When deploying a TKGm management cluster, Identity Management can be enabled and configured. This can also be done after the management cluster has been deployed, as described in our docs: https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-kubernetes-grid/2-5/tkg/mgmt-iam-configure-id-mgmt.html#idp-workload
Over time, you might want to change these settings or add some new filters.
Enabling and configuring Identity Management in an existing deployment creates a new secret that holds the Identity Management values.
The secret for the Pinniped add-on is generated with:
tanzu management-cluster create CLUSTER-NAME --dry-run -f CLUSTER-CONFIG-FILE > CLUSTER-NAME-example-secret.yaml
We will see that the secret is named as shown below.
apiVersion: v1
kind: Secret
metadata:
  annotations:
    tkg.tanzu.vmware.com/addon-type: authentication/pinniped
  labels:
    clusterctl.cluster.x-k8s.io/move: ""
    tkg.tanzu.vmware.com/addon-name: pinniped
    tkg.tanzu.vmware.com/cluster-name: cluster-name
  name: mgmt-cluster-name-pinniped-package
  namespace: tkg-system
Therefore, if we edit this secret directly on clusters that already have Identity Management enabled and save it, the Pinniped application reconciles and the changes are pushed across the entire package.
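
One way to make that edit reviewable, as an added example that is not part of the original article: back up the secret, edit it, then diff the decoded values before trusting the reconciled result. The function names, the output directory and the values.yaml data key are assumptions; the secret name pattern and the tkg-system namespace come from the manifest above.

```shell
#!/bin/sh
# Added example: helper functions around the Pinniped add-on secret.
# Assumptions: the add-on values are stored under the data key "values.yaml";
# function names and the backup directory layout are hypothetical.

NS=tkg-system

# The decoded values may contain identity-provider credentials,
# so keep every file written here readable by the owner only.
umask 077

# Print the decoded add-on values for the given cluster name.
pinniped_values() {
  kubectl get secret "$1-pinniped-package" -n "$NS" \
    -o jsonpath='{.data.values\.yaml}' | base64 -d
}

# Step 1: save the full secret and its decoded values before editing.
# $1 = cluster name, $2 = existing directory for the backup files.
pinniped_backup() {
  kubectl get secret "$1-pinniped-package" -n "$NS" -o yaml \
    > "$2/secret-backup.yaml" || return 2
  pinniped_values "$1" > "$2/values-before.yaml" || return 2
}

# Step 2 (manual): kubectl edit secret CLUSTER-NAME-pinniped-package -n tkg-system

# Step 3: show what the edit changed in the live secret.
# Returns 0 when the values differ from the backup, 1 when nothing changed.
pinniped_diff() {
  pinniped_values "$1" > "$2/values-after.yaml" || return 2
  ! diff -u "$2/values-before.yaml" "$2/values-after.yaml"
}

# Rollback, if the diff shows an unintended change:
#   kubectl apply -f DIR/secret-backup.yaml
```

Keep the backup directory off shared storage and delete it once the change is confirmed, since it holds the same sensitive values as the secret itself.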