---
# CA key pair used by the `cluster-ca` ClusterIssuer below.
# Values under `data` must be base64-encoded PEM.
# A ClusterIssuer reads its Secret from cert-manager's cluster resource
# namespace, which is `cert-manager` by default.
#
# NOTE(review): tls.key is the CA's private key. Whoever can read this
# manifest or this Secret can issue certificates that every client trusting
# the CA will accept. Keep the real key out of version control (inject it
# from an encrypted or external secret store) and limit RBAC `get`/`list`
# on Secrets in this namespace.
apiVersion: v1
kind: Secret
metadata:
  name: cluster-ca
  namespace: cert-manager
type: kubernetes.io/tls
data:
  tls.crt: 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
  tls.key: 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
---
# Cluster-wide CA issuer backed by the Secret above.
#
# NOTE(review): a ClusterIssuer can be referenced by a Certificate in any
# namespace, and a CA issuer signs the names it is asked for. If that is
# broader than intended, use a namespaced Issuer or gate requests with an
# approval policy.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cluster-ca
  annotations:
    # NOTE(review): unprefixed annotation; presumably only a marker to make
    # the object re-apply. Confirm nothing consumes it.
    force: update
spec:
  ca:
    secretName: cluster-ca
---
# Upstream Okta identity provider for the Pinniped Supervisor.
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
  name: okta
  namespace: pinniped-supervisor
spec:
  # Placeholder tenant host; must match the issuer in Okta's discovery
  # document exactly.
  issuer: 'https://dev-XXXX.okta.com'
  authorizationConfig:
    # offline_access requests a refresh token from the upstream IdP;
    # groups and email request the matching claims.
    additionalScopes:
      - offline_access
      - groups
      - email
    # Keeps the resource-owner password grant off, so user passwords are
    # entered only at the IdP's own login page.
    allowPasswordGrant: false
  claims:
    # Kubernetes usernames become the opaque `sub` value, so RBAC bindings
    # must name those values rather than e-mail addresses.
    username: sub
    # Group membership is taken as-is from the upstream `groups` claim;
    # RBAC bound to group names is only as strong as the IdP's group
    # management.
    groups: groups
  client:
    # Not defined in this file. Expected in this namespace with type
    # `secrets.pinniped.dev/oidc-client` and keys `clientID` and
    # `clientSecret`; create it out-of-band instead of committing it.
    secretName: okta-client-credentials
---
# Serving certificate for the Supervisor, signed by the cluster CA.
# No duration/renewBefore is set, so cert-manager's defaults apply.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pinniped-internal
  namespace: pinniped-supervisor
spec:
  secretName: pinniped-supervisor-internal-tls
  secretTemplate:
    labels: {}
  commonName: 'pinniped-supervisor.blog.tremolo.dev'
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    # NOTE(review): a serving certificate normally needs only `server auth`.
    # Confirm something presents this certificate as a TLS client; if not,
    # drop this usage.
    - client auth
  dnsNames:
    - 'pinniped-supervisor.blog.tremolo.dev'
  issuerRef:
    name: cluster-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
# Issuer endpoint the Supervisor exposes to clusters and CLI clients.
# The issuer host must appear in the dnsNames of the certificate held in
# tls.secretName. That certificate chains to a private CA, so clients
# (presumably the CLI and each cluster's authenticator; confirm) need the
# `cluster-ca` certificate as their trust bundle.
apiVersion: config.supervisor.pinniped.dev/v1alpha1
kind: FederationDomain
metadata:
  name: blog-demo-cp
  namespace: pinniped-supervisor
spec:
  issuer: 'https://pinniped-supervisor.blog.tremolo.dev/cp-issuer'
  tls:
    secretName: pinniped-supervisor-internal-tls