diff --git a/cmd/pinniped/cmd/kubeconfig.go b/cmd/pinniped/cmd/kubeconfig.go index 1f59a970..1e342226 100644 --- a/cmd/pinniped/cmd/kubeconfig.go +++ b/cmd/pinniped/cmd/kubeconfig.go @@ -202,38 +202,11 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f } if !flags.concierge.disabled { - credentialIssuer, err := lookupCredentialIssuer(clientset, flags.concierge.credentialIssuer, deps.log) + credentialIssuer, err := waitForCredentialIssuer(ctx, clientset, flags, deps) if err != nil { return err } - if !flags.concierge.skipWait { - ticker := time.NewTicker(2 * time.Second) - defer ticker.Stop() - - deadline, _ := ctx.Deadline() - attempts := 1 - - for { - if !hasPendingStrategy(credentialIssuer) { - break - } - deps.log.Info("waiting for CredentialIssuer pending strategies to finish", - "attempts", attempts, - "remaining", time.Until(deadline).Round(time.Second).String(), - ) - select { - case <-ctx.Done(): - return ctx.Err() - case <-ticker.C: - credentialIssuer, err = lookupCredentialIssuer(clientset, flags.concierge.credentialIssuer, deps.log) - if err != nil { - return err - } - } - } - } - authenticator, err := lookupAuthenticator( clientset, flags.concierge.authenticatorType, 
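Review bot: The new call `waitForCredentialIssuer(ctx, clientset, flags, deps)` passes the whole `flags` struct by value and all of `deps`, although the helper added later in this diff reads only `flags.concierge.credentialIssuer`, `flags.concierge.skipWait` and `deps.log`. `discoverConciergeParams` in the same file takes `flags *getKubeconfigParams`, so passing `&flags` (or just the two fields and the logger) would be more consistent and would make the helper easier to exercise in a unit test. runGetKubeconfig starts and ends outside this hunk.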
@@ -320,6 +293,41 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 return writeConfigAsYAML(out, kubeconfig)
 }
 
+func waitForCredentialIssuer(ctx context.Context, clientset conciergeclientset.Interface, flags getKubeconfigParams, deps kubeconfigDeps) (*configv1alpha1.CredentialIssuer, error) {
+ credentialIssuer, err := lookupCredentialIssuer(clientset, flags.concierge.credentialIssuer, deps.log)
+ if err != nil {
+ return nil, err
+ }
+
+ if !flags.concierge.skipWait {
+ ticker := time.NewTicker(2 * time.Second)
+ defer ticker.Stop()
+
+ deadline, _ := ctx.Deadline()
+ attempts := 1
+
+ for {
+ if !hasPendingStrategy(credentialIssuer) {
+ break
+ }
+ deps.log.Info("waiting for CredentialIssuer pending strategies to finish",
+ "attempts", attempts,
+ "remaining", time.Until(deadline).Round(time.Second).String(),
+ )
+ select {
+ case <-ctx.Done():
+ return nil, ctx.Err()
+ case <-ticker.C:
+ credentialIssuer, err = lookupCredentialIssuer(clientset, flags.concierge.credentialIssuer, deps.log)
+ if err != nil {
+ return nil, err
+ }
+ }
+ }
+ }
+ return credentialIssuer, nil
+}
+
 func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer, flags *getKubeconfigParams, v1Cluster *clientcmdapi.Cluster, log logr.Logger) error {
 // Autodiscover the --concierge-mode.
 frontend, err := getConciergeFrontend(credentialIssuer, flags.concierge.mode)
diff --git a/test/integration/concierge_impersonation_proxy_test.go b/test/integration/concierge_impersonation_proxy_test.go
index 7409be90..d9c2742d 100644
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
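Review bot: In waitForCredentialIssuer (cmd/pinniped/cmd/kubeconfig.go) `attempts` is set to 1 and never incremented, so every "waiting for CredentialIssuer pending strategies to finish" log line reports the same attempt count; adding `attempts++` after the successful re-lookup in `case <-ticker.C:` would make the field meaningful. `deadline, _ := ctx.Deadline()` also discards the ok result, so when the context carries no deadline the "remaining" value is computed from the zero time; check it with `deadline, ok := ctx.Deadline()` and log "remaining" only when `ok` is true. Both behaviours were carried over unchanged from the inlined loop. The new function also lacks a doc comment, for example `// waitForCredentialIssuer looks up the CredentialIssuer and, unless flags.concierge.skipWait is set, re-fetches it every 2s until hasPendingStrategy reports false or ctx is done.`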
@@ -405,7 +405,6 @@ func TestImpersonationProxy(t *testing.T) { // func to create kubectl commands with a kubeconfig kubectlCommand := func(timeout context.Context, args ...string) (*exec.Cmd, *bytes.Buffer, *bytes.Buffer) { - allArgs := append([]string{"--kubeconfig", kubeconfigPath}, args...) //nolint:gosec // we are not performing malicious argument injection against ourselves kubectlCmd := exec.CommandContext(timeout, "kubectl", allArgs...)