkipClientIDCheck is set to true because we want to support multiple audiences
+		// in the authentication configuration.
+		// The go oidc library does not support validating
+		// multiple audiences, so we have to skip the client ID check and do it ourselves.
+		// xref: https://github.com/coreos/go-oidc/issues/397
+		verifierConfig.SkipClientIDCheck = true
+	}
+
+	var resolver *claimResolver
+	groupsClaim := opts.JWTAuthenticator.ClaimMappings.Groups.Claim
+	if groupsClaim != "" {
+		resolver = newClaimResolver(lifecycleCtx, groupsClaim, client, verifierConfig, audiences)
+	}
+
+	requiredClaims := make(map[string]string)
+	for _, claimValidationRule := range opts.JWTAuthenticator.ClaimValidationRules {
+		if len(claimValidationRule.Claim) > 0 {
+			requiredClaims[claimValidationRule.Claim] = claimValidationRule.RequiredValue
+		}
+	}
+
+	authn := &jwtAuthenticator{
+		jwtAuthenticator: opts.JWTAuthenticator,
+		resolver:         resolver,
+		celMapper:        celMapper,
+		requiredClaims:   requiredClaims,
+	}
+	authn.healthCheck.Store(&errorHolder{
+		err: fmt.Errorf("oidc: authenticator for issuer %q is not initialized", authn.jwtAuthenticator.Issuer.URL),
+	})
+
+	issuerURL := opts.JWTAuthenticator.Issuer.URL
+	if opts.KeySet != nil {
+		// We already have a key set, synchronously initialize the verifier.
+		authn.setVerifier(&idTokenVerifier{
+			oidc.NewVerifier(issuerURL, opts.KeySet, verifierConfig),
+			audiences,
+		})
+	} else {
+		// Asynchronously attempt to initialize the authenticator. This enables
+		// self-hosted providers, providers that run on top of Kubernetes itself.
+		go func() {
+			// we ignore any errors from polling because they can only come from the context being canceled
+			_ = wait.PollUntilContextCancel(lifecycleCtx, 10*time.Second, true, func(_ context.Context) (done bool, err error) {
+				// this must always use lifecycleCtx because NewProvider uses that context for future key set fetching.
+				// this also means that there is no correct way to control the timeout of the discovery request made by NewProvider.
+				// the global timeout of the http.Client is still honored.
+				provider, err := oidc.NewProvider(lifecycleCtx, issuerURL)
+				if err != nil {
+					klog.Errorf("oidc authenticator: initializing plugin: %v", err)
+					authn.healthCheck.Store(&errorHolder{err: err})
+					return false, nil
+				}
+
+				verifier := provider.Verifier(verifierConfig)
+				authn.setVerifier(&idTokenVerifier{verifier, audiences})
+				return true, nil
+			})
+		}()
+	}
+
+	return newInstrumentedAuthenticator(issuerURL, authn), nil
+}
+
+type errorHolder struct {
+	err error
+}
+
+// discoveryURLRoundTripper is a http.RoundTripper that rewrites the
+// {url}/.well-known/openid-configuration to the discovery URL.
+type discoveryURLRoundTripper struct {
+	base http.RoundTripper
+	// discoveryURL is the URL to use to fetch the openid configuration
+	discoveryURL *url.URL
+	// urlToRewrite is the URL to rewrite to the discovery URL
+	urlToRewrite string
+}
+
+func (t *discoveryURLRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if req.Method == http.MethodGet && req.URL.String() == t.urlToRewrite {
+		clone := req.Clone(req.Context())
+		clone.Host = ""
+		clone.URL = t.discoveryURL
+		return t.base.RoundTrip(clone)
+	}
+	return t.base.RoundTrip(req)
+}
+
+// untrustedIssuer extracts an untrusted "iss" claim from the given JWT token,
+// or returns an error if the token can not be parsed.  Since the JWT is not
+// verified, the returned issuer should not be trusted.
+func untrustedIssuer(token string) (string, error) {
+	if strings.HasPrefix(strings.TrimSpace(token), "{") {
+		return "", fmt.Errorf("token is not compact JWT")
+	}
+	parts := strings.Split(token, ".")
+	if len(parts) != 3 {
+		return "", fmt.Errorf("malformed token")
+	}
+	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return "", fmt.Errorf("error decoding token: %v", err)
+	}
+	claims := struct {
+		// WARNING: this JWT is not verified. Do not trust these claims.
+		Issuer string `json:"iss"`
+	}{}
+	if err := json.Unmarshal(payload, &claims); err != nil {
+		return "", fmt.Errorf("while unmarshaling token: %v", err)
+	}
+	// Coalesce the legacy GoogleIss with the new one.
+	//
+	// http://openid.net/specs/openid-connect-core-1_0.html#GoogleIss
+	if claims.Issuer == "accounts.google.com" {
+		return "https://accounts.google.com", nil
+	}
+	return claims.Issuer, nil
+}
+
+func hasCorrectIssuer(iss, tokenData string) bool {
+	uiss, err := untrustedIssuer(tokenData)
+	if err != nil {
+		return false
+	}
+	if uiss != iss {
+		return false
+	}
+	return true
+}
+
+// endpoint represents an OIDC distributed claims endpoint.
+type endpoint struct {
+	// URL to use to request the distributed claim.  This URL is expected to be
+	// prefixed by one of the known issuer URLs.
+	URL string `json:"endpoint,omitempty"`
+	// AccessToken is the bearer token to use for access.  If empty, it is
+	// not used.  Access token is optional per the OIDC distributed claims
+	// specification.
+	// See: http://openid.net/specs/openid-connect-core-1_0.html#DistributedExample
+	AccessToken string `json:"access_token,omitempty"`
+	// JWT is the container for aggregated claims.  Not supported at the moment.
+	// See: http://openid.net/specs/openid-connect-core-1_0.html#AggregatedExample
+	JWT string `json:"JWT,omitempty"`
+}
+
+// claimResolver expands distributed claims by calling respective claim source
+// endpoints.
+type claimResolver struct {
+	ctx context.Context
+
+	// claim is the distributed claim that may be resolved.
+	claim string
+
+	// audiences is the set of acceptable audiences the JWT must be issued to.
+	// At least one of the entries must match the "aud" claim in presented JWTs.
+	audiences sets.Set[string]
+
+	// client is the to use for resolving distributed claims
+	client *http.Client
+
+	// config is the OIDC configuration used for resolving distributed claims.
+	config *oidc.Config
+
+	// verifierPerIssuer contains, for each issuer, the appropriate verifier to use
+	// for this claim.  It is assumed that there will be very few entries in
+	// this map.
+	// Guarded by m.
+	verifierPerIssuer map[string]*asyncIDTokenVerifier
+
+	m sync.Mutex
+}
+
+// newClaimResolver creates a new resolver for distributed claims.
+// the input ctx is retained and is used as the base context for background requests such as key fetching.
+func newClaimResolver(ctx context.Context, claim string, client *http.Client, config *oidc.Config, audiences sets.Set[string]) *claimResolver {
+	return &claimResolver{
+		ctx:               ctx,
+		claim:             claim,
+		audiences:         audiences,
+		client:            client,
+		config:            config,
+		verifierPerIssuer: map[string]*asyncIDTokenVerifier{},
+	}
+}
+
+// Verifier returns either the verifier for the specified issuer, or error.
+func (r *claimResolver) Verifier(iss string) (*idTokenVerifier, error) {
+	r.m.Lock()
+	av := r.verifierPerIssuer[iss]
+	if av == nil {
+		// This lazy init should normally be very quick.
+		ctx := oidc.ClientContext(r.ctx, r.client)
+		av = newAsyncIDTokenVerifier(ctx, r.config, iss, r.audiences)
+		r.verifierPerIssuer[iss] = av
+	}
+	r.m.Unlock()
+
+	v := av.verifier()
+	if v == nil {
+		return nil, fmt.Errorf("verifier not initialized for issuer: %q", iss)
+	}
+	return v, nil
+}
+
+// expand extracts the distributed claims from claim names and claim sources.
+// The extracted claim value is pulled up into the supplied claims.
+//
+// Distributed claims are of the form as seen below, and are defined in the
+// OIDC Connect Core 1.0, section 5.6.2.
+// See: https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
+//
+//	{
+//	  ... (other normal claims)...
+//	  "_claim_names": {
+//	    "groups": "src1"
+//	  },
+//	  "_claim_sources": {
+//	    "src1": {
+//	      "endpoint": "https://www.example.com",
+//	      "access_token": "f005ba11"
+//	    },
+//	  },
+//	}
+func (r *claimResolver) expand(ctx context.Context, c claims) error {
+	const (
+		// The claim containing a map of endpoint references per claim.
+		// OIDC Connect Core 1.0, section 5.6.2.
+		claimNamesKey = "_claim_names"
+		// The claim containing endpoint specifications.
+		// OIDC Connect Core 1.0, section 5.6.2.
+		claimSourcesKey = "_claim_sources"
+	)
+
+	_, ok := c[r.claim]
+	if ok {
+		// There already is a normal claim, skip resolving.
+		return nil
+	}
+	names, ok := c[claimNamesKey]
+	if !ok {
+		// No _claim_names, no keys to look up.
+		return nil
+	}
+
+	claimToSource := map[string]string{}
+	if err := json.Unmarshal([]byte(names), &claimToSource); err != nil {
+		return fmt.Errorf("oidc: error parsing distributed claim names: %v", err)
+	}
+
+	rawSources, ok := c[claimSourcesKey]
+	if !ok {
+		// Having _claim_names claim,  but no _claim_sources is not an expected
+		// state.
+		return fmt.Errorf("oidc: no claim sources")
+	}
+
+	var sources map[string]endpoint
+	if err := json.Unmarshal([]byte(rawSources), &sources); err != nil {
+		// The claims sources claim is malformed, this is not an expected state.
+		return fmt.Errorf("oidc: could not parse claim sources: %v", err)
+	}
+
+	src, ok := claimToSource[r.claim]
+	if !ok {
+		// No distributed claim present.
+		return nil
+	}
+	ep, ok := sources[src]
+	if !ok {
+		return fmt.Errorf("id token _claim_names contained a source %s missing in _claims_sources", src)
+	}
+	if ep.URL == "" {
+		// This is maybe an aggregated claim (ep.JWT != "").
+		return nil
+	}
+	return r.resolve(ctx, ep, c)
+}
+
+// resolve requests distributed claims from all endpoints passed in,
+// and inserts the lookup results into allClaims.
+func (r *claimResolver) resolve(ctx context.Context, endpoint endpoint, allClaims claims) error {
+	// TODO: cache resolved claims.
+	jwt, err := getClaimJWT(ctx, r.client, endpoint.URL, endpoint.AccessToken)
+	if err != nil {
+		return fmt.Errorf("while getting distributed claim %q: %v", r.claim, err)
+	}
+	untrustedIss, err := untrustedIssuer(jwt)
+	if err != nil {
+		return fmt.Errorf("getting untrusted issuer from endpoint %v failed for claim %q: %v", endpoint.URL, r.claim, err)
+	}
+	v, err := r.Verifier(untrustedIss)
+	if err != nil {
+		return fmt.Errorf("verifying untrusted issuer %v failed: %v", untrustedIss, err)
+	}
+	t, err := v.Verify(ctx, jwt)
+	if err != nil {
+		return fmt.Errorf("verify distributed claim token: %v", err)
+	}
+	var distClaims claims
+	if err := t.Claims(&distClaims); err != nil {
+		return fmt.Errorf("could not parse distributed claims for claim %v: %v", r.claim, err)
+	}
+	value, ok := distClaims[r.claim]
+	if !ok {
+		return fmt.Errorf("jwt returned by distributed claim endpoint %q did not contain claim: %v", endpoint.URL, r.claim)
+	}
+	allClaims[r.claim] = value
+	return nil
+}
+
+func (v *idTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error) {
+	t, err := v.verifier.Verify(ctx, rawIDToken)
+	if err != nil {
+		return nil, err
+	}
+	if err := v.verifyAudience(t); err != nil {
+		return nil, err
+	}
+	return t, nil
+}
+
+// verifyAudience verifies the audience field in the ID token matches the expected audience.
+// This is added based on https://github.com/coreos/go-oidc/blob/b203e58c24394ddf5e816706a7645f01280245c7/oidc/verify.go#L275-L281
+// with the difference that we allow multiple audiences.
+//
+// AuthenticationConfiguration has a audienceMatchPolicy field, but the only supported value now is "MatchAny".
+// So, The default match behavior is to match at least one of the audiences in the ID token.
+func (v *idTokenVerifier) verifyAudience(t *oidc.IDToken) error {
+	// We validate audience field is not empty in the authentication configuration.
+	// This check ensures callers of "Verify" using idTokenVerifier are not passing
+	// an empty audience.
+	if v.audiences.Len() == 0 {
+		return fmt.Errorf("oidc: invalid configuration, audiences cannot be empty")
+	}
+	if v.audiences.HasAny(t.Audience...) {
+		return nil
+	}
+
+	return fmt.Errorf("oidc: expected audience in %q got %q", sets.List(v.audiences), t.Audience)
+}
+
+func (a *jwtAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
+	if !hasCorrectIssuer(a.jwtAuthenticator.Issuer.URL, token) {
+		return nil, false, nil
+	}
+
+	verifier, ok := a.idTokenVerifier()
+	if !ok {
+		return nil, false, fmt.Errorf("oidc: authenticator not initialized")
+	}
+
+	idToken, err := verifier.Verify(ctx, token)
+	if err != nil {
+		return nil, false, fmt.Errorf("oidc: verify token: %v", err)
+	}
+
+	var c claims
+	if err := idToken.Claims(&c); err != nil {
+		return nil, false, fmt.Errorf("oidc: parse claims: %v", err)
+	}
+	if a.resolver != nil {
+		if err := a.resolver.expand(ctx, c); err != nil {
+			return nil, false, fmt.Errorf("oidc: could not expand distributed claims: %v", err)
+		}
+	}
+
+	var claimsUnstructured *unstructured.Unstructured
+	// Convert the claims to unstructured so that we can evaluate the CEL expressions
+	// against the claims. This is done once here so that we don't have to convert
+	// the claims to unstructured multiple times in the CEL mapper for each mapping.
+	// Only perform this conversion if any of the mapping or validation rules contain
+	// CEL expressions.
+	// TODO(aramase): In the future when we look into making distributed claims work,
+	// we should see if we can skip this function and use a dynamic type resolver for
+	// both json.RawMessage and the distributed claim fetching.
+	if a.celMapper.Username != nil || a.celMapper.Groups != nil || a.celMapper.UID != nil || a.celMapper.Extra != nil || a.celMapper.ClaimValidationRules != nil {
+		if claimsUnstructured, err = convertObjectToUnstructured(&c); err != nil {
+			return nil, false, fmt.Errorf("oidc: could not convert claims to unstructured: %w", err)
+		}
+	}
+
+	var username string
+	if username, err = a.getUsername(ctx, c, claimsUnstructured); err != nil {
+		return nil, false, err
+	}
+
+	info := &user.DefaultInfo{Name: username}
+	if info.Groups, err = a.getGroups(ctx, c, claimsUnstructured); err != nil {
+		return nil, false, err
+	}
+
+	if info.UID, err = a.getUID(ctx, c, claimsUnstructured); err != nil {
+		return nil, false, err
+	}
+
+	extra, err := a.getExtra(ctx, c, claimsUnstructured)
+	if err != nil {
+		return nil, false, err
+	}
+	if len(extra) > 0 {
+		info.Extra = extra
+	}
+
+	// check to ensure all required claims are present in the ID token and have matching values.
+	for claim, value := range a.requiredClaims {
+		if !c.hasClaim(claim) {
+			return nil, false, fmt.Errorf("oidc: required claim %s not present in ID token", claim)
+		}
+
+		// NOTE: Only string values are supported as valid required claim values.
+		var claimValue string
+		if err := c.unmarshalClaim(claim, &claimValue); err != nil {
+			return nil, false, fmt.Errorf("oidc: parse claim %s: %w", claim, err)
+		}
+		if claimValue != value {
+			return nil, false, fmt.Errorf("oidc: required claim %s value does not match. Got = %s, want = %s", claim, claimValue, value)
+		}
+	}
+
+	if a.celMapper.ClaimValidationRules != nil {
+		evalResult, err := a.celMapper.ClaimValidationRules.EvalClaimMappings(ctx, claimsUnstructured)
+		if err != nil {
+			return nil, false, fmt.Errorf("oidc: error evaluating claim validation expression: %w", err)
+		}
+		if err := checkValidationRulesEvaluation(evalResult, func(a authenticationcel.ExpressionAccessor) (string, error) {
+			claimValidationCondition, ok := a.(*authenticationcel.ClaimValidationCondition)
+			if !ok {
+				return "", fmt.Errorf("invalid type conversion, expected ClaimValidationCondition")
+			}
+			return claimValidationCondition.Message, nil
+		}); err != nil {
+			return nil, false, fmt.Errorf("oidc: error evaluating claim validation expression: %w", err)
+		}
+	}
+
+	if a.celMapper.UserValidationRules != nil {
+		// Convert the user info to unstructured so that we can evaluate the CEL expressions
+		// against the user info. This is done once here so that we don't have to convert
+		// the user info to unstructured multiple times in the CEL mapper for each mapping.
+		userInfoUnstructured, err := convertUserInfoToUnstructured(info)
+		if err != nil {
+			return nil, false, fmt.Errorf("oidc: could not convert user info to unstructured: %w", err)
+		}
+
+		evalResult, err := a.celMapper.UserValidationRules.EvalUser(ctx, userInfoUnstructured)
+		if err != nil {
+			return nil, false, fmt.Errorf("oidc: error evaluating user info validation rule: %w", err)
+		}
+		if err := checkValidationRulesEvaluation(evalResult, func(a authenticationcel.ExpressionAccessor) (string, error) {
+			userValidationCondition, ok := a.(*authenticationcel.UserValidationCondition)
+			if !ok {
+				return "", fmt.Errorf("invalid type conversion, expected UserValidationCondition")
+			}
+			return userValidationCondition.Message, nil
+		}); err != nil {
+			return nil, false, fmt.Errorf("oidc: error evaluating user info validation rule: %w", err)
+		}
+	}
+
+	return &authenticator.Response{User: info}, true, nil
+}
+
+func (a *jwtAuthenticator) HealthCheck() error {
+	if holder := *a.healthCheck.Load(); holder.err != nil {
+		return fmt.Errorf("oidc: authenticator for issuer %q is not healthy: %w", a.jwtAuthenticator.Issuer.URL, holder.err)
+	}
+
+	return nil
+}
+
+func (a *jwtAuthenticator) getUsername(ctx context.Context, c claims, claimsUnstructured *unstructured.Unstructured) (string, error) {
+	if a.celMapper.Username != nil {
+		evalResult, err := a.celMapper.Username.EvalClaimMapping(ctx, claimsUnstructured)
+		if err != nil {
+			return "", fmt.Errorf("oidc: error evaluating username claim expression: %w", err)
+		}
+		if evalResult.EvalResult.Type() != celgo.StringType {
+			return "", fmt.Errorf("oidc: error evaluating username claim expression: %w", fmt.Errorf("username claim expression must return a string"))
+		}
+
+		username := evalResult.EvalResult.Value().(string)
+
+		if len(username) == 0 {
+			return "", fmt.Errorf("oidc: empty username via CEL expression is not allowed")
+		}
+
+		return username, nil
+	}
+
+	var username string
+	usernameClaim := a.jwtAuthenticator.ClaimMappings.Username.Claim
+	if err := c.unmarshalClaim(usernameClaim, &username); err != nil {
+		return "", fmt.Errorf("oidc: parse username claims %q: %v", usernameClaim, err)
+	}
+
+	if usernameClaim == "email" {
+		// If the email_verified claim is present, ensure the email is valid.
+		// https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+		if hasEmailVerified := c.hasClaim("email_verified"); hasEmailVerified {
+			var emailVerified bool
+			if err := c.unmarshalClaim("email_verified", &emailVerified); err != nil {
+				return "", fmt.Errorf("oidc: parse 'email_verified' claim: %v", err)
+			}
+
+			// If the email_verified claim is present we have to verify it is set to `true`.
+			if !emailVerified {
+				return "", fmt.Errorf("oidc: email not verified")
+			}
+		}
+	}
+
+	userNamePrefix := a.jwtAuthenticator.ClaimMappings.Username.Prefix
+	if userNamePrefix != nil && *userNamePrefix != "" {
+		return *userNamePrefix + username, nil
+	}
+	return username, nil
+}
+
+func (a *jwtAuthenticator) getGroups(ctx context.Context, c claims, claimsUnstructured *unstructured.Unstructured) ([]string, error) {
+	groupsClaim := a.jwtAuthenticator.ClaimMappings.Groups.Claim
+	if len(groupsClaim) > 0 {
+		if _, ok := c[groupsClaim]; ok {
+			// Some admins want to use string claims like "role" as the group value.
+			// Allow the group claim to be a single string instead of an array.
+			//
+			// See: https://github.com/kubernetes/kubernetes/issues/33290
+			var groups stringOrArray
+			if err := c.unmarshalClaim(groupsClaim, &groups); err != nil {
+				return nil, fmt.Errorf("oidc: parse groups claim %q: %w", groupsClaim, err)
+			}
+
+			prefix := a.jwtAuthenticator.ClaimMappings.Groups.Prefix
+			if prefix != nil && *prefix != "" {
+				for i, group := range groups {
+					groups[i] = *prefix + group
+				}
+			}
+
+			return []string(groups), nil
+		}
+	}
+
+	if a.celMapper.Groups == nil {
+		return nil, nil
+	}
+
+	evalResult, err := a.celMapper.Groups.EvalClaimMapping(ctx, claimsUnstructured)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: error evaluating group claim expression: %w", err)
+	}
+
+	groups, err := convertCELValueToStringList(evalResult.EvalResult)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: error evaluating group claim expression: %w", err)
+	}
+	return groups, nil
+}
+
+func (a *jwtAuthenticator) getUID(ctx context.Context, c claims, claimsUnstructured *unstructured.Unstructured) (string, error) {
+	uidClaim := a.jwtAuthenticator.ClaimMappings.UID.Claim
+	if len(uidClaim) > 0 {
+		var uid string
+		if err := c.unmarshalClaim(uidClaim, &uid); err != nil {
+			return "", fmt.Errorf("oidc: parse uid claim %q: %w", uidClaim, err)
+		}
+		return uid, nil
+	}
+
+	if a.celMapper.UID == nil {
+		return "", nil
+	}
+
+	evalResult, err := a.celMapper.UID.EvalClaimMapping(ctx, claimsUnstructured)
+	if err != nil {
+		return "", fmt.Errorf("oidc: error evaluating uid claim expression: %w", err)
+	}
+	if evalResult.EvalResult.Type() != celgo.StringType {
+		return "", fmt.Errorf("oidc: error evaluating uid claim expression: %w", fmt.Errorf("uid claim expression must return a string"))
+	}
+
+	return evalResult.EvalResult.Value().(string), nil
+}
+
+func (a *jwtAuthenticator) getExtra(ctx context.Context, c claims, claimsUnstructured *unstructured.Unstructured) (map[string][]string, error) {
+	extra := make(map[string][]string)
+
+	if credentialID := getCredentialID(c); len(credentialID) > 0 {
+		extra[user.CredentialIDKey] = []string{credentialID}
+	}
+
+	if a.celMapper.Extra == nil {
+		return extra, nil
+	}
+
+	evalResult, err := a.celMapper.Extra.EvalClaimMappings(ctx, claimsUnstructured)
+	if err != nil {
+		return nil, err
+	}
+	for _, result := range evalResult {
+		extraMapping, ok := result.ExpressionAccessor.(*authenticationcel.ExtraMappingExpression)
+		if !ok {
+			return nil, fmt.Errorf("oidc: error evaluating extra claim expression: %w", fmt.Errorf("invalid type conversion, expected ExtraMappingCondition"))
+		}
+
+		extraValues, err := convertCELValueToStringList(result.EvalResult)
+		if err != nil {
+			return nil, fmt.Errorf("oidc: error evaluating extra claim expression: %s: %w", extraMapping.Expression, err)
+		}
+
+		if len(extraValues) > 0 {
+			extra[extraMapping.Key] = extraValues
+		}
+	}
+
+	return extra, nil
+}
+
+func getCredentialID(c claims) string {
+	if _, ok := c["jti"]; ok {
+		var jti string
+		if err := c.unmarshalClaim("jti", &jti); err == nil {
+			return authenticationtokenjwt.CredentialIDForJTI(jti)
+		}
+	}
+
+	return ""
+}
+
+// getClaimJWT gets a distributed claim JWT from url, using the supplied access
+// token as bearer token.  If the access token is "", the authorization header
+// will not be set.
+// TODO: Allow passing in JSON hints to the IDP.
+func getClaimJWT(ctx context.Context, client *http.Client, url, accessToken string) (string, error) {
+	// TODO: Allow passing request body with configurable information.
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return "", fmt.Errorf("while calling %v: %v", url, err)
+	}
+	if accessToken != "" {
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %v", accessToken))
+	}
+	req = req.WithContext(ctx)
+	response, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer response.Body.Close()
+	// Report non-OK status code as an error.
+	if response.StatusCode < http.StatusOK || response.StatusCode > http.StatusIMUsed {
+		return "", fmt.Errorf("error while getting distributed claim JWT: %v", response.Status)
+	}
+	responseBytes, err := ioutil.ReadAll(response.Body)
+	if err != nil {
+		return "", fmt.Errorf("could not decode distributed claim response")
+	}
+	return string(responseBytes), nil
+}
+
+type stringOrArray []string
+
+func (s *stringOrArray) UnmarshalJSON(b []byte) error {
+	var a []string
+	if err := json.Unmarshal(b, &a); err == nil {
+		*s = a
+		return nil
+	}
+	var str string
+	if err := json.Unmarshal(b, &str); err != nil {
+		return err
+	}
+	*s = []string{str}
+	return nil
+}
+
+type claims map[string]json.RawMessage
+
+func (c claims) unmarshalClaim(name string, v interface{}) error {
+	val, ok := c[name]
+	if !ok {
+		return fmt.Errorf("claim not present")
+	}
+	return json.Unmarshal([]byte(val), v)
+}
+
+func (c claims) hasClaim(name string) bool {
+	if _, ok := c[name]; !ok {
+		return false
+	}
+	return true
+}
+
+// convertCELValueToStringList converts the CEL value to a string list.
+// The CEL value needs to be either a string or a list of strings.
+// "", [] are treated as not being present and will return nil.
+// Empty string in a list of strings is treated as not being present and will be filtered out.
+func convertCELValueToStringList(val ref.Val) ([]string, error) {
+	switch val.Type().TypeName() {
+	case celgo.StringType.TypeName():
+		out := val.Value().(string)
+		if len(out) == 0 {
+			return nil, nil
+		}
+		return []string{out}, nil
+
+	case celgo.ListType(nil).TypeName():
+		var result []string
+		switch val.Value().(type) {
+		case []interface{}:
+			for _, v := range val.Value().([]interface{}) {
+				out, ok := v.(string)
+				if !ok {
+					return nil, fmt.Errorf("expression must return a string or a list of strings")
+				}
+				if len(out) == 0 {
+					continue
+				}
+				result = append(result, out)
+			}
+		case []ref.Val:
+			for _, v := range val.Value().([]ref.Val) {
+				out, ok := v.Value().(string)
+				if !ok {
+					return nil, fmt.Errorf("expression must return a string or a list of strings")
+				}
+				if len(out) == 0 {
+					continue
+				}
+				result = append(result, out)
+			}
+		default:
+			return nil, fmt.Errorf("expression must return a string or a list of strings")
+		}
+
+		if len(result) == 0 {
+			return nil, nil
+		}
+
+		return result, nil
+	case celgo.NullType.TypeName():
+		return nil, nil
+	default:
+		return nil, fmt.Errorf("expression must return a string or a list of strings")
+	}
+}
+
+// messageFunc is a function that returns a message for a validation rule.
+type messageFunc func(authenticationcel.ExpressionAccessor) (string, error)
+
+// checkValidationRulesEvaluation checks if the validation rules evaluation results
+// are valid. If the validation rules evaluation results are not valid, it returns
+// an error with an optional message that was set in the validation rule.
+func checkValidationRulesEvaluation(results []authenticationcel.EvaluationResult, messageFn messageFunc) error {
+	for _, result := range results {
+		if result.EvalResult.Type() != celgo.BoolType {
+			return fmt.Errorf("validation expression must return a boolean")
+		}
+		if !result.EvalResult.Value().(bool) {
+			expression := result.ExpressionAccessor.GetExpression()
+
+			message, err := messageFn(result.ExpressionAccessor)
+			if err != nil {
+				return err
+			}
+
+			return fmt.Errorf("validation expression '%s' failed: %s", expression, message)
+		}
+	}
+
+	return nil
+}
+
+func convertObjectToUnstructured(obj interface{}) (*unstructured.Unstructured, error) {
+	if obj == nil || reflect.ValueOf(obj).IsNil() {
+		return &unstructured.Unstructured{Object: nil}, nil
+	}
+	ret, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
+	if err != nil {
+		return nil, err
+	}
+	return &unstructured.Unstructured{Object: ret}, nil
+}
+
+func convertUserInfoToUnstructured(info user.Info) (*unstructured.Unstructured, error) {
+	userInfo := &authenticationv1.UserInfo{
+		Extra:    make(map[string]authenticationv1.ExtraValue),
+		Groups:   info.GetGroups(),
+		UID:      info.GetUID(),
+		Username: info.GetName(),
+	}
+	// Convert the extra information in the user object
+	for key, val := range info.GetExtra() {
+		userInfo.Extra[key] = authenticationv1.ExtraValue(val)
+	}
+
+	// Convert the user info to unstructured so that we can evaluate the CEL expressions
+	// against the user info. This is done once here so that we don't have to convert
+	// the user info to unstructured multiple times in the CEL mapper for each mapping.
+	userInfoUnstructured, err := convertObjectToUnstructured(userInfo)
+	if err != nil {
+		return nil, err
+	}
+
+	// check if the user info contains the required fields. If not, set them to empty values.
+	// This is done because the CEL expressions expect these fields to be present.
+	if userInfoUnstructured.Object["username"] == nil {
+		userInfoUnstructured.Object["username"] = ""
+	}
+	if userInfoUnstructured.Object["uid"] == nil {
+		userInfoUnstructured.Object["uid"] = ""
+	}
+	if userInfoUnstructured.Object["groups"] == nil {
+		userInfoUnstructured.Object["groups"] = []string{}
+	}
+	if userInfoUnstructured.Object["extra"] == nil {
+		userInfoUnstructured.Object["extra"] = map[string]authenticationv1.ExtraValue{}
+	}
+	return userInfoUnstructured, nil
+}

From ab84e8fdc3dd1824463d99e617d21b34697d9235 Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev <bkhizgiy@redhat.com>
Date: Tue, 27 Jan 2026 12:58:32 +0200
Subject: [PATCH 02/10] Add support for OIDC in the operator

Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com>
---
 Dockerfile                                    |   3 +
 cmd/caib/auth/config.go                       | 134 ++++++
 cmd/caib/auth/oidc.go                         | 388 ++++++++++++++++++
 cmd/caib/auth/wrapper.go                      |  71 ++++
 cmd/caib/main.go                              |  95 ++++-
 go.mod                                        |   8 +-
 go.sum                                        |   8 +
 internal/buildapi/auth_config.go              | 173 ++++++++
 internal/buildapi/client/client.go            |  46 +++
 internal/buildapi/client_tokens.go            | 117 ++++++
 internal/buildapi/internal_jwt.go             |  73 ++++
 internal/buildapi/server.go                   | 313 ++++++++++++--
 .../controller/operatorconfig/controller.go   |  67 ++-
 .../controller/operatorconfig/resources.go    | 144 ++++++-
 vendor/modules.txt                            |  20 +
 15 files changed, 1615 insertions(+), 45 deletions(-)
 create mode 100644 cmd/caib/auth/config.go
 create mode 100644 cmd/caib/auth/oidc.go
 create mode 100644 cmd/caib/auth/wrapper.go
 create mode 100644 internal/buildapi/auth_config.go
 create mode 100644 internal/buildapi/client_tokens.go
 create mode 100644 internal/buildapi/internal_jwt.go

diff --git a/Dockerfile b/Dockerfile
index 03831b44..6c2ccc90 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,6 +31,9 @@ WORKDIR /
 COPY --from=builder /workspace/manager .
 COPY --from=builder /workspace/build-api .
 COPY --from=builder /workspace/init-secrets .
+# Include CA bundle so OIDC discovery works without custom CA config
+COPY --from=builder /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/tls/certs/ca-bundle.crt
 USER 65532:65532
 
 ENTRYPOINT ["/manager"]
diff --git a/cmd/caib/auth/config.go b/cmd/caib/auth/config.go
new file mode 100644
index 00000000..6a12f9b7
--- /dev/null
+++ b/cmd/caib/auth/config.go
@@ -0,0 +1,134 @@
+package auth
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+func GetOIDCConfigFromAPI(serverURL string) (*OIDCConfig, error) {
+	insecureTLS := strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1"
+	client := &http.Client{
+		Timeout: 10 * time.Second,
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureTLS},
+		},
+	}
+
+	configURL := strings.TrimSuffix(serverURL, "/") + "/v1/auth/config"
+	req, err := http.NewRequest("GET", configURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, nil
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, nil
+	}
+
+	var apiResponse struct {
+		ClientID string `json:"clientId"`
+		JWT      []struct {
+			Issuer struct {
+				URL       string   `json:"url"`
+				Audiences []string `json:"audiences,omitempty"`
+			} `json:"issuer"`
+			ClaimMappings struct {
+				Username struct {
+					Claim  string `json:"claim"`
+					Prefix string `json:"prefix,omitempty"`
+				} `json:"username"`
+			} `json:"claimMappings"`
+		} `json:"jwt"`
+	}
+
+	if err := json.NewDecoder(resp.Body).Decode(&apiResponse); err != nil {
+		return nil, nil
+	}
+
+	if len(apiResponse.JWT) == 0 {
+		return nil, nil
+	}
+
+	jwtConfig := apiResponse.JWT[0]
+
+	clientID := apiResponse.ClientID
+	if clientID == "" {
+		return nil, fmt.Errorf("OIDC client ID is required but not provided by the server")
+	}
+
+	return &OIDCConfig{
+		IssuerURL: jwtConfig.Issuer.URL,
+		ClientID:  clientID,
+		Scopes:    []string{"openid", "profile", "email"},
+	}, nil
+}
+
+// GetOIDCConfigFromLocalConfig tries to read from local config file
+func GetOIDCConfigFromLocalConfig() (*OIDCConfig, error) {
+	homeDir, _ := os.UserHomeDir()
+	configPath := filepath.Join(homeDir, tokenCacheDir, "config.json")
+
+	data, err := os.ReadFile(configPath)
+	if err != nil {
+		return nil, err
+	}
+
+	var config struct {
+		IssuerURL string   `json:"issuer_url"`
+		ClientID  string   `json:"client_id"`
+		Scopes    []string `json:"scopes"`
+	}
+
+	if err := json.Unmarshal(data, &config); err != nil {
+		return nil, err
+	}
+
+	if config.IssuerURL == "" || config.ClientID == "" {
+		return nil, fmt.Errorf("invalid config: issuer_url and client_id required")
+	}
+
+	scopes := config.Scopes
+	if len(scopes) == 0 {
+		scopes = []string{"openid", "profile", "email"}
+	}
+
+	return &OIDCConfig{
+		IssuerURL: config.IssuerURL,
+		ClientID:  config.ClientID,
+		Scopes:    scopes,
+	}, nil
+}
+
+// SaveOIDCConfig saves OIDC config to local file
+func SaveOIDCConfig(config *OIDCConfig) error {
+	homeDir, _ := os.UserHomeDir()
+	configPath := filepath.Join(homeDir, tokenCacheDir, "config.json")
+
+	configData := map[string]interface{}{
+		"issuer_url": config.IssuerURL,
+		"client_id":  config.ClientID,
+		"scopes":     config.Scopes,
+	}
+
+	data, err := json.MarshalIndent(configData, "", "  ")
+	if err != nil {
+		return err
+	}
+
+	if err := os.MkdirAll(filepath.Dir(configPath), 0700); err != nil {
+		return err
+	}
+
+	return os.WriteFile(configPath, data, 0600)
+}
diff --git a/cmd/caib/auth/oidc.go b/cmd/caib/auth/oidc.go
new file mode 100644
index 00000000..bfb03f30
--- /dev/null
+++ b/cmd/caib/auth/oidc.go
@@ -0,0 +1,388 @@
+package auth
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+const (
+	tokenCacheDir  = ".caib"
+	tokenCacheFile = "token.json"
+)
+
+type TokenCache struct {
+	Token     string    `json:"token"`
+	ExpiresAt time.Time `json:"expires_at"`
+	Issuer    string    `json:"issuer"`
+}
+
+type OIDCConfig struct {
+	IssuerURL string
+	ClientID  string
+	Scopes    []string
+}
+
+type OIDCAuth struct {
+	config     OIDCConfig
+	tokenCache *TokenCache
+	cachePath  string
+}
+
+func NewOIDCAuth(issuerURL, clientID string, scopes []string) *OIDCAuth {
+	if len(scopes) == 0 {
+		scopes = []string{"openid", "profile", "email"}
+	}
+
+	homeDir, _ := os.UserHomeDir()
+	cachePath := filepath.Join(homeDir, tokenCacheDir, tokenCacheFile)
+
+	return &OIDCAuth{
+		config: OIDCConfig{
+			IssuerURL: issuerURL,
+			ClientID:  clientID,
+			Scopes:    scopes,
+		},
+		cachePath: cachePath,
+	}
+}
+
+func (a *OIDCAuth) GetToken(ctx context.Context) (string, error) {
+	token, _, err := a.GetTokenWithStatus(ctx)
+	return token, err
+}
+
+// GetTokenWithStatus returns the token and whether it came from cache.
+func (a *OIDCAuth) GetTokenWithStatus(ctx context.Context) (string, bool, error) {
+	// Try to load from cache first
+	if err := a.loadTokenCache(); err == nil {
+		if a.tokenCache != nil && a.tokenCache.Token != "" {
+			// Check if token expires more than 5 minutes from now
+			if time.Now().Before(a.tokenCache.ExpiresAt.Add(-5 * time.Minute)) {
+				// Verify token is not expired by parsing it
+				if a.IsTokenValid(a.tokenCache.Token) {
+					return a.tokenCache.Token, true, nil
+				}
+			}
+		}
+	}
+
+	// Token expired or not found, trigger re-authentication
+	token, err := a.authenticate(ctx)
+	if err != nil {
+		return "", false, err
+	}
+	return token, false, nil
+}
+
+func (a *OIDCAuth) IsTokenValid(token string) bool {
+	parser := jwt.NewParser()
+	claims := jwt.MapClaims{}
+	_, _, err := parser.ParseUnverified(token, claims)
+	if err != nil {
+		return false
+	}
+
+	// Check expiration
+	if exp, ok := claims["exp"].(float64); ok {
+		expTime := time.Unix(int64(exp), 0)
+		if time.Now().After(expTime) {
+			return false
+		}
+	}
+
+	return true
+}
+
+func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
+	// Get OIDC discovery document
+	discoveryURL := strings.TrimSuffix(a.config.IssuerURL, "/") + "/.well-known/openid-configuration"
+	discovery, err := a.getDiscovery(discoveryURL)
+	if err != nil {
+		return "", fmt.Errorf("failed to get OIDC discovery: %w", err)
+	}
+
+	// Generate state and PKCE code verifier
+	state := generateRandomString(32)
+	codeVerifier := generateRandomString(43)
+	codeChallenge := base64URLEncode(sha256Hash(codeVerifier))
+
+	// Find available port for callback
+	listener, err := net.Listen("tcp", ":0")
+	if err != nil {
+		return "", fmt.Errorf("failed to find available port: %w", err)
+	}
+	port := listener.Addr().(*net.TCPAddr).Port
+	listener.Close()
+
+	redirectURI := fmt.Sprintf("http://localhost:%d/callback", port)
+
+	// Build authorization URL
+	authURL, err := url.Parse(discovery.AuthorizationEndpoint)
+	if err != nil {
+		return "", fmt.Errorf("invalid authorization endpoint: %w", err)
+	}
+	q := authURL.Query()
+	q.Set("response_type", "code")
+	q.Set("client_id", a.config.ClientID)
+	q.Set("redirect_uri", redirectURI)
+	q.Set("scope", strings.Join(a.config.Scopes, " "))
+	q.Set("state", state)
+	q.Set("code_challenge", codeChallenge)
+	q.Set("code_challenge_method", "S256")
+	authURL.RawQuery = q.Encode()
+
+	// Create callback server
+	codeChan := make(chan string, 1)
+	stateChan := make(chan string, 1)
+	errChan := make(chan error, 1)
+
+	server := &http.Server{
+		Addr: fmt.Sprintf(":%d", port),
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path != "/callback" {
+				http.NotFound(w, r)
+				return
+			}
+
+			code := r.URL.Query().Get("code")
+			returnedState := r.URL.Query().Get("state")
+			errorParam := r.URL.Query().Get("error")
+
+			if errorParam != "" {
+				errChan <- fmt.Errorf("OIDC error: %s", errorParam)
+				w.WriteHeader(http.StatusBadRequest)
+				fmt.Fprintf(w, "Authentication failed: %s", errorParam)
+				return
+			}
+
+			if code == "" {
+				errChan <- fmt.Errorf("no authorization code received")
+				w.WriteHeader(http.StatusBadRequest)
+				fmt.Fprintf(w, "No authorization code received")
+				return
+			}
+
+			if returnedState != state {
+				errChan <- fmt.Errorf("state mismatch")
+				w.WriteHeader(http.StatusBadRequest)
+				fmt.Fprintf(w, "State mismatch")
+				return
+			}
+
+			codeChan <- code
+			stateChan <- returnedState
+			w.WriteHeader(http.StatusOK)
+			fmt.Fprintf(w, "Authentication successful! You can close this window.")
+		}),
+	}
+
+	go func() {
+		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			errChan <- fmt.Errorf("callback server error: %w", err)
+		}
+	}()
+
+	fmt.Println("Token is expired, triggering re-authentication")
+	fmt.Printf("\nPlease open the URL in browser: %s\n\n", authURL.String())
+	if err := openBrowser(authURL.String()); err != nil {
+		fmt.Printf("Warning: Could not open browser automatically: %v\n", err)
+		fmt.Println("Please open the URL manually")
+	}
+
+	// Wait for callback
+	select {
+	case code := <-codeChan:
+		server.Shutdown(ctx)
+		// Exchange code for token
+		token, err := a.exchangeCodeForToken(ctx, discovery.TokenEndpoint, code, redirectURI, codeVerifier)
+		if err != nil {
+			return "", fmt.Errorf("failed to exchange code for token: %w", err)
+		}
+
+		// Save token to cache
+		if err := a.saveTokenCache(token); err != nil {
+			fmt.Printf("Warning: Failed to save token cache: %v\n", err)
+		}
+
+		return token, nil
+	case err := <-errChan:
+		server.Shutdown(ctx)
+		return "", err
+	case <-ctx.Done():
+		server.Shutdown(ctx)
+		return "", ctx.Err()
+	case <-time.After(5 * time.Minute):
+		server.Shutdown(ctx)
+		return "", fmt.Errorf("authentication timeout")
+	}
+}
+
+func (a *OIDCAuth) exchangeCodeForToken(ctx context.Context, tokenEndpoint, code, redirectURI, codeVerifier string) (string, error) {
+	data := url.Values{}
+	data.Set("grant_type", "authorization_code")
+	data.Set("code", code)
+	data.Set("redirect_uri", redirectURI)
+	data.Set("client_id", a.config.ClientID)
+	data.Set("code_verifier", codeVerifier)
+
+	req, err := http.NewRequestWithContext(ctx, "POST", tokenEndpoint, strings.NewReader(data.Encode()))
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	client := &http.Client{Timeout: 30 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return "", fmt.Errorf("token exchange failed: %s: %s", resp.Status, string(body))
+	}
+
+	var tokenResp struct {
+		IDToken     string `json:"id_token"`
+		AccessToken string `json:"access_token"`
+		ExpiresIn   int    `json:"expires_in"`
+	}
+
+	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+		return "", err
+	}
+
+	// Prefer id_token, fallback to access_token
+	token := tokenResp.IDToken
+	if token == "" {
+		token = tokenResp.AccessToken
+	}
+
+	return token, nil
+}
+
+type DiscoveryDocument struct {
+	AuthorizationEndpoint string `json:"authorization_endpoint"`
+	TokenEndpoint         string `json:"token_endpoint"`
+}
+
+func (a *OIDCAuth) getDiscovery(discoveryURL string) (*DiscoveryDocument, error) {
+	client := &http.Client{Timeout: 10 * time.Second}
+	resp, err := client.Get(discoveryURL)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("discovery request failed: %s", resp.Status)
+	}
+
+	var discovery DiscoveryDocument
+	if err := json.NewDecoder(resp.Body).Decode(&discovery); err != nil {
+		return nil, err
+	}
+
+	return &discovery, nil
+}
+
+func (a *OIDCAuth) loadTokenCache() error {
+	data, err := os.ReadFile(a.cachePath)
+	if err != nil {
+		return err
+	}
+
+	var cache TokenCache
+	if err := json.Unmarshal(data, &cache); err != nil {
+		return err
+	}
+
+	a.tokenCache = &cache
+	return nil
+}
+
+func (a *OIDCAuth) saveTokenCache(token string) error {
+	// Parse token to get expiration
+	parser := jwt.NewParser()
+	claims := jwt.MapClaims{}
+	_, _, err := parser.ParseUnverified(token, claims)
+	if err != nil {
+		return fmt.Errorf("failed to parse token: %w", err)
+	}
+
+	var expiresAt time.Time
+	if exp, ok := claims["exp"].(float64); ok {
+		expiresAt = time.Unix(int64(exp), 0)
+	} else {
+		// Default to 1 hour if no expiration
+		expiresAt = time.Now().Add(1 * time.Hour)
+	}
+
+	cache := TokenCache{
+		Token:     token,
+		ExpiresAt: expiresAt,
+		Issuer:    a.config.IssuerURL,
+	}
+
+	data, err := json.Marshal(cache)
+	if err != nil {
+		return err
+	}
+
+	// Ensure cache directory exists
+	if err := os.MkdirAll(filepath.Dir(a.cachePath), 0700); err != nil {
+		return err
+	}
+
+	return os.WriteFile(a.cachePath, data, 0600)
+}
+
+func generateRandomString(length int) string {
+	b := make([]byte, length)
+	rand.Read(b)
+	return base64.URLEncoding.EncodeToString(b)[:length]
+}
+
+func base64URLEncode(data []byte) string {
+	return strings.TrimRight(base64.URLEncoding.EncodeToString(data), "=")
+}
+
+func sha256Hash(data string) []byte {
+	h := sha256.Sum256([]byte(data))
+	return h[:]
+}
+
+func openBrowser(url string) error {
+	var cmd string
+	var args []string
+
+	switch runtime.GOOS {
+	case "windows":
+		cmd = "cmd"
+		args = []string{"/c", "start"}
+	case "darwin":
+		cmd = "open"
+	default:
+		cmd = "xdg-open"
+	}
+
+	args = append(args, url)
+	return exec.Command(cmd, args...).Start()
+}
diff --git a/cmd/caib/auth/wrapper.go b/cmd/caib/auth/wrapper.go
new file mode 100644
index 00000000..33e701a3
--- /dev/null
+++ b/cmd/caib/auth/wrapper.go
@@ -0,0 +1,71 @@
+package auth
+
+import (
+	"context"
+	"strings"
+
+	buildapiclient "github.com/centos-automotive-suite/automotive-dev-operator/internal/buildapi/client"
+)
+
+// IsAuthError checks if an error is an authentication error (401/403)
+func IsAuthError(err error) bool {
+	if err == nil {
+		return false
+	}
+	errStr := err.Error()
+	return strings.Contains(errStr, "401") ||
+		strings.Contains(errStr, "403") ||
+		strings.Contains(errStr, "unauthorized") ||
+		strings.Contains(errStr, "forbidden")
+}
+
+// GetTokenWithReauth gets a token, triggering OIDC re-auth if needed.
+// Returns empty string if no OIDC config is available (auth is optional).
+// The boolean return indicates whether a fresh auth flow was performed.
+func GetTokenWithReauth(ctx context.Context, serverURL string, currentToken string) (string, bool, error) {
+	// Try to get OIDC config from local config first
+	config, err := GetOIDCConfigFromLocalConfig()
+	if err != nil {
+		// Fallback to Build API
+		config, err = GetOIDCConfigFromAPI(serverURL)
+		if err != nil {
+			// If we can't get config, return empty (auth is optional)
+			return "", false, nil
+		}
+	}
+
+	// If no config available, return empty (auth is optional)
+	if config == nil {
+		return "", false, nil
+	}
+
+	oidcAuth := NewOIDCAuth(config.IssuerURL, config.ClientID, config.Scopes)
+
+	// If we have a current token, check if it's valid
+	if currentToken != "" {
+		if oidcAuth.IsTokenValid(currentToken) {
+			return currentToken, false, nil
+		}
+	}
+
+	// Get new token via OIDC flow
+	token, fromCache, err := oidcAuth.GetTokenWithStatus(ctx)
+	if err != nil {
+		return "", false, err
+	}
+	return token, !fromCache, nil
+}
+
+// CreateClientWithReauth creates a client and handles re-authentication on auth errors
+func CreateClientWithReauth(ctx context.Context, serverURL string, authToken *string) (*buildapiclient.Client, error) {
+	// Try to get token from OIDC if needed
+	if strings.TrimSpace(*authToken) == "" {
+		// Try OIDC auth
+		token, _, err := GetTokenWithReauth(ctx, serverURL, "")
+		if err == nil && token != "" {
+			*authToken = token
+		}
+	}
+
+	return buildapiclient.New(serverURL, buildapiclient.WithAuthToken(strings.TrimSpace(*authToken)))
+}
diff --git a/cmd/caib/main.go b/cmd/caib/main.go
index b405d3ef..90e64f7b 100644
--- a/cmd/caib/main.go
+++ b/cmd/caib/main.go
@@ -25,6 +25,7 @@ import (
 	"github.com/containers/image/v5/types"
 	"gopkg.in/yaml.v3"
 
+	"github.com/centos-automotive-suite/automotive-dev-operator/cmd/caib/auth"
 	"github.com/centos-automotive-suite/automotive-dev-operator/cmd/caib/catalog"
 	buildapitypes "github.com/centos-automotive-suite/automotive-dev-operator/internal/buildapi"
 	buildapiclient "github.com/centos-automotive-suite/automotive-dev-operator/internal/buildapi/client"
@@ -88,10 +89,34 @@ var (
 )
 
 // createBuildAPIClient creates a build API client with authentication token from flags or kubeconfig
+// It will attempt OIDC re-authentication if token is missing or expired
 func createBuildAPIClient(serverURL string, authToken *string) (*buildapiclient.Client, error) {
-	if strings.TrimSpace(*authToken) == "" {
-		if tok, err := loadTokenFromKubeconfig(); err == nil && strings.TrimSpace(tok) != "" {
-			*authToken = tok
+	ctx := context.Background()
+
+	explicitToken := strings.TrimSpace(*authToken) != "" || os.Getenv("CAIB_TOKEN") != ""
+
+	// If no explicit token, try OIDC if config is available
+	if !explicitToken {
+		if token, didAuth, err := auth.GetTokenWithReauth(ctx, serverURL, ""); err == nil && token != "" {
+			*authToken = token
+			if didAuth {
+				fmt.Println("OIDC authentication successful")
+			}
+		} else if err != nil {
+			if tok, err := loadTokenFromKubeconfig(); err == nil && strings.TrimSpace(tok) != "" {
+				*authToken = tok
+			}
+		} else {
+			if tok, err := loadTokenFromKubeconfig(); err == nil && strings.TrimSpace(tok) != "" {
+				*authToken = tok
+			}
+		}
+	} else {
+		// Token was explicitly provided, use it (but still try kubeconfig if empty)
+		if strings.TrimSpace(*authToken) == "" {
+			if tok, err := loadTokenFromKubeconfig(); err == nil && strings.TrimSpace(tok) != "" {
+				*authToken = tok
+			}
 		}
 	}
 
@@ -99,9 +124,59 @@ func createBuildAPIClient(serverURL string, authToken *string) (*buildapiclient.
 	if strings.TrimSpace(*authToken) != "" {
 		opts = append(opts, buildapiclient.WithAuthToken(strings.TrimSpace(*authToken)))
 	}
+
+	// Configure TLS
+	// Check for custom CA certificate
+	if caCertFile := os.Getenv("SSL_CERT_FILE"); caCertFile != "" {
+		opts = append(opts, buildapiclient.WithCACertificate(caCertFile))
+	} else if caCertFile := os.Getenv("REQUESTS_CA_BUNDLE"); caCertFile != "" {
+		opts = append(opts, buildapiclient.WithCACertificate(caCertFile))
+	} else {
+		if strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1" {
+			opts = append(opts, buildapiclient.WithInsecureTLS())
+		}
+	}
+
 	return buildapiclient.New(serverURL, opts...)
 }
 
+// executeWithReauth executes an API call and automatically retries with re-authentication on auth errors
+func executeWithReauth(serverURL string, authToken *string, fn func(*buildapiclient.Client) error) error {
+	ctx := context.Background()
+
+	client, err := createBuildAPIClient(serverURL, authToken)
+	if err != nil {
+		return err
+	}
+
+	err = fn(client)
+	if err == nil {
+		return nil
+	}
+
+	if !auth.IsAuthError(err) {
+		return err
+	}
+
+	// Auth error - try to re-authenticate
+	fmt.Println("Token is expired, triggering re-authentication")
+
+	newToken, _, err := auth.GetTokenWithReauth(ctx, serverURL, *authToken)
+	if err != nil {
+		return fmt.Errorf("re-authentication failed: %w", err)
+	}
+
+	// Update token and retry
+	*authToken = newToken
+	client, err = createBuildAPIClient(serverURL, authToken)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("Re-authentication successful, retrying...")
+	return fn(client)
+}
+
 // extractRegistryCredentials extracts registry URL and returns registry URL and credentials from env vars
 func extractRegistryCredentials(primaryRef, secondaryRef string) (string, string, string) {
 	// Get credentials from environment variables only
@@ -168,7 +243,6 @@ func downloadOCIArtifactIfRequested(output, exportOCI, registryUsername, registr
 		handleError(fmt.Errorf("failed to download OCI artifact: %w", err))
 	}
 }
-
 func main() {
 	rootCmd := &cobra.Command{
 		Use:     "caib",
@@ -1444,12 +1518,13 @@ func runList(_ *cobra.Command, _ []string) {
 		fmt.Println("Error: --server is required (or set CAIB_SERVER)")
 		os.Exit(1)
 	}
-	api, err := createBuildAPIClient(serverURL, &authToken)
-	if err != nil {
-		fmt.Printf("Error: %v\n", err)
-		os.Exit(1)
-	}
-	items, err := api.ListBuilds(ctx)
+
+	var items []buildapitypes.BuildListItem
+	err := executeWithReauth(serverURL, &authToken, func(api *buildapiclient.Client) error {
+		var err error
+		items, err = api.ListBuilds(ctx)
+		return err
+	})
 	if err != nil {
 		fmt.Printf("Error listing ImageBuilds: %v\n", err)
 		os.Exit(1)
diff --git a/go.mod b/go.mod
index 19abb3b3..e4c094e0 100644
--- a/go.mod
+++ b/go.mod
@@ -7,9 +7,11 @@ toolchain go1.24.4
 require (
 	github.com/containers/image/v5 v5.36.2
 	github.com/gin-gonic/gin v1.10.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/onsi/ginkgo/v2 v2.23.4
 	github.com/onsi/gomega v1.36.3
 	k8s.io/apimachinery v0.33.3
+	k8s.io/apiserver v0.33.3
 	k8s.io/client-go v0.33.3
 	sigs.k8s.io/controller-runtime v0.19.1
 )
@@ -32,6 +34,7 @@ require (
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 	github.com/containers/ocicrypt v1.2.1 // indirect
 	github.com/containers/storage v1.59.1 // indirect
+	github.com/coreos/go-oidc v2.3.0+incompatible // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
@@ -68,6 +71,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opencontainers/runtime-spec v1.2.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pquerna/cachecontrol v0.1.0 // indirect
 	github.com/proglottis/gpgme v0.1.4 // indirect
 	github.com/prometheus/statsd_exporter v0.28.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
@@ -91,7 +95,7 @@ require (
 	golang.org/x/arch v0.21.0 // indirect
 	golang.org/x/crypto v0.42.0 // indirect
 	google.golang.org/api v0.243.0 // indirect
-	k8s.io/apiserver v0.33.3 // indirect
+	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	knative.dev/pkg v0.0.0-20250716115900-19d3cc2da0b9 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
@@ -177,5 +181,5 @@ require (
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.32.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
-	sigs.k8s.io/yaml v1.6.0 // indirect
+	sigs.k8s.io/yaml v1.6.0
 )
diff --git a/go.sum b/go.sum
index 2f74630b..895d4fbe 100644
--- a/go.sum
+++ b/go.sum
@@ -102,6 +102,8 @@ github.com/containers/ocicrypt v1.2.1 h1:0qIOTT9DoYwcKmxSt8QJt+VzMY18onl9jUXsxpV
 github.com/containers/ocicrypt v1.2.1/go.mod h1:aD0AAqfMp0MtwqWgHM1bUwe1anx0VazI108CRrSKINQ=
 github.com/containers/storage v1.59.1 h1:11Zu68MXsEQGBBd+GadPrHPpWeqjKS8hJDGiAHgIqDs=
 github.com/containers/storage v1.59.1/go.mod h1:KoAYHnAjP3/cTsRS+mmWZGkufSY2GACiKQ4V3ZLQnR0=
+github.com/coreos/go-oidc v2.3.0+incompatible h1:+5vEsrgprdLjjQ9FzIKAzQz1wwPD+83hQRfUIPh7rO0=
+github.com/coreos/go-oidc v2.3.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 h1:uX1JmpONuD549D73r6cgnxyUu18Zb7yHAy5AYU0Pm4Q=
 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
@@ -193,6 +195,8 @@ github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PU
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -375,6 +379,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/cachecontrol v0.1.0 h1:yJMy84ti9h/+OEWa752kBTKv4XC30OtVVHYv/8cTqKc=
+github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/proglottis/gpgme v0.1.4 h1:3nE7YNA70o2aLjcg63tXMOhPD7bplfE5CBdV+hLAm2M=
@@ -890,6 +896,8 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
+gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/internal/buildapi/auth_config.go b/internal/buildapi/auth_config.go
new file mode 100644
index 00000000..6001a7d7
--- /dev/null
+++ b/internal/buildapi/auth_config.go
@@ -0,0 +1,173 @@
+package buildapi
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	apiserverv1beta1 "k8s.io/apiserver/pkg/apis/apiserver/v1beta1"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
+	"k8s.io/apiserver/pkg/server/dynamiccertificates"
+	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
+	"sigs.k8s.io/yaml"
+
+	apiserver "k8s.io/apiserver/pkg/apis/apiserver"
+)
+
+type AuthenticationConfiguration struct {
+	ClientID string                              `json:"clientId"`
+	Internal InternalAuthConfig                  `json:"internal"`
+	JWT      []apiserverv1beta1.JWTAuthenticator `json:"jwt"`
+}
+
+type InternalAuthConfig struct {
+	Prefix string `json:"prefix"`
+}
+
+func loadAuthenticationConfigurationFromFile(ctx context.Context, path string) (*AuthenticationConfiguration, authenticator.Token, string, error) {
+	if path == "" {
+		return nil, nil, "", nil
+	}
+	if info, err := os.Stat(path); err == nil && info.IsDir() {
+		return nil, nil, "", fmt.Errorf("path is a directory, not a file: %s", path)
+	}
+	content, err := os.ReadFile(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil, "", fmt.Errorf("file not found: %s", path)
+		}
+		return nil, nil, "", fmt.Errorf("failed to read file %s: %w", path, err)
+	}
+
+	var config AuthenticationConfiguration
+
+	var wrapped struct {
+		Authentication AuthenticationConfiguration `yaml:"authentication" json:"authentication"`
+	}
+	wrappedErr := yaml.Unmarshal(content, &wrapped)
+	if wrappedErr == nil {
+		if len(wrapped.Authentication.JWT) > 0 {
+			config = wrapped.Authentication
+		} else if wrapped.Authentication.Internal.Prefix != "" {
+			config = wrapped.Authentication
+		} else {
+			if err := yaml.Unmarshal(content, &config); err != nil {
+				return nil, nil, "", fmt.Errorf("failed to parse auth config: wrapped parse succeeded but JWT empty (jwt_count=0, internal_prefix=%q), direct parse failed: %w. This suggests YAML structure mismatch with Kubernetes JWTAuthenticator format", wrapped.Authentication.Internal.Prefix, err)
+			}
+		}
+	} else {
+		if err := yaml.Unmarshal(content, &config); err != nil {
+			return nil, nil, "", fmt.Errorf("failed to parse auth config (tried wrapped and direct): wrapped_err=%v, direct_err=%w", wrappedErr, err)
+		}
+	}
+
+	if len(config.JWT) == 0 {
+		var raw struct {
+			Authentication struct {
+				ClientID string `yaml:"clientId"`
+				Internal struct {
+					Prefix string `yaml:"prefix"`
+				} `yaml:"internal"`
+				JWT []struct {
+					Issuer struct {
+						URL                  string   `yaml:"url"`
+						Audiences            []string `yaml:"audiences"`
+						CertificateAuthority string   `yaml:"certificateAuthority"`
+					} `yaml:"issuer"`
+					ClaimMappings struct {
+						Username struct {
+							Claim  string `yaml:"claim"`
+							Prefix string `yaml:"prefix"`
+						} `yaml:"username"`
+					} `yaml:"claimMappings"`
+				} `yaml:"jwt"`
+			} `yaml:"authentication"`
+		}
+		if err := yaml.Unmarshal(content, &raw); err == nil && len(raw.Authentication.JWT) > 0 {
+			if config.ClientID == "" {
+				config.ClientID = raw.Authentication.ClientID
+			}
+			if config.Internal.Prefix == "" {
+				config.Internal.Prefix = raw.Authentication.Internal.Prefix
+			}
+			for _, entry := range raw.Authentication.JWT {
+				prefix := entry.ClaimMappings.Username.Prefix
+				jwt := apiserverv1beta1.JWTAuthenticator{
+					Issuer: apiserverv1beta1.Issuer{
+						URL:                  entry.Issuer.URL,
+						Audiences:            entry.Issuer.Audiences,
+						CertificateAuthority: entry.Issuer.CertificateAuthority,
+					},
+					ClaimMappings: apiserverv1beta1.ClaimMappings{
+						Username: apiserverv1beta1.PrefixedClaimOrExpression{
+							Claim:  entry.ClaimMappings.Username.Claim,
+							Prefix: &prefix,
+						},
+					},
+				}
+				config.JWT = append(config.JWT, jwt)
+			}
+		}
+	}
+
+	if config.Internal.Prefix == "" {
+		config.Internal.Prefix = "internal:"
+	}
+
+	authn, err := newJWTAuthenticator(ctx, config)
+	if err != nil {
+		return nil, nil, "", err
+	}
+	return &config, authn, config.Internal.Prefix, nil
+}
+
+func newJWTAuthenticator(ctx context.Context, config AuthenticationConfiguration) (authenticator.Token, error) {
+	if len(config.JWT) == 0 {
+		return nil, nil
+	}
+
+	scheme := runtime.NewScheme()
+	_ = apiserver.AddToScheme(scheme)
+	_ = apiserverv1beta1.AddToScheme(scheme)
+
+	var jwtAuthenticators []authenticator.Token
+	for _, jwtAuthenticator := range config.JWT {
+		var oidcCAContent oidc.CAContentProvider
+		if jwtAuthenticator.Issuer.CertificateAuthority != "" {
+			var oidcCAError error
+			if _, err := os.Stat(jwtAuthenticator.Issuer.CertificateAuthority); err == nil {
+				oidcCAContent, oidcCAError = dynamiccertificates.NewDynamicCAContentFromFile(
+					"oidc-authenticator",
+					jwtAuthenticator.Issuer.CertificateAuthority,
+				)
+				jwtAuthenticator.Issuer.CertificateAuthority = ""
+			} else {
+				oidcCAContent, oidcCAError = dynamiccertificates.NewStaticCAContent(
+					"oidc-authenticator",
+					[]byte(jwtAuthenticator.Issuer.CertificateAuthority),
+				)
+			}
+			if oidcCAError != nil {
+				return nil, oidcCAError
+			}
+		}
+
+		var jwtAuthenticatorUnversioned apiserver.JWTAuthenticator
+		if err := scheme.Convert(&jwtAuthenticator, &jwtAuthenticatorUnversioned, nil); err != nil {
+			return nil, err
+		}
+
+		oidcAuth, err := oidc.New(ctx, oidc.Options{
+			JWTAuthenticator:     jwtAuthenticatorUnversioned,
+			CAContentProvider:    oidcCAContent,
+			SupportedSigningAlgs: oidc.AllValidSigningAlgorithms(),
+		})
+		if err != nil {
+			return nil, err
+		}
+		jwtAuthenticators = append(jwtAuthenticators, oidcAuth)
+	}
+	return tokenunion.NewFailOnError(jwtAuthenticators...), nil
+}
diff --git a/internal/buildapi/client/client.go b/internal/buildapi/client/client.go
index 8ddbd175..0528c4d2 100644
--- a/internal/buildapi/client/client.go
+++ b/internal/buildapi/client/client.go
@@ -4,6 +4,8 @@ package client
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -52,6 +54,50 @@ func WithHTTPClient(h *http.Client) Option { return func(c *Client) { c.httpClie
 // WithAuthToken sets an authentication token for API requests.
 func WithAuthToken(t string) Option { return func(c *Client) { c.authToken = t } }
 
+// WithInsecureTLS skips TLS certificate verification (use only for testing)
+func WithInsecureTLS() Option {
+	return func(c *Client) {
+		if c.httpClient.Transport == nil {
+			c.httpClient.Transport = &http.Transport{
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			}
+		} else if transport, ok := c.httpClient.Transport.(*http.Transport); ok {
+			if transport.TLSClientConfig == nil {
+				transport.TLSClientConfig = &tls.Config{}
+			}
+			transport.TLSClientConfig.InsecureSkipVerify = true
+		}
+	}
+}
+
+// WithCACertificate configures TLS to use a custom CA certificate
+func WithCACertificate(caCertPath string) Option {
+	return func(c *Client) {
+		caCert, err := os.ReadFile(caCertPath)
+		if err != nil {
+			// If file doesn't exist, skip (will use system CAs)
+			return
+		}
+		caCertPool := x509.NewCertPool()
+		if !caCertPool.AppendCertsFromPEM(caCert) {
+			// If parsing fails, skip (will use system CAs)
+			return
+		}
+		if c.httpClient.Transport == nil {
+			c.httpClient.Transport = &http.Transport{
+				TLSClientConfig: &tls.Config{
+					RootCAs: caCertPool,
+				},
+			}
+		} else if transport, ok := c.httpClient.Transport.(*http.Transport); ok {
+			if transport.TLSClientConfig == nil {
+				transport.TLSClientConfig = &tls.Config{}
+			}
+			transport.TLSClientConfig.RootCAs = caCertPool
+		}
+	}
+}
+
 // CreateBuild submits a new build request to the API server.
 //
 //nolint:dupl // Build and Flash methods are intentionally similar but work with different types
diff --git a/internal/buildapi/client_tokens.go b/internal/buildapi/client_tokens.go
new file mode 100644
index 00000000..c444287c
--- /dev/null
+++ b/internal/buildapi/client_tokens.go
@@ -0,0 +1,117 @@
+package buildapi
+
+import (
+	"crypto/sha1"
+	"encoding/hex"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/golang-jwt/jwt/v5"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+const (
+	clientTokenPrefix = "ado-build-api-client-"
+	clientTokenExpiry = 30 * 24 * time.Hour
+)
+
+func (a *APIServer) authenticateExternalJWT(c *gin.Context, token string) (string, bool) {
+	resp, ok, err := a.externalJWT.AuthenticateToken(c.Request.Context(), token)
+	if err != nil || !ok || resp == nil || resp.User == nil {
+		return "", false
+	}
+	username := strings.TrimSpace(resp.User.GetName())
+	if username == "" {
+		return "", false
+	}
+	// Note: OIDC token storage is handled in server.go after this returns
+	return username, true
+}
+
+func (a *APIServer) ensureClientTokenSecret(c *gin.Context, username string, oidcToken string) error {
+	k8sClient, err := getClientFromRequest(c)
+	if err != nil {
+		return err
+	}
+	secretName := clientTokenPrefix + hashName(username)
+	key := types.NamespacedName{Name: secretName, Namespace: resolveNamespace()}
+
+	// Generate internal JWT token
+	internalToken, expiresAt, err := a.signClientToken(username)
+	if err != nil {
+		return err
+	}
+
+	existing := &corev1.Secret{}
+	if err := k8sClient.Get(c.Request.Context(), key, existing); err == nil {
+		// Secret exists, update it with new OIDC token and internal token
+		existing.StringData = map[string]string{
+			"token":      internalToken,
+			"oidc-token": oidcToken, // Store the OIDC token
+			"username":   username,
+			"issuer":     a.internalJWT.issuer,
+			"audience":   a.internalJWT.audience,
+			"expires-at": expiresAt.Format(time.RFC3339),
+		}
+		return k8sClient.Update(c.Request.Context(), existing)
+	} else if !errors.IsNotFound(err) {
+		return err
+	}
+
+	// Create new secret
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secretName,
+			Namespace: resolveNamespace(),
+			Labels: map[string]string{
+				"app.kubernetes.io/name":                        "automotive-dev-operator",
+				"app.kubernetes.io/component":                   "build-api",
+				"automotive.sdv.cloud.redhat.com/resource-type": "client-token",
+			},
+			Annotations: map[string]string{
+				"automotive.sdv.cloud.redhat.com/username": username,
+			},
+		},
+		Type: corev1.SecretTypeOpaque,
+		StringData: map[string]string{
+			"token":      internalToken,
+			"oidc-token": oidcToken, // Store the OIDC token from SSO login
+			"username":   username,
+			"issuer":     a.internalJWT.issuer,
+			"audience":   a.internalJWT.audience,
+			"expires-at": expiresAt.Format(time.RFC3339),
+		},
+	}
+	return k8sClient.Create(c.Request.Context(), secret)
+}
+
+func (a *APIServer) signClientToken(username string) (string, time.Time, error) {
+	expiresAt := time.Now().Add(clientTokenExpiry)
+	audience := a.internalJWT.audience
+	if audience == "" {
+		audience = "ado-build-api"
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.RegisteredClaims{
+		Issuer:    a.internalJWT.issuer,
+		Subject:   username,
+		Audience:  jwt.ClaimStrings{audience},
+		IssuedAt:  jwt.NewNumericDate(time.Now().Add(-1 * time.Minute)),
+		NotBefore: jwt.NewNumericDate(time.Now().Add(-1 * time.Minute)),
+		ExpiresAt: jwt.NewNumericDate(expiresAt),
+	})
+	signed, err := token.SignedString(a.internalJWT.key)
+	if err != nil {
+		return "", time.Time{}, fmt.Errorf("failed to sign client token: %w", err)
+	}
+	return signed, expiresAt, nil
+}
+
+func hashName(value string) string {
+	sum := sha1.Sum([]byte(value))
+	return hex.EncodeToString(sum[:])[:12]
+}
diff --git a/internal/buildapi/internal_jwt.go b/internal/buildapi/internal_jwt.go
new file mode 100644
index 00000000..f47ef36b
--- /dev/null
+++ b/internal/buildapi/internal_jwt.go
@@ -0,0 +1,73 @@
+package buildapi
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type internalJWTConfig struct {
+	issuer   string
+	audience string
+	key      []byte
+}
+
+func loadInternalJWTConfig() (*internalJWTConfig, error) {
+	issuer := strings.TrimSpace(os.Getenv("INTERNAL_JWT_ISSUER"))
+	audience := strings.TrimSpace(os.Getenv("INTERNAL_JWT_AUDIENCE"))
+	key := strings.TrimSpace(os.Getenv("INTERNAL_JWT_KEY"))
+
+	if issuer == "" && audience == "" && key == "" {
+		return nil, nil
+	}
+	if issuer == "" || audience == "" || key == "" {
+		return nil, fmt.Errorf("INTERNAL_JWT_ISSUER, INTERNAL_JWT_AUDIENCE, and INTERNAL_JWT_KEY must all be set")
+	}
+
+	return &internalJWTConfig{
+		issuer:   issuer,
+		audience: audience,
+		key:      []byte(key),
+	}, nil
+}
+
+func validateInternalJWT(tokenString string, cfg *internalJWTConfig) (string, bool) {
+	claims := &jwt.RegisteredClaims{}
+	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (any, error) {
+		if token.Method != jwt.SigningMethodHS256 {
+			return nil, fmt.Errorf("unexpected signing method: %s", token.Header["alg"])
+		}
+		return cfg.key, nil
+	})
+	if err != nil || !token.Valid {
+		return "", false
+	}
+
+	if claims.Issuer != cfg.issuer {
+		return "", false
+	}
+	if cfg.audience != "" && !audienceContains(claims.Audience, cfg.audience) {
+		return "", false
+	}
+	now := time.Now()
+	if claims.ExpiresAt == nil || now.After(claims.ExpiresAt.Time) {
+		return "", false
+	}
+	if claims.NotBefore != nil && now.Before(claims.NotBefore.Time) {
+		return "", false
+	}
+
+	return claims.Subject, true
+}
+
+func audienceContains(audiences jwt.ClaimStrings, audience string) bool {
+	for _, entry := range audiences {
+		if entry == audience {
+			return true
+		}
+	}
+	return false
+}
diff --git a/internal/buildapi/server.go b/internal/buildapi/server.go
index e6a1230f..986d2f1b 100644
--- a/internal/buildapi/server.go
+++ b/internal/buildapi/server.go
@@ -25,12 +25,14 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/client-go/kubernetes"
 	kscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/remotecommand"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"
 
 	automotivev1alpha1 "github.com/centos-automotive-suite/automotive-dev-operator/api/v1alpha1"
 	"github.com/centos-automotive-suite/automotive-dev-operator/internal/buildapi/catalog"
@@ -80,11 +82,16 @@ func DefaultAPILimits() APILimits {
 
 // APIServer provides the REST API for build operations.
 type APIServer struct {
-	server *http.Server
-	router *gin.Engine
-	addr   string
-	log    logr.Logger
-	limits APILimits
+	server         *http.Server
+	router         *gin.Engine
+	addr           string
+	log            logr.Logger
+	limits         APILimits
+	internalJWT    *internalJWTConfig
+	externalJWT    authenticator.Token
+	internalPrefix string
+	authConfig     *AuthenticationConfiguration // Store raw config for API exposure
+	oidcClientID   string
 }
 
 //go:embed openapi.yaml
@@ -104,6 +111,57 @@ func NewAPIServerWithLimits(addr string, logger logr.Logger, limits APILimits) *
 	}
 
 	a := &APIServer{addr: addr, log: logger, limits: limits}
+	if clientID := strings.TrimSpace(os.Getenv("BUILD_API_OIDC_CLIENT_ID")); clientID != "" {
+		a.oidcClientID = clientID
+	}
+	if cfg, err := loadInternalJWTConfig(); err != nil {
+		logger.Error(err, "internal JWT configuration is invalid; internal JWT auth disabled")
+	} else if cfg != nil {
+		a.internalJWT = cfg
+		logger.Info("internal JWT auth enabled", "issuer", cfg.issuer, "audience", cfg.audience)
+	}
+	// Try to load from config file (supports both 'config' and 'authentication.yaml' keys)
+	authConfigPath := os.Getenv("AUTH_CONFIG_PATH")
+	if authConfigPath == "" {
+		authConfigPath = "/etc/build-api/config"
+	}
+	logger.Info("loading authentication config", "path", authConfigPath)
+	// Try 'config' first (Jumpstarter style), then fallback to 'authentication.yaml'
+	cfg, authn, prefix, err := loadAuthenticationConfigurationFromFile(context.Background(), authConfigPath)
+	if err != nil {
+		logger.Info("primary config path failed, trying fallback", "primary_path", authConfigPath, "error", err)
+		// Try fallback path if primary path fails (but only if it's not a directory)
+		fallbackPath := "/etc/build-api/authentication.yaml"
+		if info, statErr := os.Stat(fallbackPath); statErr == nil && !info.IsDir() {
+			if fallbackCfg, fallbackAuthn, fallbackPrefix, fallbackErr := loadAuthenticationConfigurationFromFile(context.Background(), fallbackPath); fallbackErr == nil {
+				cfg = fallbackCfg
+				authn = fallbackAuthn
+				prefix = fallbackPrefix
+				logger.Info("loaded authentication config from fallback path", "path", fallbackPath)
+			} else {
+				logger.Error(err, "failed to load authentication config; external OIDC auth disabled", "primary_path", authConfigPath, "fallback_path", fallbackPath, "fallback_err", fallbackErr)
+			}
+		} else {
+			logger.Error(err, "failed to load authentication config; external OIDC auth disabled", "primary_path", authConfigPath, "fallback_is_dir", statErr == nil && info.IsDir())
+		}
+	} else if cfg == nil {
+		logger.Info("authentication config file not found or empty", "path", authConfigPath)
+	} else {
+		logger.Info("loaded authentication config", "path", authConfigPath, "jwt_count", len(cfg.JWT))
+	}
+	if cfg != nil {
+		a.authConfig = cfg
+		a.externalJWT = authn
+		a.internalPrefix = prefix
+		if cfg.ClientID != "" {
+			a.oidcClientID = cfg.ClientID
+		}
+		if len(cfg.JWT) > 0 {
+			logger.Info("external OIDC auth enabled", "issuers", len(cfg.JWT))
+		} else {
+			logger.Info("authentication config loaded but no JWT issuers configured")
+		}
+	}
 	a.router = a.createRouter()
 	a.server = &http.Server{Addr: addr, Handler: a.router}
 	return a
@@ -220,6 +278,9 @@ func (a *APIServer) createRouter() *gin.Engine {
 			c.Data(http.StatusOK, "application/yaml", embeddedOpenAPI)
 		})
 
+		// Auth config endpoint (no auth required - needed for OIDC discovery)
+		v1.GET("/auth/config", a.handleGetAuthConfig)
+
 		buildsGroup := v1.Group("/builds")
 		buildsGroup.Use(a.authMiddleware())
 		{
@@ -296,11 +357,16 @@ func (a *APIServer) getCatalogClient() (client.Client, error) {
 // authMiddleware provides authentication middleware for Gin
 func (a *APIServer) authMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		if !a.isAuthenticated(c) {
+		username, authType, ok := a.authenticateRequest(c)
+		if !ok {
 			c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
 			c.Abort()
 			return
 		}
+		if username != "" {
+			c.Set("requester", username)
+			c.Set("authType", authType)
+		}
 		c.Next()
 	}
 }
@@ -984,7 +1050,7 @@ func (a *APIServer) createBuild(c *gin.Context) {
 
 	ctx := c.Request.Context()
 	namespace := resolveNamespace()
-	requestedBy := resolveRequester(c)
+	requestedBy := a.resolveRequester(c)
 
 	existing := &automotivev1alpha1.ImageBuild{}
 	if err := k8sClient.Get(ctx, types.NamespacedName{Name: req.Name, Namespace: namespace}, existing); err == nil {
@@ -1639,25 +1705,50 @@ func getClientFromRequest(c *gin.Context) (client.Client, error) {
 	return k8sClient, nil
 }
 
-func (a *APIServer) isAuthenticated(c *gin.Context) bool {
+func (a *APIServer) authenticateRequest(c *gin.Context) (string, string, bool) {
 	token := extractBearerToken(c)
 	if token == "" {
-		return false
+		return "", "", false
+	}
+
+	if a.internalJWT != nil {
+		if subject, ok := validateInternalJWT(token, a.internalJWT); ok {
+			username := subject
+			if a.internalPrefix != "" {
+				username = a.internalPrefix + username
+			}
+			return username, "internal", true
+		}
+	}
+
+	if a.externalJWT != nil {
+		if username, ok := a.authenticateExternalJWT(c, token); ok {
+			// Store OIDC token in secret after successful authentication
+			if a.internalJWT != nil {
+				if err := a.ensureClientTokenSecret(c, username, token); err != nil {
+					a.log.Error(err, "failed to ensure client token secret", "username", username)
+				}
+			}
+			return username, "external", true
+		}
 	}
 
 	cfg, err := getRESTConfigFromRequest(c)
 	if err != nil {
-		return false
+		return "", "", false
 	}
 
 	clientset, err := kubernetes.NewForConfig(cfg)
 	if err != nil {
-		return false
+		return "", "", false
 	}
 
 	tr := &authnv1.TokenReview{Spec: authnv1.TokenReviewSpec{Token: token}}
 	res, err := clientset.AuthenticationV1().TokenReviews().Create(c.Request.Context(), tr, metav1.CreateOptions{})
-	return err == nil && res.Status.Authenticated
+	if err == nil && res.Status.Authenticated {
+		return res.Status.User.Username, "k8s", true
+	}
+	return "", "", false
 }
 
 // extractBearerToken extracts the bearer token from the request
@@ -1670,29 +1761,195 @@ func extractBearerToken(c *gin.Context) string {
 	return strings.TrimSpace(token)
 }
 
-func resolveRequester(c *gin.Context) string {
-	token := extractBearerToken(c)
-	if token == "" {
-		return statusUnknown
+// findReadyArtifactPod finds a running and ready artifact pod for the given ImageBuild
+func findReadyArtifactPod(ctx context.Context, k8sClient client.Client, namespace, buildName string, deadline time.Time) (*corev1.Pod, error) {
+	for {
+		podList := &corev1.PodList{}
+		if err := k8sClient.List(ctx, podList,
+			client.InNamespace(namespace),
+			client.MatchingLabels{
+				"app.kubernetes.io/name":                          "artifact-pod",
+				"automotive.sdv.cloud.redhat.com/imagebuild-name": buildName,
+			}); err != nil {
+			return nil, fmt.Errorf("error listing artifact pods: %w", err)
+		}
+
+		for i := range podList.Items {
+			p := &podList.Items[i]
+			if p.Status.Phase == corev1.PodRunning {
+				for _, cs := range p.Status.ContainerStatuses {
+					if cs.Name == "fileserver" && cs.Ready {
+						return p, nil
+					}
+				}
+			}
+		}
+
+		if time.Now().After(deadline) {
+			return nil, fmt.Errorf("artifact pod not ready")
+		}
+		time.Sleep(2 * time.Second)
 	}
+}
 
-	cfg, err := getRESTConfigFromRequest(c)
-	if err != nil {
-		return statusUnknown
+func (a *APIServer) resolveRequester(c *gin.Context) string {
+	if v, ok := c.Get("requester"); ok {
+		if username, ok := v.(string); ok && username != "" {
+			return username
+		}
 	}
+	return "unknown"
+}
 
-	clientset, err := kubernetes.NewForConfig(cfg)
-	if err != nil {
-		return statusUnknown
+// handleGetAuthConfig returns OIDC configuration for clients (no auth required)
+func (a *APIServer) handleGetAuthConfig(c *gin.Context) {
+	type OIDCConfigResponse struct {
+		ClientID string `json:"clientId,omitempty"`
+		JWT      []struct {
+			Issuer struct {
+				URL       string   `json:"url"`
+				Audiences []string `json:"audiences,omitempty"`
+			} `json:"issuer"`
+			ClaimMappings struct {
+				Username struct {
+					Claim  string `json:"claim"`
+					Prefix string `json:"prefix,omitempty"`
+				} `json:"username"`
+			} `json:"claimMappings"`
+		} `json:"jwt"`
+	}
+
+	response := OIDCConfigResponse{
+		ClientID: a.oidcClientID,
+	}
+
+	// Validate clientId matches at least one audience if both are set
+	if a.oidcClientID != "" && a.authConfig != nil {
+		clientIDInAudience := false
+		for _, jwtConfig := range a.authConfig.JWT {
+			for _, audience := range jwtConfig.Issuer.Audiences {
+				if audience == a.oidcClientID {
+					clientIDInAudience = true
+					break
+				}
+			}
+		}
+		if !clientIDInAudience && len(a.authConfig.JWT) > 0 {
+			a.log.Info("OIDC clientId does not match any JWT audience", "clientId", a.oidcClientID)
+		}
 	}
 
-	tr := &authnv1.TokenReview{Spec: authnv1.TokenReviewSpec{Token: token}}
-	res, err := clientset.AuthenticationV1().TokenReviews().Create(c.Request.Context(), tr, metav1.CreateOptions{})
-	if err != nil || !res.Status.Authenticated || res.Status.User.Username == "" {
-		return statusUnknown
+	// Try to get from parsed config first
+	if a.authConfig != nil && len(a.authConfig.JWT) > 0 {
+		for _, jwtConfig := range a.authConfig.JWT {
+			prefix := ""
+			if jwtConfig.ClaimMappings.Username.Prefix != nil {
+				prefix = *jwtConfig.ClaimMappings.Username.Prefix
+			}
+			response.JWT = append(response.JWT, struct {
+				Issuer struct {
+					URL       string   `json:"url"`
+					Audiences []string `json:"audiences,omitempty"`
+				} `json:"issuer"`
+				ClaimMappings struct {
+					Username struct {
+						Claim  string `json:"claim"`
+						Prefix string `json:"prefix,omitempty"`
+					} `json:"username"`
+				} `json:"claimMappings"`
+			}{
+				Issuer: struct {
+					URL       string   `json:"url"`
+					Audiences []string `json:"audiences,omitempty"`
+				}{
+					URL:       jwtConfig.Issuer.URL,
+					Audiences: jwtConfig.Issuer.Audiences,
+				},
+				ClaimMappings: struct {
+					Username struct {
+						Claim  string `json:"claim"`
+						Prefix string `json:"prefix,omitempty"`
+					} `json:"username"`
+				}{
+					Username: struct {
+						Claim  string `json:"claim"`
+						Prefix string `json:"prefix,omitempty"`
+					}{
+						Claim:  jwtConfig.ClaimMappings.Username.Claim,
+						Prefix: prefix,
+					},
+				},
+			})
+		}
+	} else {
+		// Fallback: Try to read and parse ConfigMap directly if parsed config is empty
+		// This handles the case where YAML structure doesn't match Kubernetes types exactly
+		configPath := os.Getenv("AUTH_CONFIG_PATH")
+		if configPath == "" {
+			configPath = "/etc/build-api/config"
+		}
+		if content, err := os.ReadFile(configPath); err == nil {
+			// Try to parse as simple YAML to extract issuer URLs
+			var rawConfig struct {
+				Authentication struct {
+					JWT []struct {
+						Issuer struct {
+							URL       string   `yaml:"url" json:"url"`
+							Audiences []string `yaml:"audiences" json:"audiences"`
+						} `yaml:"issuer" json:"issuer"`
+						ClaimMappings struct {
+							Username struct {
+								Claim  string `yaml:"claim" json:"claim"`
+								Prefix string `yaml:"prefix" json:"prefix"`
+							} `yaml:"username" json:"username"`
+						} `yaml:"claimMappings" json:"claimMappings"`
+					} `yaml:"jwt" json:"jwt"`
+				} `yaml:"authentication" json:"authentication"`
+			}
+			if err := yaml.Unmarshal(content, &rawConfig); err == nil && len(rawConfig.Authentication.JWT) > 0 {
+				// Successfully parsed with simple struct
+				for _, jwt := range rawConfig.Authentication.JWT {
+					response.JWT = append(response.JWT, struct {
+						Issuer struct {
+							URL       string   `json:"url"`
+							Audiences []string `json:"audiences,omitempty"`
+						} `json:"issuer"`
+						ClaimMappings struct {
+							Username struct {
+								Claim  string `json:"claim"`
+								Prefix string `json:"prefix,omitempty"`
+							} `json:"username"`
+						} `json:"claimMappings"`
+					}{
+						Issuer: struct {
+							URL       string   `json:"url"`
+							Audiences []string `json:"audiences,omitempty"`
+						}{
+							URL:       jwt.Issuer.URL,
+							Audiences: jwt.Issuer.Audiences,
+						},
+						ClaimMappings: struct {
+							Username struct {
+								Claim  string `json:"claim"`
+								Prefix string `json:"prefix,omitempty"`
+							} `json:"username"`
+						}{
+							Username: struct {
+								Claim  string `json:"claim"`
+								Prefix string `json:"prefix,omitempty"`
+							}{
+								Claim:  jwt.ClaimMappings.Username.Claim,
+								Prefix: jwt.ClaimMappings.Username.Prefix,
+							},
+						},
+					})
+				}
+			}
+		}
 	}
 
-	return res.Status.User.Username
+	// If no config, return empty
+	c.JSON(http.StatusOK, response)
 }
 
 // Flash API handlers
@@ -1766,7 +2023,7 @@ func (a *APIServer) createFlash(c *gin.Context) {
 
 	ctx := c.Request.Context()
 	namespace := resolveNamespace()
-	requestedBy := resolveRequester(c)
+	requestedBy := a.resolveRequester(c)
 
 	// Get exporter selector from OperatorConfig if target is specified
 	exporterSelector := req.ExporterSelector
diff --git a/internal/controller/operatorconfig/controller.go b/internal/controller/operatorconfig/controller.go
index cab06032..12a1c1ae 100644
--- a/internal/controller/operatorconfig/controller.go
+++ b/internal/controller/operatorconfig/controller.go
@@ -23,10 +23,11 @@ import (
 )
 
 const (
-	operatorNamespace = "automotive-dev-operator-system"
-	finalizerName     = "operatorconfig.automotive.sdv.cloud.redhat.com/finalizer"
-	buildAPIName      = "ado-build-api"
-	phaseFailed       = "Failed"
+	operatorNamespace     = "automotive-dev-operator-system"
+	finalizerName         = "operatorconfig.automotive.sdv.cloud.redhat.com/finalizer"
+	buildAPIName          = "ado-build-api"
+	phaseFailed           = "Failed"
+	internalJWTSecretName = "ado-build-api-internal-jwt"
 )
 
 // isNoMatchError checks if error is "no matches for kind" error (CRD doesn't exist)
@@ -227,6 +228,18 @@ func (r *OperatorConfigReconciler) deployBuildAPI(ctx context.Context, owner *au
 		return fmt.Errorf("failed to ensure build-api OAuth secret: %w", err)
 	}
 
+	// Ensure internal JWT secret for build-api
+	if err := r.ensureBuildAPIInternalJWTSecret(ctx, owner); err != nil {
+		r.Log.Error(err, "Failed to ensure build-api internal JWT secret")
+		return fmt.Errorf("failed to ensure build-api internal JWT secret: %w", err)
+	}
+
+	// Ensure build-api auth configuration
+	if err := r.ensureBuildAPIAuthConfigMap(ctx); err != nil {
+		r.Log.Error(err, "Failed to ensure build-api auth config")
+		return fmt.Errorf("failed to ensure build-api auth config: %w", err)
+	}
+
 	// Update ServiceAccount with build-api OAuth redirect annotation
 	if err := r.updateBuildAPIServiceAccountAnnotation(ctx); err != nil {
 		r.Log.Error(err, "Failed to update ServiceAccount build-api OAuth annotation")
@@ -364,6 +377,52 @@ func (r *OperatorConfigReconciler) cleanupBuildAPI(ctx context.Context) error {
 		return fmt.Errorf("failed to delete build-api OAuth secret: %w", err)
 	}
 
+	// Delete build-api internal JWT secret
+	jwtSecret := &corev1.Secret{}
+	jwtSecret.Name = internalJWTSecretName
+	jwtSecret.Namespace = operatorNamespace
+	if err := r.Delete(ctx, jwtSecret); err != nil && !errors.IsNotFound(err) {
+		return fmt.Errorf("failed to delete build-api internal JWT secret: %w", err)
+	}
+
+	return nil
+}
+
+func (r *OperatorConfigReconciler) ensureBuildAPIInternalJWTSecret(ctx context.Context, owner *automotivev1alpha1.OperatorConfig) error {
+	secret := &corev1.Secret{}
+	err := r.Get(ctx, client.ObjectKey{Name: internalJWTSecretName, Namespace: operatorNamespace}, secret)
+	if err != nil {
+		if !errors.IsNotFound(err) {
+			return fmt.Errorf("failed to get internal JWT secret %s: %w", internalJWTSecretName, err)
+		}
+		// Secret doesn't exist, create it
+		secret, err = r.buildInternalJWTSecret(internalJWTSecretName)
+		if err != nil {
+			return fmt.Errorf("failed to build internal JWT secret: %w", err)
+		}
+		if err := r.Create(ctx, secret); err != nil {
+			return fmt.Errorf("failed to create internal JWT secret %s: %w", internalJWTSecretName, err)
+		}
+		r.Log.Info("Created internal JWT secret", "name", internalJWTSecretName)
+	}
+	return nil
+}
+
+func (r *OperatorConfigReconciler) ensureBuildAPIAuthConfigMap(ctx context.Context) error {
+	configMap := &corev1.ConfigMap{}
+	err := r.Get(ctx, client.ObjectKey{Name: buildAPIAuthConfigMapName, Namespace: operatorNamespace}, configMap)
+	if err == nil {
+		return nil
+	}
+	if !errors.IsNotFound(err) {
+		return fmt.Errorf("failed to get build-api auth configmap %s: %w", buildAPIAuthConfigMapName, err)
+	}
+
+	configMap = r.buildBuildAPIAuthConfigMap()
+	if err := r.Create(ctx, configMap); err != nil {
+		return fmt.Errorf("failed to create build-api auth configmap %s: %w", buildAPIAuthConfigMapName, err)
+	}
+	r.Log.Info("Created build-api auth configmap", "name", buildAPIAuthConfigMapName)
 	return nil
 }
 
diff --git a/internal/controller/operatorconfig/resources.go b/internal/controller/operatorconfig/resources.go
index beea5a77..8f3544e5 100644
--- a/internal/controller/operatorconfig/resources.go
+++ b/internal/controller/operatorconfig/resources.go
@@ -3,8 +3,12 @@ package operatorconfig
 import (
 	"crypto/rand"
 	"encoding/base64"
+	"fmt"
 	"os"
+	"strings"
+	"time"
 
+	"github.com/golang-jwt/jwt/v5"
 	routev1 "github.com/openshift/api/route/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -15,7 +19,8 @@ import (
 )
 
 const (
-	defaultOperatorImage = "quay.io/rh-sdv-cloud/automotive-dev-operator:latest"
+	defaultOperatorImage      = "quay.io/rh-sdv-cloud/automotive-dev-operator:latest"
+	buildAPIAuthConfigMapName = "ado-build-api-authentication"
 )
 
 // getOperatorImage returns the operator image from env var or default
@@ -53,6 +58,43 @@ func (r *OperatorConfigReconciler) buildBuildAPIContainers(isOpenShift bool) []c
 						},
 					},
 				},
+				{
+					Name:  "AUTH_CONFIG_PATH",
+					Value: "/etc/build-api/config",
+				},
+				{
+					Name: "INTERNAL_JWT_ISSUER",
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: internalJWTSecretName,
+							},
+							Key: "issuer",
+						},
+					},
+				},
+				{
+					Name: "INTERNAL_JWT_AUDIENCE",
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: internalJWTSecretName,
+							},
+							Key: "audience",
+						},
+					},
+				},
+				{
+					Name: "INTERNAL_JWT_KEY",
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: internalJWTSecretName,
+							},
+							Key: "signing-key",
+						},
+					},
+				},
 			},
 			Ports: []corev1.ContainerPort{
 				{
@@ -61,6 +103,13 @@ func (r *OperatorConfigReconciler) buildBuildAPIContainers(isOpenShift bool) []c
 					Protocol:      corev1.ProtocolTCP,
 				},
 			},
+			VolumeMounts: []corev1.VolumeMount{
+				{
+					Name:      "build-api-auth-config",
+					MountPath: "/etc/build-api",
+					ReadOnly:  true,
+				},
+			},
 			SecurityContext: &corev1.SecurityContext{
 				AllowPrivilegeEscalation: boolPtr(false),
 			},
@@ -179,6 +228,18 @@ func (r *OperatorConfigReconciler) buildBuildAPIDeployment(isOpenShift bool) *ap
 						},
 					},
 					Containers: r.buildBuildAPIContainers(isOpenShift),
+					Volumes: []corev1.Volume{
+						{
+							Name: "build-api-auth-config",
+							VolumeSource: corev1.VolumeSource{
+								ConfigMap: &corev1.ConfigMapVolumeSource{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: buildAPIAuthConfigMapName,
+									},
+								},
+							},
+						},
+					},
 				},
 			},
 		},
@@ -326,6 +387,87 @@ func (r *OperatorConfigReconciler) buildOAuthSecret(name string) *corev1.Secret
 	}
 }
 
+func (r *OperatorConfigReconciler) buildBuildAPIAuthConfigMap() *corev1.ConfigMap {
+	return &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      buildAPIAuthConfigMapName,
+			Namespace: operatorNamespace,
+			Labels: map[string]string{
+				"app.kubernetes.io/name":      "automotive-dev-operator",
+				"app.kubernetes.io/component": "build-api",
+				"app.kubernetes.io/part-of":   "automotive-dev-operator",
+			},
+		},
+		Data: map[string]string{
+			"config": strings.TrimSpace(defaultAuthenticationConfig()), // Use 'config' key to match Jumpstarter
+		},
+	}
+}
+
+func defaultAuthenticationConfig() string {
+	return `
+internal:
+  prefix: "internal:"
+jwt: []
+`
+}
+
+func (r *OperatorConfigReconciler) buildInternalJWTSecret(name string) (*corev1.Secret, error) {
+	signingKey, err := generateRandomToken(32)
+	if err != nil {
+		return nil, err
+	}
+
+	issuer := "ado-build-api"
+	audience := "ado-build-api"
+	expiresAt := time.Now().Add(365 * 24 * time.Hour)
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.RegisteredClaims{
+		Issuer:    issuer,
+		Subject:   "internal",
+		Audience:  jwt.ClaimStrings{audience},
+		IssuedAt:  jwt.NewNumericDate(time.Now().Add(-1 * time.Minute)),
+		NotBefore: jwt.NewNumericDate(time.Now().Add(-1 * time.Minute)),
+		ExpiresAt: jwt.NewNumericDate(expiresAt),
+	})
+	signedToken, err := token.SignedString([]byte(signingKey))
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign internal JWT: %w", err)
+	}
+
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: operatorNamespace,
+			Labels: map[string]string{
+				"app.kubernetes.io/name":      "automotive-dev-operator",
+				"app.kubernetes.io/component": "build-api",
+				"app.kubernetes.io/part-of":   "automotive-dev-operator",
+			},
+		},
+		Type: corev1.SecretTypeOpaque,
+		StringData: map[string]string{
+			"signing-key": signingKey,
+			"token":       signedToken,
+			"issuer":      issuer,
+			"audience":    audience,
+			"expires-at":  expiresAt.Format(time.RFC3339),
+		},
+	}, nil
+}
+
+func generateRandomToken(length int) (string, error) {
+	const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
+	bytes := make([]byte, length)
+	if _, err := rand.Read(bytes); err != nil {
+		return "", err
+	}
+	for i := range bytes {
+		bytes[i] = charset[int(bytes[i])%len(charset)]
+	}
+	return string(bytes), nil
+}
+
 func boolPtr(b bool) *bool {
 	return &b
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 71e12961..b988685c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -188,6 +188,9 @@ github.com/containers/storage/pkg/reexec
 github.com/containers/storage/pkg/regexp
 github.com/containers/storage/pkg/system
 github.com/containers/storage/pkg/unshare
+# github.com/coreos/go-oidc v2.3.0+incompatible
+## explicit
+github.com/coreos/go-oidc
 # github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467
 ## explicit
 github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
@@ -305,6 +308,9 @@ github.com/goccy/go-json/internal/runtime
 ## explicit; go 1.15
 github.com/gogo/protobuf/proto
 github.com/gogo/protobuf/sortkeys
+# github.com/golang-jwt/jwt/v5 v5.2.2
+## explicit; go 1.18
+github.com/golang-jwt/jwt/v5
 # github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8
 ## explicit; go 1.20
 github.com/golang/groupcache/lru
@@ -498,6 +504,7 @@ github.com/opencontainers/image-spec/specs-go/v1
 github.com/opencontainers/runtime-spec/specs-go
 # github.com/openshift/api v0.0.0-20250725072657-92b1455121e1
 ## explicit; go 1.24.0
+github.com/openshift/api/config/v1
 github.com/openshift/api/route/v1
 github.com/openshift/api/security/v1
 # github.com/pelletier/go-toml/v2 v2.2.4
@@ -510,6 +517,10 @@ github.com/pelletier/go-toml/v2/unstable
 # github.com/pkg/errors v0.9.1
 ## explicit
 github.com/pkg/errors
+# github.com/pquerna/cachecontrol v0.1.0
+## explicit; go 1.16
+github.com/pquerna/cachecontrol
+github.com/pquerna/cachecontrol/cacheobject
 # github.com/proglottis/gpgme v0.1.4
 ## explicit; go 1.17
 github.com/proglottis/gpgme
@@ -751,6 +762,7 @@ golang.org/x/arch/x86/x86asm
 golang.org/x/crypto/cast5
 golang.org/x/crypto/cryptobyte
 golang.org/x/crypto/cryptobyte/asn1
+golang.org/x/crypto/ed25519
 golang.org/x/crypto/internal/alias
 golang.org/x/crypto/internal/poly1305
 golang.org/x/crypto/nacl/secretbox
@@ -969,6 +981,11 @@ google.golang.org/protobuf/types/known/wrapperspb
 # gopkg.in/evanphx/json-patch.v4 v4.12.0
 ## explicit
 gopkg.in/evanphx/json-patch.v4
+# gopkg.in/go-jose/go-jose.v2 v2.6.3
+## explicit
+gopkg.in/go-jose/go-jose.v2
+gopkg.in/go-jose/go-jose.v2/cipher
+gopkg.in/go-jose/go-jose.v2/json
 # gopkg.in/inf.v0 v0.9.1
 ## explicit
 gopkg.in/inf.v0
@@ -1141,7 +1158,9 @@ k8s.io/apiserver/pkg/authentication/request/websocket
 k8s.io/apiserver/pkg/authentication/request/x509
 k8s.io/apiserver/pkg/authentication/serviceaccount
 k8s.io/apiserver/pkg/authentication/token/cache
+k8s.io/apiserver/pkg/authentication/token/jwt
 k8s.io/apiserver/pkg/authentication/token/tokenfile
+k8s.io/apiserver/pkg/authentication/token/union
 k8s.io/apiserver/pkg/authentication/user
 k8s.io/apiserver/pkg/authorization/authorizer
 k8s.io/apiserver/pkg/authorization/authorizerfactory
@@ -1159,6 +1178,7 @@ k8s.io/apiserver/pkg/util/feature
 k8s.io/apiserver/pkg/util/webhook
 k8s.io/apiserver/pkg/util/x509metrics
 k8s.io/apiserver/pkg/warning
+k8s.io/apiserver/plugin/pkg/authenticator/token/oidc
 k8s.io/apiserver/plugin/pkg/authenticator/token/webhook
 k8s.io/apiserver/plugin/pkg/authorizer/webhook
 k8s.io/apiserver/plugin/pkg/authorizer/webhook/metrics

From 77f87529496db67d47e165e1ed65aebc77a0ef35 Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev <bkhizgiy@redhat.com>
Date: Wed, 28 Jan 2026 12:24:51 +0200
Subject: [PATCH 03/10] Fix OIDC changes linter issues

Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com>
---
 cmd/caib/auth/config.go                       | 18 +++++--
 cmd/caib/auth/oidc.go                         | 51 +++++++++++++------
 internal/buildapi/auth_config.go              |  4 +-
 internal/buildapi/server.go                   | 30 -----------
 .../controller/operatorconfig/controller.go   |  2 +-
 5 files changed, 55 insertions(+), 50 deletions(-)

diff --git a/cmd/caib/auth/config.go b/cmd/caib/auth/config.go
index 6a12f9b7..57cf22d9 100644
--- a/cmd/caib/auth/config.go
+++ b/cmd/caib/auth/config.go
@@ -1,3 +1,4 @@
+// Package auth provides OIDC authentication functionality for the caib CLI.
 package auth
 
 import (
@@ -11,6 +12,7 @@ import (
 	"time"
 )
 
+// GetOIDCConfigFromAPI fetches OIDC configuration from the Build API server.
 func GetOIDCConfigFromAPI(serverURL string) (*OIDCConfig, error) {
 	insecureTLS := strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1"
 	client := &http.Client{
@@ -30,7 +32,11 @@ func GetOIDCConfigFromAPI(serverURL string) (*OIDCConfig, error) {
 	if err != nil {
 		return nil, nil
 	}
-	defer resp.Body.Close()
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			// Ignore close errors on response body
+		}
+	}()
 
 	if resp.StatusCode != http.StatusOK {
 		return nil, nil
@@ -76,7 +82,10 @@ func GetOIDCConfigFromAPI(serverURL string) (*OIDCConfig, error) {
 
 // GetOIDCConfigFromLocalConfig tries to read from local config file
 func GetOIDCConfigFromLocalConfig() (*OIDCConfig, error) {
-	homeDir, _ := os.UserHomeDir()
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		return nil, err
+	}
 	configPath := filepath.Join(homeDir, tokenCacheDir, "config.json")
 
 	data, err := os.ReadFile(configPath)
@@ -112,7 +121,10 @@ func GetOIDCConfigFromLocalConfig() (*OIDCConfig, error) {
 
 // SaveOIDCConfig saves OIDC config to local file
 func SaveOIDCConfig(config *OIDCConfig) error {
-	homeDir, _ := os.UserHomeDir()
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		return err
+	}
 	configPath := filepath.Join(homeDir, tokenCacheDir, "config.json")
 
 	configData := map[string]interface{}{
diff --git a/cmd/caib/auth/oidc.go b/cmd/caib/auth/oidc.go
index bfb03f30..5af8491d 100644
--- a/cmd/caib/auth/oidc.go
+++ b/cmd/caib/auth/oidc.go
@@ -1,3 +1,4 @@
+// Package auth provides OIDC authentication functionality for the caib CLI.
 package auth
 
 import (
@@ -26,30 +27,37 @@ const (
 	tokenCacheFile = "token.json"
 )
 
+// TokenCache stores cached OIDC token information.
 type TokenCache struct {
 	Token     string    `json:"token"`
 	ExpiresAt time.Time `json:"expires_at"`
 	Issuer    string    `json:"issuer"`
 }
 
+// OIDCConfig holds OIDC provider configuration.
 type OIDCConfig struct {
 	IssuerURL string
 	ClientID  string
 	Scopes    []string
 }
 
+// OIDCAuth handles OIDC authentication flow and token management.
 type OIDCAuth struct {
 	config     OIDCConfig
 	tokenCache *TokenCache
 	cachePath  string
 }
 
+// NewOIDCAuth creates a new OIDC authenticator instance.
 func NewOIDCAuth(issuerURL, clientID string, scopes []string) *OIDCAuth {
 	if len(scopes) == 0 {
 		scopes = []string{"openid", "profile", "email"}
 	}
 
-	homeDir, _ := os.UserHomeDir()
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		return nil
+	}
 	cachePath := filepath.Join(homeDir, tokenCacheDir, tokenCacheFile)
 
 	return &OIDCAuth{
@@ -62,6 +70,7 @@ func NewOIDCAuth(issuerURL, clientID string, scopes []string) *OIDCAuth {
 	}
 }
 
+// GetToken retrieves a valid OIDC token, using cache if available.
 func (a *OIDCAuth) GetToken(ctx context.Context) (string, error) {
 	token, _, err := a.GetTokenWithStatus(ctx)
 	return token, err
@@ -90,6 +99,7 @@ func (a *OIDCAuth) GetTokenWithStatus(ctx context.Context) (string, bool, error)
 	return token, false, nil
 }
 
+// IsTokenValid checks if a token is valid and not expired.
 func (a *OIDCAuth) IsTokenValid(token string) bool {
 	parser := jwt.NewParser()
 	claims := jwt.MapClaims{}
@@ -128,7 +138,9 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 		return "", fmt.Errorf("failed to find available port: %w", err)
 	}
 	port := listener.Addr().(*net.TCPAddr).Port
-	listener.Close()
+	if err := listener.Close(); err != nil {
+		return "", fmt.Errorf("failed to close listener: %w", err)
+	}
 
 	redirectURI := fmt.Sprintf("http://localhost:%d/callback", port)
 
@@ -149,7 +161,6 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 
 	// Create callback server
 	codeChan := make(chan string, 1)
-	stateChan := make(chan string, 1)
 	errChan := make(chan error, 1)
 
 	server := &http.Server{
@@ -167,28 +178,27 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 			if errorParam != "" {
 				errChan <- fmt.Errorf("OIDC error: %s", errorParam)
 				w.WriteHeader(http.StatusBadRequest)
-				fmt.Fprintf(w, "Authentication failed: %s", errorParam)
+				_, _ = fmt.Fprintf(w, "Authentication failed: %s", errorParam)
 				return
 			}
 
 			if code == "" {
 				errChan <- fmt.Errorf("no authorization code received")
 				w.WriteHeader(http.StatusBadRequest)
-				fmt.Fprintf(w, "No authorization code received")
+				_, _ = fmt.Fprintf(w, "No authorization code received")
 				return
 			}
 
 			if returnedState != state {
 				errChan <- fmt.Errorf("state mismatch")
 				w.WriteHeader(http.StatusBadRequest)
-				fmt.Fprintf(w, "State mismatch")
+				_, _ = fmt.Fprintf(w, "State mismatch")
 				return
 			}
 
 			codeChan <- code
-			stateChan <- returnedState
 			w.WriteHeader(http.StatusOK)
-			fmt.Fprintf(w, "Authentication successful! You can close this window.")
+			_, _ = fmt.Fprintf(w, "Authentication successful! You can close this window.")
 		}),
 	}
 
@@ -208,7 +218,7 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 	// Wait for callback
 	select {
 	case code := <-codeChan:
-		server.Shutdown(ctx)
+		_ = server.Shutdown(ctx)
 		// Exchange code for token
 		token, err := a.exchangeCodeForToken(ctx, discovery.TokenEndpoint, code, redirectURI, codeVerifier)
 		if err != nil {
@@ -222,13 +232,13 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 
 		return token, nil
 	case err := <-errChan:
-		server.Shutdown(ctx)
+		_ = server.Shutdown(ctx)
 		return "", err
 	case <-ctx.Done():
-		server.Shutdown(ctx)
+		_ = server.Shutdown(ctx)
 		return "", ctx.Err()
 	case <-time.After(5 * time.Minute):
-		server.Shutdown(ctx)
+		_ = server.Shutdown(ctx)
 		return "", fmt.Errorf("authentication timeout")
 	}
 }
@@ -252,7 +262,11 @@ func (a *OIDCAuth) exchangeCodeForToken(ctx context.Context, tokenEndpoint, code
 	if err != nil {
 		return "", err
 	}
-	defer resp.Body.Close()
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			// Ignore close errors on response body
+		}
+	}()
 
 	if resp.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(resp.Body)
@@ -278,6 +292,7 @@ func (a *OIDCAuth) exchangeCodeForToken(ctx context.Context, tokenEndpoint, code
 	return token, nil
 }
 
+// DiscoveryDocument represents the OIDC discovery document structure.
 type DiscoveryDocument struct {
 	AuthorizationEndpoint string `json:"authorization_endpoint"`
 	TokenEndpoint         string `json:"token_endpoint"`
@@ -289,7 +304,11 @@ func (a *OIDCAuth) getDiscovery(discoveryURL string) (*DiscoveryDocument, error)
 	if err != nil {
 		return nil, err
 	}
-	defer resp.Body.Close()
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			// Ignore close errors on response body
+		}
+	}()
 
 	if resp.StatusCode != http.StatusOK {
 		return nil, fmt.Errorf("discovery request failed: %s", resp.Status)
@@ -356,7 +375,9 @@ func (a *OIDCAuth) saveTokenCache(token string) error {
 
 func generateRandomString(length int) string {
 	b := make([]byte, length)
-	rand.Read(b)
+	if _, err := rand.Read(b); err != nil {
+		panic(fmt.Sprintf("failed to generate random string: %v", err))
+	}
 	return base64.URLEncoding.EncodeToString(b)[:length]
 }
 
diff --git a/internal/buildapi/auth_config.go b/internal/buildapi/auth_config.go
index 6001a7d7..a321c6d3 100644
--- a/internal/buildapi/auth_config.go
+++ b/internal/buildapi/auth_config.go
@@ -16,12 +16,14 @@ import (
 	apiserver "k8s.io/apiserver/pkg/apis/apiserver"
 )
 
+// AuthenticationConfiguration defines the authentication configuration structure.
 type AuthenticationConfiguration struct {
 	ClientID string                              `json:"clientId"`
 	Internal InternalAuthConfig                  `json:"internal"`
 	JWT      []apiserverv1beta1.JWTAuthenticator `json:"jwt"`
 }
 
+// InternalAuthConfig defines internal authentication configuration.
 type InternalAuthConfig struct {
 	Prefix string `json:"prefix"`
 }
@@ -132,7 +134,7 @@ func newJWTAuthenticator(ctx context.Context, config AuthenticationConfiguration
 	_ = apiserver.AddToScheme(scheme)
 	_ = apiserverv1beta1.AddToScheme(scheme)
 
-	var jwtAuthenticators []authenticator.Token
+	jwtAuthenticators := make([]authenticator.Token, 0, len(config.JWT))
 	for _, jwtAuthenticator := range config.JWT {
 		var oidcCAContent oidc.CAContentProvider
 		if jwtAuthenticator.Issuer.CertificateAuthority != "" {
diff --git a/internal/buildapi/server.go b/internal/buildapi/server.go
index 986d2f1b..c2fc1591 100644
--- a/internal/buildapi/server.go
+++ b/internal/buildapi/server.go
@@ -1761,36 +1761,6 @@ func extractBearerToken(c *gin.Context) string {
 	return strings.TrimSpace(token)
 }
 
-// findReadyArtifactPod finds a running and ready artifact pod for the given ImageBuild
-func findReadyArtifactPod(ctx context.Context, k8sClient client.Client, namespace, buildName string, deadline time.Time) (*corev1.Pod, error) {
-	for {
-		podList := &corev1.PodList{}
-		if err := k8sClient.List(ctx, podList,
-			client.InNamespace(namespace),
-			client.MatchingLabels{
-				"app.kubernetes.io/name":                          "artifact-pod",
-				"automotive.sdv.cloud.redhat.com/imagebuild-name": buildName,
-			}); err != nil {
-			return nil, fmt.Errorf("error listing artifact pods: %w", err)
-		}
-
-		for i := range podList.Items {
-			p := &podList.Items[i]
-			if p.Status.Phase == corev1.PodRunning {
-				for _, cs := range p.Status.ContainerStatuses {
-					if cs.Name == "fileserver" && cs.Ready {
-						return p, nil
-					}
-				}
-			}
-		}
-
-		if time.Now().After(deadline) {
-			return nil, fmt.Errorf("artifact pod not ready")
-		}
-		time.Sleep(2 * time.Second)
-	}
-}
 
 func (a *APIServer) resolveRequester(c *gin.Context) string {
 	if v, ok := c.Get("requester"); ok {
diff --git a/internal/controller/operatorconfig/controller.go b/internal/controller/operatorconfig/controller.go
index 12a1c1ae..81ffee07 100644
--- a/internal/controller/operatorconfig/controller.go
+++ b/internal/controller/operatorconfig/controller.go
@@ -388,7 +388,7 @@ func (r *OperatorConfigReconciler) cleanupBuildAPI(ctx context.Context) error {
 	return nil
 }
 
-func (r *OperatorConfigReconciler) ensureBuildAPIInternalJWTSecret(ctx context.Context, owner *automotivev1alpha1.OperatorConfig) error {
+func (r *OperatorConfigReconciler) ensureBuildAPIInternalJWTSecret(ctx context.Context, _ *automotivev1alpha1.OperatorConfig) error {
 	secret := &corev1.Secret{}
 	err := r.Get(ctx, client.ObjectKey{Name: internalJWTSecretName, Namespace: operatorNamespace}, secret)
 	if err != nil {

From 5ca90d4d3857a607794a58535cb4cae1a48873a7 Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev <bkhizgiy@redhat.com>
Date: Wed, 28 Jan 2026 15:02:06 +0200
Subject: [PATCH 04/10] Improve OIDC implemantation

Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com>
---
 cmd/caib/auth/config.go            | 16 ++++++----
 cmd/caib/auth/oidc.go              | 48 ++++++++++++++++++++----------
 cmd/caib/auth/wrapper.go           | 33 +++++++++++++++-----
 cmd/caib/main.go                   | 22 ++++++++++----
 internal/buildapi/client/client.go | 16 +++++-----
 internal/buildapi/internal_jwt.go  | 10 +++++++
 internal/buildapi/server.go        |  1 -
 7 files changed, 105 insertions(+), 41 deletions(-)

diff --git a/cmd/caib/auth/config.go b/cmd/caib/auth/config.go
index 57cf22d9..e777c5fc 100644
--- a/cmd/caib/auth/config.go
+++ b/cmd/caib/auth/config.go
@@ -30,18 +30,21 @@ func GetOIDCConfigFromAPI(serverURL string) (*OIDCConfig, error) {
 
 	resp, err := client.Do(req)
 	if err != nil {
-		return nil, nil
+		return nil, fmt.Errorf("failed to fetch OIDC config from API: %w", err)
 	}
 	defer func() {
-		if err := resp.Body.Close(); err != nil {
-			// Ignore close errors on response body
-		}
+		_ = resp.Body.Close()
 	}()
 
-	if resp.StatusCode != http.StatusOK {
+	if resp.StatusCode == http.StatusNotFound {
+		// OIDC not configured - this is expected, return nil config without error
 		return nil, nil
 	}
 
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("failed to fetch OIDC config: HTTP %d", resp.StatusCode)
+	}
+
 	var apiResponse struct {
 		ClientID string `json:"clientId"`
 		JWT      []struct {
@@ -59,10 +62,11 @@ func GetOIDCConfigFromAPI(serverURL string) (*OIDCConfig, error) {
 	}
 
 	if err := json.NewDecoder(resp.Body).Decode(&apiResponse); err != nil {
-		return nil, nil
+		return nil, fmt.Errorf("failed to decode OIDC config response: %w", err)
 	}
 
 	if len(apiResponse.JWT) == 0 {
+		// OIDC not configured - this is expected, return nil config without error
 		return nil, nil
 	}
 
diff --git a/cmd/caib/auth/oidc.go b/cmd/caib/auth/oidc.go
index 5af8491d..8a8f6f98 100644
--- a/cmd/caib/auth/oidc.go
+++ b/cmd/caib/auth/oidc.go
@@ -50,6 +50,10 @@ type OIDCAuth struct {
 
 // NewOIDCAuth creates a new OIDC authenticator instance.
 func NewOIDCAuth(issuerURL, clientID string, scopes []string) *OIDCAuth {
+	if issuerURL == "" || clientID == "" {
+		return nil
+	}
+
 	if len(scopes) == 0 {
 		scopes = []string{"openid", "profile", "email"}
 	}
@@ -120,6 +124,10 @@ func (a *OIDCAuth) IsTokenValid(token string) bool {
 }
 
 func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
+	if a.config.IssuerURL == "" {
+		return "", fmt.Errorf("issuer URL is required")
+	}
+
 	// Get OIDC discovery document
 	discoveryURL := strings.TrimSuffix(a.config.IssuerURL, "/") + "/.well-known/openid-configuration"
 	discovery, err := a.getDiscovery(discoveryURL)
@@ -128,8 +136,14 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 	}
 
 	// Generate state and PKCE code verifier
-	state := generateRandomString(32)
-	codeVerifier := generateRandomString(43)
+	state, err := generateRandomString(32)
+	if err != nil {
+		return "", fmt.Errorf("failed to generate state: %w", err)
+	}
+	codeVerifier, err := generateRandomString(43)
+	if err != nil {
+		return "", fmt.Errorf("failed to generate code verifier: %w", err)
+	}
 	codeChallenge := base64URLEncode(sha256Hash(codeVerifier))
 
 	// Find available port for callback
@@ -218,7 +232,9 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 	// Wait for callback
 	select {
 	case code := <-codeChan:
-		_ = server.Shutdown(ctx)
+		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		_ = server.Shutdown(shutdownCtx)
+		cancel()
 		// Exchange code for token
 		token, err := a.exchangeCodeForToken(ctx, discovery.TokenEndpoint, code, redirectURI, codeVerifier)
 		if err != nil {
@@ -232,13 +248,19 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 
 		return token, nil
 	case err := <-errChan:
-		_ = server.Shutdown(ctx)
+		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		_ = server.Shutdown(shutdownCtx)
+		cancel()
 		return "", err
 	case <-ctx.Done():
-		_ = server.Shutdown(ctx)
+		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		_ = server.Shutdown(shutdownCtx)
+		cancel()
 		return "", ctx.Err()
 	case <-time.After(5 * time.Minute):
-		_ = server.Shutdown(ctx)
+		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		_ = server.Shutdown(shutdownCtx)
+		cancel()
 		return "", fmt.Errorf("authentication timeout")
 	}
 }
@@ -263,9 +285,7 @@ func (a *OIDCAuth) exchangeCodeForToken(ctx context.Context, tokenEndpoint, code
 		return "", err
 	}
 	defer func() {
-		if err := resp.Body.Close(); err != nil {
-			// Ignore close errors on response body
-		}
+		_ = resp.Body.Close()
 	}()
 
 	if resp.StatusCode != http.StatusOK {
@@ -305,9 +325,7 @@ func (a *OIDCAuth) getDiscovery(discoveryURL string) (*DiscoveryDocument, error)
 		return nil, err
 	}
 	defer func() {
-		if err := resp.Body.Close(); err != nil {
-			// Ignore close errors on response body
-		}
+		_ = resp.Body.Close()
 	}()
 
 	if resp.StatusCode != http.StatusOK {
@@ -373,12 +391,12 @@ func (a *OIDCAuth) saveTokenCache(token string) error {
 	return os.WriteFile(a.cachePath, data, 0600)
 }
 
-func generateRandomString(length int) string {
+func generateRandomString(length int) (string, error) {
 	b := make([]byte, length)
 	if _, err := rand.Read(b); err != nil {
-		panic(fmt.Sprintf("failed to generate random string: %v", err))
+		return "", fmt.Errorf("failed to generate random string: %w", err)
 	}
-	return base64.URLEncoding.EncodeToString(b)[:length]
+	return base64.URLEncoding.EncodeToString(b)[:length], nil
 }
 
 func base64URLEncode(data []byte) string {
diff --git a/cmd/caib/auth/wrapper.go b/cmd/caib/auth/wrapper.go
index 33e701a3..2e8772f0 100644
--- a/cmd/caib/auth/wrapper.go
+++ b/cmd/caib/auth/wrapper.go
@@ -2,6 +2,7 @@ package auth
 
 import (
 	"context"
+	"fmt"
 	"strings"
 
 	buildapiclient "github.com/centos-automotive-suite/automotive-dev-operator/internal/buildapi/client"
@@ -22,6 +23,7 @@ func IsAuthError(err error) bool {
 // GetTokenWithReauth gets a token, triggering OIDC re-auth if needed.
 // Returns empty string if no OIDC config is available (auth is optional).
 // The boolean return indicates whether a fresh auth flow was performed.
+// Returns an error if OIDC is configured but config fetch fails (network/server errors).
 func GetTokenWithReauth(ctx context.Context, serverURL string, currentToken string) (string, bool, error) {
 	// Try to get OIDC config from local config first
 	config, err := GetOIDCConfigFromLocalConfig()
@@ -29,8 +31,8 @@ func GetTokenWithReauth(ctx context.Context, serverURL string, currentToken stri
 		// Fallback to Build API
 		config, err = GetOIDCConfigFromAPI(serverURL)
 		if err != nil {
-			// If we can't get config, return empty (auth is optional)
-			return "", false, nil
+			// Error fetching config - this is a real error, not "not configured"
+			return "", false, fmt.Errorf("failed to fetch OIDC configuration: %w", err)
 		}
 	}
 
@@ -40,6 +42,9 @@ func GetTokenWithReauth(ctx context.Context, serverURL string, currentToken stri
 	}
 
 	oidcAuth := NewOIDCAuth(config.IssuerURL, config.ClientID, config.Scopes)
+	if oidcAuth == nil {
+		return "", false, fmt.Errorf("failed to initialize OIDC authenticator")
+	}
 
 	// If we have a current token, check if it's valid
 	if currentToken != "" {
@@ -56,16 +61,30 @@ func GetTokenWithReauth(ctx context.Context, serverURL string, currentToken stri
 	return token, !fromCache, nil
 }
 
-// CreateClientWithReauth creates a client and handles re-authentication on auth errors
+// CreateClientWithReauth creates a client and handles re-authentication on auth errors.
+// If authToken is nil, it will be treated as empty and OIDC will be attempted.
+// OIDC errors are logged but do not prevent client creation (auth is optional).
 func CreateClientWithReauth(ctx context.Context, serverURL string, authToken *string) (*buildapiclient.Client, error) {
+	// Guard against nil pointer
+	tokenValue := ""
+	if authToken != nil {
+		tokenValue = strings.TrimSpace(*authToken)
+	}
+
 	// Try to get token from OIDC if needed
-	if strings.TrimSpace(*authToken) == "" {
+	if tokenValue == "" {
 		// Try OIDC auth
 		token, _, err := GetTokenWithReauth(ctx, serverURL, "")
-		if err == nil && token != "" {
-			*authToken = token
+		if err != nil {
+			// OIDC fetch failed - log but continue (auth is optional, kubeconfig may work)
+			fmt.Printf("Warning: OIDC authentication failed: %v\n", err)
+		} else if token != "" {
+			tokenValue = token
+			if authToken != nil {
+				*authToken = token
+			}
 		}
 	}
 
-	return buildapiclient.New(serverURL, buildapiclient.WithAuthToken(strings.TrimSpace(*authToken)))
+	return buildapiclient.New(serverURL, buildapiclient.WithAuthToken(tokenValue))
 }
diff --git a/cmd/caib/main.go b/cmd/caib/main.go
index 90e64f7b..40c52867 100644
--- a/cmd/caib/main.go
+++ b/cmd/caib/main.go
@@ -97,16 +97,28 @@ func createBuildAPIClient(serverURL string, authToken *string) (*buildapiclient.
 
 	// If no explicit token, try OIDC if config is available
 	if !explicitToken {
-		if token, didAuth, err := auth.GetTokenWithReauth(ctx, serverURL, ""); err == nil && token != "" {
+		token, didAuth, err := auth.GetTokenWithReauth(ctx, serverURL, "")
+		if err != nil {
+			// OIDC is configured but failed - don't silently fall back to kubeconfig
+			// This indicates a real authentication failure that should be reported
+			// Falling back could authenticate with an unexpected identity
+			fmt.Printf("Error: OIDC authentication failed: %v\n", err)
+			// Only try kubeconfig as last resort, but warn the user
+			fmt.Println("Attempting kubeconfig fallback (this may use a different identity)")
+			if tok, err := loadTokenFromKubeconfig(); err == nil && strings.TrimSpace(tok) != "" {
+				*authToken = tok
+			} else {
+				// No kubeconfig available either - return error
+				return nil, fmt.Errorf("OIDC authentication failed and no kubeconfig token available: %w", err)
+			}
+		} else if token != "" {
+			// OIDC succeeded
 			*authToken = token
 			if didAuth {
 				fmt.Println("OIDC authentication successful")
 			}
-		} else if err != nil {
-			if tok, err := loadTokenFromKubeconfig(); err == nil && strings.TrimSpace(tok) != "" {
-				*authToken = tok
-			}
 		} else {
+			// OIDC not configured (no error, no token) - safe to fall back to kubeconfig
 			if tok, err := loadTokenFromKubeconfig(); err == nil && strings.TrimSpace(tok) != "" {
 				*authToken = tok
 			}
diff --git a/internal/buildapi/client/client.go b/internal/buildapi/client/client.go
index 0528c4d2..8761eaf3 100644
--- a/internal/buildapi/client/client.go
+++ b/internal/buildapi/client/client.go
@@ -58,9 +58,10 @@ func WithAuthToken(t string) Option { return func(c *Client) { c.authToken = t }
 func WithInsecureTLS() Option {
 	return func(c *Client) {
 		if c.httpClient.Transport == nil {
-			c.httpClient.Transport = &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			}
+			// Clone default transport to preserve proxy, HTTP/2, connection pooling, and timeout settings
+			transport := http.DefaultTransport.(*http.Transport).Clone()
+			transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+			c.httpClient.Transport = transport
 		} else if transport, ok := c.httpClient.Transport.(*http.Transport); ok {
 			if transport.TLSClientConfig == nil {
 				transport.TLSClientConfig = &tls.Config{}
@@ -84,11 +85,12 @@ func WithCACertificate(caCertPath string) Option {
 			return
 		}
 		if c.httpClient.Transport == nil {
-			c.httpClient.Transport = &http.Transport{
-				TLSClientConfig: &tls.Config{
-					RootCAs: caCertPool,
-				},
+			// Clone default transport to preserve proxy, HTTP/2, connection pooling, and timeout settings
+			transport := http.DefaultTransport.(*http.Transport).Clone()
+			transport.TLSClientConfig = &tls.Config{
+				RootCAs: caCertPool,
 			}
+			c.httpClient.Transport = transport
 		} else if transport, ok := c.httpClient.Transport.(*http.Transport); ok {
 			if transport.TLSClientConfig == nil {
 				transport.TLSClientConfig = &tls.Config{}
diff --git a/internal/buildapi/internal_jwt.go b/internal/buildapi/internal_jwt.go
index f47ef36b..49e92676 100644
--- a/internal/buildapi/internal_jwt.go
+++ b/internal/buildapi/internal_jwt.go
@@ -35,6 +35,11 @@ func loadInternalJWTConfig() (*internalJWTConfig, error) {
 }
 
 func validateInternalJWT(tokenString string, cfg *internalJWTConfig) (string, bool) {
+	// Defensive nil check (function is currently always called after nil check, but safe to guard)
+	if cfg == nil {
+		return "", false
+	}
+
 	claims := &jwt.RegisteredClaims{}
 	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (any, error) {
 		if token.Method != jwt.SigningMethodHS256 {
@@ -60,6 +65,11 @@ func validateInternalJWT(tokenString string, cfg *internalJWTConfig) (string, bo
 		return "", false
 	}
 
+	// Reject tokens with empty subject - they don't represent a valid authenticated identity
+	if claims.Subject == "" {
+		return "", false
+	}
+
 	return claims.Subject, true
 }
 
diff --git a/internal/buildapi/server.go b/internal/buildapi/server.go
index c2fc1591..60cc4942 100644
--- a/internal/buildapi/server.go
+++ b/internal/buildapi/server.go
@@ -1761,7 +1761,6 @@ func extractBearerToken(c *gin.Context) string {
 	return strings.TrimSpace(token)
 }
 
-
 func (a *APIServer) resolveRequester(c *gin.Context) string {
 	if v, ok := c.Get("requester"); ok {
 		if username, ok := v.(string); ok && username != "" {

From 3c3e58850408031e929c402bb0dec8726b98620b Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev <bkhizgiy@redhat.com>
Date: Wed, 28 Jan 2026 16:23:21 +0200
Subject: [PATCH 05/10] Add test coverage for OIDC integration

Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com>
---
 cmd/caib/auth/config_test.go            | 263 ++++++++++++++++++++++++
 cmd/caib/auth/suite_test.go             |  13 ++
 cmd/caib/auth/wrapper_test.go           |  43 ++++
 internal/buildapi/client/client_test.go | 129 ++++++++++++
 internal/buildapi/internal_jwt_test.go  | 160 ++++++++++++++
 test/e2e/e2e_test.go                    | 104 ++++++++++
 6 files changed, 712 insertions(+)
 create mode 100644 cmd/caib/auth/config_test.go
 create mode 100644 cmd/caib/auth/suite_test.go
 create mode 100644 cmd/caib/auth/wrapper_test.go
 create mode 100644 internal/buildapi/client/client_test.go
 create mode 100644 internal/buildapi/internal_jwt_test.go

diff --git a/cmd/caib/auth/config_test.go b/cmd/caib/auth/config_test.go
new file mode 100644
index 00000000..7869f7d2
--- /dev/null
+++ b/cmd/caib/auth/config_test.go
@@ -0,0 +1,263 @@
+package auth
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+
+	. "github.com/onsi/ginkgo/v2" //nolint:revive
+	. "github.com/onsi/gomega"    //nolint:revive
+)
+
+var _ = Describe("GetOIDCConfigFromAPI", func() {
+	var server *httptest.Server
+	var originalEnv string
+
+	BeforeEach(func() {
+		originalEnv = os.Getenv("CAIB_INSECURE_TLS")
+		_ = os.Unsetenv("CAIB_INSECURE_TLS")
+	})
+
+	AfterEach(func() {
+		if server != nil {
+			server.Close()
+		}
+		if originalEnv != "" {
+			_ = os.Setenv("CAIB_INSECURE_TLS", originalEnv)
+		} else {
+			_ = os.Unsetenv("CAIB_INSECURE_TLS")
+		}
+	})
+
+	It("should return config when API returns valid OIDC configuration", func() {
+		server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			Expect(r.URL.Path).To(Equal("/v1/auth/config"))
+			response := map[string]interface{}{
+				"clientId": "test-client",
+				"jwt": []map[string]interface{}{
+					{
+						"issuer": map[string]interface{}{
+							"url":       "https://issuer.example.com",
+							"audiences": []string{"audience1"},
+						},
+						"claimMappings": map[string]interface{}{
+							"username": map[string]interface{}{
+								"claim": "preferred_username",
+							},
+						},
+					},
+				},
+			}
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(response)
+		}))
+
+		config, err := GetOIDCConfigFromAPI(server.URL)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(config).NotTo(BeNil())
+		Expect(config.IssuerURL).To(Equal("https://issuer.example.com"))
+		Expect(config.ClientID).To(Equal("test-client"))
+		Expect(config.Scopes).To(Equal([]string{"openid", "profile", "email"}))
+	})
+
+	It("should return nil config without error when API returns 404", func() {
+		server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			w.WriteHeader(http.StatusNotFound)
+		}))
+
+		config, err := GetOIDCConfigFromAPI(server.URL)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(config).To(BeNil())
+	})
+
+	It("should return error when API returns non-200 status", func() {
+		server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			w.WriteHeader(http.StatusInternalServerError)
+		}))
+
+		config, err := GetOIDCConfigFromAPI(server.URL)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("HTTP 500"))
+		Expect(config).To(BeNil())
+	})
+
+	It("should return error when API returns empty JWT array", func() {
+		server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			response := map[string]interface{}{
+				"clientId": "test-client",
+				"jwt":      []interface{}{},
+			}
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(response)
+		}))
+
+		config, err := GetOIDCConfigFromAPI(server.URL)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(config).To(BeNil())
+	})
+
+	It("should return error when client ID is missing", func() {
+		server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			response := map[string]interface{}{
+				"clientId": "",
+				"jwt": []map[string]interface{}{
+					{
+						"issuer": map[string]interface{}{
+							"url": "https://issuer.example.com",
+						},
+					},
+				},
+			}
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(response)
+		}))
+
+		config, err := GetOIDCConfigFromAPI(server.URL)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("client ID is required"))
+		Expect(config).To(BeNil())
+	})
+
+	It("should return error when network request fails", func() {
+		config, err := GetOIDCConfigFromAPI("http://invalid-host-that-does-not-exist:9999")
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("failed to fetch OIDC config from API"))
+		Expect(config).To(BeNil())
+	})
+
+	It("should return error when response is invalid JSON", func() {
+		server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+			_, _ = w.Write([]byte("invalid json"))
+		}))
+
+		config, err := GetOIDCConfigFromAPI(server.URL)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("failed to decode"))
+		Expect(config).To(BeNil())
+	})
+})
+
+var _ = Describe("GetOIDCConfigFromLocalConfig", func() {
+	var tempDir string
+	var originalHome string
+
+	BeforeEach(func() {
+		var err error
+		tempDir, err = os.MkdirTemp("", "caib-test-*")
+		Expect(err).NotTo(HaveOccurred())
+
+		originalHome = os.Getenv("HOME")
+		_ = os.Setenv("HOME", tempDir)
+	})
+
+	AfterEach(func() {
+		if originalHome != "" {
+			_ = os.Setenv("HOME", originalHome)
+		}
+		_ = os.RemoveAll(tempDir)
+	})
+
+	It("should read config from local file", func() {
+		configDir := filepath.Join(tempDir, tokenCacheDir)
+		Expect(os.MkdirAll(configDir, 0700)).To(Succeed())
+
+		configData := map[string]interface{}{
+			"issuer_url": "https://issuer.example.com",
+			"client_id":  "test-client",
+			"scopes":     []string{"openid", "profile"},
+		}
+		data, err := json.Marshal(configData)
+		Expect(err).NotTo(HaveOccurred())
+
+		configPath := filepath.Join(configDir, "config.json")
+		Expect(os.WriteFile(configPath, data, 0600)).To(Succeed())
+
+		config, err := GetOIDCConfigFromLocalConfig()
+		Expect(err).NotTo(HaveOccurred())
+		Expect(config).NotTo(BeNil())
+		Expect(config.IssuerURL).To(Equal("https://issuer.example.com"))
+		Expect(config.ClientID).To(Equal("test-client"))
+		Expect(config.Scopes).To(Equal([]string{"openid", "profile"}))
+	})
+
+	It("should return error when file does not exist", func() {
+		config, err := GetOIDCConfigFromLocalConfig()
+		Expect(err).To(HaveOccurred())
+		Expect(config).To(BeNil())
+	})
+
+	It("should return error when config is invalid", func() {
+		configDir := filepath.Join(tempDir, tokenCacheDir)
+		Expect(os.MkdirAll(configDir, 0700)).To(Succeed())
+
+		configPath := filepath.Join(configDir, "config.json")
+		Expect(os.WriteFile(configPath, []byte("invalid json"), 0600)).To(Succeed())
+
+		config, err := GetOIDCConfigFromLocalConfig()
+		Expect(err).To(HaveOccurred())
+		Expect(config).To(BeNil())
+	})
+
+	It("should return error when issuer_url is missing", func() {
+		configDir := filepath.Join(tempDir, tokenCacheDir)
+		Expect(os.MkdirAll(configDir, 0700)).To(Succeed())
+
+		configData := map[string]interface{}{
+			"client_id": "test-client",
+		}
+		data, err := json.Marshal(configData)
+		Expect(err).NotTo(HaveOccurred())
+
+		configPath := filepath.Join(configDir, "config.json")
+		Expect(os.WriteFile(configPath, data, 0600)).To(Succeed())
+
+		config, err := GetOIDCConfigFromLocalConfig()
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("issuer_url and client_id required"))
+		Expect(config).To(BeNil())
+	})
+})
+
+var _ = Describe("SaveOIDCConfig", func() {
+	var tempDir string
+	var originalHome string
+
+	BeforeEach(func() {
+		var err error
+		tempDir, err = os.MkdirTemp("", "caib-test-*")
+		Expect(err).NotTo(HaveOccurred())
+
+		originalHome = os.Getenv("HOME")
+		_ = os.Setenv("HOME", tempDir)
+	})
+
+	AfterEach(func() {
+		if originalHome != "" {
+			_ = os.Setenv("HOME", originalHome)
+		}
+		_ = os.RemoveAll(tempDir)
+	})
+
+	It("should save config to local file", func() {
+		config := &OIDCConfig{
+			IssuerURL: "https://issuer.example.com",
+			ClientID:  "test-client",
+			Scopes:    []string{"openid", "profile"},
+		}
+
+		err := SaveOIDCConfig(config)
+		Expect(err).NotTo(HaveOccurred())
+
+		configPath := filepath.Join(tempDir, tokenCacheDir, "config.json")
+		data, err := os.ReadFile(configPath)
+		Expect(err).NotTo(HaveOccurred())
+
+		var savedConfig map[string]interface{}
+		Expect(json.Unmarshal(data, &savedConfig)).To(Succeed())
+		Expect(savedConfig["issuer_url"]).To(Equal("https://issuer.example.com"))
+		Expect(savedConfig["client_id"]).To(Equal("test-client"))
+	})
+})
diff --git a/cmd/caib/auth/suite_test.go b/cmd/caib/auth/suite_test.go
new file mode 100644
index 00000000..aea7c854
--- /dev/null
+++ b/cmd/caib/auth/suite_test.go
@@ -0,0 +1,13 @@
+package auth
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2" //nolint:revive
+	. "github.com/onsi/gomega"    //nolint:revive
+)
+
+func TestAuth(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Auth Suite")
+}
diff --git a/cmd/caib/auth/wrapper_test.go b/cmd/caib/auth/wrapper_test.go
new file mode 100644
index 00000000..8f164d53
--- /dev/null
+++ b/cmd/caib/auth/wrapper_test.go
@@ -0,0 +1,43 @@
+package auth
+
+import (
+	"context"
+
+	. "github.com/onsi/ginkgo/v2" //nolint:revive
+	. "github.com/onsi/gomega"    //nolint:revive
+)
+
+var _ = Describe("CreateClientWithReauth", func() {
+	It("should handle nil authToken pointer safely", func() {
+		ctx := context.Background()
+		client, err := CreateClientWithReauth(ctx, "https://api.example.com", nil)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(client).NotTo(BeNil())
+	})
+
+	It("should create client with empty token when authToken is empty string", func() {
+		ctx := context.Background()
+		emptyToken := ""
+		client, err := CreateClientWithReauth(ctx, "https://api.example.com", &emptyToken)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(client).NotTo(BeNil())
+	})
+
+	It("should create client with provided token", func() {
+		ctx := context.Background()
+		token := "test-token"
+		client, err := CreateClientWithReauth(ctx, "https://api.example.com", &token)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(client).NotTo(BeNil())
+	})
+
+	It("should handle OIDC errors gracefully and still create client", func() {
+		ctx := context.Background()
+		emptyToken := ""
+		// Use invalid server URL to trigger OIDC error
+		client, err := CreateClientWithReauth(ctx, "http://invalid-server:9999", &emptyToken)
+		// Should still create client even if OIDC fails (auth is optional)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(client).NotTo(BeNil())
+	})
+})
diff --git a/internal/buildapi/client/client_test.go b/internal/buildapi/client/client_test.go
new file mode 100644
index 00000000..236a4e78
--- /dev/null
+++ b/internal/buildapi/client/client_test.go
@@ -0,0 +1,129 @@
+package client
+
+import (
+	"net/http"
+	"os"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2" //nolint:revive
+	. "github.com/onsi/gomega"    //nolint:revive
+)
+
+func TestClient(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Client Suite")
+}
+
+var _ = Describe("WithInsecureTLS", func() {
+	It("should preserve default transport settings when cloning", func() {
+		client, err := New("https://api.example.com", WithInsecureTLS())
+		Expect(err).NotTo(HaveOccurred())
+		Expect(client).NotTo(BeNil())
+
+		transport, ok := client.httpClient.Transport.(*http.Transport)
+		Expect(ok).To(BeTrue())
+		Expect(transport).NotTo(BeNil())
+		Expect(transport.TLSClientConfig).NotTo(BeNil())
+		Expect(transport.TLSClientConfig.InsecureSkipVerify).To(BeTrue())
+
+		// Verify that default transport settings are preserved
+		// (proxy, HTTP/2, connection pooling should be inherited)
+		// Note: We can't compare function pointers directly, but we verify
+		// that the transport was cloned (not nil) and TLS config is set
+		Expect(transport.Proxy).NotTo(BeNil())
+		Expect(transport.DialContext).NotTo(BeNil())
+	})
+
+	It("should update existing transport TLS config", func() {
+		existingTransport := &http.Transport{}
+		existingClient := &http.Client{
+			Transport: existingTransport,
+		}
+
+		client, err := New("https://api.example.com", WithHTTPClient(existingClient), WithInsecureTLS())
+		Expect(err).NotTo(HaveOccurred())
+		Expect(client).NotTo(BeNil())
+
+		transport, ok := client.httpClient.Transport.(*http.Transport)
+		Expect(ok).To(BeTrue())
+		Expect(transport.TLSClientConfig).NotTo(BeNil())
+		Expect(transport.TLSClientConfig.InsecureSkipVerify).To(BeTrue())
+	})
+})
+
+var _ = Describe("WithCACertificate", func() {
+	var tempCertFile string
+
+	BeforeEach(func() {
+		// Create a temporary CA certificate file (PEM format)
+		tempFile, err := os.CreateTemp("", "test-ca-*.pem")
+		Expect(err).NotTo(HaveOccurred())
+		tempCertFile = tempFile.Name()
+
+		// Write a minimal valid PEM certificate (this is just for testing the file reading logic)
+		// This is a self-signed certificate in valid PEM format
+		certData := `-----BEGIN CERTIFICATE-----
+MIIBkTCB+wIJAKH4hJ8v5qQkMA0GCSqGSIb3DQEBCwUAMCExHzAdBgNVBAoM
+Fk15IE9yZ2FuaXphdGlvbiBJbmMuMRMwEQYDVQQDDApNeSBDQSBOYW1lMB4X
+DTIwMDEwMTAwMDAwMFoXDTI1MDEwMTAwMDAwMFowITEfMB0GA1UECgwWTXkg
+T3JnYW5pemF0aW9uIEluYy4xEzARBgNVBAMMCk15IENBIE5hbWUwWTATBgcq
+hkjOPQIBBggqhkjOPQMBBwNCAATestExample123456789012345678901234
+56789012345678901234567890123456789012345678901234567890
+-----END CERTIFICATE-----`
+		_, err = tempFile.WriteString(certData)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(tempFile.Close()).To(Succeed())
+	})
+
+	AfterEach(func() {
+		if tempCertFile != "" {
+			_ = os.Remove(tempCertFile)
+		}
+	})
+
+	It("should preserve default transport settings when cloning", func() {
+		client, err := New("https://api.example.com", WithCACertificate(tempCertFile))
+		Expect(err).NotTo(HaveOccurred())
+		Expect(client).NotTo(BeNil())
+
+		// If certificate parsing succeeds, verify transport is set up correctly
+		// If it fails (invalid cert), the function gracefully skips (uses system CAs)
+		// Both behaviors are valid
+		transport, ok := client.httpClient.Transport.(*http.Transport)
+		if ok && transport != nil {
+			// Certificate was parsed successfully, verify TLS config
+			Expect(transport.TLSClientConfig).NotTo(BeNil())
+			if transport.TLSClientConfig.RootCAs != nil {
+				// Verify that default transport settings are preserved
+				// Note: We can't compare function pointers directly, but we verify
+				// that the transport was cloned (not nil) and TLS config is set
+				Expect(transport.Proxy).NotTo(BeNil())
+				Expect(transport.DialContext).NotTo(BeNil())
+			}
+		}
+		// If transport is nil or not *http.Transport, that's also valid
+		// (certificate parsing failed, will use system CAs via default transport)
+	})
+
+	It("should handle non-existent certificate file gracefully", func() {
+		client, err := New("https://api.example.com", WithCACertificate("/non/existent/file.pem"))
+		Expect(err).NotTo(HaveOccurred())
+		Expect(client).NotTo(BeNil())
+		// Should not fail, just skip CA cert configuration
+	})
+
+	It("should handle invalid certificate file gracefully", func() {
+		invalidFile, err := os.CreateTemp("", "invalid-*.pem")
+		Expect(err).NotTo(HaveOccurred())
+		_, err = invalidFile.WriteString("invalid certificate data")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(invalidFile.Close()).To(Succeed())
+
+		client, err := New("https://api.example.com", WithCACertificate(invalidFile.Name()))
+		Expect(err).NotTo(HaveOccurred())
+		Expect(client).NotTo(BeNil())
+		// Should not fail, just skip CA cert configuration
+
+		_ = os.Remove(invalidFile.Name())
+	})
+})
diff --git a/internal/buildapi/internal_jwt_test.go b/internal/buildapi/internal_jwt_test.go
new file mode 100644
index 00000000..f2c7b4c3
--- /dev/null
+++ b/internal/buildapi/internal_jwt_test.go
@@ -0,0 +1,160 @@
+package buildapi
+
+import (
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	. "github.com/onsi/ginkgo/v2" //nolint:revive
+	. "github.com/onsi/gomega"    //nolint:revive
+)
+
+func TestInternalJWT(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Internal JWT Suite")
+}
+
+var _ = Describe("validateInternalJWT", func() {
+	var cfg *internalJWTConfig
+	var key []byte
+
+	BeforeEach(func() {
+		key = []byte("test-secret-key-32-bytes-long!")
+		cfg = &internalJWTConfig{
+			issuer:   "test-issuer",
+			audience: "test-audience",
+			key:      key,
+		}
+	})
+
+	It("should reject nil config", func() {
+		token := "dummy-token"
+		subject, valid := validateInternalJWT(token, nil)
+		Expect(valid).To(BeFalse())
+		Expect(subject).To(BeEmpty())
+	})
+
+	It("should reject token with empty subject", func() {
+		claims := jwt.RegisteredClaims{
+			Issuer:   "test-issuer",
+			Audience: jwt.ClaimStrings{"test-audience"},
+			Subject:  "", // Empty subject
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
+		}
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+		tokenString, err := token.SignedString(key)
+		Expect(err).NotTo(HaveOccurred())
+
+		subject, valid := validateInternalJWT(tokenString, cfg)
+		Expect(valid).To(BeFalse())
+		Expect(subject).To(BeEmpty())
+	})
+
+	It("should accept valid token with non-empty subject", func() {
+		claims := jwt.RegisteredClaims{
+			Issuer:   "test-issuer",
+			Audience: jwt.ClaimStrings{"test-audience"},
+			Subject:  "test-user",
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
+		}
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+		tokenString, err := token.SignedString(key)
+		Expect(err).NotTo(HaveOccurred())
+
+		subject, valid := validateInternalJWT(tokenString, cfg)
+		Expect(valid).To(BeTrue())
+		Expect(subject).To(Equal("test-user"))
+	})
+
+	It("should reject token with wrong issuer", func() {
+		claims := jwt.RegisteredClaims{
+			Issuer:   "wrong-issuer",
+			Audience: jwt.ClaimStrings{"test-audience"},
+			Subject:  "test-user",
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
+		}
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+		tokenString, err := token.SignedString(key)
+		Expect(err).NotTo(HaveOccurred())
+
+		subject, valid := validateInternalJWT(tokenString, cfg)
+		Expect(valid).To(BeFalse())
+		Expect(subject).To(BeEmpty())
+	})
+
+	It("should reject token with wrong audience", func() {
+		claims := jwt.RegisteredClaims{
+			Issuer:   "test-issuer",
+			Audience: jwt.ClaimStrings{"wrong-audience"},
+			Subject:  "test-user",
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
+		}
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+		tokenString, err := token.SignedString(key)
+		Expect(err).NotTo(HaveOccurred())
+
+		subject, valid := validateInternalJWT(tokenString, cfg)
+		Expect(valid).To(BeFalse())
+		Expect(subject).To(BeEmpty())
+	})
+
+	It("should reject expired token", func() {
+		claims := jwt.RegisteredClaims{
+			Issuer:   "test-issuer",
+			Audience: jwt.ClaimStrings{"test-audience"},
+			Subject:  "test-user",
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(-time.Hour)),
+		}
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+		tokenString, err := token.SignedString(key)
+		Expect(err).NotTo(HaveOccurred())
+
+		subject, valid := validateInternalJWT(tokenString, cfg)
+		Expect(valid).To(BeFalse())
+		Expect(subject).To(BeEmpty())
+	})
+
+	It("should reject token used before NotBefore time", func() {
+		claims := jwt.RegisteredClaims{
+			Issuer:    "test-issuer",
+			Audience:  jwt.ClaimStrings{"test-audience"},
+			Subject:   "test-user",
+			NotBefore: jwt.NewNumericDate(time.Now().Add(time.Hour)),
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(2 * time.Hour)),
+		}
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+		tokenString, err := token.SignedString(key)
+		Expect(err).NotTo(HaveOccurred())
+
+		subject, valid := validateInternalJWT(tokenString, cfg)
+		Expect(valid).To(BeFalse())
+		Expect(subject).To(BeEmpty())
+	})
+
+	It("should reject token with invalid signature", func() {
+		wrongKey := []byte("wrong-secret-key-32-bytes-long!")
+		claims := jwt.RegisteredClaims{
+			Issuer:   "test-issuer",
+			Audience: jwt.ClaimStrings{"test-audience"},
+			Subject:  "test-user",
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
+		}
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+		tokenString, err := token.SignedString(wrongKey)
+		Expect(err).NotTo(HaveOccurred())
+
+		subject, valid := validateInternalJWT(tokenString, cfg)
+		Expect(valid).To(BeFalse())
+		Expect(subject).To(BeEmpty())
+	})
+
+	It("should reject token with wrong signing method", func() {
+		// Test with an invalid token string (wrong signing method)
+		// This will fail validation since it doesn't match the expected HS256 method
+		tokenString := "invalid.token.string"
+
+		subject, valid := validateInternalJWT(tokenString, cfg)
+		Expect(valid).To(BeFalse())
+		Expect(subject).To(BeEmpty())
+	})
+})
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index 882b5053..6bc070a0 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -330,3 +330,107 @@ func containsMiddle(s, substr string) bool {
 	}
 	return false
 }
+
+var _ = Describe("OIDC Authentication", Ordered, func() {
+	BeforeAll(func() {
+		By("creating manager namespace")
+		cmd := exec.Command("kubectl", "create", "ns", namespace)
+		_, _ = utils.Run(cmd)
+	})
+
+	AfterAll(func() {
+		By("removing manager namespace")
+		cmd := exec.Command("kubectl", "delete", "ns", namespace, "--timeout=60s")
+		_, _ = utils.Run(cmd)
+	})
+
+	Context("Build API OIDC Configuration", func() {
+		It("should return 404 when OIDC is not configured", func() {
+			By("getting Build API route")
+			cmd := exec.Command("kubectl", "get", "route", "ado-build-api",
+				"-n", namespace, "-o", "jsonpath={.spec.host}")
+			output, err := utils.Run(cmd)
+			if err != nil {
+				Skip("Build API route not found - OIDC tests require Build API to be deployed")
+			}
+			apiURL := "https://" + strings.TrimSpace(string(output))
+
+			By("checking /v1/auth/config endpoint returns 404 when OIDC not configured")
+			cmd = exec.Command("curl", "-k", "-s", "-o", "/dev/null", "-w", "%{http_code}",
+				apiURL+"/v1/auth/config")
+			output, err = utils.Run(cmd)
+			Expect(err).NotTo(HaveOccurred())
+			// Should return 404 or 200 with empty JWT array
+			statusCode := strings.TrimSpace(string(output))
+			Expect(statusCode).To(Or(Equal("404"), Equal("200")))
+		})
+
+		It("should handle OIDC configuration when provided", func() {
+			By("creating OIDC ConfigMap")
+			oidcConfigYAML := `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ado-build-api-authentication
+  namespace: automotive-dev-operator-system
+data:
+  authentication.yaml: |
+    apiVersion: apiserver.config.k8s.io/v1beta1
+    kind: AuthenticationConfiguration
+    jwt:
+      - issuer:
+          url: https://issuer.example.com
+          audiences:
+            - test-audience
+        claimMappings:
+          username:
+            claim: preferred_username
+            prefix: ""
+    clientId: test-client-id
+`
+			cmd := exec.Command("kubectl", "apply", "-f", "-")
+			cmd.Stdin = strings.NewReader(oidcConfigYAML)
+			_, err := utils.Run(cmd)
+			ExpectWithOffset(1, err).NotTo(HaveOccurred())
+
+			By("waiting for Build API to reload configuration")
+			time.Sleep(5 * time.Second)
+
+			By("checking /v1/auth/config endpoint returns OIDC config")
+			cmd = exec.Command("kubectl", "get", "route", "ado-build-api",
+				"-n", namespace, "-o", "jsonpath={.spec.host}")
+			output, err := utils.Run(cmd)
+			if err != nil {
+				Skip("Build API route not found")
+			}
+			apiURL := "https://" + strings.TrimSpace(string(output))
+
+			cmd = exec.Command("curl", "-k", "-s", apiURL+"/v1/auth/config")
+			output, err = utils.Run(cmd)
+			Expect(err).NotTo(HaveOccurred())
+			response := string(output)
+			Expect(response).To(ContainSubstring("jwt"))
+			Expect(response).To(ContainSubstring("clientId"))
+
+			By("cleaning up OIDC ConfigMap")
+			cmd = exec.Command("kubectl", "delete", "configmap", "ado-build-api-authentication",
+				"-n", namespace, "--ignore-not-found=true")
+			_, _ = utils.Run(cmd)
+		})
+	})
+
+	Context("Internal JWT Validation", func() {
+		It("should reject tokens with empty subject", func() {
+			// This is tested via unit tests, but we verify the Build API
+			// properly validates internal JWTs in e2e context
+			By("verifying Build API pod is running")
+			cmd := exec.Command("kubectl", "get", "pod", "-l", "app=ado-build-api",
+				"-n", namespace, "-o", "jsonpath={.items[0].status.phase}")
+			output, err := utils.Run(cmd)
+			if err != nil {
+				Skip("Build API pod not found")
+			}
+			Expect(strings.TrimSpace(string(output))).To(Equal("Running"))
+		})
+	})
+})

From b7200fc7fd83d58f5b1ad50337c557b79d5ea957 Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev <bkhizgiy@redhat.com>
Date: Wed, 28 Jan 2026 20:47:57 +0200
Subject: [PATCH 06/10] Add OIDC operatorconfig info

Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com>
---
 api/v1alpha1/operatorconfig_types.go          |  28 ++
 api/v1alpha1/zz_generated.deepcopy.go         |  50 ++-
 ....sdv.cloud.redhat.com_operatorconfigs.yaml | 347 ++++++++++++++++++
 cmd/caib/auth/config.go                       |   7 +-
 cmd/caib/auth/config_test.go                  |  11 -
 ....sdv.cloud.redhat.com_operatorconfigs.yaml | 347 ++++++++++++++++++
 .../samples/automotive_v1_operatorconfig.yaml |  22 +-
 internal/buildapi/auth_config.go              |  49 ++-
 internal/buildapi/integration_test.go         |   7 +-
 internal/buildapi/internal_jwt_test.go        |  42 +--
 internal/buildapi/server.go                   |  92 +++--
 .../controller/operatorconfig/controller.go   |  26 +-
 .../controller/operatorconfig/resources.go    |  50 +--
 .../operatorconfig/resources_test.go          |  38 ++
 test/e2e/e2e_test.go                          |  97 +++--
 15 files changed, 1027 insertions(+), 186 deletions(-)
 create mode 100644 internal/controller/operatorconfig/resources_test.go

diff --git a/api/v1alpha1/operatorconfig_types.go b/api/v1alpha1/operatorconfig_types.go
index f00547e0..0680ae7f 100644
--- a/api/v1alpha1/operatorconfig_types.go
+++ b/api/v1alpha1/operatorconfig_types.go
@@ -19,6 +19,7 @@ package v1alpha1
 import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	apiserverv1beta1 "k8s.io/apiserver/pkg/apis/apiserver/v1beta1"
 )
 
 // BuildConfig defines configuration options for build operations
@@ -98,6 +99,33 @@ type BuildAPIConfig struct {
 	// Default: 120 (2 hours)
 	// +optional
 	MaxLogStreamDurationMinutes int32 `json:"maxLogStreamDurationMinutes,omitempty"`
+
+	// Authentication configuration for the Build API server.
+	// +optional
+	Authentication *AuthenticationConfig `json:"authentication,omitempty"`
+}
+
+// AuthenticationConfig defines authentication methods for the Build API.
+type AuthenticationConfig struct {
+	// Internal authentication configuration.
+	// +optional
+	Internal *InternalAuthConfig `json:"internal,omitempty"`
+
+	// JWT authentication configuration for OIDC providers.
+	// +optional
+	JWT []apiserverv1beta1.JWTAuthenticator `json:"jwt,omitempty"`
+
+	// OIDC client ID for caib CLI.
+	// +optional
+	ClientID string `json:"clientId,omitempty"`
+}
+
+// InternalAuthConfig defines the built-in authentication configuration.
+type InternalAuthConfig struct {
+	// Prefix to add to the subject claim of issued tokens.
+	// +kubebuilder:default="internal:"
+	// +optional
+	Prefix string `json:"prefix,omitempty"`
 }
 
 // OperatorConfigSpec defines the desired state of OperatorConfig
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 91ce1bb8..a1ab4ee9 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -24,6 +24,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/apis/apiserver/v1beta1"
 )
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -71,9 +72,41 @@ func (in *AuthSecretReference) DeepCopy() *AuthSecretReference {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthenticationConfig) DeepCopyInto(out *AuthenticationConfig) {
+	*out = *in
+	if in.Internal != nil {
+		in, out := &in.Internal, &out.Internal
+		*out = new(InternalAuthConfig)
+		**out = **in
+	}
+	if in.JWT != nil {
+		in, out := &in.JWT, &out.JWT
+		*out = make([]v1beta1.JWTAuthenticator, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationConfig.
+func (in *AuthenticationConfig) DeepCopy() *AuthenticationConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(AuthenticationConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BuildAPIConfig) DeepCopyInto(out *BuildAPIConfig) {
 	*out = *in
+	if in.Authentication != nil {
+		in, out := &in.Authentication, &out.Authentication
+		*out = new(AuthenticationConfig)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BuildAPIConfig.
@@ -637,6 +670,21 @@ func (in *ImageStatus) DeepCopy() *ImageStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InternalAuthConfig) DeepCopyInto(out *InternalAuthConfig) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InternalAuthConfig.
+func (in *InternalAuthConfig) DeepCopy() *InternalAuthConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(InternalAuthConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JumpstarterConfig) DeepCopyInto(out *JumpstarterConfig) {
 	*out = *in
@@ -773,7 +821,7 @@ func (in *OperatorConfigSpec) DeepCopyInto(out *OperatorConfigSpec) {
 	if in.BuildAPI != nil {
 		in, out := &in.BuildAPI, &out.BuildAPI
 		*out = new(BuildAPIConfig)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.Jumpstarter != nil {
 		in, out := &in.Jumpstarter, &out.Jumpstarter
diff --git a/bundle/manifests/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml b/bundle/manifests/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml
index 7cbc946a..a48e7fc3 100644
--- a/bundle/manifests/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml
+++ b/bundle/manifests/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml
@@ -52,6 +52,353 @@ spec:
               buildAPI:
                 description: BuildAPI defines configuration for the Build API server
                 properties:
+                  authentication:
+                    description: Authentication configuration for the Build API server.
+                    properties:
+                      clientId:
+                        description: OIDC client ID for caib CLI.
+                        type: string
+                      internal:
+                        description: Internal authentication configuration.
+                        properties:
+                          prefix:
+                            default: 'internal:'
+                            description: Prefix to add to the subject claim of issued
+                              tokens.
+                            type: string
+                        type: object
+                      jwt:
+                        description: JWT authentication configuration for OIDC providers.
+                        items:
+                          description: JWTAuthenticator provides the configuration
+                            for a single JWT authenticator.
+                          properties:
+                            claimMappings:
+                              description: claimMappings points claims of a token
+                                to be treated as user attributes.
+                              properties:
+                                extra:
+                                  description: |-
+                                    extra represents an option for the extra attribute.
+                                    expression must produce a string or string array value.
+                                    If the value is empty, the extra mapping will not be present.
+
+                                    hard-coded extra key/value
+                                    - key: "foo"
+                                      valueExpression: "'bar'"
+                                    This will result in an extra attribute - foo: ["bar"]
+
+                                    hard-coded key, value copying claim value
+                                    - key: "foo"
+                                      valueExpression: "claims.some_claim"
+                                    This will result in an extra attribute - foo: [value of some_claim]
+
+                                    hard-coded key, value derived from claim value
+                                    - key: "admin"
+                                      valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""'
+                                    This will result in:
+                                     - if is_admin claim is present and true, extra attribute - admin: ["true"]
+                                     - if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added
+                                  items:
+                                    description: ExtraMapping provides the configuration
+                                      for a single extra mapping.
+                                    properties:
+                                      key:
+                                        description: |-
+                                          key is a string to use as the extra attribute key.
+                                          key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
+                                          subdomain as defined by RFC 1123. All characters trailing the first "/" must
+                                          be valid HTTP Path characters as defined by RFC 3986.
+                                          key must be lowercase.
+                                          Required to be unique.
+                                        type: string
+                                      valueExpression:
+                                        description: |-
+                                          valueExpression is a CEL expression to extract extra attribute value.
+                                          valueExpression must produce a string or string array value.
+                                          "", [], and null values are treated as the extra mapping not being present.
+                                          Empty string values contained within a string array are filtered out.
+
+                                          CEL expressions have access to the contents of the token claims, organized into CEL variable:
+                                          - 'claims' is a map of claim names to claim values.
+                                            For example, a variable named 'sub' can be accessed as 'claims.sub'.
+                                            Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+
+                                          Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+                                        type: string
+                                    required:
+                                    - key
+                                    - valueExpression
+                                    type: object
+                                  type: array
+                                groups:
+                                  description: |-
+                                    groups represents an option for the groups attribute.
+                                    The claim's value must be a string or string array claim.
+                                    If groups.claim is set, the prefix must be specified (and can be the empty string).
+                                    If groups.expression is set, the expression must produce a string or string array value.
+                                     "", [], and null values are treated as the group mapping not being present.
+                                  properties:
+                                    claim:
+                                      description: |-
+                                        claim is the JWT claim to use.
+                                        Mutually exclusive with expression.
+                                      type: string
+                                    expression:
+                                      description: |-
+                                        expression represents the expression which will be evaluated by CEL.
+
+                                        CEL expressions have access to the contents of the token claims, organized into CEL variable:
+                                        - 'claims' is a map of claim names to claim values.
+                                          For example, a variable named 'sub' can be accessed as 'claims.sub'.
+                                          Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+
+                                        Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+                                        Mutually exclusive with claim and prefix.
+                                      type: string
+                                    prefix:
+                                      description: |-
+                                        prefix is prepended to claim's value to prevent clashes with existing names.
+                                        prefix needs to be set if claim is set and can be the empty string.
+                                        Mutually exclusive with expression.
+                                      type: string
+                                  type: object
+                                uid:
+                                  description: |-
+                                    uid represents an option for the uid attribute.
+                                    Claim must be a singular string claim.
+                                    If uid.expression is set, the expression must produce a string value.
+                                  properties:
+                                    claim:
+                                      description: |-
+                                        claim is the JWT claim to use.
+                                        Either claim or expression must be set.
+                                        Mutually exclusive with expression.
+                                      type: string
+                                    expression:
+                                      description: |-
+                                        expression represents the expression which will be evaluated by CEL.
+
+                                        CEL expressions have access to the contents of the token claims, organized into CEL variable:
+                                        - 'claims' is a map of claim names to claim values.
+                                          For example, a variable named 'sub' can be accessed as 'claims.sub'.
+                                          Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+
+                                        Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+                                        Mutually exclusive with claim.
+                                      type: string
+                                  type: object
+                                username:
+                                  description: |-
+                                    username represents an option for the username attribute.
+                                    The claim's value must be a singular string.
+                                    Same as the --oidc-username-claim and --oidc-username-prefix flags.
+                                    If username.expression is set, the expression must produce a string value.
+                                    If username.expression uses 'claims.email', then 'claims.email_verified' must be used in
+                                    username.expression or extra[*].valueExpression or claimValidationRules[*].expression.
+                                    An example claim validation rule expression that matches the validation automatically
+                                    applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'. By explicitly comparing
+                                    the value to true, we let type-checking see the result will be a boolean, and to make sure a non-boolean email_verified
+                                    claim will be caught at runtime.
+
+                                    In the flag based approach, the --oidc-username-claim and --oidc-username-prefix are optional. If --oidc-username-claim is not set,
+                                    the default value is "sub". For the authentication config, there is no defaulting for claim or prefix. The claim and prefix must be set explicitly.
+                                    For claim, if --oidc-username-claim was not set with legacy flag approach, configure username.claim="sub" in the authentication config.
+                                    For prefix:
+                                        (1) --oidc-username-prefix="-", no prefix was added to the username. For the same behavior using authentication config,
+                                            set username.prefix=""
+                                        (2) --oidc-username-prefix="" and  --oidc-username-claim != "email", prefix was "<value of --oidc-issuer-url>#". For the same
+                                            behavior using authentication config, set username.prefix="<value of issuer.url>#"
+                                        (3) --oidc-username-prefix="<value>". For the same behavior using authentication config, set username.prefix="<value>"
+                                  properties:
+                                    claim:
+                                      description: |-
+                                        claim is the JWT claim to use.
+                                        Mutually exclusive with expression.
+                                      type: string
+                                    expression:
+                                      description: |-
+                                        expression represents the expression which will be evaluated by CEL.
+
+                                        CEL expressions have access to the contents of the token claims, organized into CEL variable:
+                                        - 'claims' is a map of claim names to claim values.
+                                          For example, a variable named 'sub' can be accessed as 'claims.sub'.
+                                          Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+
+                                        Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+                                        Mutually exclusive with claim and prefix.
+                                      type: string
+                                    prefix:
+                                      description: |-
+                                        prefix is prepended to claim's value to prevent clashes with existing names.
+                                        prefix needs to be set if claim is set and can be the empty string.
+                                        Mutually exclusive with expression.
+                                      type: string
+                                  type: object
+                              required:
+                              - username
+                              type: object
+                            claimValidationRules:
+                              description: claimValidationRules are rules that are
+                                applied to validate token claims to authenticate users.
+                              items:
+                                description: ClaimValidationRule provides the configuration
+                                  for a single claim validation rule.
+                                properties:
+                                  claim:
+                                    description: |-
+                                      claim is the name of a required claim.
+                                      Same as --oidc-required-claim flag.
+                                      Only string claim keys are supported.
+                                      Mutually exclusive with expression and message.
+                                    type: string
+                                  expression:
+                                    description: |-
+                                      expression represents the expression which will be evaluated by CEL.
+                                      Must produce a boolean.
+
+                                      CEL expressions have access to the contents of the token claims, organized into CEL variable:
+                                      - 'claims' is a map of claim names to claim values.
+                                        For example, a variable named 'sub' can be accessed as 'claims.sub'.
+                                        Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+                                      Must return true for the validation to pass.
+
+                                      Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+                                      Mutually exclusive with claim and requiredValue.
+                                    type: string
+                                  message:
+                                    description: |-
+                                      message customizes the returned error message when expression returns false.
+                                      message is a literal string.
+                                      Mutually exclusive with claim and requiredValue.
+                                    type: string
+                                  requiredValue:
+                                    description: |-
+                                      requiredValue is the value of a required claim.
+                                      Same as --oidc-required-claim flag.
+                                      Only string claim values are supported.
+                                      If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string.
+                                      Mutually exclusive with expression and message.
+                                    type: string
+                                type: object
+                              type: array
+                            issuer:
+                              description: issuer contains the basic OIDC provider
+                                connection options.
+                              properties:
+                                audienceMatchPolicy:
+                                  description: |-
+                                    audienceMatchPolicy defines how the "audiences" field is used to match the "aud" claim in the presented JWT.
+                                    Allowed values are:
+                                    1. "MatchAny" when multiple audiences are specified and
+                                    2. empty (or unset) or "MatchAny" when a single audience is specified.
+
+                                    - MatchAny: the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field.
+                                    For example, if "audiences" is ["foo", "bar"], the "aud" claim in the presented JWT must contain either "foo" or "bar" (and may contain both).
+
+                                    - "": The match policy can be empty (or unset) when a single audience is specified in the "audiences" field. The "aud" claim in the presented JWT must contain the single audience (and may contain others).
+
+                                    For more nuanced audience validation, use claimValidationRules.
+                                      example: claimValidationRule[].expression: 'sets.equivalent(claims.aud, ["bar", "foo", "baz"])' to require an exact match.
+                                  type: string
+                                audiences:
+                                  description: |-
+                                    audiences is the set of acceptable audiences the JWT must be issued to.
+                                    At least one of the entries must match the "aud" claim in presented JWTs.
+                                    Same value as the --oidc-client-id flag (though this field supports an array).
+                                    Required to be non-empty.
+                                  items:
+                                    type: string
+                                  type: array
+                                certificateAuthority:
+                                  description: |-
+                                    certificateAuthority contains PEM-encoded certificate authority certificates
+                                    used to validate the connection when fetching discovery information.
+                                    If unset, the system verifier is used.
+                                    Same value as the content of the file referenced by the --oidc-ca-file flag.
+                                  type: string
+                                discoveryURL:
+                                  description: |-
+                                    discoveryURL, if specified, overrides the URL used to fetch discovery
+                                    information instead of using "{url}/.well-known/openid-configuration".
+                                    The exact value specified is used, so "/.well-known/openid-configuration"
+                                    must be included in discoveryURL if needed.
+
+                                    The "issuer" field in the fetched discovery information must match the "issuer.url" field
+                                    in the AuthenticationConfiguration and will be used to validate the "iss" claim in the presented JWT.
+                                    This is for scenarios where the well-known and jwks endpoints are hosted at a different
+                                    location than the issuer (such as locally in the cluster).
+
+                                    Example:
+                                    A discovery url that is exposed using kubernetes service 'oidc' in namespace 'oidc-namespace'
+                                    and discovery information is available at '/.well-known/openid-configuration'.
+                                    discoveryURL: "https://oidc.oidc-namespace/.well-known/openid-configuration"
+                                    certificateAuthority is used to verify the TLS connection and the hostname on the leaf certificate
+                                    must be set to 'oidc.oidc-namespace'.
+
+                                    curl https://oidc.oidc-namespace/.well-known/openid-configuration (.discoveryURL field)
+                                    {
+                                        issuer: "https://oidc.example.com" (.url field)
+                                    }
+
+                                    discoveryURL must be different from url.
+                                    Required to be unique across all JWT authenticators.
+                                    Note that egress selection configuration is not used for this network connection.
+                                  type: string
+                                url:
+                                  description: |-
+                                    url points to the issuer URL in a format https://url or https://url/path.
+                                    This must match the "iss" claim in the presented JWT, and the issuer returned from discovery.
+                                    Same value as the --oidc-issuer-url flag.
+                                    Discovery information is fetched from "{url}/.well-known/openid-configuration" unless overridden by discoveryURL.
+                                    Required to be unique across all JWT authenticators.
+                                    Note that egress selection configuration is not used for this network connection.
+                                  type: string
+                              required:
+                              - audiences
+                              - url
+                              type: object
+                            userValidationRules:
+                              description: |-
+                                userValidationRules are rules that are applied to final user before completing authentication.
+                                These allow invariants to be applied to incoming identities such as preventing the
+                                use of the system: prefix that is commonly used by Kubernetes components.
+                                The validation rules are logically ANDed together and must all return true for the validation to pass.
+                              items:
+                                description: UserValidationRule provides the configuration
+                                  for a single user info validation rule.
+                                properties:
+                                  expression:
+                                    description: |-
+                                      expression represents the expression which will be evaluated by CEL.
+                                      Must return true for the validation to pass.
+
+                                      CEL expressions have access to the contents of UserInfo, organized into CEL variable:
+                                      - 'user' - authentication.k8s.io/v1, Kind=UserInfo object
+                                         Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition.
+                                         API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io
+
+                                      Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+                                    type: string
+                                  message:
+                                    description: |-
+                                      message customizes the returned error message when rule returns false.
+                                      message is a literal string.
+                                    type: string
+                                required:
+                                - expression
+                                type: object
+                              type: array
+                          required:
+                          - claimMappings
+                          - issuer
+                          type: object
+                        type: array
+                    type: object
                   maxLogStreamDurationMinutes:
                     description: |-
                       MaxLogStreamDurationMinutes is the maximum duration for log streaming in minutes
diff --git a/cmd/caib/auth/config.go b/cmd/caib/auth/config.go
index e777c5fc..93ee86ca 100644
--- a/cmd/caib/auth/config.go
+++ b/cmd/caib/auth/config.go
@@ -2,7 +2,6 @@
 package auth
 
 import (
-	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -14,12 +13,8 @@ import (
 
 // GetOIDCConfigFromAPI fetches OIDC configuration from the Build API server.
 func GetOIDCConfigFromAPI(serverURL string) (*OIDCConfig, error) {
-	insecureTLS := strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1"
 	client := &http.Client{
-		Timeout: 10 * time.Second,
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureTLS},
-		},
+		Timeout: 30 * time.Second,
 	}
 
 	configURL := strings.TrimSuffix(serverURL, "/") + "/v1/auth/config"
diff --git a/cmd/caib/auth/config_test.go b/cmd/caib/auth/config_test.go
index 7869f7d2..5619a9a4 100644
--- a/cmd/caib/auth/config_test.go
+++ b/cmd/caib/auth/config_test.go
@@ -13,22 +13,11 @@ import (
 
 var _ = Describe("GetOIDCConfigFromAPI", func() {
 	var server *httptest.Server
-	var originalEnv string
-
-	BeforeEach(func() {
-		originalEnv = os.Getenv("CAIB_INSECURE_TLS")
-		_ = os.Unsetenv("CAIB_INSECURE_TLS")
-	})
 
 	AfterEach(func() {
 		if server != nil {
 			server.Close()
 		}
-		if originalEnv != "" {
-			_ = os.Setenv("CAIB_INSECURE_TLS", originalEnv)
-		} else {
-			_ = os.Unsetenv("CAIB_INSECURE_TLS")
-		}
 	})
 
 	It("should return config when API returns valid OIDC configuration", func() {
diff --git a/config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml b/config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml
index f49a7e30..05344cac 100644
--- a/config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml
+++ b/config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml
@@ -52,6 +52,353 @@ spec:
               buildAPI:
                 description: BuildAPI defines configuration for the Build API server
                 properties:
+                  authentication:
+                    description: Authentication configuration for the Build API server.
+                    properties:
+                      clientId:
+                        description: OIDC client ID for caib CLI.
+                        type: string
+                      internal:
+                        description: Internal authentication configuration.
+                        properties:
+                          prefix:
+                            default: 'internal:'
+                            description: Prefix to add to the subject claim of issued
+                              tokens.
+                            type: string
+                        type: object
+                      jwt:
+                        description: JWT authentication configuration for OIDC providers.
+                        items:
+                          description: JWTAuthenticator provides the configuration
+                            for a single JWT authenticator.
+                          properties:
+                            claimMappings:
+                              description: claimMappings points claims of a token
+                                to be treated as user attributes.
+                              properties:
+                                extra:
+                                  description: |-
+                                    extra represents an option for the extra attribute.
+                                    expression must produce a string or string array value.
+                                    If the value is empty, the extra mapping will not be present.
+
+                                    hard-coded extra key/value
+                                    - key: "foo"
+                                      valueExpression: "'bar'"
+                                    This will result in an extra attribute - foo: ["bar"]
+
+                                    hard-coded key, value copying claim value
+                                    - key: "foo"
+                                      valueExpression: "claims.some_claim"
+                                    This will result in an extra attribute - foo: [value of some_claim]
+
+                                    hard-coded key, value derived from claim value
+                                    - key: "admin"
+                                      valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""'
+                                    This will result in:
+                                     - if is_admin claim is present and true, extra attribute - admin: ["true"]
+                                     - if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added
+                                  items:
+                                    description: ExtraMapping provides the configuration
+                                      for a single extra mapping.
+                                    properties:
+                                      key:
+                                        description: |-
+                                          key is a string to use as the extra attribute key.
+                                          key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
+                                          subdomain as defined by RFC 1123. All characters trailing the first "/" must
+                                          be valid HTTP Path characters as defined by RFC 3986.
+                                          key must be lowercase.
+                                          Required to be unique.
+                                        type: string
+                                      valueExpression:
+                                        description: |-
+                                          valueExpression is a CEL expression to extract extra attribute value.
+                                          valueExpression must produce a string or string array value.
+                                          "", [], and null values are treated as the extra mapping not being present.
+                                          Empty string values contained within a string array are filtered out.
+
+                                          CEL expressions have access to the contents of the token claims, organized into CEL variable:
+                                          - 'claims' is a map of claim names to claim values.
+                                            For example, a variable named 'sub' can be accessed as 'claims.sub'.
+                                            Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+
+                                          Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+                                        type: string
+                                    required:
+                                    - key
+                                    - valueExpression
+                                    type: object
+                                  type: array
+                                groups:
+                                  description: |-
+                                    groups represents an option for the groups attribute.
+                                    The claim's value must be a string or string array claim.
+                                    If groups.claim is set, the prefix must be specified (and can be the empty string).
+                                    If groups.expression is set, the expression must produce a string or string array value.
+                                     "", [], and null values are treated as the group mapping not being present.
+                                  properties:
+                                    claim:
+                                      description: |-
+                                        claim is the JWT claim to use.
+                                        Mutually exclusive with expression.
+                                      type: string
+                                    expression:
+                                      description: |-
+                                        expression represents the expression which will be evaluated by CEL.
+
+                                        CEL expressions have access to the contents of the token claims, organized into CEL variable:
+                                        - 'claims' is a map of claim names to claim values.
+                                          For example, a variable named 'sub' can be accessed as 'claims.sub'.
+                                          Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+
+                                        Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+                                        Mutually exclusive with claim and prefix.
+                                      type: string
+                                    prefix:
+                                      description: |-
+                                        prefix is prepended to claim's value to prevent clashes with existing names.
+                                        prefix needs to be set if claim is set and can be the empty string.
+                                        Mutually exclusive with expression.
+                                      type: string
+                                  type: object
+                                uid:
+                                  description: |-
+                                    uid represents an option for the uid attribute.
+                                    Claim must be a singular string claim.
+                                    If uid.expression is set, the expression must produce a string value.
+                                  properties:
+                                    claim:
+                                      description: |-
+                                        claim is the JWT claim to use.
+                                        Either claim or expression must be set.
+                                        Mutually exclusive with expression.
+                                      type: string
+                                    expression:
+                                      description: |-
+                                        expression represents the expression which will be evaluated by CEL.
+
+                                        CEL expressions have access to the contents of the token claims, organized into CEL variable:
+                                        - 'claims' is a map of claim names to claim values.
+                                          For example, a variable named 'sub' can be accessed as 'claims.sub'.
+                                          Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+
+                                        Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+                                        Mutually exclusive with claim.
+                                      type: string
+                                  type: object
+                                username:
+                                  description: |-
+                                    username represents an option for the username attribute.
+                                    The claim's value must be a singular string.
+                                    Same as the --oidc-username-claim and --oidc-username-prefix flags.
+                                    If username.expression is set, the expression must produce a string value.
+                                    If username.expression uses 'claims.email', then 'claims.email_verified' must be used in
+                                    username.expression or extra[*].valueExpression or claimValidationRules[*].expression.
+                                    An example claim validation rule expression that matches the validation automatically
+                                    applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'. By explicitly comparing
+                                    the value to true, we let type-checking see the result will be a boolean, and to make sure a non-boolean email_verified
+                                    claim will be caught at runtime.
+
+                                    In the flag based approach, the --oidc-username-claim and --oidc-username-prefix are optional. If --oidc-username-claim is not set,
+                                    the default value is "sub". For the authentication config, there is no defaulting for claim or prefix. The claim and prefix must be set explicitly.
+                                    For claim, if --oidc-username-claim was not set with legacy flag approach, configure username.claim="sub" in the authentication config.
+                                    For prefix:
+                                        (1) --oidc-username-prefix="-", no prefix was added to the username. For the same behavior using authentication config,
+                                            set username.prefix=""
+                                        (2) --oidc-username-prefix="" and  --oidc-username-claim != "email", prefix was "<value of --oidc-issuer-url>#". For the same
+                                            behavior using authentication config, set username.prefix="<value of issuer.url>#"
+                                        (3) --oidc-username-prefix="<value>". For the same behavior using authentication config, set username.prefix="<value>"
+                                  properties:
+                                    claim:
+                                      description: |-
+                                        claim is the JWT claim to use.
+                                        Mutually exclusive with expression.
+                                      type: string
+                                    expression:
+                                      description: |-
+                                        expression represents the expression which will be evaluated by CEL.
+
+                                        CEL expressions have access to the contents of the token claims, organized into CEL variable:
+                                        - 'claims' is a map of claim names to claim values.
+                                          For example, a variable named 'sub' can be accessed as 'claims.sub'.
+                                          Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+
+                                        Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+                                        Mutually exclusive with claim and prefix.
+                                      type: string
+                                    prefix:
+                                      description: |-
+                                        prefix is prepended to claim's value to prevent clashes with existing names.
+                                        prefix needs to be set if claim is set and can be the empty string.
+                                        Mutually exclusive with expression.
+                                      type: string
+                                  type: object
+                              required:
+                              - username
+                              type: object
+                            claimValidationRules:
+                              description: claimValidationRules are rules that are
+                                applied to validate token claims to authenticate users.
+                              items:
+                                description: ClaimValidationRule provides the configuration
+                                  for a single claim validation rule.
+                                properties:
+                                  claim:
+                                    description: |-
+                                      claim is the name of a required claim.
+                                      Same as --oidc-required-claim flag.
+                                      Only string claim keys are supported.
+                                      Mutually exclusive with expression and message.
+                                    type: string
+                                  expression:
+                                    description: |-
+                                      expression represents the expression which will be evaluated by CEL.
+                                      Must produce a boolean.
+
+                                      CEL expressions have access to the contents of the token claims, organized into CEL variable:
+                                      - 'claims' is a map of claim names to claim values.
+                                        For example, a variable named 'sub' can be accessed as 'claims.sub'.
+                                        Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+                                      Must return true for the validation to pass.
+
+                                      Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+                                      Mutually exclusive with claim and requiredValue.
+                                    type: string
+                                  message:
+                                    description: |-
+                                      message customizes the returned error message when expression returns false.
+                                      message is a literal string.
+                                      Mutually exclusive with claim and requiredValue.
+                                    type: string
+                                  requiredValue:
+                                    description: |-
+                                      requiredValue is the value of a required claim.
+                                      Same as --oidc-required-claim flag.
+                                      Only string claim values are supported.
+                                      If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string.
+                                      Mutually exclusive with expression and message.
+                                    type: string
+                                type: object
+                              type: array
+                            issuer:
+                              description: issuer contains the basic OIDC provider
+                                connection options.
+                              properties:
+                                audienceMatchPolicy:
+                                  description: |-
+                                    audienceMatchPolicy defines how the "audiences" field is used to match the "aud" claim in the presented JWT.
+                                    Allowed values are:
+                                    1. "MatchAny" when multiple audiences are specified and
+                                    2. empty (or unset) or "MatchAny" when a single audience is specified.
+
+                                    - MatchAny: the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field.
+                                    For example, if "audiences" is ["foo", "bar"], the "aud" claim in the presented JWT must contain either "foo" or "bar" (and may contain both).
+
+                                    - "": The match policy can be empty (or unset) when a single audience is specified in the "audiences" field. The "aud" claim in the presented JWT must contain the single audience (and may contain others).
+
+                                    For more nuanced audience validation, use claimValidationRules.
+                                      example: claimValidationRule[].expression: 'sets.equivalent(claims.aud, ["bar", "foo", "baz"])' to require an exact match.
+                                  type: string
+                                audiences:
+                                  description: |-
+                                    audiences is the set of acceptable audiences the JWT must be issued to.
+                                    At least one of the entries must match the "aud" claim in presented JWTs.
+                                    Same value as the --oidc-client-id flag (though this field supports an array).
+                                    Required to be non-empty.
+                                  items:
+                                    type: string
+                                  type: array
+                                certificateAuthority:
+                                  description: |-
+                                    certificateAuthority contains PEM-encoded certificate authority certificates
+                                    used to validate the connection when fetching discovery information.
+                                    If unset, the system verifier is used.
+                                    Same value as the content of the file referenced by the --oidc-ca-file flag.
+                                  type: string
+                                discoveryURL:
+                                  description: |-
+                                    discoveryURL, if specified, overrides the URL used to fetch discovery
+                                    information instead of using "{url}/.well-known/openid-configuration".
+                                    The exact value specified is used, so "/.well-known/openid-configuration"
+                                    must be included in discoveryURL if needed.
+
+                                    The "issuer" field in the fetched discovery information must match the "issuer.url" field
+                                    in the AuthenticationConfiguration and will be used to validate the "iss" claim in the presented JWT.
+                                    This is for scenarios where the well-known and jwks endpoints are hosted at a different
+                                    location than the issuer (such as locally in the cluster).
+
+                                    Example:
+                                    A discovery url that is exposed using kubernetes service 'oidc' in namespace 'oidc-namespace'
+                                    and discovery information is available at '/.well-known/openid-configuration'.
+                                    discoveryURL: "https://oidc.oidc-namespace/.well-known/openid-configuration"
+                                    certificateAuthority is used to verify the TLS connection and the hostname on the leaf certificate
+                                    must be set to 'oidc.oidc-namespace'.
+
+                                    curl https://oidc.oidc-namespace/.well-known/openid-configuration (.discoveryURL field)
+                                    {
+                                        issuer: "https://oidc.example.com" (.url field)
+                                    }
+
+                                    discoveryURL must be different from url.
+                                    Required to be unique across all JWT authenticators.
+                                    Note that egress selection configuration is not used for this network connection.
+                                  type: string
+                                url:
+                                  description: |-
+                                    url points to the issuer URL in a format https://url or https://url/path.
+                                    This must match the "iss" claim in the presented JWT, and the issuer returned from discovery.
+                                    Same value as the --oidc-issuer-url flag.
+                                    Discovery information is fetched from "{url}/.well-known/openid-configuration" unless overridden by discoveryURL.
+                                    Required to be unique across all JWT authenticators.
+                                    Note that egress selection configuration is not used for this network connection.
+                                  type: string
+                              required:
+                              - audiences
+                              - url
+                              type: object
+                            userValidationRules:
+                              description: |-
+                                userValidationRules are rules that are applied to final user before completing authentication.
+                                These allow invariants to be applied to incoming identities such as preventing the
+                                use of the system: prefix that is commonly used by Kubernetes components.
+                                The validation rules are logically ANDed together and must all return true for the validation to pass.
+                              items:
+                                description: UserValidationRule provides the configuration
+                                  for a single user info validation rule.
+                                properties:
+                                  expression:
+                                    description: |-
+                                      expression represents the expression which will be evaluated by CEL.
+                                      Must return true for the validation to pass.
+
+                                      CEL expressions have access to the contents of UserInfo, organized into CEL variable:
+                                      - 'user' - authentication.k8s.io/v1, Kind=UserInfo object
+                                         Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition.
+                                         API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io
+
+                                      Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+                                    type: string
+                                  message:
+                                    description: |-
+                                      message customizes the returned error message when rule returns false.
+                                      message is a literal string.
+                                    type: string
+                                required:
+                                - expression
+                                type: object
+                              type: array
+                          required:
+                          - claimMappings
+                          - issuer
+                          type: object
+                        type: array
+                    type: object
                   maxLogStreamDurationMinutes:
                     description: |-
                       MaxLogStreamDurationMinutes is the maximum duration for log streaming in minutes
diff --git a/config/samples/automotive_v1_operatorconfig.yaml b/config/samples/automotive_v1_operatorconfig.yaml
index 32ec8fe1..bc556e3d 100644
--- a/config/samples/automotive_v1_operatorconfig.yaml
+++ b/config/samples/automotive_v1_operatorconfig.yaml
@@ -41,4 +41,24 @@ spec:
     # - key: "node.kubernetes.io/dedicated"
     #   operator: "Equal"
     #   value: "automotive"
-    #   effect: "NoExecute"
\ No newline at end of file
+    #   effect: "NoExecute"
+
+  # BuildAPI configuration for the Build API server
+  buildAPI:
+    # Optional: Authentication configuration for OIDC/JWT providers
+    # authentication:
+    #   # OIDC client ID for caib CLI
+    #   clientId: "caib-cli"
+    #   # Internal authentication configuration
+    #   internal:
+    #     prefix: "internal:"
+    #   # JWT/OIDC authentication providers
+    #   jwt:
+    #     - issuer:
+    #         url: "https://sso.redhat.com/auth/realms/EmployeeIDP"
+    #         audiences:
+    #           - "caib-cli"
+    #       claimMappings:
+    #         username:
+    #           claim: "preferred_username"
+    #           prefix: ""
\ No newline at end of file
diff --git a/internal/buildapi/auth_config.go b/internal/buildapi/auth_config.go
index a321c6d3..80d023a6 100644
--- a/internal/buildapi/auth_config.go
+++ b/internal/buildapi/auth_config.go
@@ -6,13 +6,16 @@ import (
 	"os"
 
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	apiserverv1beta1 "k8s.io/apiserver/pkg/apis/apiserver/v1beta1"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
-	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
+	oidcauth "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 
+	automotivev1alpha1 "github.com/centos-automotive-suite/automotive-dev-operator/api/v1alpha1"
 	apiserver "k8s.io/apiserver/pkg/apis/apiserver"
 )
 
@@ -136,9 +139,10 @@ func newJWTAuthenticator(ctx context.Context, config AuthenticationConfiguration
 
 	jwtAuthenticators := make([]authenticator.Token, 0, len(config.JWT))
 	for _, jwtAuthenticator := range config.JWT {
-		var oidcCAContent oidc.CAContentProvider
+		var oidcCAContent oidcauth.CAContentProvider
 		if jwtAuthenticator.Issuer.CertificateAuthority != "" {
 			var oidcCAError error
+			// Try to read CA from file, or use it as inline PEM
 			if _, err := os.Stat(jwtAuthenticator.Issuer.CertificateAuthority); err == nil {
 				oidcCAContent, oidcCAError = dynamiccertificates.NewDynamicCAContentFromFile(
 					"oidc-authenticator",
@@ -161,10 +165,10 @@ func newJWTAuthenticator(ctx context.Context, config AuthenticationConfiguration
 			return nil, err
 		}
 
-		oidcAuth, err := oidc.New(ctx, oidc.Options{
+		oidcAuth, err := oidcauth.New(ctx, oidcauth.Options{
 			JWTAuthenticator:     jwtAuthenticatorUnversioned,
 			CAContentProvider:    oidcCAContent,
-			SupportedSigningAlgs: oidc.AllValidSigningAlgorithms(),
+			SupportedSigningAlgs: oidcauth.AllValidSigningAlgorithms(),
 		})
 		if err != nil {
 			return nil, err
@@ -173,3 +177,40 @@ func newJWTAuthenticator(ctx context.Context, config AuthenticationConfiguration
 	}
 	return tokenunion.NewFailOnError(jwtAuthenticators...), nil
 }
+
+// loadAuthenticationConfigurationFromOperatorConfig loads authentication configuration directly from OperatorConfig CRD.
+func loadAuthenticationConfigurationFromOperatorConfig(ctx context.Context, k8sClient client.Client, namespace string) (*AuthenticationConfiguration, authenticator.Token, string, error) {
+	operatorConfig := &automotivev1alpha1.OperatorConfig{}
+	key := types.NamespacedName{Name: "config", Namespace: namespace}
+
+	if err := k8sClient.Get(ctx, key, operatorConfig); err != nil {
+		return nil, nil, "", fmt.Errorf("failed to get OperatorConfig %s/%s: %w", namespace, "config", err)
+	}
+
+	// Check if authentication is configured
+	if operatorConfig.Spec.BuildAPI == nil || operatorConfig.Spec.BuildAPI.Authentication == nil {
+		return nil, nil, "", nil // No authentication configured
+	}
+
+	auth := operatorConfig.Spec.BuildAPI.Authentication
+	config := &AuthenticationConfiguration{
+		ClientID: auth.ClientID,
+		Internal: InternalAuthConfig{
+			Prefix: "internal:",
+		},
+		JWT: auth.JWT,
+	}
+
+	// Set internal prefix if provided
+	if auth.Internal != nil && auth.Internal.Prefix != "" {
+		config.Internal.Prefix = auth.Internal.Prefix
+	}
+
+	// Build authenticator from JWT configuration
+	authn, err := newJWTAuthenticator(ctx, *config)
+	if err != nil {
+		return nil, nil, "", fmt.Errorf("failed to create JWT authenticator: %w", err)
+	}
+
+	return config, authn, config.Internal.Prefix, nil
+}
diff --git a/internal/buildapi/integration_test.go b/internal/buildapi/integration_test.go
index 2536b981..d1dc1e8b 100644
--- a/internal/buildapi/integration_test.go
+++ b/internal/buildapi/integration_test.go
@@ -104,8 +104,8 @@ var _ = Describe("APIServer Manual Testing", func() {
 		fmt.Println("   go run ./cmd/build-api/")
 		fmt.Println()
 		fmt.Println("2. Test endpoints:")
-		fmt.Println("   curl http://localhost:8080/v1/healthz")
-		fmt.Println("   curl http://localhost:8080/v1/openapi.yaml")
+		fmt.Println("   GET http://localhost:8080/v1/healthz")
+		fmt.Println("   GET http://localhost:8080/v1/openapi.yaml")
 		fmt.Println()
 		fmt.Println("3. Test with authentication:")
 		fmt.Println("   # Get your token:")
@@ -116,7 +116,8 @@ var _ = Describe("APIServer Manual Testing", func() {
 		fmt.Println("   " + cmd)
 		fmt.Println()
 		fmt.Println("   # Test authenticated endpoint:")
-		fmt.Println("   curl -H 'Authorization: Bearer YOUR_TOKEN' http://localhost:8080/v1/builds")
+		fmt.Println("   GET http://localhost:8080/v1/builds")
+		fmt.Println("   Header: Authorization: Bearer YOUR_TOKEN")
 		fmt.Println()
 		fmt.Println("4. Environment variables:")
 		fmt.Println("   export GIN_MODE=debug          # Enable debug mode")
diff --git a/internal/buildapi/internal_jwt_test.go b/internal/buildapi/internal_jwt_test.go
index f2c7b4c3..8d2170d0 100644
--- a/internal/buildapi/internal_jwt_test.go
+++ b/internal/buildapi/internal_jwt_test.go
@@ -1,7 +1,6 @@
 package buildapi
 
 import (
-	"testing"
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
@@ -9,11 +8,6 @@ import (
 	. "github.com/onsi/gomega"    //nolint:revive
 )
 
-func TestInternalJWT(t *testing.T) {
-	RegisterFailHandler(Fail)
-	RunSpecs(t, "Internal JWT Suite")
-}
-
 var _ = Describe("validateInternalJWT", func() {
 	var cfg *internalJWTConfig
 	var key []byte
@@ -36,9 +30,9 @@ var _ = Describe("validateInternalJWT", func() {
 
 	It("should reject token with empty subject", func() {
 		claims := jwt.RegisteredClaims{
-			Issuer:   "test-issuer",
-			Audience: jwt.ClaimStrings{"test-audience"},
-			Subject:  "", // Empty subject
+			Issuer:    "test-issuer",
+			Audience:  jwt.ClaimStrings{"test-audience"},
+			Subject:   "", // Empty subject
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
 		}
 		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
@@ -52,9 +46,9 @@ var _ = Describe("validateInternalJWT", func() {
 
 	It("should accept valid token with non-empty subject", func() {
 		claims := jwt.RegisteredClaims{
-			Issuer:   "test-issuer",
-			Audience: jwt.ClaimStrings{"test-audience"},
-			Subject:  "test-user",
+			Issuer:    "test-issuer",
+			Audience:  jwt.ClaimStrings{"test-audience"},
+			Subject:   "test-user",
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
 		}
 		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
@@ -68,9 +62,9 @@ var _ = Describe("validateInternalJWT", func() {
 
 	It("should reject token with wrong issuer", func() {
 		claims := jwt.RegisteredClaims{
-			Issuer:   "wrong-issuer",
-			Audience: jwt.ClaimStrings{"test-audience"},
-			Subject:  "test-user",
+			Issuer:    "wrong-issuer",
+			Audience:  jwt.ClaimStrings{"test-audience"},
+			Subject:   "test-user",
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
 		}
 		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
@@ -84,9 +78,9 @@ var _ = Describe("validateInternalJWT", func() {
 
 	It("should reject token with wrong audience", func() {
 		claims := jwt.RegisteredClaims{
-			Issuer:   "test-issuer",
-			Audience: jwt.ClaimStrings{"wrong-audience"},
-			Subject:  "test-user",
+			Issuer:    "test-issuer",
+			Audience:  jwt.ClaimStrings{"wrong-audience"},
+			Subject:   "test-user",
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
 		}
 		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
@@ -100,9 +94,9 @@ var _ = Describe("validateInternalJWT", func() {
 
 	It("should reject expired token", func() {
 		claims := jwt.RegisteredClaims{
-			Issuer:   "test-issuer",
-			Audience: jwt.ClaimStrings{"test-audience"},
-			Subject:  "test-user",
+			Issuer:    "test-issuer",
+			Audience:  jwt.ClaimStrings{"test-audience"},
+			Subject:   "test-user",
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(-time.Hour)),
 		}
 		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
@@ -134,9 +128,9 @@ var _ = Describe("validateInternalJWT", func() {
 	It("should reject token with invalid signature", func() {
 		wrongKey := []byte("wrong-secret-key-32-bytes-long!")
 		claims := jwt.RegisteredClaims{
-			Issuer:   "test-issuer",
-			Audience: jwt.ClaimStrings{"test-audience"},
-			Subject:  "test-user",
+			Issuer:    "test-issuer",
+			Audience:  jwt.ClaimStrings{"test-audience"},
+			Subject:   "test-user",
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
 		}
 		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
diff --git a/internal/buildapi/server.go b/internal/buildapi/server.go
index 60cc4942..79f888fb 100644
--- a/internal/buildapi/server.go
+++ b/internal/buildapi/server.go
@@ -120,46 +120,74 @@ func NewAPIServerWithLimits(addr string, logger logr.Logger, limits APILimits) *
 		a.internalJWT = cfg
 		logger.Info("internal JWT auth enabled", "issuer", cfg.issuer, "audience", cfg.audience)
 	}
-	// Try to load from config file (supports both 'config' and 'authentication.yaml' keys)
-	authConfigPath := os.Getenv("AUTH_CONFIG_PATH")
-	if authConfigPath == "" {
-		authConfigPath = "/etc/build-api/config"
-	}
-	logger.Info("loading authentication config", "path", authConfigPath)
-	// Try 'config' first (Jumpstarter style), then fallback to 'authentication.yaml'
-	cfg, authn, prefix, err := loadAuthenticationConfigurationFromFile(context.Background(), authConfigPath)
-	if err != nil {
-		logger.Info("primary config path failed, trying fallback", "primary_path", authConfigPath, "error", err)
-		// Try fallback path if primary path fails (but only if it's not a directory)
-		fallbackPath := "/etc/build-api/authentication.yaml"
-		if info, statErr := os.Stat(fallbackPath); statErr == nil && !info.IsDir() {
-			if fallbackCfg, fallbackAuthn, fallbackPrefix, fallbackErr := loadAuthenticationConfigurationFromFile(context.Background(), fallbackPath); fallbackErr == nil {
-				cfg = fallbackCfg
-				authn = fallbackAuthn
-				prefix = fallbackPrefix
-				logger.Info("loaded authentication config from fallback path", "path", fallbackPath)
+
+	// Try to load authentication configuration directly from OperatorConfig CRD
+	namespace := resolveNamespace()
+	logger.Info("attempting to load authentication config from OperatorConfig", "namespace", namespace)
+	k8sClient, err := a.getCatalogClient()
+	if err == nil {
+		cfg, authn, prefix, err := loadAuthenticationConfigurationFromOperatorConfig(context.Background(), k8sClient, namespace)
+		if err == nil && cfg != nil {
+			a.authConfig = cfg
+			a.externalJWT = authn
+			a.internalPrefix = prefix
+			if cfg.ClientID != "" {
+				a.oidcClientID = cfg.ClientID
+			}
+			if len(cfg.JWT) > 0 {
+				logger.Info("loaded authentication config from OperatorConfig", "jwt_count", len(cfg.JWT), "namespace", namespace, "client_id", cfg.ClientID)
 			} else {
-				logger.Error(err, "failed to load authentication config; external OIDC auth disabled", "primary_path", authConfigPath, "fallback_path", fallbackPath, "fallback_err", fallbackErr)
+				logger.Info("authentication config loaded from OperatorConfig but no JWT issuers configured", "namespace", namespace)
 			}
+		} else if err != nil {
+			logger.Info("failed to load authentication config from OperatorConfig, trying file fallback", "namespace", namespace, "error", err)
 		} else {
-			logger.Error(err, "failed to load authentication config; external OIDC auth disabled", "primary_path", authConfigPath, "fallback_is_dir", statErr == nil && info.IsDir())
+			logger.Info("no authentication config in OperatorConfig, trying file fallback", "namespace", namespace)
 		}
-	} else if cfg == nil {
-		logger.Info("authentication config file not found or empty", "path", authConfigPath)
 	} else {
-		logger.Info("loaded authentication config", "path", authConfigPath, "jwt_count", len(cfg.JWT))
+		logger.Info("failed to create k8s client for OperatorConfig, trying file fallback", "error", err)
 	}
-	if cfg != nil {
-		a.authConfig = cfg
-		a.externalJWT = authn
-		a.internalPrefix = prefix
-		if cfg.ClientID != "" {
-			a.oidcClientID = cfg.ClientID
+
+	// Fallback to file-based config if OperatorConfig doesn't have auth config or failed to load
+	if a.authConfig == nil {
+		authConfigPath := os.Getenv("AUTH_CONFIG_PATH")
+		if authConfigPath == "" {
+			authConfigPath = "/etc/build-api/config"
 		}
-		if len(cfg.JWT) > 0 {
-			logger.Info("external OIDC auth enabled", "issuers", len(cfg.JWT))
+		logger.Info("loading authentication config from file", "path", authConfigPath)
+		cfg, authn, prefix, err := loadAuthenticationConfigurationFromFile(context.Background(), authConfigPath)
+		if err != nil {
+			logger.Info("primary config path failed, trying fallback", "primary_path", authConfigPath, "error", err)
+			fallbackPath := "/etc/build-api/authentication.yaml"
+			if info, statErr := os.Stat(fallbackPath); statErr == nil && !info.IsDir() {
+				if fallbackCfg, fallbackAuthn, fallbackPrefix, fallbackErr := loadAuthenticationConfigurationFromFile(context.Background(), fallbackPath); fallbackErr == nil {
+					cfg = fallbackCfg
+					authn = fallbackAuthn
+					prefix = fallbackPrefix
+					logger.Info("loaded authentication config from fallback path", "path", fallbackPath)
+				} else {
+					logger.Error(err, "failed to load authentication config; external OIDC auth disabled", "primary_path", authConfigPath, "fallback_path", fallbackPath, "fallback_err", fallbackErr)
+				}
+			} else {
+				logger.Error(err, "failed to load authentication config; external OIDC auth disabled", "primary_path", authConfigPath, "fallback_is_dir", statErr == nil && info.IsDir())
+			}
+		} else if cfg == nil {
+			logger.Info("authentication config file not found or empty", "path", authConfigPath)
 		} else {
-			logger.Info("authentication config loaded but no JWT issuers configured")
+			logger.Info("loaded authentication config from file", "path", authConfigPath, "jwt_count", len(cfg.JWT))
+		}
+		if cfg != nil {
+			a.authConfig = cfg
+			a.externalJWT = authn
+			a.internalPrefix = prefix
+			if cfg.ClientID != "" {
+				a.oidcClientID = cfg.ClientID
+			}
+			if len(cfg.JWT) > 0 {
+				logger.Info("external OIDC auth enabled", "issuers", len(cfg.JWT))
+			} else {
+				logger.Info("authentication config loaded but no JWT issuers configured")
+			}
 		}
 	}
 	a.router = a.createRouter()
diff --git a/internal/controller/operatorconfig/controller.go b/internal/controller/operatorconfig/controller.go
index 81ffee07..4fe64e26 100644
--- a/internal/controller/operatorconfig/controller.go
+++ b/internal/controller/operatorconfig/controller.go
@@ -234,11 +234,9 @@ func (r *OperatorConfigReconciler) deployBuildAPI(ctx context.Context, owner *au
 		return fmt.Errorf("failed to ensure build-api internal JWT secret: %w", err)
 	}
 
-	// Ensure build-api auth configuration
-	if err := r.ensureBuildAPIAuthConfigMap(ctx); err != nil {
-		r.Log.Error(err, "Failed to ensure build-api auth config")
-		return fmt.Errorf("failed to ensure build-api auth config: %w", err)
-	}
+	// Build API now reads authentication configuration directly from OperatorConfig CRD
+	// No need to generate ConfigMap anymore
+	r.Log.Info("Build API will read authentication config directly from OperatorConfig")
 
 	// Update ServiceAccount with build-api OAuth redirect annotation
 	if err := r.updateBuildAPIServiceAccountAnnotation(ctx); err != nil {
@@ -408,24 +406,6 @@ func (r *OperatorConfigReconciler) ensureBuildAPIInternalJWTSecret(ctx context.C
 	return nil
 }
 
-func (r *OperatorConfigReconciler) ensureBuildAPIAuthConfigMap(ctx context.Context) error {
-	configMap := &corev1.ConfigMap{}
-	err := r.Get(ctx, client.ObjectKey{Name: buildAPIAuthConfigMapName, Namespace: operatorNamespace}, configMap)
-	if err == nil {
-		return nil
-	}
-	if !errors.IsNotFound(err) {
-		return fmt.Errorf("failed to get build-api auth configmap %s: %w", buildAPIAuthConfigMapName, err)
-	}
-
-	configMap = r.buildBuildAPIAuthConfigMap()
-	if err := r.Create(ctx, configMap); err != nil {
-		return fmt.Errorf("failed to create build-api auth configmap %s: %w", buildAPIAuthConfigMapName, err)
-	}
-	r.Log.Info("Created build-api auth configmap", "name", buildAPIAuthConfigMapName)
-	return nil
-}
-
 func (r *OperatorConfigReconciler) createOrUpdate(
 	ctx context.Context,
 	obj client.Object,
diff --git a/internal/controller/operatorconfig/resources.go b/internal/controller/operatorconfig/resources.go
index 8f3544e5..a43259b6 100644
--- a/internal/controller/operatorconfig/resources.go
+++ b/internal/controller/operatorconfig/resources.go
@@ -5,7 +5,6 @@ import (
 	"encoding/base64"
 	"fmt"
 	"os"
-	"strings"
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
@@ -19,8 +18,7 @@ import (
 )
 
 const (
-	defaultOperatorImage      = "quay.io/rh-sdv-cloud/automotive-dev-operator:latest"
-	buildAPIAuthConfigMapName = "ado-build-api-authentication"
+	defaultOperatorImage = "quay.io/rh-sdv-cloud/automotive-dev-operator:latest"
 )
 
 // getOperatorImage returns the operator image from env var or default
@@ -103,13 +101,7 @@ func (r *OperatorConfigReconciler) buildBuildAPIContainers(isOpenShift bool) []c
 					Protocol:      corev1.ProtocolTCP,
 				},
 			},
-			VolumeMounts: []corev1.VolumeMount{
-				{
-					Name:      "build-api-auth-config",
-					MountPath: "/etc/build-api",
-					ReadOnly:  true,
-				},
-			},
+			// No volume mounts needed - Build API reads directly from OperatorConfig CRD
 			SecurityContext: &corev1.SecurityContext{
 				AllowPrivilegeEscalation: boolPtr(false),
 			},
@@ -228,18 +220,7 @@ func (r *OperatorConfigReconciler) buildBuildAPIDeployment(isOpenShift bool) *ap
 						},
 					},
 					Containers: r.buildBuildAPIContainers(isOpenShift),
-					Volumes: []corev1.Volume{
-						{
-							Name: "build-api-auth-config",
-							VolumeSource: corev1.VolumeSource{
-								ConfigMap: &corev1.ConfigMapVolumeSource{
-									LocalObjectReference: corev1.LocalObjectReference{
-										Name: buildAPIAuthConfigMapName,
-									},
-								},
-							},
-						},
-					},
+					// No volumes needed - Build API reads directly from OperatorConfig CRD
 				},
 			},
 		},
@@ -387,31 +368,6 @@ func (r *OperatorConfigReconciler) buildOAuthSecret(name string) *corev1.Secret
 	}
 }
 
-func (r *OperatorConfigReconciler) buildBuildAPIAuthConfigMap() *corev1.ConfigMap {
-	return &corev1.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      buildAPIAuthConfigMapName,
-			Namespace: operatorNamespace,
-			Labels: map[string]string{
-				"app.kubernetes.io/name":      "automotive-dev-operator",
-				"app.kubernetes.io/component": "build-api",
-				"app.kubernetes.io/part-of":   "automotive-dev-operator",
-			},
-		},
-		Data: map[string]string{
-			"config": strings.TrimSpace(defaultAuthenticationConfig()), // Use 'config' key to match Jumpstarter
-		},
-	}
-}
-
-func defaultAuthenticationConfig() string {
-	return `
-internal:
-  prefix: "internal:"
-jwt: []
-`
-}
-
 func (r *OperatorConfigReconciler) buildInternalJWTSecret(name string) (*corev1.Secret, error) {
 	signingKey, err := generateRandomToken(32)
 	if err != nil {
diff --git a/internal/controller/operatorconfig/resources_test.go b/internal/controller/operatorconfig/resources_test.go
new file mode 100644
index 00000000..261a8cfb
--- /dev/null
+++ b/internal/controller/operatorconfig/resources_test.go
@@ -0,0 +1,38 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package operatorconfig
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2" //nolint:revive
+	. "github.com/onsi/gomega"    //nolint:revive
+)
+
+func TestResources(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "OperatorConfig Resources Suite")
+}
+
+var _ = Describe("OperatorConfig Resources", func() {
+	// Tests for resource generation functions that are still in use
+	// (e.g. buildInternalJWTSecret, etc.)
+	// ConfigMap-related functions have been removed as we now read directly from OperatorConfig CRD
+	It("placeholder test", func() {
+		Expect(true).To(BeTrue())
+	})
+})
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index 6bc070a0..54392b4f 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -17,7 +17,10 @@ limitations under the License.
 package e2e
 
 import (
+	"crypto/tls"
 	"fmt"
+	"io"
+	"net/http"
 	"os"
 	"os/exec"
 	"strings"
@@ -335,7 +338,18 @@ var _ = Describe("OIDC Authentication", Ordered, func() {
 	BeforeAll(func() {
 		By("creating manager namespace")
 		cmd := exec.Command("kubectl", "create", "ns", namespace)
-		_, _ = utils.Run(cmd)
+		_, _ = utils.Run(cmd) // Ignore error if namespace already exists
+
+		By("installing CRDs")
+		cmd = exec.Command("make", "install")
+		_, err := utils.Run(cmd)
+		Expect(err).NotTo(HaveOccurred())
+
+		By("waiting for OperatorConfig CRD to be established")
+		cmd = exec.Command("kubectl", "wait", "--for=condition=established", "--timeout=60s",
+			"crd/operatorconfigs.automotive.sdv.cloud.redhat.com")
+		_, err = utils.Run(cmd)
+		Expect(err).NotTo(HaveOccurred())
 	})
 
 	AfterAll(func() {
@@ -356,45 +370,50 @@ var _ = Describe("OIDC Authentication", Ordered, func() {
 			apiURL := "https://" + strings.TrimSpace(string(output))
 
 			By("checking /v1/auth/config endpoint returns 404 when OIDC not configured")
-			cmd = exec.Command("curl", "-k", "-s", "-o", "/dev/null", "-w", "%{http_code}",
-				apiURL+"/v1/auth/config")
-			output, err = utils.Run(cmd)
+			client := &http.Client{
+				Transport: &http.Transport{
+					TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+				},
+			}
+			resp, err := client.Get(apiURL + "/v1/auth/config")
 			Expect(err).NotTo(HaveOccurred())
+			defer func() {
+				_ = resp.Body.Close()
+			}()
 			// Should return 404 or 200 with empty JWT array
-			statusCode := strings.TrimSpace(string(output))
-			Expect(statusCode).To(Or(Equal("404"), Equal("200")))
+			statusCode := resp.StatusCode
+			Expect(statusCode).To(Or(Equal(404), Equal(200)))
 		})
 
 		It("should handle OIDC configuration when provided", func() {
-			By("creating OIDC ConfigMap")
-			oidcConfigYAML := `
-apiVersion: v1
-kind: ConfigMap
+			By("creating OperatorConfig with OIDC authentication")
+			operatorConfigYAML := `
+apiVersion: automotive.sdv.cloud.redhat.com/v1alpha1
+kind: OperatorConfig
 metadata:
-  name: ado-build-api-authentication
+  name: config
   namespace: automotive-dev-operator-system
-data:
-  authentication.yaml: |
-    apiVersion: apiserver.config.k8s.io/v1beta1
-    kind: AuthenticationConfiguration
-    jwt:
-      - issuer:
-          url: https://issuer.example.com
-          audiences:
-            - test-audience
-        claimMappings:
-          username:
-            claim: preferred_username
-            prefix: ""
-    clientId: test-client-id
+spec:
+  buildAPI:
+    authentication:
+      clientId: test-client-id
+      jwt:
+        - issuer:
+            url: https://issuer.example.com
+            audiences:
+              - test-audience
+          claimMappings:
+            username:
+              claim: preferred_username
+              prefix: ""
 `
 			cmd := exec.Command("kubectl", "apply", "-f", "-")
-			cmd.Stdin = strings.NewReader(oidcConfigYAML)
+			cmd.Stdin = strings.NewReader(operatorConfigYAML)
 			_, err := utils.Run(cmd)
 			ExpectWithOffset(1, err).NotTo(HaveOccurred())
 
-			By("waiting for Build API to reload configuration")
-			time.Sleep(5 * time.Second)
+			By("waiting for operator to reconcile and Build API to reload configuration")
+			time.Sleep(10 * time.Second)
 
 			By("checking /v1/auth/config endpoint returns OIDC config")
 			cmd = exec.Command("kubectl", "get", "route", "ado-build-api",
@@ -405,16 +424,26 @@ data:
 			}
 			apiURL := "https://" + strings.TrimSpace(string(output))
 
-			cmd = exec.Command("curl", "-k", "-s", apiURL+"/v1/auth/config")
-			output, err = utils.Run(cmd)
+			client := &http.Client{
+				Transport: &http.Transport{
+					TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+				},
+			}
+			resp, err := client.Get(apiURL + "/v1/auth/config")
 			Expect(err).NotTo(HaveOccurred())
-			response := string(output)
+			defer func() {
+				_ = resp.Body.Close()
+			}()
+			Expect(resp.StatusCode).To(Equal(200))
+			body, err := io.ReadAll(resp.Body)
+			Expect(err).NotTo(HaveOccurred())
+			response := string(body)
 			Expect(response).To(ContainSubstring("jwt"))
 			Expect(response).To(ContainSubstring("clientId"))
 
-			By("cleaning up OIDC ConfigMap")
-			cmd = exec.Command("kubectl", "delete", "configmap", "ado-build-api-authentication",
-				"-n", namespace, "--ignore-not-found=true")
+			By("cleaning up OIDC configuration from OperatorConfig")
+			cmd = exec.Command("kubectl", "patch", "operatorconfig", "config",
+				"-n", namespace, "--type=json", "-p", `[{"op": "remove", "path": "/spec/buildAPI/authentication"}]`)
 			_, _ = utils.Run(cmd)
 		})
 	})

From 7717b66b3091a2f2ae1ffc4aa4f3d768ae8021ce Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev <bkhizgiy@redhat.com>
Date: Thu, 29 Jan 2026 14:54:06 +0200
Subject: [PATCH 07/10] Add option for caib CAIB_INSECURE_TLS=true for testing
 and insecure conection

Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com>
---
 cmd/caib/auth/config.go  | 11 ++++++++++-
 cmd/caib/auth/oidc.go    | 23 +++++++++++++++++++++--
 cmd/caib/auth/wrapper.go | 12 +++++++++++-
 3 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/cmd/caib/auth/config.go b/cmd/caib/auth/config.go
index 93ee86ca..488008fe 100644
--- a/cmd/caib/auth/config.go
+++ b/cmd/caib/auth/config.go
@@ -2,6 +2,7 @@
 package auth
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -13,8 +14,16 @@ import (
 
 // GetOIDCConfigFromAPI fetches OIDC configuration from the Build API server.
 func GetOIDCConfigFromAPI(serverURL string) (*OIDCConfig, error) {
+	transport := &http.Transport{}
+
+	// Check for insecure TLS flag
+	if strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1" {
+		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
+
 	client := &http.Client{
-		Timeout: 30 * time.Second,
+		Timeout:   30 * time.Second,
+		Transport: transport,
 	}
 
 	configURL := strings.TrimSuffix(serverURL, "/") + "/v1/auth/config"
diff --git a/cmd/caib/auth/oidc.go b/cmd/caib/auth/oidc.go
index 8a8f6f98..800006ea 100644
--- a/cmd/caib/auth/oidc.go
+++ b/cmd/caib/auth/oidc.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/sha256"
+	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -279,7 +280,16 @@ func (a *OIDCAuth) exchangeCodeForToken(ctx context.Context, tokenEndpoint, code
 	}
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 
-	client := &http.Client{Timeout: 30 * time.Second}
+	transport := &http.Transport{}
+	// Check for insecure TLS flag
+	if strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1" {
+		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
+
+	client := &http.Client{
+		Timeout:   30 * time.Second,
+		Transport: transport,
+	}
 	resp, err := client.Do(req)
 	if err != nil {
 		return "", err
@@ -319,7 +329,16 @@ type DiscoveryDocument struct {
 }
 
 func (a *OIDCAuth) getDiscovery(discoveryURL string) (*DiscoveryDocument, error) {
-	client := &http.Client{Timeout: 10 * time.Second}
+	transport := &http.Transport{}
+	// Check for insecure TLS flag
+	if strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1" {
+		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
+
+	client := &http.Client{
+		Timeout:   10 * time.Second,
+		Transport: transport,
+	}
 	resp, err := client.Get(discoveryURL)
 	if err != nil {
 		return nil, err
diff --git a/cmd/caib/auth/wrapper.go b/cmd/caib/auth/wrapper.go
index 2e8772f0..f43828d6 100644
--- a/cmd/caib/auth/wrapper.go
+++ b/cmd/caib/auth/wrapper.go
@@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
 
 	buildapiclient "github.com/centos-automotive-suite/automotive-dev-operator/internal/buildapi/client"
@@ -86,5 +87,14 @@ func CreateClientWithReauth(ctx context.Context, serverURL string, authToken *st
 		}
 	}
 
-	return buildapiclient.New(serverURL, buildapiclient.WithAuthToken(tokenValue))
+	// Configure TLS options
+	var opts []buildapiclient.Option
+	opts = append(opts, buildapiclient.WithAuthToken(tokenValue))
+
+	// Check for insecure TLS flag
+	if strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1" {
+		opts = append(opts, buildapiclient.WithInsecureTLS())
+	}
+
+	return buildapiclient.New(serverURL, opts...)
 }

From 32aaa32a584b79da3808ae0fcd3e2e4d57ff0a27 Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev <bkhizgiy@redhat.com>
Date: Sat, 31 Jan 2026 20:49:41 +0200
Subject: [PATCH 08/10] Add fixes to OIDC flow

Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com>
---
 Dockerfile                                    |   1 -
 cmd/caib/auth/config.go                       |  13 +-
 cmd/caib/auth/oidc.go                         |  15 +-
 cmd/caib/auth/wrapper.go                      |  22 +-
 cmd/caib/main.go                              |  48 ++-
 internal/buildapi/auth_config.go              | 108 +-----
 internal/buildapi/client_tokens.go            |  15 +-
 internal/buildapi/server.go                   | 333 ++++++++++--------
 .../controller/operatorconfig/resources.go    |  92 +++--
 test/e2e/e2e_test.go                          | 122 +++++--
 10 files changed, 401 insertions(+), 368 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 6c2ccc90..a051c75c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,7 +31,6 @@ WORKDIR /
 COPY --from=builder /workspace/manager .
 COPY --from=builder /workspace/build-api .
 COPY --from=builder /workspace/init-secrets .
-# Include CA bundle so OIDC discovery works without custom CA config
 COPY --from=builder /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/tls/certs/ca-bundle.crt
 USER 65532:65532
diff --git a/cmd/caib/auth/config.go b/cmd/caib/auth/config.go
index 488008fe..17a1a8df 100644
--- a/cmd/caib/auth/config.go
+++ b/cmd/caib/auth/config.go
@@ -2,7 +2,6 @@
 package auth
 
 import (
-	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -16,11 +15,6 @@ import (
 func GetOIDCConfigFromAPI(serverURL string) (*OIDCConfig, error) {
 	transport := &http.Transport{}
 
-	// Check for insecure TLS flag
-	if strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1" {
-		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
-
 	client := &http.Client{
 		Timeout:   30 * time.Second,
 		Transport: transport,
@@ -81,8 +75,13 @@ func GetOIDCConfigFromAPI(serverURL string) (*OIDCConfig, error) {
 		return nil, fmt.Errorf("OIDC client ID is required but not provided by the server")
 	}
 
+	issuerURL := jwtConfig.Issuer.URL
+	if issuerURL == "" {
+		return nil, fmt.Errorf("OIDC issuer URL is required but not provided by the server")
+	}
+
 	return &OIDCConfig{
-		IssuerURL: jwtConfig.Issuer.URL,
+		IssuerURL: issuerURL,
 		ClientID:  clientID,
 		Scopes:    []string{"openid", "profile", "email"},
 	}, nil
diff --git a/cmd/caib/auth/oidc.go b/cmd/caib/auth/oidc.go
index 800006ea..0ae712cb 100644
--- a/cmd/caib/auth/oidc.go
+++ b/cmd/caib/auth/oidc.go
@@ -5,7 +5,6 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/sha256"
-	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -148,7 +147,7 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 	codeChallenge := base64URLEncode(sha256Hash(codeVerifier))
 
 	// Find available port for callback
-	listener, err := net.Listen("tcp", ":0")
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		return "", fmt.Errorf("failed to find available port: %w", err)
 	}
@@ -179,7 +178,7 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 	errChan := make(chan error, 1)
 
 	server := &http.Server{
-		Addr: fmt.Sprintf(":%d", port),
+		Addr: fmt.Sprintf("127.0.0.1:%d", port),
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path != "/callback" {
 				http.NotFound(w, r)
@@ -281,10 +280,7 @@ func (a *OIDCAuth) exchangeCodeForToken(ctx context.Context, tokenEndpoint, code
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 
 	transport := &http.Transport{}
-	// Check for insecure TLS flag
-	if strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1" {
-		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
+	// Use default TLS settings
 
 	client := &http.Client{
 		Timeout:   30 * time.Second,
@@ -330,10 +326,7 @@ type DiscoveryDocument struct {
 
 func (a *OIDCAuth) getDiscovery(discoveryURL string) (*DiscoveryDocument, error) {
 	transport := &http.Transport{}
-	// Check for insecure TLS flag
-	if strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1" {
-		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
+	// Use default TLS settings
 
 	client := &http.Client{
 		Timeout:   10 * time.Second,
diff --git a/cmd/caib/auth/wrapper.go b/cmd/caib/auth/wrapper.go
index f43828d6..eeb608d7 100644
--- a/cmd/caib/auth/wrapper.go
+++ b/cmd/caib/auth/wrapper.go
@@ -3,7 +3,6 @@ package auth
 import (
 	"context"
 	"fmt"
-	"os"
 	"strings"
 
 	buildapiclient "github.com/centos-automotive-suite/automotive-dev-operator/internal/buildapi/client"
@@ -26,19 +25,15 @@ func IsAuthError(err error) bool {
 // The boolean return indicates whether a fresh auth flow was performed.
 // Returns an error if OIDC is configured but config fetch fails (network/server errors).
 func GetTokenWithReauth(ctx context.Context, serverURL string, currentToken string) (string, bool, error) {
-	// Try to get OIDC config from local config first
-	config, err := GetOIDCConfigFromLocalConfig()
+	// Prefer API config over local: server is source of truth (OperatorConfig).
+	// When server has OIDC disabled or init failed, API returns empty JWT and we should not use local OIDC.
+	config, err := GetOIDCConfigFromAPI(serverURL)
 	if err != nil {
-		// Fallback to Build API
-		config, err = GetOIDCConfigFromAPI(serverURL)
-		if err != nil {
-			// Error fetching config - this is a real error, not "not configured"
-			return "", false, fmt.Errorf("failed to fetch OIDC configuration: %w", err)
-		}
+		// Error fetching config - this is a real error, not "not configured"
+		return "", false, fmt.Errorf("failed to fetch OIDC configuration: %w", err)
 	}
-
-	// If no config available, return empty (auth is optional)
 	if config == nil {
+		// API says no OIDC - do not use local config; caller will use kubeconfig
 		return "", false, nil
 	}
 
@@ -91,10 +86,5 @@ func CreateClientWithReauth(ctx context.Context, serverURL string, authToken *st
 	var opts []buildapiclient.Option
 	opts = append(opts, buildapiclient.WithAuthToken(tokenValue))
 
-	// Check for insecure TLS flag
-	if strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1" {
-		opts = append(opts, buildapiclient.WithInsecureTLS())
-	}
-
 	return buildapiclient.New(serverURL, opts...)
 }
diff --git a/cmd/caib/main.go b/cmd/caib/main.go
index 40c52867..5c18f5dc 100644
--- a/cmd/caib/main.go
+++ b/cmd/caib/main.go
@@ -143,16 +143,13 @@ func createBuildAPIClient(serverURL string, authToken *string) (*buildapiclient.
 		opts = append(opts, buildapiclient.WithCACertificate(caCertFile))
 	} else if caCertFile := os.Getenv("REQUESTS_CA_BUNDLE"); caCertFile != "" {
 		opts = append(opts, buildapiclient.WithCACertificate(caCertFile))
-	} else {
-		if strings.EqualFold(os.Getenv("CAIB_INSECURE_TLS"), "true") || os.Getenv("CAIB_INSECURE_TLS") == "1" {
-			opts = append(opts, buildapiclient.WithInsecureTLS())
-		}
 	}
 
 	return buildapiclient.New(serverURL, opts...)
 }
 
-// executeWithReauth executes an API call and automatically retries with re-authentication on auth errors
+// executeWithReauth executes an API call and automatically retries with re-authentication on auth errors.
+// On 401: first retries with OIDC re-auth; if that still returns 401, falls back to kubeconfig token and retries once.
 func executeWithReauth(serverURL string, authToken *string, fn func(*buildapiclient.Client) error) error {
 	ctx := context.Background()
 
@@ -170,23 +167,54 @@ func executeWithReauth(serverURL string, authToken *string, fn func(*buildapicli
 		return err
 	}
 
-	// Auth error - try to re-authenticate
-	fmt.Println("Token is expired, triggering re-authentication")
+	// Auth error (401) - try re-authentication; token may be rejected, not necessarily expired
+	fmt.Println("Authentication failed (401), re-authenticating...")
 
 	newToken, _, err := auth.GetTokenWithReauth(ctx, serverURL, *authToken)
 	if err != nil {
 		return fmt.Errorf("re-authentication failed: %w", err)
 	}
 
-	// Update token and retry
 	*authToken = newToken
+	// If re-auth returned no token (API says OIDC not configured), try kubeconfig before retrying
+	if strings.TrimSpace(*authToken) == "" {
+		if tok, kerr := loadTokenFromKubeconfig(); kerr == nil && strings.TrimSpace(tok) != "" {
+			*authToken = tok
+			client, err = createBuildAPIClient(serverURL, authToken)
+			if err != nil {
+				return err
+			}
+			fmt.Println("Using kubeconfig token, retrying...")
+			return fn(client)
+		}
+	}
+
 	client, err = createBuildAPIClient(serverURL, authToken)
 	if err != nil {
 		return err
 	}
 
-	fmt.Println("Re-authentication successful, retrying...")
-	return fn(client)
+	fmt.Println("Retrying request...")
+	err = fn(client)
+	if err == nil {
+		return nil
+	}
+
+	// Still 401 after OIDC re-auth (e.g. server OIDC broken, or wrong client/audience) - try kubeconfig fallback
+	if !auth.IsAuthError(err) {
+		return err
+	}
+	if tok, kerr := loadTokenFromKubeconfig(); kerr == nil && strings.TrimSpace(tok) != "" {
+		*authToken = tok
+		client, err = createBuildAPIClient(serverURL, authToken)
+		if err != nil {
+			return err
+		}
+		fmt.Println("Attempting kubeconfig fallback...")
+		return fn(client)
+	}
+
+	return err
 }
 
 // extractRegistryCredentials extracts registry URL and returns registry URL and credentials from env vars
diff --git a/internal/buildapi/auth_config.go b/internal/buildapi/auth_config.go
index 80d023a6..7986b325 100644
--- a/internal/buildapi/auth_config.go
+++ b/internal/buildapi/auth_config.go
@@ -13,7 +13,7 @@ import (
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 	oidcauth "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/yaml"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	automotivev1alpha1 "github.com/centos-automotive-suite/automotive-dev-operator/api/v1alpha1"
 	apiserver "k8s.io/apiserver/pkg/apis/apiserver"
@@ -31,103 +31,6 @@ type InternalAuthConfig struct {
 	Prefix string `json:"prefix"`
 }
 
-func loadAuthenticationConfigurationFromFile(ctx context.Context, path string) (*AuthenticationConfiguration, authenticator.Token, string, error) {
-	if path == "" {
-		return nil, nil, "", nil
-	}
-	if info, err := os.Stat(path); err == nil && info.IsDir() {
-		return nil, nil, "", fmt.Errorf("path is a directory, not a file: %s", path)
-	}
-	content, err := os.ReadFile(path)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil, nil, "", fmt.Errorf("file not found: %s", path)
-		}
-		return nil, nil, "", fmt.Errorf("failed to read file %s: %w", path, err)
-	}
-
-	var config AuthenticationConfiguration
-
-	var wrapped struct {
-		Authentication AuthenticationConfiguration `yaml:"authentication" json:"authentication"`
-	}
-	wrappedErr := yaml.Unmarshal(content, &wrapped)
-	if wrappedErr == nil {
-		if len(wrapped.Authentication.JWT) > 0 {
-			config = wrapped.Authentication
-		} else if wrapped.Authentication.Internal.Prefix != "" {
-			config = wrapped.Authentication
-		} else {
-			if err := yaml.Unmarshal(content, &config); err != nil {
-				return nil, nil, "", fmt.Errorf("failed to parse auth config: wrapped parse succeeded but JWT empty (jwt_count=0, internal_prefix=%q), direct parse failed: %w. This suggests YAML structure mismatch with Kubernetes JWTAuthenticator format", wrapped.Authentication.Internal.Prefix, err)
-			}
-		}
-	} else {
-		if err := yaml.Unmarshal(content, &config); err != nil {
-			return nil, nil, "", fmt.Errorf("failed to parse auth config (tried wrapped and direct): wrapped_err=%v, direct_err=%w", wrappedErr, err)
-		}
-	}
-
-	if len(config.JWT) == 0 {
-		var raw struct {
-			Authentication struct {
-				ClientID string `yaml:"clientId"`
-				Internal struct {
-					Prefix string `yaml:"prefix"`
-				} `yaml:"internal"`
-				JWT []struct {
-					Issuer struct {
-						URL                  string   `yaml:"url"`
-						Audiences            []string `yaml:"audiences"`
-						CertificateAuthority string   `yaml:"certificateAuthority"`
-					} `yaml:"issuer"`
-					ClaimMappings struct {
-						Username struct {
-							Claim  string `yaml:"claim"`
-							Prefix string `yaml:"prefix"`
-						} `yaml:"username"`
-					} `yaml:"claimMappings"`
-				} `yaml:"jwt"`
-			} `yaml:"authentication"`
-		}
-		if err := yaml.Unmarshal(content, &raw); err == nil && len(raw.Authentication.JWT) > 0 {
-			if config.ClientID == "" {
-				config.ClientID = raw.Authentication.ClientID
-			}
-			if config.Internal.Prefix == "" {
-				config.Internal.Prefix = raw.Authentication.Internal.Prefix
-			}
-			for _, entry := range raw.Authentication.JWT {
-				prefix := entry.ClaimMappings.Username.Prefix
-				jwt := apiserverv1beta1.JWTAuthenticator{
-					Issuer: apiserverv1beta1.Issuer{
-						URL:                  entry.Issuer.URL,
-						Audiences:            entry.Issuer.Audiences,
-						CertificateAuthority: entry.Issuer.CertificateAuthority,
-					},
-					ClaimMappings: apiserverv1beta1.ClaimMappings{
-						Username: apiserverv1beta1.PrefixedClaimOrExpression{
-							Claim:  entry.ClaimMappings.Username.Claim,
-							Prefix: &prefix,
-						},
-					},
-				}
-				config.JWT = append(config.JWT, jwt)
-			}
-		}
-	}
-
-	if config.Internal.Prefix == "" {
-		config.Internal.Prefix = "internal:"
-	}
-
-	authn, err := newJWTAuthenticator(ctx, config)
-	if err != nil {
-		return nil, nil, "", err
-	}
-	return &config, authn, config.Internal.Prefix, nil
-}
-
 func newJWTAuthenticator(ctx context.Context, config AuthenticationConfiguration) (authenticator.Token, error) {
 	if len(config.JWT) == 0 {
 		return nil, nil
@@ -188,7 +91,10 @@ func loadAuthenticationConfigurationFromOperatorConfig(ctx context.Context, k8sC
 	}
 
 	// Check if authentication is configured
-	if operatorConfig.Spec.BuildAPI == nil || operatorConfig.Spec.BuildAPI.Authentication == nil {
+	if operatorConfig.Spec.BuildAPI == nil {
+		return nil, nil, "", nil // No authentication configured
+	}
+	if operatorConfig.Spec.BuildAPI.Authentication == nil {
 		return nil, nil, "", nil // No authentication configured
 	}
 
@@ -209,7 +115,9 @@ func loadAuthenticationConfigurationFromOperatorConfig(ctx context.Context, k8sC
 	// Build authenticator from JWT configuration
 	authn, err := newJWTAuthenticator(ctx, *config)
 	if err != nil {
-		return nil, nil, "", fmt.Errorf("failed to create JWT authenticator: %w", err)
+		log.FromContext(ctx).Error(err, "failed to create JWT authenticator, will fall back to kubeconfig authentication", "namespace", namespace)
+		// Return config with nil authenticator - this allows kubeconfig fallback to work
+		return config, nil, config.Internal.Prefix, nil
 	}
 
 	return config, authn, config.Internal.Prefix, nil
diff --git a/internal/buildapi/client_tokens.go b/internal/buildapi/client_tokens.go
index c444287c..9aee278a 100644
--- a/internal/buildapi/client_tokens.go
+++ b/internal/buildapi/client_tokens.go
@@ -13,6 +13,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
 )
 
 const (
@@ -20,9 +21,13 @@ const (
 	clientTokenExpiry = 30 * 24 * time.Hour
 )
 
-func (a *APIServer) authenticateExternalJWT(c *gin.Context, token string) (string, bool) {
-	resp, ok, err := a.externalJWT.AuthenticateToken(c.Request.Context(), token)
-	if err != nil || !ok || resp == nil || resp.User == nil {
+func (a *APIServer) authenticateExternalJWT(c *gin.Context, token string, authn authenticator.Token) (string, bool) {
+	resp, ok, err := authn.AuthenticateToken(c.Request.Context(), token)
+	if err != nil {
+		a.log.Error(err, "OIDC token validation failed")
+		return "", false
+	}
+	if !ok || resp == nil || resp.User == nil {
 		return "", false
 	}
 	username := strings.TrimSpace(resp.User.GetName())
@@ -91,6 +96,10 @@ func (a *APIServer) ensureClientTokenSecret(c *gin.Context, username string, oid
 }
 
 func (a *APIServer) signClientToken(username string) (string, time.Time, error) {
+	if a.internalJWT == nil {
+		return "", time.Time{}, fmt.Errorf("internal JWT is not configured")
+	}
+
 	expiresAt := time.Now().Add(clientTokenExpiry)
 	audience := a.internalJWT.audience
 	if audience == "" {
diff --git a/internal/buildapi/server.go b/internal/buildapi/server.go
index 79f888fb..e49ac42c 100644
--- a/internal/buildapi/server.go
+++ b/internal/buildapi/server.go
@@ -15,6 +15,7 @@ import (
 	"path"
 	"sort"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -32,7 +33,6 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/remotecommand"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/yaml"
 
 	automotivev1alpha1 "github.com/centos-automotive-suite/automotive-dev-operator/api/v1alpha1"
 	"github.com/centos-automotive-suite/automotive-dev-operator/internal/buildapi/catalog"
@@ -82,16 +82,18 @@ func DefaultAPILimits() APILimits {
 
 // APIServer provides the REST API for build operations.
 type APIServer struct {
-	server         *http.Server
-	router         *gin.Engine
-	addr           string
-	log            logr.Logger
-	limits         APILimits
-	internalJWT    *internalJWTConfig
-	externalJWT    authenticator.Token
-	internalPrefix string
-	authConfig     *AuthenticationConfiguration // Store raw config for API exposure
-	oidcClientID   string
+	server              *http.Server
+	router              *gin.Engine
+	addr                string
+	log                 logr.Logger
+	limits              APILimits
+	internalJWT         *internalJWTConfig
+	externalJWT         authenticator.Token
+	internalPrefix      string
+	authConfig          *AuthenticationConfiguration // Store raw config for API exposure
+	oidcClientID        string
+	authConfigMu        sync.RWMutex // Protects externalJWT, authConfig, internalPrefix, oidcClientID
+	lastAuthConfigCheck time.Time    // Last time we checked OperatorConfig
 }
 
 //go:embed openapi.yaml
@@ -126,8 +128,15 @@ func NewAPIServerWithLimits(addr string, logger logr.Logger, limits APILimits) *
 	logger.Info("attempting to load authentication config from OperatorConfig", "namespace", namespace)
 	k8sClient, err := a.getCatalogClient()
 	if err == nil {
-		cfg, authn, prefix, err := loadAuthenticationConfigurationFromOperatorConfig(context.Background(), k8sClient, namespace)
-		if err == nil && cfg != nil {
+		// Use a timeout to avoid blocking server startup indefinitely
+		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		cfg, authn, prefix, err := loadAuthenticationConfigurationFromOperatorConfig(ctx, k8sClient, namespace)
+		if err != nil {
+			// If OperatorConfig doesn't exist or can't be read, log and continue without OIDC
+			// This allows kubeconfig fallback to work
+			logger.Info("failed to load authentication config from OperatorConfig, will use kubeconfig fallback", "namespace", namespace, "error", err)
+		} else if cfg != nil {
 			a.authConfig = cfg
 			a.externalJWT = authn
 			a.internalPrefix = prefix
@@ -135,60 +144,21 @@ func NewAPIServerWithLimits(addr string, logger logr.Logger, limits APILimits) *
 				a.oidcClientID = cfg.ClientID
 			}
 			if len(cfg.JWT) > 0 {
-				logger.Info("loaded authentication config from OperatorConfig", "jwt_count", len(cfg.JWT), "namespace", namespace, "client_id", cfg.ClientID)
-			} else {
-				logger.Info("authentication config loaded from OperatorConfig but no JWT issuers configured", "namespace", namespace)
-			}
-		} else if err != nil {
-			logger.Info("failed to load authentication config from OperatorConfig, trying file fallback", "namespace", namespace, "error", err)
-		} else {
-			logger.Info("no authentication config in OperatorConfig, trying file fallback", "namespace", namespace)
-		}
-	} else {
-		logger.Info("failed to create k8s client for OperatorConfig, trying file fallback", "error", err)
-	}
-
-	// Fallback to file-based config if OperatorConfig doesn't have auth config or failed to load
-	if a.authConfig == nil {
-		authConfigPath := os.Getenv("AUTH_CONFIG_PATH")
-		if authConfigPath == "" {
-			authConfigPath = "/etc/build-api/config"
-		}
-		logger.Info("loading authentication config from file", "path", authConfigPath)
-		cfg, authn, prefix, err := loadAuthenticationConfigurationFromFile(context.Background(), authConfigPath)
-		if err != nil {
-			logger.Info("primary config path failed, trying fallback", "primary_path", authConfigPath, "error", err)
-			fallbackPath := "/etc/build-api/authentication.yaml"
-			if info, statErr := os.Stat(fallbackPath); statErr == nil && !info.IsDir() {
-				if fallbackCfg, fallbackAuthn, fallbackPrefix, fallbackErr := loadAuthenticationConfigurationFromFile(context.Background(), fallbackPath); fallbackErr == nil {
-					cfg = fallbackCfg
-					authn = fallbackAuthn
-					prefix = fallbackPrefix
-					logger.Info("loaded authentication config from fallback path", "path", fallbackPath)
+				if authn != nil {
+					logger.Info("loaded authentication config from OperatorConfig", "jwt_count", len(cfg.JWT), "namespace", namespace, "client_id", cfg.ClientID)
 				} else {
-					logger.Error(err, "failed to load authentication config; external OIDC auth disabled", "primary_path", authConfigPath, "fallback_path", fallbackPath, "fallback_err", fallbackErr)
+					logger.Info("OIDC configured in OperatorConfig but initialization failed, externalJWT set to nil to enable kubeconfig fallback", "jwt_count", len(cfg.JWT), "namespace", namespace)
+					// Ensure externalJWT is nil so clients don't try to use OIDC tokens
+					a.externalJWT = nil
 				}
 			} else {
-				logger.Error(err, "failed to load authentication config; external OIDC auth disabled", "primary_path", authConfigPath, "fallback_is_dir", statErr == nil && info.IsDir())
+				logger.Info("authentication config loaded from OperatorConfig but no JWT issuers configured", "namespace", namespace)
 			}
-		} else if cfg == nil {
-			logger.Info("authentication config file not found or empty", "path", authConfigPath)
 		} else {
-			logger.Info("loaded authentication config from file", "path", authConfigPath, "jwt_count", len(cfg.JWT))
-		}
-		if cfg != nil {
-			a.authConfig = cfg
-			a.externalJWT = authn
-			a.internalPrefix = prefix
-			if cfg.ClientID != "" {
-				a.oidcClientID = cfg.ClientID
-			}
-			if len(cfg.JWT) > 0 {
-				logger.Info("external OIDC auth enabled", "issuers", len(cfg.JWT))
-			} else {
-				logger.Info("authentication config loaded but no JWT issuers configured")
-			}
+			logger.Info("no authentication config in OperatorConfig, will use kubeconfig fallback", "namespace", namespace)
 		}
+	} else {
+		logger.Info("failed to create k8s client for OperatorConfig, will use kubeconfig fallback", "error", err)
 	}
 	a.router = a.createRouter()
 	a.server = &http.Server{Addr: addr, Handler: a.router}
@@ -1709,6 +1679,29 @@ func getRESTConfigFromRequest(_ *gin.Context) (*rest.Config, error) {
 	return cfgCopy, nil
 }
 
+// getKubernetesClient creates a controller-runtime client for accessing Kubernetes resources
+func getKubernetesClient() (client.Client, error) {
+	cfg, err := rest.InClusterConfig()
+	if err != nil {
+		kubeconfig := os.Getenv("KUBECONFIG")
+		cfg, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
+		if err != nil {
+			return nil, fmt.Errorf("failed to build kube config: %w", err)
+		}
+	}
+
+	scheme := runtime.NewScheme()
+	if err := automotivev1alpha1.AddToScheme(scheme); err != nil {
+		return nil, fmt.Errorf("failed to add scheme: %w", err)
+	}
+
+	k8sClient, err := client.New(cfg, client.Options{Scheme: scheme})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create k8s client: %w", err)
+	}
+	return k8sClient, nil
+}
+
 func getClientFromRequest(c *gin.Context) (client.Client, error) {
 	cfg, err := getRESTConfigFromRequest(c)
 	if err != nil {
@@ -1733,60 +1726,156 @@ func getClientFromRequest(c *gin.Context) (client.Client, error) {
 	return k8sClient, nil
 }
 
+// refreshAuthConfigIfNeeded periodically checks and refreshes authentication configuration from OperatorConfig
+func (a *APIServer) refreshAuthConfigIfNeeded() {
+	a.authConfigMu.Lock()
+	defer a.authConfigMu.Unlock()
+
+	// Check if it's time to refresh (every 60 seconds)
+	if time.Since(a.lastAuthConfigCheck) < 60*time.Second {
+		return
+	}
+	a.lastAuthConfigCheck = time.Now()
+
+	namespace := resolveNamespace()
+	k8sClient, err := getKubernetesClient()
+	if err != nil {
+		a.log.Error(err, "failed to get k8s client for auth config refresh", "namespace", namespace)
+		return
+	}
+
+	// Use a separate context with timeout to avoid canceling OIDC initialization
+	refreshCtx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	defer cancel()
+
+	cfg, authn, prefix, err := loadAuthenticationConfigurationFromOperatorConfig(refreshCtx, k8sClient, namespace)
+	if err != nil {
+		// If refresh fails, log but don't clear existing config - allow kubeconfig fallback
+		a.log.Error(err, "failed to load authentication config from OperatorConfig during refresh, keeping existing config", "namespace", namespace)
+		return
+	}
+
+	if cfg == nil {
+		// Only clear if explicitly nil (no auth config)
+		a.authConfig = nil
+		a.externalJWT = nil
+		a.internalPrefix = ""
+		return
+	}
+
+	// Update config fields
+	a.authConfig = cfg
+	a.internalPrefix = prefix
+	if cfg.ClientID != "" {
+		a.oidcClientID = cfg.ClientID
+	}
+
+	// Update authenticator - if we got a new one, use it; otherwise clear it to force kubeconfig fallback
+	if authn != nil {
+		a.externalJWT = authn
+	} else {
+		// authn is nil - this can happen if:
+		// 1. No JWT issuers configured (len(config.JWT) == 0)
+		// 2. OIDC initialization failed (network/TLS issues)
+		if len(cfg.JWT) == 0 {
+			a.externalJWT = nil
+		} else {
+			// OIDC is configured but initialization failed - clear authenticator to force kubeconfig fallback
+			// This prevents clients from trying to use OIDC tokens that won't work
+			a.externalJWT = nil
+		}
+	}
+}
+
 func (a *APIServer) authenticateRequest(c *gin.Context) (string, string, bool) {
+	// Refresh auth config if needed (checks OperatorConfig periodically)
+	a.refreshAuthConfigIfNeeded()
+
 	token := extractBearerToken(c)
 	if token == "" {
 		return "", "", false
 	}
 
-	if a.internalJWT != nil {
-		if subject, ok := validateInternalJWT(token, a.internalJWT); ok {
+	// Try internal JWT first
+	a.authConfigMu.RLock()
+	internalJWT := a.internalJWT
+	internalPrefix := a.internalPrefix
+	a.authConfigMu.RUnlock()
+
+	if internalJWT != nil {
+		if subject, ok := validateInternalJWT(token, internalJWT); ok {
 			username := subject
-			if a.internalPrefix != "" {
-				username = a.internalPrefix + username
+			if internalPrefix != "" {
+				username = internalPrefix + username
 			}
+			a.log.Info("Internal JWT authentication successful", "username", username)
 			return username, "internal", true
 		}
 	}
 
-	if a.externalJWT != nil {
-		if username, ok := a.authenticateExternalJWT(c, token); ok {
+	// Try external JWT (OIDC)
+	a.authConfigMu.RLock()
+	externalJWT := a.externalJWT
+	a.authConfigMu.RUnlock()
+
+	if externalJWT != nil {
+		if username, ok := a.authenticateExternalJWT(c, token, externalJWT); ok {
 			// Store OIDC token in secret after successful authentication
 			if a.internalJWT != nil {
 				if err := a.ensureClientTokenSecret(c, username, token); err != nil {
 					a.log.Error(err, "failed to ensure client token secret", "username", username)
 				}
 			}
+			a.log.Info("External JWT authentication successful", "username", username)
 			return username, "external", true
 		}
 	}
 
+	// Fallback to kubeconfig TokenReview authentication
 	cfg, err := getRESTConfigFromRequest(c)
 	if err != nil {
+		a.log.Error(err, "Failed to get REST config for TokenReview fallback")
 		return "", "", false
 	}
 
 	clientset, err := kubernetes.NewForConfig(cfg)
 	if err != nil {
+		a.log.Error(err, "Failed to create Kubernetes client for TokenReview")
 		return "", "", false
 	}
 
 	tr := &authnv1.TokenReview{Spec: authnv1.TokenReviewSpec{Token: token}}
 	res, err := clientset.AuthenticationV1().TokenReviews().Create(c.Request.Context(), tr, metav1.CreateOptions{})
-	if err == nil && res.Status.Authenticated {
-		return res.Status.User.Username, "k8s", true
+	if err != nil {
+		a.log.Error(err, "TokenReview API call failed")
+		return "", "", false
+	}
+	if res.Status.Authenticated {
+		username := res.Status.User.Username
+		if username == "" {
+			return "", "", false
+		}
+		return username, "k8s", true
+	}
+	// Log detailed error information
+	if res.Status.Error != "" {
+		a.log.Info("TokenReview authentication failed", "error", res.Status.Error)
 	}
 	return "", "", false
 }
 
-// extractBearerToken extracts the bearer token from the request
+// extractBearerToken extracts the bearer token from the request.
 func extractBearerToken(c *gin.Context) string {
 	authHeader := c.Request.Header.Get("Authorization")
 	token, _ := strings.CutPrefix(authHeader, "Bearer ")
-	if token == "" {
-		token = c.Request.Header.Get("X-Forwarded-Access-Token")
+	if token != "" {
+		return strings.TrimSpace(token)
+	}
+	token = c.Request.Header.Get("X-Forwarded-Access-Token")
+	if token != "" {
+		return strings.TrimSpace(token)
 	}
-	return strings.TrimSpace(token)
+	return ""
 }
 
 func (a *APIServer) resolveRequester(c *gin.Context) string {
@@ -1800,6 +1889,9 @@ func (a *APIServer) resolveRequester(c *gin.Context) string {
 
 // handleGetAuthConfig returns OIDC configuration for clients (no auth required)
 func (a *APIServer) handleGetAuthConfig(c *gin.Context) {
+	// Refresh auth config if needed
+	a.refreshAuthConfigIfNeeded()
+
 	type OIDCConfigResponse struct {
 		ClientID string `json:"clientId,omitempty"`
 		JWT      []struct {
@@ -1816,29 +1908,41 @@ func (a *APIServer) handleGetAuthConfig(c *gin.Context) {
 		} `json:"jwt"`
 	}
 
+	// Read auth config with mutex
+	a.authConfigMu.RLock()
+	clientID := a.oidcClientID
+	authConfig := a.authConfig
+	a.authConfigMu.RUnlock()
+
 	response := OIDCConfigResponse{
-		ClientID: a.oidcClientID,
+		ClientID: clientID,
 	}
 
 	// Validate clientId matches at least one audience if both are set
-	if a.oidcClientID != "" && a.authConfig != nil {
+	if clientID != "" && authConfig != nil {
 		clientIDInAudience := false
-		for _, jwtConfig := range a.authConfig.JWT {
+		for _, jwtConfig := range authConfig.JWT {
 			for _, audience := range jwtConfig.Issuer.Audiences {
-				if audience == a.oidcClientID {
+				if audience == clientID {
 					clientIDInAudience = true
 					break
 				}
 			}
 		}
-		if !clientIDInAudience && len(a.authConfig.JWT) > 0 {
-			a.log.Info("OIDC clientId does not match any JWT audience", "clientId", a.oidcClientID)
+		if !clientIDInAudience && len(authConfig.JWT) > 0 {
+			a.log.Info("OIDC clientId does not match any JWT audience", "clientId", clientID)
 		}
 	}
 
-	// Try to get from parsed config first
-	if a.authConfig != nil && len(a.authConfig.JWT) > 0 {
-		for _, jwtConfig := range a.authConfig.JWT {
+	// Only return OIDC config if externalJWT is actually working (not nil)
+	// If externalJWT is nil, OIDC isn't working and clients should use kubeconfig
+	a.authConfigMu.RLock()
+	externalJWTWorking := a.externalJWT != nil
+	a.authConfigMu.RUnlock()
+
+	// Try to get from parsed config first, but only if OIDC is actually working
+	if authConfig != nil && len(authConfig.JWT) > 0 && externalJWTWorking {
+		for _, jwtConfig := range authConfig.JWT {
 			prefix := ""
 			if jwtConfig.ClaimMappings.Username.Prefix != nil {
 				prefix = *jwtConfig.ClaimMappings.Username.Prefix
@@ -1878,71 +1982,6 @@ func (a *APIServer) handleGetAuthConfig(c *gin.Context) {
 				},
 			})
 		}
-	} else {
-		// Fallback: Try to read and parse ConfigMap directly if parsed config is empty
-		// This handles the case where YAML structure doesn't match Kubernetes types exactly
-		configPath := os.Getenv("AUTH_CONFIG_PATH")
-		if configPath == "" {
-			configPath = "/etc/build-api/config"
-		}
-		if content, err := os.ReadFile(configPath); err == nil {
-			// Try to parse as simple YAML to extract issuer URLs
-			var rawConfig struct {
-				Authentication struct {
-					JWT []struct {
-						Issuer struct {
-							URL       string   `yaml:"url" json:"url"`
-							Audiences []string `yaml:"audiences" json:"audiences"`
-						} `yaml:"issuer" json:"issuer"`
-						ClaimMappings struct {
-							Username struct {
-								Claim  string `yaml:"claim" json:"claim"`
-								Prefix string `yaml:"prefix" json:"prefix"`
-							} `yaml:"username" json:"username"`
-						} `yaml:"claimMappings" json:"claimMappings"`
-					} `yaml:"jwt" json:"jwt"`
-				} `yaml:"authentication" json:"authentication"`
-			}
-			if err := yaml.Unmarshal(content, &rawConfig); err == nil && len(rawConfig.Authentication.JWT) > 0 {
-				// Successfully parsed with simple struct
-				for _, jwt := range rawConfig.Authentication.JWT {
-					response.JWT = append(response.JWT, struct {
-						Issuer struct {
-							URL       string   `json:"url"`
-							Audiences []string `json:"audiences,omitempty"`
-						} `json:"issuer"`
-						ClaimMappings struct {
-							Username struct {
-								Claim  string `json:"claim"`
-								Prefix string `json:"prefix,omitempty"`
-							} `json:"username"`
-						} `json:"claimMappings"`
-					}{
-						Issuer: struct {
-							URL       string   `json:"url"`
-							Audiences []string `json:"audiences,omitempty"`
-						}{
-							URL:       jwt.Issuer.URL,
-							Audiences: jwt.Issuer.Audiences,
-						},
-						ClaimMappings: struct {
-							Username struct {
-								Claim  string `json:"claim"`
-								Prefix string `json:"prefix,omitempty"`
-							} `json:"username"`
-						}{
-							Username: struct {
-								Claim  string `json:"claim"`
-								Prefix string `json:"prefix,omitempty"`
-							}{
-								Claim:  jwt.ClaimMappings.Username.Claim,
-								Prefix: jwt.ClaimMappings.Username.Prefix,
-							},
-						},
-					})
-				}
-			}
-		}
 	}
 
 	// If no config, return empty
diff --git a/internal/controller/operatorconfig/resources.go b/internal/controller/operatorconfig/resources.go
index a43259b6..bd76fd28 100644
--- a/internal/controller/operatorconfig/resources.go
+++ b/internal/controller/operatorconfig/resources.go
@@ -31,6 +31,49 @@ func getOperatorImage() string {
 
 // buildBuildAPIContainers builds the container list for build-API deployment, conditionally including oauth-proxy
 func (r *OperatorConfigReconciler) buildBuildAPIContainers(isOpenShift bool) []corev1.Container {
+	buildAPIEnv := []corev1.EnvVar{
+		{
+			Name: "BUILD_API_NAMESPACE",
+			ValueFrom: &corev1.EnvVarSource{
+				FieldRef: &corev1.ObjectFieldSelector{
+					FieldPath: "metadata.namespace",
+				},
+			},
+		},
+		{
+			Name: "INTERNAL_JWT_ISSUER",
+			ValueFrom: &corev1.EnvVarSource{
+				SecretKeyRef: &corev1.SecretKeySelector{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: internalJWTSecretName,
+					},
+					Key: "issuer",
+				},
+			},
+		},
+		{
+			Name: "INTERNAL_JWT_AUDIENCE",
+			ValueFrom: &corev1.EnvVarSource{
+				SecretKeyRef: &corev1.SecretKeySelector{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: internalJWTSecretName,
+					},
+					Key: "audience",
+				},
+			},
+		},
+		{
+			Name: "INTERNAL_JWT_KEY",
+			ValueFrom: &corev1.EnvVarSource{
+				SecretKeyRef: &corev1.SecretKeySelector{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: internalJWTSecretName,
+					},
+					Key: "signing-key",
+				},
+			},
+		},
+	}
 	containers := []corev1.Container{
 		{
 			Name:            "build-api",
@@ -47,53 +90,7 @@ func (r *OperatorConfigReconciler) buildBuildAPIContainers(isOpenShift bool) []c
 					corev1.ResourceMemory: resource.MustParse("512Mi"),
 				},
 			},
-			Env: []corev1.EnvVar{
-				{
-					Name: "BUILD_API_NAMESPACE",
-					ValueFrom: &corev1.EnvVarSource{
-						FieldRef: &corev1.ObjectFieldSelector{
-							FieldPath: "metadata.namespace",
-						},
-					},
-				},
-				{
-					Name:  "AUTH_CONFIG_PATH",
-					Value: "/etc/build-api/config",
-				},
-				{
-					Name: "INTERNAL_JWT_ISSUER",
-					ValueFrom: &corev1.EnvVarSource{
-						SecretKeyRef: &corev1.SecretKeySelector{
-							LocalObjectReference: corev1.LocalObjectReference{
-								Name: internalJWTSecretName,
-							},
-							Key: "issuer",
-						},
-					},
-				},
-				{
-					Name: "INTERNAL_JWT_AUDIENCE",
-					ValueFrom: &corev1.EnvVarSource{
-						SecretKeyRef: &corev1.SecretKeySelector{
-							LocalObjectReference: corev1.LocalObjectReference{
-								Name: internalJWTSecretName,
-							},
-							Key: "audience",
-						},
-					},
-				},
-				{
-					Name: "INTERNAL_JWT_KEY",
-					ValueFrom: &corev1.EnvVarSource{
-						SecretKeyRef: &corev1.SecretKeySelector{
-							LocalObjectReference: corev1.LocalObjectReference{
-								Name: internalJWTSecretName,
-							},
-							Key: "signing-key",
-						},
-					},
-				},
-			},
+			Env: buildAPIEnv,
 			Ports: []corev1.ContainerPort{
 				{
 					Name:          "http",
@@ -123,6 +120,7 @@ func (r *OperatorConfigReconciler) buildBuildAPIContainers(isOpenShift bool) []c
 				"--cookie-secret=$(COOKIE_SECRET)",
 				"--cookie-secure=false",
 				"--pass-access-token=true",
+				"--pass-user-bearer-token=true",
 				"--pass-user-headers=true",
 				"--request-logging=true",
 				"--skip-auth-regex=^/healthz",
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index 54392b4f..d62b1f0a 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -34,6 +34,18 @@ import (
 
 const namespace = "automotive-dev-operator-system"
 
+// getBuildAPIURL returns the Build API URL when an OpenShift Route exists, or "" otherwise.
+// OIDC e2e tests that need to call the API run only on OpenShift (when Route exists).
+func getBuildAPIURL() string {
+	cmd := exec.Command("kubectl", "get", "route", "ado-build-api",
+		"-n", namespace, "-o", "jsonpath={.spec.host}")
+	output, err := utils.Run(cmd)
+	if err != nil || strings.TrimSpace(string(output)) == "" {
+		return ""
+	}
+	return "https://" + strings.TrimSpace(string(output))
+}
+
 var _ = Describe("controller", Ordered, func() {
 	BeforeAll(func() {
 		By("creating manager namespace")
@@ -336,38 +348,103 @@ func containsMiddle(s, substr string) bool {
 
 var _ = Describe("OIDC Authentication", Ordered, func() {
 	BeforeAll(func() {
+		var err error
+		var projectimage = "example.com/automotive-dev-operator:v0.0.1"
+
 		By("creating manager namespace")
 		cmd := exec.Command("kubectl", "create", "ns", namespace)
 		_, _ = utils.Run(cmd) // Ignore error if namespace already exists
 
+		By("building the manager(Operator) image")
+		cmd = exec.Command("make", "docker-build", fmt.Sprintf("IMG=%s", projectimage))
+		_, err = utils.Run(cmd)
+		Expect(err).NotTo(HaveOccurred())
+
+		By("loading the manager(Operator) image on Kind")
+		err = utils.LoadImageToKindClusterWithName(projectimage)
+		Expect(err).NotTo(HaveOccurred())
+
 		By("installing CRDs")
 		cmd = exec.Command("make", "install")
-		_, err := utils.Run(cmd)
+		_, err = utils.Run(cmd)
 		Expect(err).NotTo(HaveOccurred())
 
-		By("waiting for OperatorConfig CRD to be established")
-		cmd = exec.Command("kubectl", "wait", "--for=condition=established", "--timeout=60s",
-			"crd/operatorconfigs.automotive.sdv.cloud.redhat.com")
+		By("deploying the controller-manager")
+		cmd = exec.Command("make", "deploy", fmt.Sprintf("IMG=%s", projectimage))
 		_, err = utils.Run(cmd)
 		Expect(err).NotTo(HaveOccurred())
+
+		By("validating that the controller-manager pod is running")
+		verifyControllerUp := func() error {
+			cmd = exec.Command("kubectl", "get",
+				"pods", "-l", "control-plane=controller-manager",
+				"-o", "go-template={{ range .items }}"+
+					"{{ if not .metadata.deletionTimestamp }}"+
+					"{{ .metadata.name }}"+
+					"{{ \"\\n\" }}{{ end }}{{ end }}",
+				"-n", namespace,
+			)
+			podOutput, err := utils.Run(cmd)
+			if err != nil {
+				return err
+			}
+			podNames := utils.GetNonEmptyLines(string(podOutput))
+			if len(podNames) != 1 {
+				return fmt.Errorf("expect 1 controller pods running, but got %d", len(podNames))
+			}
+			cmd = exec.Command("kubectl", "get",
+				"pods", podNames[0], "-o", "jsonpath={.status.phase}",
+				"-n", namespace,
+			)
+			status, err := utils.Run(cmd)
+			if err != nil {
+				return err
+			}
+			if string(status) != "Running" {
+				return fmt.Errorf("controller pod in %s status", status)
+			}
+			return nil
+		}
+		Eventually(verifyControllerUp, time.Minute, time.Second).Should(Succeed())
+
+		By("creating baseline OperatorConfig without OIDC")
+		cmd = exec.Command("kubectl", "apply", "-f", "config/samples/automotive_v1_operatorconfig.yaml")
+		_, err = utils.Run(cmd)
+		Expect(err).NotTo(HaveOccurred())
+
+		By("waiting for Build API deployment")
+		verifyBuildAPIDeployment := func() error {
+			cmd = exec.Command("kubectl", "get", "deployment", "ado-build-api",
+				"-n", namespace, "-o", "jsonpath={.status.availableReplicas}")
+			output, err := utils.Run(cmd)
+			if err != nil {
+				return err
+			}
+			if strings.TrimSpace(string(output)) != "1" {
+				return fmt.Errorf("build-api deployment not available, replicas: %s", output)
+			}
+			return nil
+		}
+		Eventually(verifyBuildAPIDeployment, 3*time.Minute, 5*time.Second).Should(Succeed())
+
+		// OIDC HTTP tests require an OpenShift Route; on kind there is no Route so we skip the suite
+		if getBuildAPIURL() == "" {
+			Skip("OIDC e2e requires OpenShift Route (ado-build-api); skipping on kind")
+		}
 	})
 
 	AfterAll(func() {
 		By("removing manager namespace")
 		cmd := exec.Command("kubectl", "delete", "ns", namespace, "--timeout=60s")
 		_, _ = utils.Run(cmd)
+		// Give namespace time to terminate before next suite (no hard fail if slow)
+		time.Sleep(30 * time.Second)
 	})
 
 	Context("Build API OIDC Configuration", func() {
 		It("should return 404 when OIDC is not configured", func() {
-			By("getting Build API route")
-			cmd := exec.Command("kubectl", "get", "route", "ado-build-api",
-				"-n", namespace, "-o", "jsonpath={.spec.host}")
-			output, err := utils.Run(cmd)
-			if err != nil {
-				Skip("Build API route not found - OIDC tests require Build API to be deployed")
-			}
-			apiURL := "https://" + strings.TrimSpace(string(output))
+			By("getting Build API URL")
+			apiURL := getBuildAPIURL()
 
 			By("checking /v1/auth/config endpoint returns 404 when OIDC not configured")
 			client := &http.Client{
@@ -416,14 +493,10 @@ spec:
 			time.Sleep(10 * time.Second)
 
 			By("checking /v1/auth/config endpoint returns OIDC config")
-			cmd = exec.Command("kubectl", "get", "route", "ado-build-api",
-				"-n", namespace, "-o", "jsonpath={.spec.host}")
-			output, err := utils.Run(cmd)
-			if err != nil {
-				Skip("Build API route not found")
+			apiURL := getBuildAPIURL()
+			if apiURL == "" {
+				Skip("Build API Route not found (OpenShift required)")
 			}
-			apiURL := "https://" + strings.TrimSpace(string(output))
-
 			client := &http.Client{
 				Transport: &http.Transport{
 					TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
@@ -437,9 +510,7 @@ spec:
 			Expect(resp.StatusCode).To(Equal(200))
 			body, err := io.ReadAll(resp.Body)
 			Expect(err).NotTo(HaveOccurred())
-			response := string(body)
-			Expect(response).To(ContainSubstring("jwt"))
-			Expect(response).To(ContainSubstring("clientId"))
+			Expect(string(body)).To(And(ContainSubstring("jwt"), ContainSubstring("clientId")))
 
 			By("cleaning up OIDC configuration from OperatorConfig")
 			cmd = exec.Command("kubectl", "patch", "operatorconfig", "config",
@@ -449,11 +520,10 @@ spec:
 	})
 
 	Context("Internal JWT Validation", func() {
-		It("should reject tokens with empty subject", func() {
-			// This is tested via unit tests, but we verify the Build API
-			// properly validates internal JWTs in e2e context
+		It("should have Build API pod running", func() {
+			// Verify the Build API pod is running
 			By("verifying Build API pod is running")
-			cmd := exec.Command("kubectl", "get", "pod", "-l", "app=ado-build-api",
+			cmd := exec.Command("kubectl", "get", "pod", "-l", "app.kubernetes.io/component=build-api",
 				"-n", namespace, "-o", "jsonpath={.items[0].status.phase}")
 			output, err := utils.Run(cmd)
 			if err != nil {

From 60dd391cf50da1a726de609cbba7c77acb0cf39f Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev <bkhizgiy@redhat.com>
Date: Sun, 1 Feb 2026 11:27:10 +0200
Subject: [PATCH 09/10] Add minor fixes to the OIDC flow and token rotation

Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com>
---
 cmd/caib/auth/config.go                       | 11 +++-
 cmd/caib/auth/oidc.go                         | 24 +++----
 .../controller/operatorconfig/controller.go   | 40 ++++++++++++
 test/e2e/e2e_test.go                          | 62 +++++++++++++++++--
 4 files changed, 119 insertions(+), 18 deletions(-)

diff --git a/cmd/caib/auth/config.go b/cmd/caib/auth/config.go
index 17a1a8df..874ddb45 100644
--- a/cmd/caib/auth/config.go
+++ b/cmd/caib/auth/config.go
@@ -2,6 +2,8 @@
 package auth
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -13,8 +15,13 @@ import (
 
 // GetOIDCConfigFromAPI fetches OIDC configuration from the Build API server.
 func GetOIDCConfigFromAPI(serverURL string) (*OIDCConfig, error) {
-	transport := &http.Transport{}
-
+	pool, err := x509.SystemCertPool()
+	if err != nil {
+		pool = x509.NewCertPool()
+	}
+	transport := &http.Transport{
+		TLSClientConfig: &tls.Config{RootCAs: pool},
+	}
 	client := &http.Client{
 		Timeout:   30 * time.Second,
 		Transport: transport,
diff --git a/cmd/caib/auth/oidc.go b/cmd/caib/auth/oidc.go
index 0ae712cb..ae9a6989 100644
--- a/cmd/caib/auth/oidc.go
+++ b/cmd/caib/auth/oidc.go
@@ -146,16 +146,12 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 	}
 	codeChallenge := base64URLEncode(sha256Hash(codeVerifier))
 
-	// Find available port for callback
+	// Bind callback server to a port and keep the listener so no other process can claim it
 	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		return "", fmt.Errorf("failed to find available port: %w", err)
 	}
 	port := listener.Addr().(*net.TCPAddr).Port
-	if err := listener.Close(); err != nil {
-		return "", fmt.Errorf("failed to close listener: %w", err)
-	}
-
 	redirectURI := fmt.Sprintf("http://localhost:%d/callback", port)
 
 	// Build authorization URL
@@ -178,7 +174,6 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 	errChan := make(chan error, 1)
 
 	server := &http.Server{
-		Addr: fmt.Sprintf("127.0.0.1:%d", port),
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path != "/callback" {
 				http.NotFound(w, r)
@@ -217,7 +212,7 @@ func (a *OIDCAuth) authenticate(ctx context.Context) (string, error) {
 	}
 
 	go func() {
-		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+		if err := server.Serve(listener); err != nil && err != http.ErrServerClosed {
 			errChan <- fmt.Errorf("callback server error: %w", err)
 		}
 	}()
@@ -314,7 +309,9 @@ func (a *OIDCAuth) exchangeCodeForToken(ctx context.Context, tokenEndpoint, code
 	if token == "" {
 		token = tokenResp.AccessToken
 	}
-
+	if token == "" {
+		return "", fmt.Errorf("token endpoint returned neither id_token nor access_token")
+	}
 	return token, nil
 }
 
@@ -362,7 +359,10 @@ func (a *OIDCAuth) loadTokenCache() error {
 	if err := json.Unmarshal(data, &cache); err != nil {
 		return err
 	}
-
+	// Reject cache if issuer changed (e.g. different OIDC provider) so we fetch a new token
+	if cache.Issuer != a.config.IssuerURL {
+		return fmt.Errorf("cached token issuer %q does not match current config %q", cache.Issuer, a.config.IssuerURL)
+	}
 	a.tokenCache = &cache
 	return nil
 }
@@ -427,13 +427,13 @@ func openBrowser(url string) error {
 	switch runtime.GOOS {
 	case "windows":
 		cmd = "cmd"
-		args = []string{"/c", "start"}
+		args = []string{"/c", "start", "", url}
 	case "darwin":
 		cmd = "open"
+		args = []string{url}
 	default:
 		cmd = "xdg-open"
+		args = []string{url}
 	}
-
-	args = append(args, url)
 	return exec.Command(cmd, args...).Start()
 }
diff --git a/internal/controller/operatorconfig/controller.go b/internal/controller/operatorconfig/controller.go
index 4fe64e26..c03737c2 100644
--- a/internal/controller/operatorconfig/controller.go
+++ b/internal/controller/operatorconfig/controller.go
@@ -4,6 +4,7 @@ package operatorconfig
 import (
 	"context"
 	"fmt"
+	"time"
 
 	"github.com/go-logr/logr"
 	routev1 "github.com/openshift/api/route/v1"
@@ -386,6 +387,8 @@ func (r *OperatorConfigReconciler) cleanupBuildAPI(ctx context.Context) error {
 	return nil
 }
 
+const internalJWTExpiryThreshold = 30 * 24 * time.Hour // Regenerate when within 30 days of expiry
+
 func (r *OperatorConfigReconciler) ensureBuildAPIInternalJWTSecret(ctx context.Context, _ *automotivev1alpha1.OperatorConfig) error {
 	secret := &corev1.Secret{}
 	err := r.Get(ctx, client.ObjectKey{Name: internalJWTSecretName, Namespace: operatorNamespace}, secret)
@@ -402,7 +405,44 @@ func (r *OperatorConfigReconciler) ensureBuildAPIInternalJWTSecret(ctx context.C
 			return fmt.Errorf("failed to create internal JWT secret %s: %w", internalJWTSecretName, err)
 		}
 		r.Log.Info("Created internal JWT secret", "name", internalJWTSecretName)
+		return nil
+	}
+	// Secret exists: check expiry and regenerate if expired or within threshold
+	expiresAtBytes, ok := secret.Data["expires-at"]
+	if !ok {
+		// No expires-at (old secret format), regenerate
+		r.Log.Info("Internal JWT secret missing expires-at, regenerating", "name", internalJWTSecretName)
+		return r.regenerateInternalJWTSecret(ctx)
+	}
+	expiresAt, err := time.Parse(time.RFC3339, string(expiresAtBytes))
+	if err != nil {
+		r.Log.Info("Internal JWT secret has invalid expires-at, regenerating", "name", internalJWTSecretName, "error", err)
+		return r.regenerateInternalJWTSecret(ctx)
+	}
+	if time.Until(expiresAt) < internalJWTExpiryThreshold {
+		r.Log.Info("Internal JWT secret expired or expiring soon, regenerating", "name", internalJWTSecretName, "expiresAt", expiresAt)
+		return r.regenerateInternalJWTSecret(ctx)
+	}
+	return nil
+}
+
+func (r *OperatorConfigReconciler) regenerateInternalJWTSecret(ctx context.Context) error {
+	secret, err := r.buildInternalJWTSecret(internalJWTSecretName)
+	if err != nil {
+		return fmt.Errorf("failed to build internal JWT secret: %w", err)
+	}
+	existing := &corev1.Secret{}
+	if err := r.Get(ctx, client.ObjectKey{Name: internalJWTSecretName, Namespace: operatorNamespace}, existing); err != nil {
+		if !errors.IsNotFound(err) {
+			return err
+		}
+		return r.Create(ctx, secret)
+	}
+	secret.SetResourceVersion(existing.GetResourceVersion())
+	if err := r.Update(ctx, secret); err != nil {
+		return fmt.Errorf("failed to update internal JWT secret %s: %w", internalJWTSecretName, err)
 	}
+	r.Log.Info("Regenerated internal JWT secret", "name", internalJWTSecretName)
 	return nil
 }
 
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index d62b1f0a..0e92b178 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -34,6 +34,14 @@ import (
 
 const namespace = "automotive-dev-operator-system"
 
+// hasOpenShiftRouteCRD returns true when the OpenShift Route CRD exists (OpenShift cluster).
+// On Kind there is no Route CRD, so OIDC suite can skip before creating any resources.
+func hasOpenShiftRouteCRD() bool {
+	cmd := exec.Command("kubectl", "get", "crd", "routes.route.openshift.io")
+	_, err := utils.Run(cmd)
+	return err == nil
+}
+
 // getBuildAPIURL returns the Build API URL when an OpenShift Route exists, or "" otherwise.
 // OIDC e2e tests that need to call the API run only on OpenShift (when Route exists).
 func getBuildAPIURL() string {
@@ -48,6 +56,17 @@ func getBuildAPIURL() string {
 
 var _ = Describe("controller", Ordered, func() {
 	BeforeAll(func() {
+		By("waiting for namespace to not exist (in case previous suite left it terminating)")
+		waitForNamespaceGone := func() error {
+			cmd := exec.Command("kubectl", "get", "ns", namespace)
+			_, err := utils.Run(cmd)
+			if err != nil {
+				return nil // namespace gone, we can create it
+			}
+			return fmt.Errorf("namespace still exists or terminating")
+		}
+		Eventually(waitForNamespaceGone, 3*time.Minute, 5*time.Second).Should(Succeed())
+
 		By("creating manager namespace")
 		cmd := exec.Command("kubectl", "create", "ns", namespace)
 		_, _ = utils.Run(cmd)
@@ -347,10 +366,17 @@ func containsMiddle(s, substr string) bool {
 }
 
 var _ = Describe("OIDC Authentication", Ordered, func() {
+	var oidcSuiteCreatedNamespace bool
+
 	BeforeAll(func() {
 		var err error
 		var projectimage = "example.com/automotive-dev-operator:v0.0.1"
 
+		if !hasOpenShiftRouteCRD() {
+			Skip("OIDC e2e requires OpenShift (Route CRD); skipping on kind")
+		}
+		oidcSuiteCreatedNamespace = true
+
 		By("creating manager namespace")
 		cmd := exec.Command("kubectl", "create", "ns", namespace)
 		_, _ = utils.Run(cmd) // Ignore error if namespace already exists
@@ -427,18 +453,46 @@ var _ = Describe("OIDC Authentication", Ordered, func() {
 		}
 		Eventually(verifyBuildAPIDeployment, 3*time.Minute, 5*time.Second).Should(Succeed())
 
-		// OIDC HTTP tests require an OpenShift Route; on kind there is no Route so we skip the suite
 		if getBuildAPIURL() == "" {
 			Skip("OIDC e2e requires OpenShift Route (ado-build-api); skipping on kind")
 		}
 	})
 
 	AfterAll(func() {
+		if !oidcSuiteCreatedNamespace {
+			return
+		}
+		By("deleting OperatorConfig so namespace can terminate cleanly")
+		cmd := exec.Command("kubectl", "delete", "operatorconfig", "--all", "-n", namespace, "--timeout=30s")
+		_, _ = utils.Run(cmd)
+
+		By("waiting for OperatorConfig to be fully removed (finalizer cleared)")
+		waitForOperatorConfigGone := func() error {
+			cmd := exec.Command("kubectl", "get", "operatorconfig", "-n", namespace, "-o", "name")
+			output, err := utils.Run(cmd)
+			if err != nil {
+				return nil
+			}
+			if strings.TrimSpace(string(output)) == "" {
+				return nil
+			}
+			return fmt.Errorf("operatorconfig still present")
+		}
+		Eventually(waitForOperatorConfigGone, 2*time.Minute, 5*time.Second).Should(Succeed())
+
 		By("removing manager namespace")
-		cmd := exec.Command("kubectl", "delete", "ns", namespace, "--timeout=60s")
+		cmd = exec.Command("kubectl", "delete", "ns", namespace, "--timeout=120s")
 		_, _ = utils.Run(cmd)
-		// Give namespace time to terminate before next suite (no hard fail if slow)
-		time.Sleep(30 * time.Second)
+		By("waiting for namespace deletion to complete before next suite")
+		waitForNamespaceGone := func() error {
+			cmd := exec.Command("kubectl", "get", "ns", namespace)
+			_, err := utils.Run(cmd)
+			if err != nil {
+				return nil // namespace gone
+			}
+			return fmt.Errorf("namespace still exists or terminating")
+		}
+		Eventually(waitForNamespaceGone, 5*time.Minute, 10*time.Second).Should(Succeed())
 	})
 
 	Context("Build API OIDC Configuration", func() {

From bd29a68e32cad4e5f69588150fba70df6b933348 Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev <bkhizgiy@redhat.com>
Date: Sun, 1 Feb 2026 19:38:13 +0200
Subject: [PATCH 10/10] Fix internal token passing and remove cancel ctx

Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com>
---
 cmd/caib/auth/config.go                       |  6 ++--
 cmd/caib/auth/oidc.go                         |  6 ++--
 cmd/caib/main.go                              |  3 +-
 internal/buildapi/auth_config.go              | 30 +++++++++++++++++--
 internal/buildapi/client_tokens.go            |  1 -
 internal/buildapi/server.go                   | 22 +++++++-------
 .../controller/operatorconfig/resources.go    |  1 +
 7 files changed, 47 insertions(+), 22 deletions(-)

diff --git a/cmd/caib/auth/config.go b/cmd/caib/auth/config.go
index 874ddb45..68b6d8f4 100644
--- a/cmd/caib/auth/config.go
+++ b/cmd/caib/auth/config.go
@@ -41,8 +41,10 @@ func GetOIDCConfigFromAPI(serverURL string) (*OIDCConfig, error) {
 		_ = resp.Body.Close()
 	}()
 
-	if resp.StatusCode == http.StatusNotFound {
-		// OIDC not configured - this is expected, return nil config without error
+	switch resp.StatusCode {
+	case http.StatusNotFound:
+		return nil, nil
+	case http.StatusForbidden, http.StatusUnauthorized:
 		return nil, nil
 	}
 
diff --git a/cmd/caib/auth/oidc.go b/cmd/caib/auth/oidc.go
index ae9a6989..826eac28 100644
--- a/cmd/caib/auth/oidc.go
+++ b/cmd/caib/auth/oidc.go
@@ -304,10 +304,10 @@ func (a *OIDCAuth) exchangeCodeForToken(ctx context.Context, tokenEndpoint, code
 		return "", err
 	}
 
-	// Prefer id_token, fallback to access_token
-	token := tokenResp.IDToken
+	// Prefer access_token, fallback to id_token
+	token := tokenResp.AccessToken
 	if token == "" {
-		token = tokenResp.AccessToken
+		token = tokenResp.IDToken
 	}
 	if token == "" {
 		return "", fmt.Errorf("token endpoint returned neither id_token nor access_token")
diff --git a/cmd/caib/main.go b/cmd/caib/main.go
index 5c18f5dc..f5cee5ba 100644
--- a/cmd/caib/main.go
+++ b/cmd/caib/main.go
@@ -118,7 +118,7 @@ func createBuildAPIClient(serverURL string, authToken *string) (*buildapiclient.
 				fmt.Println("OIDC authentication successful")
 			}
 		} else {
-			// OIDC not configured (no error, no token) - safe to fall back to kubeconfig
+			// OIDC not configured in OperatorConfig
 			if tok, err := loadTokenFromKubeconfig(); err == nil && strings.TrimSpace(tok) != "" {
 				*authToken = tok
 			}
@@ -149,7 +149,6 @@ func createBuildAPIClient(serverURL string, authToken *string) (*buildapiclient.
 }
 
 // executeWithReauth executes an API call and automatically retries with re-authentication on auth errors.
-// On 401: first retries with OIDC re-auth; if that still returns 401, falls back to kubeconfig token and retries once.
 func executeWithReauth(serverURL string, authToken *string, fn func(*buildapiclient.Client) error) error {
 	ctx := context.Background()
 
diff --git a/internal/buildapi/auth_config.go b/internal/buildapi/auth_config.go
index 7986b325..e8bf4153 100644
--- a/internal/buildapi/auth_config.go
+++ b/internal/buildapi/auth_config.go
@@ -32,7 +32,9 @@ type InternalAuthConfig struct {
 }
 
 func newJWTAuthenticator(ctx context.Context, config AuthenticationConfiguration) (authenticator.Token, error) {
+	logger := log.FromContext(ctx)
 	if len(config.JWT) == 0 {
+		logger.Info("No JWT issuers configured")
 		return nil, nil
 	}
 
@@ -42,8 +44,11 @@ func newJWTAuthenticator(ctx context.Context, config AuthenticationConfiguration
 
 	jwtAuthenticators := make([]authenticator.Token, 0, len(config.JWT))
 	for _, jwtAuthenticator := range config.JWT {
+		issuerURL := jwtAuthenticator.Issuer.URL
+		hasCustomCA := jwtAuthenticator.Issuer.CertificateAuthority != ""
+
 		var oidcCAContent oidcauth.CAContentProvider
-		if jwtAuthenticator.Issuer.CertificateAuthority != "" {
+		if hasCustomCA {
 			var oidcCAError error
 			// Try to read CA from file, or use it as inline PEM
 			if _, err := os.Stat(jwtAuthenticator.Issuer.CertificateAuthority); err == nil {
@@ -59,12 +64,14 @@ func newJWTAuthenticator(ctx context.Context, config AuthenticationConfiguration
 				)
 			}
 			if oidcCAError != nil {
+				logger.Error(oidcCAError, "Failed to load CA certificate", "issuer", issuerURL)
 				return nil, oidcCAError
 			}
 		}
 
 		var jwtAuthenticatorUnversioned apiserver.JWTAuthenticator
 		if err := scheme.Convert(&jwtAuthenticator, &jwtAuthenticatorUnversioned, nil); err != nil {
+			logger.Error(err, "Failed to convert JWT authenticator config", "issuer", issuerURL)
 			return nil, err
 		}
 
@@ -74,10 +81,12 @@ func newJWTAuthenticator(ctx context.Context, config AuthenticationConfiguration
 			SupportedSigningAlgs: oidcauth.AllValidSigningAlgorithms(),
 		})
 		if err != nil {
+			logger.Error(err, "Failed to create OIDC authenticator", "issuer", issuerURL)
 			return nil, err
 		}
 		jwtAuthenticators = append(jwtAuthenticators, oidcAuth)
 	}
+	logger.Info("JWT authenticators configured", "count", len(jwtAuthenticators))
 	return tokenunion.NewFailOnError(jwtAuthenticators...), nil
 }
 
@@ -99,12 +108,29 @@ func loadAuthenticationConfigurationFromOperatorConfig(ctx context.Context, k8sC
 	}
 
 	auth := operatorConfig.Spec.BuildAPI.Authentication
+
+	// Deep copy JWT config to avoid modifying the original CRD data
+	// and ensure Prefix pointers are properly set (k8s OIDC authenticator requires non-nil Prefix when Claim is set)
+	jwtCopy := make([]apiserverv1beta1.JWTAuthenticator, len(auth.JWT))
+	for i, jwt := range auth.JWT {
+		jwtCopy[i] = jwt
+		// Ensure Prefix is not nil when Claim is set (k8s OIDC requirement)
+		if jwt.ClaimMappings.Username.Claim != "" && jwt.ClaimMappings.Username.Prefix == nil {
+			emptyPrefix := ""
+			jwtCopy[i].ClaimMappings.Username.Prefix = &emptyPrefix
+		}
+		if jwt.ClaimMappings.Groups.Claim != "" && jwt.ClaimMappings.Groups.Prefix == nil {
+			emptyPrefix := ""
+			jwtCopy[i].ClaimMappings.Groups.Prefix = &emptyPrefix
+		}
+	}
+
 	config := &AuthenticationConfiguration{
 		ClientID: auth.ClientID,
 		Internal: InternalAuthConfig{
 			Prefix: "internal:",
 		},
-		JWT: auth.JWT,
+		JWT: jwtCopy,
 	}
 
 	// Set internal prefix if provided
diff --git a/internal/buildapi/client_tokens.go b/internal/buildapi/client_tokens.go
index 9aee278a..ca688267 100644
--- a/internal/buildapi/client_tokens.go
+++ b/internal/buildapi/client_tokens.go
@@ -34,7 +34,6 @@ func (a *APIServer) authenticateExternalJWT(c *gin.Context, token string, authn
 	if username == "" {
 		return "", false
 	}
-	// Note: OIDC token storage is handled in server.go after this returns
 	return username, true
 }
 
diff --git a/internal/buildapi/server.go b/internal/buildapi/server.go
index e49ac42c..9da1b713 100644
--- a/internal/buildapi/server.go
+++ b/internal/buildapi/server.go
@@ -128,10 +128,10 @@ func NewAPIServerWithLimits(addr string, logger logr.Logger, limits APILimits) *
 	logger.Info("attempting to load authentication config from OperatorConfig", "namespace", namespace)
 	k8sClient, err := a.getCatalogClient()
 	if err == nil {
-		// Use a timeout to avoid blocking server startup indefinitely
-		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-		defer cancel()
-		cfg, authn, prefix, err := loadAuthenticationConfigurationFromOperatorConfig(ctx, k8sClient, namespace)
+		// IMPORTANT: Use context.Background() without cancel - the OIDC authenticator does lazy
+		// initialization in the background and needs the context to remain valid after this function returns.
+		// Using a cancellable context would kill the background JWKS fetch.
+		cfg, authn, prefix, err := loadAuthenticationConfigurationFromOperatorConfig(context.Background(), k8sClient, namespace)
 		if err != nil {
 			// If OperatorConfig doesn't exist or can't be read, log and continue without OIDC
 			// This allows kubeconfig fallback to work
@@ -1744,11 +1744,7 @@ func (a *APIServer) refreshAuthConfigIfNeeded() {
 		return
 	}
 
-	// Use a separate context with timeout to avoid canceling OIDC initialization
-	refreshCtx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
-	defer cancel()
-
-	cfg, authn, prefix, err := loadAuthenticationConfigurationFromOperatorConfig(refreshCtx, k8sClient, namespace)
+	cfg, authn, prefix, err := loadAuthenticationConfigurationFromOperatorConfig(context.Background(), k8sClient, namespace)
 	if err != nil {
 		// If refresh fails, log but don't clear existing config - allow kubeconfig fallback
 		a.log.Error(err, "failed to load authentication config from OperatorConfig during refresh, keeping existing config", "namespace", namespace)
@@ -1808,7 +1804,6 @@ func (a *APIServer) authenticateRequest(c *gin.Context) (string, string, bool) {
 			if internalPrefix != "" {
 				username = internalPrefix + username
 			}
-			a.log.Info("Internal JWT authentication successful", "username", username)
 			return username, "internal", true
 		}
 	}
@@ -1826,7 +1821,6 @@ func (a *APIServer) authenticateRequest(c *gin.Context) (string, string, bool) {
 					a.log.Error(err, "failed to ensure client token secret", "username", username)
 				}
 			}
-			a.log.Info("External JWT authentication successful", "username", username)
 			return username, "external", true
 		}
 	}
@@ -1984,7 +1978,11 @@ func (a *APIServer) handleGetAuthConfig(c *gin.Context) {
 		}
 	}
 
-	// If no config, return empty
+	// OIDC not configured or not working, return 404 so clients use kubeconfig without trying OIDC
+	if len(response.JWT) == 0 {
+		c.AbortWithStatus(http.StatusNotFound)
+		return
+	}
 	c.JSON(http.StatusOK, response)
 }
 
diff --git a/internal/controller/operatorconfig/resources.go b/internal/controller/operatorconfig/resources.go
index bd76fd28..20189644 100644
--- a/internal/controller/operatorconfig/resources.go
+++ b/internal/controller/operatorconfig/resources.go
@@ -125,6 +125,7 @@ func (r *OperatorConfigReconciler) buildBuildAPIContainers(isOpenShift bool) []c
 				"--request-logging=true",
 				"--skip-auth-regex=^/healthz",
 				"--skip-auth-regex=^/v1/",
+				"--skip-auth-regex=/v1/",
 				"--email-domain=*",
 				"--skip-provider-button=true",
 				"--upstream-timeout=0",