From 0f25657a35bf01b917f83e537795e08c12c62e64 Mon Sep 17 00:00:00 2001
From: Matt Moyer <moyerm@vmware.com>
Date: Fri, 30 Oct 2020 11:39:26 -0500
Subject: [PATCH] Rename WebhookIdentityProvider to WebhookAuthenticator.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
---
 apis/concierge/authentication/doc.go.tmpl     |   2 +-
 .../authentication/v1alpha1/doc.go.tmpl       |   2 +-
 .../authentication/v1alpha1/register.go.tmpl  |   4 +-
 .../authentication/v1alpha1/types_tls.go.tmpl |   2 +-
 .../v1alpha1/types_webhook.go.tmpl            |  30 +--
 cmd/pinniped/cmd/exchange_credential.go       |   2 +-
 cmd/pinniped/cmd/get_kubeconfig.go            |   2 +-
 cmd/pinniped/cmd/get_kubeconfig_test.go       |   6 +-
 ...e.pinniped.dev_webhookauthenticators.yaml} |  29 ++-
 deploy/concierge/z0_crd_overlay.yaml          |   2 +-
 doc/demo.md                                   |   4 +-
 generated/1.17/README.adoc                    |  38 ++--
 .../1.17/apis/concierge/authentication/doc.go |   2 +-
 .../concierge/authentication/v1alpha1/doc.go  |   2 +-
 .../authentication/v1alpha1/register.go       |   4 +-
 .../authentication/v1alpha1/types_tls.go      |   2 +-
 .../authentication/v1alpha1/types_webhook.go  |  30 +--
 .../v1alpha1/zz_generated.deepcopy.go         |  38 ++--
 .../v1alpha1/authentication_client.go         |   6 +-
 .../fake/fake_authentication_client.go        |   4 +-
 .../fake/fake_webhookauthenticator.go         | 127 ++++++++++++
 .../fake/fake_webhookidentityprovider.go      | 127 ------------
 .../v1alpha1/generated_expansion.go           |   2 +-
 .../v1alpha1/webhookauthenticator.go          | 178 +++++++++++++++++
 .../v1alpha1/webhookidentityprovider.go       | 178 -----------------
 .../authentication/v1alpha1/interface.go      |  10 +-
 .../v1alpha1/webhookauthenticator.go          |  76 ++++++++
 .../v1alpha1/webhookidentityprovider.go       |  76 --------
 .../informers/externalversions/generic.go     |   4 +-
 .../v1alpha1/expansion_generated.go           |  12 +-
 .../v1alpha1/webhookauthenticator.go          |  81 ++++++++
 .../v1alpha1/webhookidentityprovider.go       |  81 --------
 .../client/openapi/zz_generated.openapi.go    | 176 ++++++++---------
 ...ge.pinniped.dev_webhookauthenticators.yaml |  29 ++-
 generated/1.18/README.adoc                    |  38 ++--
 .../1.18/apis/concierge/authentication/doc.go |   2 +-
 .../concierge/authentication/v1alpha1/doc.go  |   2 +-
 .../authentication/v1alpha1/register.go       |   4 +-
 .../authentication/v1alpha1/types_tls.go      |   2 +-
 .../authentication/v1alpha1/types_webhook.go  |  30 +--
 .../v1alpha1/zz_generated.deepcopy.go         |  38 ++--
 .../v1alpha1/authentication_client.go         |   6 +-
 .../fake/fake_authentication_client.go        |   4 +-
 .../fake/fake_webhookauthenticator.go         | 129 +++++++++++++
 .../fake/fake_webhookidentityprovider.go      | 129 -------------
 .../v1alpha1/generated_expansion.go           |   2 +-
 .../v1alpha1/webhookauthenticator.go          | 182 ++++++++++++++++++
 .../v1alpha1/webhookidentityprovider.go       | 182 ------------------
 .../authentication/v1alpha1/interface.go      |  10 +-
 .../v1alpha1/webhookauthenticator.go          |  77 ++++++++
 .../v1alpha1/webhookidentityprovider.go       |  77 --------
 .../informers/externalversions/generic.go     |   4 +-
 .../v1alpha1/expansion_generated.go           |  12 +-
 .../v1alpha1/webhookauthenticator.go          |  81 ++++++++
 .../v1alpha1/webhookidentityprovider.go       |  81 --------
 .../client/openapi/zz_generated.openapi.go    | 176 ++++++++---------
 ...e.pinniped.dev_webhookauthenticators.yaml} |  29 ++-
 generated/1.19/README.adoc                    |  38 ++--
 .../1.19/apis/concierge/authentication/doc.go |   2 +-
 .../concierge/authentication/v1alpha1/doc.go  |   2 +-
 .../authentication/v1alpha1/register.go       |   4 +-
 .../authentication/v1alpha1/types_tls.go      |   2 +-
 .../authentication/v1alpha1/types_webhook.go  |  30 +--
 .../v1alpha1/zz_generated.deepcopy.go         |  38 ++--
 .../v1alpha1/authentication_client.go         |   6 +-
 .../fake/fake_authentication_client.go        |   4 +-
 .../fake/fake_webhookauthenticator.go         | 129 +++++++++++++
 .../fake/fake_webhookidentityprovider.go      | 129 -------------
 .../v1alpha1/generated_expansion.go           |   2 +-
 .../v1alpha1/webhookauthenticator.go          | 182 ++++++++++++++++++
 .../v1alpha1/webhookidentityprovider.go       | 182 ------------------
 .../authentication/v1alpha1/interface.go      |  10 +-
 .../v1alpha1/webhookauthenticator.go          |  77 ++++++++
 .../v1alpha1/webhookidentityprovider.go       |  77 --------
 .../informers/externalversions/generic.go     |   4 +-
 .../v1alpha1/expansion_generated.go           |  12 +-
 .../v1alpha1/webhookauthenticator.go          |  86 +++++++++
 .../v1alpha1/webhookidentityprovider.go       |  86 ---------
 .../client/openapi/zz_generated.openapi.go    | 178 ++++++++---------
 ...e.pinniped.dev_webhookauthenticators.yaml} |  29 ++-
 ...pinniped.dev_webhookidentityproviders.yaml | 149 --------------
 hack/lib/tilt/Tiltfile                        |   2 +-
 hack/update.sh                                |   2 +-
 internal/client/client_test.go                |   4 +-
 .../identityprovider/idpcache/cache_test.go   |   2 +-
 .../webhookcachecleaner.go                    |  10 +-
 .../webhookcachecleaner_test.go               |  14 +-
 .../webhookcachefiller/webhookcachefiller.go  |  16 +-
 .../webhookcachefiller_test.go                |  20 +-
 .../controllermanager/prepare_controllers.go  |   4 +-
 .../concierge_credentialrequest_test.go       |   2 +-
 test/integration/kube_api_discovery_test.go   |   9 +-
 test/library/client.go                        |  16 +-
 test/library/env.go                           |  24 +--
 94 files changed, 2043 insertions(+), 2205 deletions(-)
 rename deploy/concierge/{authentication.concierge.pinniped.dev_webhookidentityproviders.yaml => authentication.concierge.pinniped.dev_webhookauthenticators.yaml} (89%)
 create mode 100644 generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
 delete mode 100644 generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
 create mode 100644 generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
 create mode 100644 generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
 create mode 100644 generated/1.17/client/listers/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go
 rename deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml => generated/1.17/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml (89%)
 create mode 100644 generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
 delete mode 100644 generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
 create mode 100644 generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
 create mode 100644 generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
 create mode 100644 generated/1.18/client/listers/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go
 rename generated/{1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml => 1.18/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml} (89%)
 create mode 100644 generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
 delete mode 100644 generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
 create mode 100644 generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
 create mode 100644 generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
 create mode 100644 generated/1.19/client/listers/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go
 rename generated/{1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml => 1.19/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml} (89%)
 delete mode 100644 generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml

diff --git a/apis/concierge/authentication/doc.go.tmpl b/apis/concierge/authentication/doc.go.tmpl
index c8558463..78e81bd6 100644
--- a/apis/concierge/authentication/doc.go.tmpl
+++ b/apis/concierge/authentication/doc.go.tmpl
@@ -4,5 +4,5 @@
 // +k8s:deepcopy-gen=package
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package authentication is the internal version of the Pinniped identity provider API.
+// Package authentication is the internal version of the Pinniped concierge authentication API.
 package authentication
diff --git a/apis/concierge/authentication/v1alpha1/doc.go.tmpl b/apis/concierge/authentication/v1alpha1/doc.go.tmpl
index 4bd09774..f1ad1a86 100644
--- a/apis/concierge/authentication/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/doc.go.tmpl
@@ -7,5 +7,5 @@
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 package v1alpha1
diff --git a/apis/concierge/authentication/v1alpha1/register.go.tmpl b/apis/concierge/authentication/v1alpha1/register.go.tmpl
index b372270d..1a5163da 100644
--- a/apis/concierge/authentication/v1alpha1/register.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/register.go.tmpl
@@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&WebhookIdentityProvider{},
-		&WebhookIdentityProviderList{},
+		&WebhookAuthenticator{},
+		&WebhookAuthenticatorList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl b/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
index 2f2098c9..f882f2d6 100644
--- a/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
@@ -3,7 +3,7 @@
 
 package v1alpha1
 
-// Configuration for configuring TLS on various identity providers.
+// Configuration for configuring TLS on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
diff --git a/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl b/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
index 6e476337..8124597a 100644
--- a/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
@@ -5,9 +5,9 @@ package v1alpha1
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-// Status of a webhook identity provider.
-type WebhookIdentityProviderStatus struct {
-	// Represents the observations of an identity provider's current state.
+// Status of a webhook authenticator.
+type WebhookAuthenticatorStatus struct {
+	// Represents the observations of the authenticator's current state.
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	// +listType=map
@@ -15,8 +15,8 @@ type WebhookIdentityProviderStatus struct {
 	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }
 
-// Spec for configuring a webhook identity provider.
-type WebhookIdentityProviderSpec struct {
+// Spec for configuring a webhook authenticator.
+type WebhookAuthenticatorSpec struct {
 	// Webhook server endpoint URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://`
@@ -27,27 +27,27 @@ type WebhookIdentityProviderSpec struct {
 	TLS *TLSSpec `json:"tls,omitempty"`
 }
 
-// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+// WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps
+// +kubebuilder:resource:categories=all;authenticator;authenticators
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
-type WebhookIdentityProvider struct {
+type WebhookAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Spec for configuring the identity provider.
-	Spec WebhookIdentityProviderSpec `json:"spec"`
+	// Spec for configuring the authenticator.
+	Spec WebhookAuthenticatorSpec `json:"spec"`
 
-	// Status of the identity provider.
-	Status WebhookIdentityProviderStatus `json:"status,omitempty"`
+	// Status of the authenticator.
+	Status WebhookAuthenticatorStatus `json:"status,omitempty"`
 }
 
-// List of WebhookIdentityProvider objects.
+// List of WebhookAuthenticator objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type WebhookIdentityProviderList struct {
+type WebhookAuthenticatorList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
 
-	Items []WebhookIdentityProvider `json:"items"`
+	Items []WebhookAuthenticator `json:"items"`
 }
diff --git a/cmd/pinniped/cmd/exchange_credential.go b/cmd/pinniped/cmd/exchange_credential.go
index 0e8d99d7..481165fb 100644
--- a/cmd/pinniped/cmd/exchange_credential.go
+++ b/cmd/pinniped/cmd/exchange_credential.go
@@ -144,7 +144,7 @@ func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outp
 	switch strings.ToLower(idpType) {
 	case "webhook":
 		idp.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
-		idp.Kind = "WebhookIdentityProvider"
+		idp.Kind = "WebhookAuthenticator"
 	default:
 		return fmt.Errorf(`%w: %q, supported values are "webhook"`, ErrInvalidIDPType, idpType)
 	}
diff --git a/cmd/pinniped/cmd/get_kubeconfig.go b/cmd/pinniped/cmd/get_kubeconfig.go
index fa6935af..a0349eed 100644
--- a/cmd/pinniped/cmd/get_kubeconfig.go
+++ b/cmd/pinniped/cmd/get_kubeconfig.go
@@ -187,7 +187,7 @@ func getDefaultIDP(clientset pinnipedclientset.Interface, namespace string) (str
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancelFunc()
 
-	webhooks, err := clientset.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(ctx, metav1.ListOptions{})
+	webhooks, err := clientset.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(ctx, metav1.ListOptions{})
 	if err != nil {
 		return "", "", err
 	}
diff --git a/cmd/pinniped/cmd/get_kubeconfig_test.go b/cmd/pinniped/cmd/get_kubeconfig_test.go
index 23d920c5..43079173 100644
--- a/cmd/pinniped/cmd/get_kubeconfig_test.go
+++ b/cmd/pinniped/cmd/get_kubeconfig_test.go
@@ -256,8 +256,8 @@ func TestRun(t *testing.T) {
 				cmd.flags.idpType = ""
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						&authv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-one"}},
-						&authv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-two"}},
+						&authv1alpha.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-one"}},
+						&authv1alpha.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-two"}},
 					), nil
 				}
 			},
@@ -349,7 +349,7 @@ func TestRun(t *testing.T) {
 
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						&authv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-idp"}},
+						&authv1alpha.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-idp"}},
 						newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://example.com", "test-ca"),
 					), nil
 				}
diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
similarity index 89%
rename from deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
index 5e7aba72..9ae6152e 100644
--- a/deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -6,21 +6,18 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.authentication.concierge.pinniped.dev
+  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
   group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
-    - idp
-    - idps
-    kind: WebhookIdentityProvider
-    listKind: WebhookIdentityProviderList
-    plural: webhookidentityproviders
-    shortNames:
-    - webhookidp
-    - webhookidps
-    singular: webhookidentityprovider
+    - authenticator
+    - authenticators
+    kind: WebhookAuthenticator
+    listKind: WebhookAuthenticatorList
+    plural: webhookauthenticators
+    singular: webhookauthenticator
   scope: Namespaced
   versions:
   - additionalPrinterColumns:
@@ -30,8 +27,8 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: WebhookIdentityProvider describes the configuration of a Pinniped
-          webhook identity provider.
+        description: WebhookAuthenticator describes the configuration of a webhook
+          authenticator.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -46,7 +43,7 @@ spec:
           metadata:
             type: object
           spec:
-            description: Spec for configuring the identity provider.
+            description: Spec for configuring the authenticator.
             properties:
               endpoint:
                 description: Webhook server endpoint URL.
@@ -65,11 +62,11 @@ spec:
             - endpoint
             type: object
           status:
-            description: Status of the identity provider.
+            description: Status of the authenticator.
             properties:
               conditions:
-                description: Represents the observations of an identity provider's
-                  current state.
+                description: Represents the observations of the authenticator's current
+                  state.
                 items:
                   description: Condition status of a resource (mirrored from the metav1.Condition
                     type added in Kubernetes 1.19). In a future API version we can
diff --git a/deploy/concierge/z0_crd_overlay.yaml b/deploy/concierge/z0_crd_overlay.yaml
index 61f4c93e..c5050f04 100644
--- a/deploy/concierge/z0_crd_overlay.yaml
+++ b/deploy/concierge/z0_crd_overlay.yaml
@@ -10,7 +10,7 @@ metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
 
-#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookidentityproviders.authentication.concierge.pinniped.dev"}}), expects=1
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookauthenticators.authentication.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
diff --git a/doc/demo.md b/doc/demo.md
index 8b6cef40..4d6fcafe 100644
--- a/doc/demo.md
+++ b/doc/demo.md
@@ -118,12 +118,12 @@ as the identity provider.
    If you would prefer to customize the available options, please see [deploy/concierge/README.md](../deploy/concierge/README.md)
    for instructions on how to deploy using `ytt`.
 
-1. Create a `WebhookIdentityProvider` object to configure Pinniped to authenticate using local-user-authenticator.
+1. Create a `WebhookAuthenticator` object to configure Pinniped to authenticate using local-user-authenticator.
 
     ```bash
     cat <<EOF | kubectl create --namespace pinniped -f -
     apiVersion: authentication.concierge.pinniped.dev/v1alpha1
-    kind: WebhookIdentityProvider
+    kind: WebhookAuthenticator
     metadata:
       name: local-user-authenticator
     spec:
diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc
index 081abb12..e004e05e 100644
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -13,7 +13,7 @@
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
 === authentication.concierge.pinniped.dev/v1alpha1
 
-Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 
 
 
@@ -24,7 +24,7 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus[$$WebhookAuthenticatorStatus$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -42,11 +42,11 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various identity providers.
+Configuration for configuring TLS on various authenticators.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec[$$WebhookAuthenticatorSpec$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -56,14 +56,14 @@ Configuration for configuring TLS on various identity providers.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityprovider"]
-==== WebhookIdentityProvider 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticator"]
+==== WebhookAuthenticator 
 
-WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+WebhookAuthenticator describes the configuration of a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorlist[$$WebhookAuthenticatorList$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -71,21 +71,21 @@ WebhookIdentityProvider describes the configuration of a Pinniped webhook identi
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec[$$WebhookAuthenticatorSpec$$]__ | Spec for configuring the authenticator.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus[$$WebhookAuthenticatorStatus$$]__ | Status of the authenticator.
 |===
 
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec"]
-==== WebhookIdentityProviderSpec 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec"]
+==== WebhookAuthenticatorSpec 
 
-Spec for configuring a webhook identity provider.
+Spec for configuring a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticator[$$WebhookAuthenticator$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -96,20 +96,20 @@ Spec for configuring a webhook identity provider.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus"]
-==== WebhookIdentityProviderStatus 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus"]
+==== WebhookAuthenticatorStatus 
 
-Status of a webhook identity provider.
+Status of a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticator[$$WebhookAuthenticator$$]
 ****
 
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of the authenticator's current state.
 |===
 
 
diff --git a/generated/1.17/apis/concierge/authentication/doc.go b/generated/1.17/apis/concierge/authentication/doc.go
index c8558463..78e81bd6 100644
--- a/generated/1.17/apis/concierge/authentication/doc.go
+++ b/generated/1.17/apis/concierge/authentication/doc.go
@@ -4,5 +4,5 @@
 // +k8s:deepcopy-gen=package
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package authentication is the internal version of the Pinniped identity provider API.
+// Package authentication is the internal version of the Pinniped concierge authentication API.
 package authentication
diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go b/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
index 8cd69dfa..52b71edd 100644
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
@@ -7,5 +7,5 @@
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 package v1alpha1
diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/register.go b/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
index b372270d..1a5163da 100644
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
@@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&WebhookIdentityProvider{},
-		&WebhookIdentityProviderList{},
+		&WebhookAuthenticator{},
+		&WebhookAuthenticatorList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
index 2f2098c9..f882f2d6 100644
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
@@ -3,7 +3,7 @@
 
 package v1alpha1
 
-// Configuration for configuring TLS on various identity providers.
+// Configuration for configuring TLS on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go
index 6e476337..8124597a 100644
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go
@@ -5,9 +5,9 @@ package v1alpha1
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-// Status of a webhook identity provider.
-type WebhookIdentityProviderStatus struct {
-	// Represents the observations of an identity provider's current state.
+// Status of a webhook authenticator.
+type WebhookAuthenticatorStatus struct {
+	// Represents the observations of the authenticator's current state.
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	// +listType=map
@@ -15,8 +15,8 @@ type WebhookIdentityProviderStatus struct {
 	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }
 
-// Spec for configuring a webhook identity provider.
-type WebhookIdentityProviderSpec struct {
+// Spec for configuring a webhook authenticator.
+type WebhookAuthenticatorSpec struct {
 	// Webhook server endpoint URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://`
@@ -27,27 +27,27 @@ type WebhookIdentityProviderSpec struct {
 	TLS *TLSSpec `json:"tls,omitempty"`
 }
 
-// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+// WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps
+// +kubebuilder:resource:categories=all;authenticator;authenticators
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
-type WebhookIdentityProvider struct {
+type WebhookAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Spec for configuring the identity provider.
-	Spec WebhookIdentityProviderSpec `json:"spec"`
+	// Spec for configuring the authenticator.
+	Spec WebhookAuthenticatorSpec `json:"spec"`
 
-	// Status of the identity provider.
-	Status WebhookIdentityProviderStatus `json:"status,omitempty"`
+	// Status of the authenticator.
+	Status WebhookAuthenticatorStatus `json:"status,omitempty"`
 }
 
-// List of WebhookIdentityProvider objects.
+// List of WebhookAuthenticator objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type WebhookIdentityProviderList struct {
+type WebhookAuthenticatorList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
 
-	Items []WebhookIdentityProvider `json:"items"`
+	Items []WebhookAuthenticator `json:"items"`
 }
diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
index cb0f46c8..a4e27af7 100644
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -45,7 +45,7 @@ func (in *TLSSpec) DeepCopy() *TLSSpec {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
+func (in *WebhookAuthenticator) DeepCopyInto(out *WebhookAuthenticator) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@@ -54,18 +54,18 @@ func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider.
-func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticator.
+func (in *WebhookAuthenticator) DeepCopy() *WebhookAuthenticator {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProvider)
+	out := new(WebhookAuthenticator)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
+func (in *WebhookAuthenticator) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -73,13 +73,13 @@ func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) {
+func (in *WebhookAuthenticatorList) DeepCopyInto(out *WebhookAuthenticatorList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]WebhookIdentityProvider, len(*in))
+		*out = make([]WebhookAuthenticator, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -87,18 +87,18 @@ func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProvider
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList.
-func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorList.
+func (in *WebhookAuthenticatorList) DeepCopy() *WebhookAuthenticatorList {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderList)
+	out := new(WebhookAuthenticatorList)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
+func (in *WebhookAuthenticatorList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -106,7 +106,7 @@ func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) {
+func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) {
 	*out = *in
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
@@ -116,18 +116,18 @@ func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProvider
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec.
-func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorSpec.
+func (in *WebhookAuthenticatorSpec) DeepCopy() *WebhookAuthenticatorSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderSpec)
+	out := new(WebhookAuthenticatorSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) {
+func (in *WebhookAuthenticatorStatus) DeepCopyInto(out *WebhookAuthenticatorStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
@@ -139,12 +139,12 @@ func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProvid
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus.
-func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorStatus.
+func (in *WebhookAuthenticatorStatus) DeepCopy() *WebhookAuthenticatorStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderStatus)
+	out := new(WebhookAuthenticatorStatus)
 	in.DeepCopyInto(out)
 	return out
 }
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
index 360fce0f..7455289a 100644
--- a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -13,7 +13,7 @@ import (
 
 type AuthenticationV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	WebhookIdentityProvidersGetter
+	WebhookAuthenticatorsGetter
 }
 
 // AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
@@ -21,8 +21,8 @@ type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *AuthenticationV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
-	return newWebhookIdentityProviders(c, namespace)
+func (c *AuthenticationV1alpha1Client) WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface {
+	return newWebhookAuthenticators(c, namespace)
 }
 
 // NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
index 331981fa..09e7a1a8 100644
--- a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -15,8 +15,8 @@ type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeAuthenticationV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
-	return &FakeWebhookIdentityProviders{c, namespace}
+func (c *FakeAuthenticationV1alpha1) WebhookAuthenticators(namespace string) v1alpha1.WebhookAuthenticatorInterface {
+	return &FakeWebhookAuthenticators{c, namespace}
 }
 
 // RESTClient returns a RESTClient that is used to communicate
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
new file mode 100644
index 00000000..e79d48c2
--- /dev/null
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
@@ -0,0 +1,127 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeWebhookAuthenticators implements WebhookAuthenticatorInterface
+type FakeWebhookAuthenticators struct {
+	Fake *FakeAuthenticationV1alpha1
+	ns   string
+}
+
+var webhookauthenticatorsResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookauthenticators"}
+
+var webhookauthenticatorsKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookAuthenticator"}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *FakeWebhookAuthenticators) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *FakeWebhookAuthenticators) List(opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(webhookauthenticatorsResource, webhookauthenticatorsKind, c.ns, opts), &v1alpha1.WebhookAuthenticatorList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.WebhookAuthenticatorList{ListMeta: obj.(*v1alpha1.WebhookAuthenticatorList).ListMeta}
+	for _, item := range obj.(*v1alpha1.WebhookAuthenticatorList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *FakeWebhookAuthenticators) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(webhookauthenticatorsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Create(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Update(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeWebhookAuthenticators) UpdateStatus(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(webhookauthenticatorsResource, "status", c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *FakeWebhookAuthenticators) Delete(name string, options *v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeWebhookAuthenticators) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(webhookauthenticatorsResource, c.ns, listOptions)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookAuthenticatorList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *FakeWebhookAuthenticators) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(webhookauthenticatorsResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
deleted file mode 100644
index 30681a89..00000000
--- a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
+++ /dev/null
@@ -1,127 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	labels "k8s.io/apimachinery/pkg/labels"
-	schema "k8s.io/apimachinery/pkg/runtime/schema"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	testing "k8s.io/client-go/testing"
-)
-
-// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
-type FakeWebhookIdentityProviders struct {
-	Fake *FakeAuthenticationV1alpha1
-	ns   string
-}
-
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
-
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
-
-// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
-func (c *FakeWebhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
-func (c *FakeWebhookIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{})
-
-	if obj == nil {
-		return nil, err
-	}
-
-	label, _, _ := testing.ExtractFromListOptions(opts)
-	if label == nil {
-		label = labels.Everything()
-	}
-	list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta}
-	for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items {
-		if label.Matches(labels.Set(item.Labels)) {
-			list.Items = append(list.Items, item)
-		}
-	}
-	return list, err
-}
-
-// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
-func (c *FakeWebhookIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
-	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts))
-
-}
-
-// Create takes the representation of a webhookIdentityProvider and creates it.  Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *FakeWebhookIdentityProviders) Create(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *FakeWebhookIdentityProviders) Update(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// UpdateStatus was generated because the type contains a Status member.
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-func (c *FakeWebhookIdentityProviders) UpdateStatus(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
-func (c *FakeWebhookIdentityProviders) Delete(name string, options *v1.DeleteOptions) error {
-	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
-
-	return err
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *FakeWebhookIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOptions)
-
-	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{})
-	return err
-}
-
-// Patch applies the patch and returns the patched webhookIdentityProvider.
-func (c *FakeWebhookIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
index 69ebc739..e1b1f2b4 100644
--- a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
@@ -5,4 +5,4 @@
 
 package v1alpha1
 
-type WebhookIdentityProviderExpansion interface{}
+type WebhookAuthenticatorExpansion interface{}
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 00000000..584599c0
--- /dev/null
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,178 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// WebhookAuthenticatorsGetter has a method to return a WebhookAuthenticatorInterface.
+// A group's client should implement this interface.
+type WebhookAuthenticatorsGetter interface {
+	WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface
+}
+
+// WebhookAuthenticatorInterface has methods to work with WebhookAuthenticator resources.
+type WebhookAuthenticatorInterface interface {
+	Create(*v1alpha1.WebhookAuthenticator) (*v1alpha1.WebhookAuthenticator, error)
+	Update(*v1alpha1.WebhookAuthenticator) (*v1alpha1.WebhookAuthenticator, error)
+	UpdateStatus(*v1alpha1.WebhookAuthenticator) (*v1alpha1.WebhookAuthenticator, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.WebhookAuthenticator, error)
+	List(opts v1.ListOptions) (*v1alpha1.WebhookAuthenticatorList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error)
+	WebhookAuthenticatorExpansion
+}
+
+// webhookAuthenticators implements WebhookAuthenticatorInterface
+type webhookAuthenticators struct {
+	client rest.Interface
+	ns     string
+}
+
+// newWebhookAuthenticators returns a WebhookAuthenticators
+func newWebhookAuthenticators(c *AuthenticationV1alpha1Client, namespace string) *webhookAuthenticators {
+	return &webhookAuthenticators{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *webhookAuthenticators) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *webhookAuthenticators) List(opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.WebhookAuthenticatorList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *webhookAuthenticators) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch()
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Create(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Body(webhookAuthenticator).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Update(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		Body(webhookAuthenticator).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *webhookAuthenticators) UpdateStatus(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		SubResource("status").
+		Body(webhookAuthenticator).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *webhookAuthenticators) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *webhookAuthenticators) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	var timeout time.Duration
+	if listOptions.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *webhookAuthenticators) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 10114517..00000000
--- a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,178 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	"time"
-
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
-	scheme "go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	rest "k8s.io/client-go/rest"
-)
-
-// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface.
-// A group's client should implement this interface.
-type WebhookIdentityProvidersGetter interface {
-	WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface
-}
-
-// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources.
-type WebhookIdentityProviderInterface interface {
-	Create(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error)
-	Update(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error)
-	UpdateStatus(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error)
-	Delete(name string, options *v1.DeleteOptions) error
-	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
-	Get(name string, options v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	List(opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error)
-	Watch(opts v1.ListOptions) (watch.Interface, error)
-	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error)
-	WebhookIdentityProviderExpansion
-}
-
-// webhookIdentityProviders implements WebhookIdentityProviderInterface
-type webhookIdentityProviders struct {
-	client rest.Interface
-	ns     string
-}
-
-// newWebhookIdentityProviders returns a WebhookIdentityProviders
-func newWebhookIdentityProviders(c *AuthenticationV1alpha1Client, namespace string) *webhookIdentityProviders {
-	return &webhookIdentityProviders{
-		client: c.RESTClient(),
-		ns:     namespace,
-	}
-}
-
-// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
-func (c *webhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		VersionedParams(&options, scheme.ParameterCodec).
-		Do().
-		Into(result)
-	return
-}
-
-// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
-func (c *webhookIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
-	var timeout time.Duration
-	if opts.TimeoutSeconds != nil {
-		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
-	}
-	result = &v1alpha1.WebhookIdentityProviderList{}
-	err = c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Do().
-		Into(result)
-	return
-}
-
-// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
-func (c *webhookIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
-	var timeout time.Duration
-	if opts.TimeoutSeconds != nil {
-		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
-	}
-	opts.Watch = true
-	return c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Watch()
-}
-
-// Create takes the representation of a webhookIdentityProvider and creates it.  Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *webhookIdentityProviders) Create(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Post().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Body(webhookIdentityProvider).
-		Do().
-		Into(result)
-	return
-}
-
-// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *webhookIdentityProviders) Update(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Put().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(webhookIdentityProvider.Name).
-		Body(webhookIdentityProvider).
-		Do().
-		Into(result)
-	return
-}
-
-// UpdateStatus was generated because the type contains a Status member.
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-
-func (c *webhookIdentityProviders) UpdateStatus(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Put().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(webhookIdentityProvider.Name).
-		SubResource("status").
-		Body(webhookIdentityProvider).
-		Do().
-		Into(result)
-	return
-}
-
-// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
-func (c *webhookIdentityProviders) Delete(name string, options *v1.DeleteOptions) error {
-	return c.client.Delete().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		Body(options).
-		Do().
-		Error()
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *webhookIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
-	var timeout time.Duration
-	if listOptions.TimeoutSeconds != nil {
-		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
-	}
-	return c.client.Delete().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&listOptions, scheme.ParameterCodec).
-		Timeout(timeout).
-		Body(options).
-		Do().
-		Error()
-}
-
-// Patch applies the patch and returns the patched webhookIdentityProvider.
-func (c *webhookIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Patch(pt).
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		SubResource(subresources...).
-		Name(name).
-		Body(data).
-		Do().
-		Into(result)
-	return
-}
diff --git a/generated/1.17/client/informers/externalversions/authentication/v1alpha1/interface.go b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/interface.go
index 03455e4a..a4295128 100644
--- a/generated/1.17/client/informers/externalversions/authentication/v1alpha1/interface.go
+++ b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/interface.go
@@ -11,8 +11,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
-	WebhookIdentityProviders() WebhookIdentityProviderInformer
+	// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+	WebhookAuthenticators() WebhookAuthenticatorInformer
 }
 
 type version struct {
@@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
-// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
-func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer {
-	return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+func (v *version) WebhookAuthenticators() WebhookAuthenticatorInformer {
+	return &webhookAuthenticatorInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
diff --git a/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 00000000..549b47d1
--- /dev/null
+++ b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,76 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	time "time"
+
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.17/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/listers/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorInformer provides access to a shared informer and lister for
+// WebhookAuthenticators.
+type WebhookAuthenticatorInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.WebhookAuthenticatorLister
+}
+
+type webhookAuthenticatorInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).Watch(options)
+			},
+		},
+		&authenticationv1alpha1.WebhookAuthenticator{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *webhookAuthenticatorInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *webhookAuthenticatorInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookAuthenticator{}, f.defaultInformer)
+}
+
+func (f *webhookAuthenticatorInformer) Lister() v1alpha1.WebhookAuthenticatorLister {
+	return v1alpha1.NewWebhookAuthenticatorLister(f.Informer().GetIndexer())
+}
diff --git a/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 86d3336a..00000000
--- a/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by informer-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	time "time"
-
-	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
-	versioned "go.pinniped.dev/generated/1.17/client/clientset/versioned"
-	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
-	v1alpha1 "go.pinniped.dev/generated/1.17/client/listers/authentication/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	runtime "k8s.io/apimachinery/pkg/runtime"
-	watch "k8s.io/apimachinery/pkg/watch"
-	cache "k8s.io/client-go/tools/cache"
-)
-
-// WebhookIdentityProviderInformer provides access to a shared informer and lister for
-// WebhookIdentityProviders.
-type WebhookIdentityProviderInformer interface {
-	Informer() cache.SharedIndexInformer
-	Lister() v1alpha1.WebhookIdentityProviderLister
-}
-
-type webhookIdentityProviderInformer struct {
-	factory          internalinterfaces.SharedInformerFactory
-	tweakListOptions internalinterfaces.TweakListOptionsFunc
-	namespace        string
-}
-
-// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
-	return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
-}
-
-// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
-	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
-			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(options)
-			},
-			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).Watch(options)
-			},
-		},
-		&authenticationv1alpha1.WebhookIdentityProvider{},
-		resyncPeriod,
-		indexers,
-	)
-}
-
-func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
-}
-
-func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&authenticationv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
-}
-
-func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
-	return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer())
-}
diff --git a/generated/1.17/client/informers/externalversions/generic.go b/generated/1.17/client/informers/externalversions/generic.go
index e6f3f43e..287c3493 100644
--- a/generated/1.17/client/informers/externalversions/generic.go
+++ b/generated/1.17/client/informers/externalversions/generic.go
@@ -42,8 +42,8 @@ func (f *genericInformer) Lister() cache.GenericLister {
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
 	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookIdentityProviders().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookauthenticators"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookAuthenticators().Informer()}, nil
 
 		// Group=config.pinniped.dev, Version=v1alpha1
 	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
diff --git a/generated/1.17/client/listers/authentication/v1alpha1/expansion_generated.go b/generated/1.17/client/listers/authentication/v1alpha1/expansion_generated.go
index f0b280e1..25e1ad66 100644
--- a/generated/1.17/client/listers/authentication/v1alpha1/expansion_generated.go
+++ b/generated/1.17/client/listers/authentication/v1alpha1/expansion_generated.go
@@ -5,10 +5,10 @@
 
 package v1alpha1
 
-// WebhookIdentityProviderListerExpansion allows custom methods to be added to
-// WebhookIdentityProviderLister.
-type WebhookIdentityProviderListerExpansion interface{}
+// WebhookAuthenticatorListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorLister.
+type WebhookAuthenticatorListerExpansion interface{}
 
-// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to
-// WebhookIdentityProviderNamespaceLister.
-type WebhookIdentityProviderNamespaceListerExpansion interface{}
+// WebhookAuthenticatorNamespaceListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorNamespaceLister.
+type WebhookAuthenticatorNamespaceListerExpansion interface{}
diff --git a/generated/1.17/client/listers/authentication/v1alpha1/webhookauthenticator.go b/generated/1.17/client/listers/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 00000000..dcf18bee
--- /dev/null
+++ b/generated/1.17/client/listers/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorLister helps list WebhookAuthenticators.
+type WebhookAuthenticatorLister interface {
+	// List lists all WebhookAuthenticators in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
+	// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
+	WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister
+	WebhookAuthenticatorListerExpansion
+}
+
+// webhookAuthenticatorLister implements the WebhookAuthenticatorLister interface.
+type webhookAuthenticatorLister struct {
+	indexer cache.Indexer
+}
+
+// NewWebhookAuthenticatorLister returns a new WebhookAuthenticatorLister.
+func NewWebhookAuthenticatorLister(indexer cache.Indexer) WebhookAuthenticatorLister {
+	return &webhookAuthenticatorLister{indexer: indexer}
+}
+
+// List lists all WebhookAuthenticators in the indexer.
+func (s *webhookAuthenticatorLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
+	})
+	return ret, err
+}
+
+// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
+func (s *webhookAuthenticatorLister) WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister {
+	return webhookAuthenticatorNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// WebhookAuthenticatorNamespaceLister helps list and get WebhookAuthenticators.
+type WebhookAuthenticatorNamespaceLister interface {
+	// List lists all WebhookAuthenticators in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
+	// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.WebhookAuthenticator, error)
+	WebhookAuthenticatorNamespaceListerExpansion
+}
+
+// webhookAuthenticatorNamespaceLister implements the WebhookAuthenticatorNamespaceLister
+// interface.
+type webhookAuthenticatorNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all WebhookAuthenticators in the indexer for a given namespace.
+func (s webhookAuthenticatorNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
+	})
+	return ret, err
+}
+
+// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
+func (s webhookAuthenticatorNamespaceLister) Get(name string) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("webhookauthenticator"), name)
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), nil
+}
diff --git a/generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 933b303d..00000000
--- a/generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,81 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by lister-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/client-go/tools/cache"
-)
-
-// WebhookIdentityProviderLister helps list WebhookIdentityProviders.
-type WebhookIdentityProviderLister interface {
-	// List lists all WebhookIdentityProviders in the indexer.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
-	// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
-	WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister
-	WebhookIdentityProviderListerExpansion
-}
-
-// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface.
-type webhookIdentityProviderLister struct {
-	indexer cache.Indexer
-}
-
-// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister.
-func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister {
-	return &webhookIdentityProviderLister{indexer: indexer}
-}
-
-// List lists all WebhookIdentityProviders in the indexer.
-func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
-	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
-	})
-	return ret, err
-}
-
-// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
-func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister {
-	return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
-}
-
-// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders.
-type WebhookIdentityProviderNamespaceLister interface {
-	// List lists all WebhookIdentityProviders in the indexer for a given namespace.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
-	// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
-	Get(name string) (*v1alpha1.WebhookIdentityProvider, error)
-	WebhookIdentityProviderNamespaceListerExpansion
-}
-
-// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister
-// interface.
-type webhookIdentityProviderNamespaceLister struct {
-	indexer   cache.Indexer
-	namespace string
-}
-
-// List lists all WebhookIdentityProviders in the indexer for a given namespace.
-func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
-	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
-	})
-	return ret, err
-}
-
-// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
-func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) {
-	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
-	if err != nil {
-		return nil, err
-	}
-	if !exists {
-		return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name)
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), nil
-}
diff --git a/generated/1.17/client/openapi/zz_generated.openapi.go b/generated/1.17/client/openapi/zz_generated.openapi.go
index b8d43ca3..821f0ba8 100644
--- a/generated/1.17/client/openapi/zz_generated.openapi.go
+++ b/generated/1.17/client/openapi/zz_generated.openapi.go
@@ -17,77 +17,77 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition":                     schema_apis_concierge_authentication_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec":                       schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider":       schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderList":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus": schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":                      schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":                 schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":           schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfig":                          schema_117_apis_config_v1alpha1_CredentialIssuerConfig(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":            schema_117_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigList":                      schema_117_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStatus":                    schema_117_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStrategy":                  schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig":                              schema_117_apis_config_v1alpha1_OIDCProviderConfig(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigList":                          schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec":                          schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigStatus":                        schema_117_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                       schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                   schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                    schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                    schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                  schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                  schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                       schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                  schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                       schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                     schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                      schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                  schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                   schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                       schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                               schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                           schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                  schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                  schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                       schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                           schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                       schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                    schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                             schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                      schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                     schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                 schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                          schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                      schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                          schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                   schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                  schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                      schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                      schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                         schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                    schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                  schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                          schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                          schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                   schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                       schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                              schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                           schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                      schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                       schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                  schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                     schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                        schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                            schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                             schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                                schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition":                  schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec":                    schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":       schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus": schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":                   schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":              schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":        schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfig":                       schema_117_apis_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":         schema_117_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigList":                   schema_117_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStatus":                 schema_117_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStrategy":               schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig":                           schema_117_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigList":                       schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec":                       schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigStatus":                     schema_117_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                    schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                 schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                             schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                 schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                               schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                               schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                    schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                               schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                    schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                  schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                   schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                               schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                    schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                            schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                        schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                               schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                               schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                    schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                        schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                    schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                 schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                          schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                   schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                  schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                              schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                       schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                   schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                       schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                               schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                   schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                   schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                      schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                 schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                               schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                       schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                       schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                    schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                           schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                        schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                   schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                    schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                               schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                  schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                     schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                         schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                          schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                             schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
@@ -152,7 +152,7 @@ func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceC
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Configuration for configuring TLS on various identity providers.",
+				Description: "Configuration for configuring TLS on various authenticators.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"certificateAuthorityData": {
@@ -168,11 +168,11 @@ func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceC
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
+				Description: "WebhookAuthenticator describes the configuration of a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -196,14 +196,14 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref c
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec"),
+							Description: "Spec for configuring the authenticator.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus"),
+							Description: "Status of the authenticator.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus"),
 						},
 					},
 				},
@@ -211,15 +211,15 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref c
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec", "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "List of WebhookIdentityProvider objects.",
+				Description: "List of WebhookAuthenticator objects.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -247,7 +247,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(r
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider"),
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticator"),
 									},
 								},
 							},
@@ -258,15 +258,15 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(r
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticator", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Spec for configuring a webhook identity provider.",
+				Description: "Spec for configuring a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"endpoint": {
@@ -291,11 +291,11 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(r
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Status of a webhook identity provider.",
+				Description: "Status of a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"conditions": {
@@ -310,7 +310,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "Represents the observations of an identity provider's current state.",
+							Description: "Represents the observations of the authenticator's current state.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
diff --git a/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.17/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
similarity index 89%
rename from deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.17/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
index 5e7aba72..9ae6152e 100644
--- a/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.17/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -6,21 +6,18 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.authentication.concierge.pinniped.dev
+  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
   group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
-    - idp
-    - idps
-    kind: WebhookIdentityProvider
-    listKind: WebhookIdentityProviderList
-    plural: webhookidentityproviders
-    shortNames:
-    - webhookidp
-    - webhookidps
-    singular: webhookidentityprovider
+    - authenticator
+    - authenticators
+    kind: WebhookAuthenticator
+    listKind: WebhookAuthenticatorList
+    plural: webhookauthenticators
+    singular: webhookauthenticator
   scope: Namespaced
   versions:
   - additionalPrinterColumns:
@@ -30,8 +27,8 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: WebhookIdentityProvider describes the configuration of a Pinniped
-          webhook identity provider.
+        description: WebhookAuthenticator describes the configuration of a webhook
+          authenticator.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -46,7 +43,7 @@ spec:
           metadata:
             type: object
           spec:
-            description: Spec for configuring the identity provider.
+            description: Spec for configuring the authenticator.
             properties:
               endpoint:
                 description: Webhook server endpoint URL.
@@ -65,11 +62,11 @@ spec:
             - endpoint
             type: object
           status:
-            description: Status of the identity provider.
+            description: Status of the authenticator.
             properties:
               conditions:
-                description: Represents the observations of an identity provider's
-                  current state.
+                description: Represents the observations of the authenticator's current
+                  state.
                 items:
                   description: Condition status of a resource (mirrored from the metav1.Condition
                     type added in Kubernetes 1.19). In a future API version we can
diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc
index ca7a442f..3dc20e72 100644
--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@@ -13,7 +13,7 @@
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
 === authentication.concierge.pinniped.dev/v1alpha1
 
-Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 
 
 
@@ -24,7 +24,7 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus[$$WebhookAuthenticatorStatus$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -42,11 +42,11 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various identity providers.
+Configuration for configuring TLS on various authenticators.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec[$$WebhookAuthenticatorSpec$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -56,14 +56,14 @@ Configuration for configuring TLS on various identity providers.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityprovider"]
-==== WebhookIdentityProvider 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticator"]
+==== WebhookAuthenticator 
 
-WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+WebhookAuthenticator describes the configuration of a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorlist[$$WebhookAuthenticatorList$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -71,21 +71,21 @@ WebhookIdentityProvider describes the configuration of a Pinniped webhook identi
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec[$$WebhookAuthenticatorSpec$$]__ | Spec for configuring the authenticator.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus[$$WebhookAuthenticatorStatus$$]__ | Status of the authenticator.
 |===
 
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec"]
-==== WebhookIdentityProviderSpec 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec"]
+==== WebhookAuthenticatorSpec 
 
-Spec for configuring a webhook identity provider.
+Spec for configuring a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticator[$$WebhookAuthenticator$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -96,20 +96,20 @@ Spec for configuring a webhook identity provider.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus"]
-==== WebhookIdentityProviderStatus 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus"]
+==== WebhookAuthenticatorStatus 
 
-Status of a webhook identity provider.
+Status of a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticator[$$WebhookAuthenticator$$]
 ****
 
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of the authenticator's current state.
 |===
 
 
diff --git a/generated/1.18/apis/concierge/authentication/doc.go b/generated/1.18/apis/concierge/authentication/doc.go
index c8558463..78e81bd6 100644
--- a/generated/1.18/apis/concierge/authentication/doc.go
+++ b/generated/1.18/apis/concierge/authentication/doc.go
@@ -4,5 +4,5 @@
 // +k8s:deepcopy-gen=package
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package authentication is the internal version of the Pinniped identity provider API.
+// Package authentication is the internal version of the Pinniped concierge authentication API.
 package authentication
diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/doc.go b/generated/1.18/apis/concierge/authentication/v1alpha1/doc.go
index 49cd7430..00a19514 100644
--- a/generated/1.18/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/doc.go
@@ -7,5 +7,5 @@
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 package v1alpha1
diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/register.go b/generated/1.18/apis/concierge/authentication/v1alpha1/register.go
index b372270d..1a5163da 100644
--- a/generated/1.18/apis/concierge/authentication/v1alpha1/register.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/register.go
@@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&WebhookIdentityProvider{},
-		&WebhookIdentityProviderList{},
+		&WebhookAuthenticator{},
+		&WebhookAuthenticatorList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_tls.go
index 2f2098c9..f882f2d6 100644
--- a/generated/1.18/apis/concierge/authentication/v1alpha1/types_tls.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/types_tls.go
@@ -3,7 +3,7 @@
 
 package v1alpha1
 
-// Configuration for configuring TLS on various identity providers.
+// Configuration for configuring TLS on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go
index 6e476337..8124597a 100644
--- a/generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go
@@ -5,9 +5,9 @@ package v1alpha1
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-// Status of a webhook identity provider.
-type WebhookIdentityProviderStatus struct {
-	// Represents the observations of an identity provider's current state.
+// Status of a webhook authenticator.
+type WebhookAuthenticatorStatus struct {
+	// Represents the observations of the authenticator's current state.
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	// +listType=map
@@ -15,8 +15,8 @@ type WebhookIdentityProviderStatus struct {
 	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }
 
-// Spec for configuring a webhook identity provider.
-type WebhookIdentityProviderSpec struct {
+// Spec for configuring a webhook authenticator.
+type WebhookAuthenticatorSpec struct {
 	// Webhook server endpoint URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://`
@@ -27,27 +27,27 @@ type WebhookIdentityProviderSpec struct {
 	TLS *TLSSpec `json:"tls,omitempty"`
 }
 
-// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+// WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps
+// +kubebuilder:resource:categories=all;authenticator;authenticators
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
-type WebhookIdentityProvider struct {
+type WebhookAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Spec for configuring the identity provider.
-	Spec WebhookIdentityProviderSpec `json:"spec"`
+	// Spec for configuring the authenticator.
+	Spec WebhookAuthenticatorSpec `json:"spec"`
 
-	// Status of the identity provider.
-	Status WebhookIdentityProviderStatus `json:"status,omitempty"`
+	// Status of the authenticator.
+	Status WebhookAuthenticatorStatus `json:"status,omitempty"`
 }
 
-// List of WebhookIdentityProvider objects.
+// List of WebhookAuthenticator objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type WebhookIdentityProviderList struct {
+type WebhookAuthenticatorList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
 
-	Items []WebhookIdentityProvider `json:"items"`
+	Items []WebhookAuthenticator `json:"items"`
 }
diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
index cb0f46c8..a4e27af7 100644
--- a/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -45,7 +45,7 @@ func (in *TLSSpec) DeepCopy() *TLSSpec {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
+func (in *WebhookAuthenticator) DeepCopyInto(out *WebhookAuthenticator) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@@ -54,18 +54,18 @@ func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider.
-func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticator.
+func (in *WebhookAuthenticator) DeepCopy() *WebhookAuthenticator {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProvider)
+	out := new(WebhookAuthenticator)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
+func (in *WebhookAuthenticator) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -73,13 +73,13 @@ func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) {
+func (in *WebhookAuthenticatorList) DeepCopyInto(out *WebhookAuthenticatorList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]WebhookIdentityProvider, len(*in))
+		*out = make([]WebhookAuthenticator, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -87,18 +87,18 @@ func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProvider
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList.
-func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorList.
+func (in *WebhookAuthenticatorList) DeepCopy() *WebhookAuthenticatorList {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderList)
+	out := new(WebhookAuthenticatorList)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
+func (in *WebhookAuthenticatorList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -106,7 +106,7 @@ func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) {
+func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) {
 	*out = *in
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
@@ -116,18 +116,18 @@ func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProvider
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec.
-func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorSpec.
+func (in *WebhookAuthenticatorSpec) DeepCopy() *WebhookAuthenticatorSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderSpec)
+	out := new(WebhookAuthenticatorSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) {
+func (in *WebhookAuthenticatorStatus) DeepCopyInto(out *WebhookAuthenticatorStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
@@ -139,12 +139,12 @@ func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProvid
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus.
-func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorStatus.
+func (in *WebhookAuthenticatorStatus) DeepCopy() *WebhookAuthenticatorStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderStatus)
+	out := new(WebhookAuthenticatorStatus)
 	in.DeepCopyInto(out)
 	return out
 }
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
index 4073c3c6..4b4ff7db 100644
--- a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -13,7 +13,7 @@ import (
 
 type AuthenticationV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	WebhookIdentityProvidersGetter
+	WebhookAuthenticatorsGetter
 }
 
 // AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
@@ -21,8 +21,8 @@ type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *AuthenticationV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
-	return newWebhookIdentityProviders(c, namespace)
+func (c *AuthenticationV1alpha1Client) WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface {
+	return newWebhookAuthenticators(c, namespace)
 }
 
 // NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
index 73de150f..dfad1675 100644
--- a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -15,8 +15,8 @@ type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeAuthenticationV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
-	return &FakeWebhookIdentityProviders{c, namespace}
+func (c *FakeAuthenticationV1alpha1) WebhookAuthenticators(namespace string) v1alpha1.WebhookAuthenticatorInterface {
+	return &FakeWebhookAuthenticators{c, namespace}
 }
 
 // RESTClient returns a RESTClient that is used to communicate
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
new file mode 100644
index 00000000..83adeb87
--- /dev/null
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
@@ -0,0 +1,129 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeWebhookAuthenticators implements WebhookAuthenticatorInterface
+type FakeWebhookAuthenticators struct {
+	Fake *FakeAuthenticationV1alpha1
+	ns   string
+}
+
+var webhookauthenticatorsResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookauthenticators"}
+
+var webhookauthenticatorsKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookAuthenticator"}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *FakeWebhookAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *FakeWebhookAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(webhookauthenticatorsResource, webhookauthenticatorsKind, c.ns, opts), &v1alpha1.WebhookAuthenticatorList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.WebhookAuthenticatorList{ListMeta: obj.(*v1alpha1.WebhookAuthenticatorList).ListMeta}
+	for _, item := range obj.(*v1alpha1.WebhookAuthenticatorList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *FakeWebhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(webhookauthenticatorsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeWebhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(webhookauthenticatorsResource, "status", c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *FakeWebhookAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeWebhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(webhookauthenticatorsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookAuthenticatorList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *FakeWebhookAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(webhookauthenticatorsResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
deleted file mode 100644
index 05757ab0..00000000
--- a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
+++ /dev/null
@@ -1,129 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
-	"context"
-
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	labels "k8s.io/apimachinery/pkg/labels"
-	schema "k8s.io/apimachinery/pkg/runtime/schema"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	testing "k8s.io/client-go/testing"
-)
-
-// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
-type FakeWebhookIdentityProviders struct {
-	Fake *FakeAuthenticationV1alpha1
-	ns   string
-}
-
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
-
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
-
-// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
-func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
-func (c *FakeWebhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{})
-
-	if obj == nil {
-		return nil, err
-	}
-
-	label, _, _ := testing.ExtractFromListOptions(opts)
-	if label == nil {
-		label = labels.Everything()
-	}
-	list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta}
-	for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items {
-		if label.Matches(labels.Set(item.Labels)) {
-			list.Items = append(list.Items, item)
-		}
-	}
-	return list, err
-}
-
-// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
-func (c *FakeWebhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
-	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts))
-
-}
-
-// Create takes the representation of a webhookIdentityProvider and creates it.  Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *FakeWebhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *FakeWebhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// UpdateStatus was generated because the type contains a Status member.
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-func (c *FakeWebhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
-func (c *FakeWebhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
-	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
-
-	return err
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *FakeWebhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOpts)
-
-	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{})
-	return err
-}
-
-// Patch applies the patch and returns the patched webhookIdentityProvider.
-func (c *FakeWebhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
index 69ebc739..e1b1f2b4 100644
--- a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
@@ -5,4 +5,4 @@
 
 package v1alpha1
 
-type WebhookIdentityProviderExpansion interface{}
+type WebhookAuthenticatorExpansion interface{}
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 00000000..2e5b78db
--- /dev/null
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,182 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// WebhookAuthenticatorsGetter has a method to return a WebhookAuthenticatorInterface.
+// A group's client should implement this interface.
+type WebhookAuthenticatorsGetter interface {
+	WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface
+}
+
+// WebhookAuthenticatorInterface has methods to work with WebhookAuthenticator resources.
+type WebhookAuthenticatorInterface interface {
+	Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookAuthenticator, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookAuthenticatorList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error)
+	WebhookAuthenticatorExpansion
+}
+
+// webhookAuthenticators implements WebhookAuthenticatorInterface
+type webhookAuthenticators struct {
+	client rest.Interface
+	ns     string
+}
+
+// newWebhookAuthenticators returns a WebhookAuthenticators
+func newWebhookAuthenticators(c *AuthenticationV1alpha1Client, namespace string) *webhookAuthenticators {
+	return &webhookAuthenticators{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *webhookAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *webhookAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.WebhookAuthenticatorList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *webhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *webhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *webhookAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *webhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *webhookAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 157cb606..00000000
--- a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,182 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	"context"
-	"time"
-
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
-	scheme "go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	rest "k8s.io/client-go/rest"
-)
-
-// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface.
-// A group's client should implement this interface.
-type WebhookIdentityProvidersGetter interface {
-	WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface
-}
-
-// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources.
-type WebhookIdentityProviderInterface interface {
-	Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
-	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
-	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error)
-	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
-	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error)
-	WebhookIdentityProviderExpansion
-}
-
-// webhookIdentityProviders implements WebhookIdentityProviderInterface
-type webhookIdentityProviders struct {
-	client rest.Interface
-	ns     string
-}
-
-// newWebhookIdentityProviders returns a WebhookIdentityProviders
-func newWebhookIdentityProviders(c *AuthenticationV1alpha1Client, namespace string) *webhookIdentityProviders {
-	return &webhookIdentityProviders{
-		client: c.RESTClient(),
-		ns:     namespace,
-	}
-}
-
-// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
-func (c *webhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		VersionedParams(&options, scheme.ParameterCodec).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
-func (c *webhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
-	var timeout time.Duration
-	if opts.TimeoutSeconds != nil {
-		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
-	}
-	result = &v1alpha1.WebhookIdentityProviderList{}
-	err = c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
-func (c *webhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
-	var timeout time.Duration
-	if opts.TimeoutSeconds != nil {
-		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
-	}
-	opts.Watch = true
-	return c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Watch(ctx)
-}
-
-// Create takes the representation of a webhookIdentityProvider and creates it.  Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *webhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Post().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(webhookIdentityProvider).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *webhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Put().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(webhookIdentityProvider.Name).
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(webhookIdentityProvider).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// UpdateStatus was generated because the type contains a Status member.
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-func (c *webhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Put().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(webhookIdentityProvider.Name).
-		SubResource("status").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(webhookIdentityProvider).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
-func (c *webhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
-	return c.client.Delete().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		Body(&opts).
-		Do(ctx).
-		Error()
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *webhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
-	var timeout time.Duration
-	if listOpts.TimeoutSeconds != nil {
-		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
-	}
-	return c.client.Delete().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&listOpts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Body(&opts).
-		Do(ctx).
-		Error()
-}
-
-// Patch applies the patch and returns the patched webhookIdentityProvider.
-func (c *webhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Patch(pt).
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		SubResource(subresources...).
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(data).
-		Do(ctx).
-		Into(result)
-	return
-}
diff --git a/generated/1.18/client/informers/externalversions/authentication/v1alpha1/interface.go b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/interface.go
index 4445a99a..14832425 100644
--- a/generated/1.18/client/informers/externalversions/authentication/v1alpha1/interface.go
+++ b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/interface.go
@@ -11,8 +11,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
-	WebhookIdentityProviders() WebhookIdentityProviderInformer
+	// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+	WebhookAuthenticators() WebhookAuthenticatorInformer
 }
 
 type version struct {
@@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
-// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
-func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer {
-	return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+func (v *version) WebhookAuthenticators() WebhookAuthenticatorInformer {
+	return &webhookAuthenticatorInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
diff --git a/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 00000000..47c511c6
--- /dev/null
+++ b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.18/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/listers/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorInformer provides access to a shared informer and lister for
+// WebhookAuthenticators.
+type WebhookAuthenticatorInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.WebhookAuthenticatorLister
+}
+
+type webhookAuthenticatorInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&authenticationv1alpha1.WebhookAuthenticator{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *webhookAuthenticatorInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *webhookAuthenticatorInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookAuthenticator{}, f.defaultInformer)
+}
+
+func (f *webhookAuthenticatorInformer) Lister() v1alpha1.WebhookAuthenticatorLister {
+	return v1alpha1.NewWebhookAuthenticatorLister(f.Informer().GetIndexer())
+}
diff --git a/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 3225aa73..00000000
--- a/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,77 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by informer-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	"context"
-	time "time"
-
-	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
-	versioned "go.pinniped.dev/generated/1.18/client/clientset/versioned"
-	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
-	v1alpha1 "go.pinniped.dev/generated/1.18/client/listers/authentication/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	runtime "k8s.io/apimachinery/pkg/runtime"
-	watch "k8s.io/apimachinery/pkg/watch"
-	cache "k8s.io/client-go/tools/cache"
-)
-
-// WebhookIdentityProviderInformer provides access to a shared informer and lister for
-// WebhookIdentityProviders.
-type WebhookIdentityProviderInformer interface {
-	Informer() cache.SharedIndexInformer
-	Lister() v1alpha1.WebhookIdentityProviderLister
-}
-
-type webhookIdentityProviderInformer struct {
-	factory          internalinterfaces.SharedInformerFactory
-	tweakListOptions internalinterfaces.TweakListOptionsFunc
-	namespace        string
-}
-
-// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
-	return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
-}
-
-// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
-	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
-			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
-			},
-			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
-			},
-		},
-		&authenticationv1alpha1.WebhookIdentityProvider{},
-		resyncPeriod,
-		indexers,
-	)
-}
-
-func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
-}
-
-func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&authenticationv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
-}
-
-func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
-	return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer())
-}
diff --git a/generated/1.18/client/informers/externalversions/generic.go b/generated/1.18/client/informers/externalversions/generic.go
index 0509c7d3..441b1947 100644
--- a/generated/1.18/client/informers/externalversions/generic.go
+++ b/generated/1.18/client/informers/externalversions/generic.go
@@ -42,8 +42,8 @@ func (f *genericInformer) Lister() cache.GenericLister {
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
 	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookIdentityProviders().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookauthenticators"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookAuthenticators().Informer()}, nil
 
 		// Group=config.pinniped.dev, Version=v1alpha1
 	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
diff --git a/generated/1.18/client/listers/authentication/v1alpha1/expansion_generated.go b/generated/1.18/client/listers/authentication/v1alpha1/expansion_generated.go
index f0b280e1..25e1ad66 100644
--- a/generated/1.18/client/listers/authentication/v1alpha1/expansion_generated.go
+++ b/generated/1.18/client/listers/authentication/v1alpha1/expansion_generated.go
@@ -5,10 +5,10 @@
 
 package v1alpha1
 
-// WebhookIdentityProviderListerExpansion allows custom methods to be added to
-// WebhookIdentityProviderLister.
-type WebhookIdentityProviderListerExpansion interface{}
+// WebhookAuthenticatorListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorLister.
+type WebhookAuthenticatorListerExpansion interface{}
 
-// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to
-// WebhookIdentityProviderNamespaceLister.
-type WebhookIdentityProviderNamespaceListerExpansion interface{}
+// WebhookAuthenticatorNamespaceListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorNamespaceLister.
+type WebhookAuthenticatorNamespaceListerExpansion interface{}
diff --git a/generated/1.18/client/listers/authentication/v1alpha1/webhookauthenticator.go b/generated/1.18/client/listers/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 00000000..f6a60ff2
--- /dev/null
+++ b/generated/1.18/client/listers/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorLister helps list WebhookAuthenticators.
+type WebhookAuthenticatorLister interface {
+	// List lists all WebhookAuthenticators in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
+	// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
+	WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister
+	WebhookAuthenticatorListerExpansion
+}
+
+// webhookAuthenticatorLister implements the WebhookAuthenticatorLister interface.
+type webhookAuthenticatorLister struct {
+	indexer cache.Indexer
+}
+
+// NewWebhookAuthenticatorLister returns a new WebhookAuthenticatorLister.
+func NewWebhookAuthenticatorLister(indexer cache.Indexer) WebhookAuthenticatorLister {
+	return &webhookAuthenticatorLister{indexer: indexer}
+}
+
+// List lists all WebhookAuthenticators in the indexer.
+func (s *webhookAuthenticatorLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
+	})
+	return ret, err
+}
+
+// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
+func (s *webhookAuthenticatorLister) WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister {
+	return webhookAuthenticatorNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// WebhookAuthenticatorNamespaceLister helps list and get WebhookAuthenticators.
+type WebhookAuthenticatorNamespaceLister interface {
+	// List lists all WebhookAuthenticators in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
+	// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.WebhookAuthenticator, error)
+	WebhookAuthenticatorNamespaceListerExpansion
+}
+
+// webhookAuthenticatorNamespaceLister implements the WebhookAuthenticatorNamespaceLister
+// interface.
+type webhookAuthenticatorNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all WebhookAuthenticators in the indexer for a given namespace.
+func (s webhookAuthenticatorNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
+	})
+	return ret, err
+}
+
+// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
+func (s webhookAuthenticatorNamespaceLister) Get(name string) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("webhookauthenticator"), name)
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), nil
+}
diff --git a/generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 218cf682..00000000
--- a/generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,81 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by lister-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/client-go/tools/cache"
-)
-
-// WebhookIdentityProviderLister helps list WebhookIdentityProviders.
-type WebhookIdentityProviderLister interface {
-	// List lists all WebhookIdentityProviders in the indexer.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
-	// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
-	WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister
-	WebhookIdentityProviderListerExpansion
-}
-
-// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface.
-type webhookIdentityProviderLister struct {
-	indexer cache.Indexer
-}
-
-// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister.
-func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister {
-	return &webhookIdentityProviderLister{indexer: indexer}
-}
-
-// List lists all WebhookIdentityProviders in the indexer.
-func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
-	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
-	})
-	return ret, err
-}
-
-// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
-func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister {
-	return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
-}
-
-// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders.
-type WebhookIdentityProviderNamespaceLister interface {
-	// List lists all WebhookIdentityProviders in the indexer for a given namespace.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
-	// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
-	Get(name string) (*v1alpha1.WebhookIdentityProvider, error)
-	WebhookIdentityProviderNamespaceListerExpansion
-}
-
-// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister
-// interface.
-type webhookIdentityProviderNamespaceLister struct {
-	indexer   cache.Indexer
-	namespace string
-}
-
-// List lists all WebhookIdentityProviders in the indexer for a given namespace.
-func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
-	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
-	})
-	return ret, err
-}
-
-// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
-func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) {
-	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
-	if err != nil {
-		return nil, err
-	}
-	if !exists {
-		return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name)
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), nil
-}
diff --git a/generated/1.18/client/openapi/zz_generated.openapi.go b/generated/1.18/client/openapi/zz_generated.openapi.go
index 44332c47..d020267e 100644
--- a/generated/1.18/client/openapi/zz_generated.openapi.go
+++ b/generated/1.18/client/openapi/zz_generated.openapi.go
@@ -17,77 +17,77 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition":                     schema_apis_concierge_authentication_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec":                       schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider":       schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderList":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus": schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":                      schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":                 schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":           schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfig":                          schema_118_apis_config_v1alpha1_CredentialIssuerConfig(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":            schema_118_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigList":                      schema_118_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStatus":                    schema_118_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStrategy":                  schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig":                              schema_118_apis_config_v1alpha1_OIDCProviderConfig(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigList":                          schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec":                          schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigStatus":                        schema_118_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                       schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                   schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                    schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                    schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                  schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                  schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                       schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                  schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                       schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                     schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                      schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                  schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                   schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                       schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                               schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                           schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                  schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                  schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                       schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                           schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                       schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                    schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                             schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                      schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                     schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                 schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                          schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                      schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                          schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                   schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                  schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                      schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                      schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                         schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                    schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                  schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                          schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                          schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                   schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                       schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                              schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                           schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                      schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                       schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                  schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                     schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                        schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                            schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                             schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                                schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition":                  schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec":                    schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":       schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus": schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":                   schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":              schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":        schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfig":                       schema_118_apis_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":         schema_118_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigList":                   schema_118_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStatus":                 schema_118_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStrategy":               schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig":                           schema_118_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigList":                       schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec":                       schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigStatus":                     schema_118_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                    schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                 schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                             schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                 schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                               schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                               schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                    schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                               schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                    schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                  schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                   schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                               schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                    schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                            schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                        schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                               schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                               schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                    schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                        schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                    schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                 schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                          schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                   schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                  schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                              schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                       schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                   schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                       schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                               schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                   schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                   schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                      schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                 schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                               schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                       schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                       schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                    schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                           schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                        schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                   schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                    schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                               schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                  schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                     schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                         schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                          schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                             schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
@@ -152,7 +152,7 @@ func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceC
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Configuration for configuring TLS on various identity providers.",
+				Description: "Configuration for configuring TLS on various authenticators.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"certificateAuthorityData": {
@@ -168,11 +168,11 @@ func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceC
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
+				Description: "WebhookAuthenticator describes the configuration of a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -196,14 +196,14 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref c
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec"),
+							Description: "Spec for configuring the authenticator.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus"),
+							Description: "Status of the authenticator.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus"),
 						},
 					},
 				},
@@ -211,15 +211,15 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref c
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec", "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "List of WebhookIdentityProvider objects.",
+				Description: "List of WebhookAuthenticator objects.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -247,7 +247,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(r
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider"),
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticator"),
 									},
 								},
 							},
@@ -258,15 +258,15 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(r
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticator", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Spec for configuring a webhook identity provider.",
+				Description: "Spec for configuring a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"endpoint": {
@@ -291,11 +291,11 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(r
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Status of a webhook identity provider.",
+				Description: "Status of a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"conditions": {
@@ -310,7 +310,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "Represents the observations of an identity provider's current state.",
+							Description: "Represents the observations of the authenticator's current state.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
diff --git a/generated/1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.18/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
similarity index 89%
rename from generated/1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.18/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
index 5e7aba72..9ae6152e 100644
--- a/generated/1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.18/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -6,21 +6,18 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.authentication.concierge.pinniped.dev
+  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
   group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
-    - idp
-    - idps
-    kind: WebhookIdentityProvider
-    listKind: WebhookIdentityProviderList
-    plural: webhookidentityproviders
-    shortNames:
-    - webhookidp
-    - webhookidps
-    singular: webhookidentityprovider
+    - authenticator
+    - authenticators
+    kind: WebhookAuthenticator
+    listKind: WebhookAuthenticatorList
+    plural: webhookauthenticators
+    singular: webhookauthenticator
   scope: Namespaced
   versions:
   - additionalPrinterColumns:
@@ -30,8 +27,8 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: WebhookIdentityProvider describes the configuration of a Pinniped
-          webhook identity provider.
+        description: WebhookAuthenticator describes the configuration of a webhook
+          authenticator.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -46,7 +43,7 @@ spec:
           metadata:
             type: object
           spec:
-            description: Spec for configuring the identity provider.
+            description: Spec for configuring the authenticator.
             properties:
               endpoint:
                 description: Webhook server endpoint URL.
@@ -65,11 +62,11 @@ spec:
             - endpoint
             type: object
           status:
-            description: Status of the identity provider.
+            description: Status of the authenticator.
             properties:
               conditions:
-                description: Represents the observations of an identity provider's
-                  current state.
+                description: Represents the observations of the authenticator's current
+                  state.
                 items:
                   description: Condition status of a resource (mirrored from the metav1.Condition
                     type added in Kubernetes 1.19). In a future API version we can
diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc
index 00984654..25625544 100644
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@@ -13,7 +13,7 @@
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
 === authentication.concierge.pinniped.dev/v1alpha1
 
-Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 
 
 
@@ -24,7 +24,7 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus[$$WebhookAuthenticatorStatus$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -42,11 +42,11 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various identity providers.
+Configuration for configuring TLS on various authenticators.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec[$$WebhookAuthenticatorSpec$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -56,14 +56,14 @@ Configuration for configuring TLS on various identity providers.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityprovider"]
-==== WebhookIdentityProvider 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticator"]
+==== WebhookAuthenticator 
 
-WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+WebhookAuthenticator describes the configuration of a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorlist[$$WebhookAuthenticatorList$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -71,21 +71,21 @@ WebhookIdentityProvider describes the configuration of a Pinniped webhook identi
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec[$$WebhookAuthenticatorSpec$$]__ | Spec for configuring the authenticator.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus[$$WebhookAuthenticatorStatus$$]__ | Status of the authenticator.
 |===
 
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec"]
-==== WebhookIdentityProviderSpec 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec"]
+==== WebhookAuthenticatorSpec 
 
-Spec for configuring a webhook identity provider.
+Spec for configuring a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticator[$$WebhookAuthenticator$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -96,20 +96,20 @@ Spec for configuring a webhook identity provider.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus"]
-==== WebhookIdentityProviderStatus 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus"]
+==== WebhookAuthenticatorStatus 
 
-Status of a webhook identity provider.
+Status of a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticator[$$WebhookAuthenticator$$]
 ****
 
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of the authenticator's current state.
 |===
 
 
diff --git a/generated/1.19/apis/concierge/authentication/doc.go b/generated/1.19/apis/concierge/authentication/doc.go
index c8558463..78e81bd6 100644
--- a/generated/1.19/apis/concierge/authentication/doc.go
+++ b/generated/1.19/apis/concierge/authentication/doc.go
@@ -4,5 +4,5 @@
 // +k8s:deepcopy-gen=package
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package authentication is the internal version of the Pinniped identity provider API.
+// Package authentication is the internal version of the Pinniped concierge authentication API.
 package authentication
diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/doc.go b/generated/1.19/apis/concierge/authentication/v1alpha1/doc.go
index 981b832f..57c00e2b 100644
--- a/generated/1.19/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/doc.go
@@ -7,5 +7,5 @@
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 package v1alpha1
diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/register.go b/generated/1.19/apis/concierge/authentication/v1alpha1/register.go
index b372270d..1a5163da 100644
--- a/generated/1.19/apis/concierge/authentication/v1alpha1/register.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/register.go
@@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&WebhookIdentityProvider{},
-		&WebhookIdentityProviderList{},
+		&WebhookAuthenticator{},
+		&WebhookAuthenticatorList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_tls.go
index 2f2098c9..f882f2d6 100644
--- a/generated/1.19/apis/concierge/authentication/v1alpha1/types_tls.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/types_tls.go
@@ -3,7 +3,7 @@
 
 package v1alpha1
 
-// Configuration for configuring TLS on various identity providers.
+// Configuration for configuring TLS on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/types_webhook.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_webhook.go
index 6e476337..8124597a 100644
--- a/generated/1.19/apis/concierge/authentication/v1alpha1/types_webhook.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/types_webhook.go
@@ -5,9 +5,9 @@ package v1alpha1
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-// Status of a webhook identity provider.
-type WebhookIdentityProviderStatus struct {
-	// Represents the observations of an identity provider's current state.
+// Status of a webhook authenticator.
+type WebhookAuthenticatorStatus struct {
+	// Represents the observations of the authenticator's current state.
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	// +listType=map
@@ -15,8 +15,8 @@ type WebhookIdentityProviderStatus struct {
 	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }
 
-// Spec for configuring a webhook identity provider.
-type WebhookIdentityProviderSpec struct {
+// Spec for configuring a webhook authenticator.
+type WebhookAuthenticatorSpec struct {
 	// Webhook server endpoint URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://`
@@ -27,27 +27,27 @@ type WebhookIdentityProviderSpec struct {
 	TLS *TLSSpec `json:"tls,omitempty"`
 }
 
-// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+// WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps
+// +kubebuilder:resource:categories=all;authenticator;authenticators
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
-type WebhookIdentityProvider struct {
+type WebhookAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Spec for configuring the identity provider.
-	Spec WebhookIdentityProviderSpec `json:"spec"`
+	// Spec for configuring the authenticator.
+	Spec WebhookAuthenticatorSpec `json:"spec"`
 
-	// Status of the identity provider.
-	Status WebhookIdentityProviderStatus `json:"status,omitempty"`
+	// Status of the authenticator.
+	Status WebhookAuthenticatorStatus `json:"status,omitempty"`
 }
 
-// List of WebhookIdentityProvider objects.
+// List of WebhookAuthenticator objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type WebhookIdentityProviderList struct {
+type WebhookAuthenticatorList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
 
-	Items []WebhookIdentityProvider `json:"items"`
+	Items []WebhookAuthenticator `json:"items"`
 }
diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
index cb0f46c8..a4e27af7 100644
--- a/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -45,7 +45,7 @@ func (in *TLSSpec) DeepCopy() *TLSSpec {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
+func (in *WebhookAuthenticator) DeepCopyInto(out *WebhookAuthenticator) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@@ -54,18 +54,18 @@ func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider.
-func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticator.
+func (in *WebhookAuthenticator) DeepCopy() *WebhookAuthenticator {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProvider)
+	out := new(WebhookAuthenticator)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
+func (in *WebhookAuthenticator) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -73,13 +73,13 @@ func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) {
+func (in *WebhookAuthenticatorList) DeepCopyInto(out *WebhookAuthenticatorList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]WebhookIdentityProvider, len(*in))
+		*out = make([]WebhookAuthenticator, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -87,18 +87,18 @@ func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProvider
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList.
-func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorList.
+func (in *WebhookAuthenticatorList) DeepCopy() *WebhookAuthenticatorList {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderList)
+	out := new(WebhookAuthenticatorList)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
+func (in *WebhookAuthenticatorList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -106,7 +106,7 @@ func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) {
+func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) {
 	*out = *in
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
@@ -116,18 +116,18 @@ func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProvider
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec.
-func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorSpec.
+func (in *WebhookAuthenticatorSpec) DeepCopy() *WebhookAuthenticatorSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderSpec)
+	out := new(WebhookAuthenticatorSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) {
+func (in *WebhookAuthenticatorStatus) DeepCopyInto(out *WebhookAuthenticatorStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
@@ -139,12 +139,12 @@ func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProvid
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus.
-func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorStatus.
+func (in *WebhookAuthenticatorStatus) DeepCopy() *WebhookAuthenticatorStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderStatus)
+	out := new(WebhookAuthenticatorStatus)
 	in.DeepCopyInto(out)
 	return out
 }
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
index cdfa725e..e3721127 100644
--- a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -13,7 +13,7 @@ import (
 
 type AuthenticationV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	WebhookIdentityProvidersGetter
+	WebhookAuthenticatorsGetter
 }
 
 // AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
@@ -21,8 +21,8 @@ type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *AuthenticationV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
-	return newWebhookIdentityProviders(c, namespace)
+func (c *AuthenticationV1alpha1Client) WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface {
+	return newWebhookAuthenticators(c, namespace)
 }
 
 // NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
index f75f4480..f1663bfe 100644
--- a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -15,8 +15,8 @@ type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeAuthenticationV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
-	return &FakeWebhookIdentityProviders{c, namespace}
+func (c *FakeAuthenticationV1alpha1) WebhookAuthenticators(namespace string) v1alpha1.WebhookAuthenticatorInterface {
+	return &FakeWebhookAuthenticators{c, namespace}
 }
 
 // RESTClient returns a RESTClient that is used to communicate
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
new file mode 100644
index 00000000..0bc22bc8
--- /dev/null
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
@@ -0,0 +1,129 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeWebhookAuthenticators implements WebhookAuthenticatorInterface
+type FakeWebhookAuthenticators struct {
+	Fake *FakeAuthenticationV1alpha1
+	ns   string
+}
+
+var webhookauthenticatorsResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookauthenticators"}
+
+var webhookauthenticatorsKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookAuthenticator"}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *FakeWebhookAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *FakeWebhookAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(webhookauthenticatorsResource, webhookauthenticatorsKind, c.ns, opts), &v1alpha1.WebhookAuthenticatorList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.WebhookAuthenticatorList{ListMeta: obj.(*v1alpha1.WebhookAuthenticatorList).ListMeta}
+	for _, item := range obj.(*v1alpha1.WebhookAuthenticatorList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *FakeWebhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(webhookauthenticatorsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeWebhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(webhookauthenticatorsResource, "status", c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *FakeWebhookAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeWebhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(webhookauthenticatorsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookAuthenticatorList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *FakeWebhookAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(webhookauthenticatorsResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
deleted file mode 100644
index 62fe34a8..00000000
--- a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
+++ /dev/null
@@ -1,129 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
-	"context"
-
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	labels "k8s.io/apimachinery/pkg/labels"
-	schema "k8s.io/apimachinery/pkg/runtime/schema"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	testing "k8s.io/client-go/testing"
-)
-
-// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
-type FakeWebhookIdentityProviders struct {
-	Fake *FakeAuthenticationV1alpha1
-	ns   string
-}
-
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
-
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
-
-// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
-func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
-func (c *FakeWebhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{})
-
-	if obj == nil {
-		return nil, err
-	}
-
-	label, _, _ := testing.ExtractFromListOptions(opts)
-	if label == nil {
-		label = labels.Everything()
-	}
-	list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta}
-	for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items {
-		if label.Matches(labels.Set(item.Labels)) {
-			list.Items = append(list.Items, item)
-		}
-	}
-	return list, err
-}
-
-// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
-func (c *FakeWebhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
-	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts))
-
-}
-
-// Create takes the representation of a webhookIdentityProvider and creates it.  Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *FakeWebhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *FakeWebhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// UpdateStatus was generated because the type contains a Status member.
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-func (c *FakeWebhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
-func (c *FakeWebhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
-	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
-
-	return err
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *FakeWebhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOpts)
-
-	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{})
-	return err
-}
-
-// Patch applies the patch and returns the patched webhookIdentityProvider.
-func (c *FakeWebhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
index 69ebc739..e1b1f2b4 100644
--- a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
@@ -5,4 +5,4 @@
 
 package v1alpha1
 
-type WebhookIdentityProviderExpansion interface{}
+type WebhookAuthenticatorExpansion interface{}
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 00000000..22289160
--- /dev/null
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,182 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// WebhookAuthenticatorsGetter has a method to return a WebhookAuthenticatorInterface.
+// A group's client should implement this interface.
+type WebhookAuthenticatorsGetter interface {
+	WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface
+}
+
+// WebhookAuthenticatorInterface has methods to work with WebhookAuthenticator resources.
+type WebhookAuthenticatorInterface interface {
+	Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookAuthenticator, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookAuthenticatorList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error)
+	WebhookAuthenticatorExpansion
+}
+
+// webhookAuthenticators implements WebhookAuthenticatorInterface
+type webhookAuthenticators struct {
+	client rest.Interface
+	ns     string
+}
+
+// newWebhookAuthenticators returns a WebhookAuthenticators
+func newWebhookAuthenticators(c *AuthenticationV1alpha1Client, namespace string) *webhookAuthenticators {
+	return &webhookAuthenticators{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *webhookAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *webhookAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.WebhookAuthenticatorList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *webhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *webhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *webhookAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *webhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *webhookAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 1b7c2405..00000000
--- a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,182 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	"context"
-	"time"
-
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
-	scheme "go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	rest "k8s.io/client-go/rest"
-)
-
-// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface.
-// A group's client should implement this interface.
-type WebhookIdentityProvidersGetter interface {
-	WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface
-}
-
-// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources.
-type WebhookIdentityProviderInterface interface {
-	Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
-	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
-	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error)
-	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
-	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error)
-	WebhookIdentityProviderExpansion
-}
-
-// webhookIdentityProviders implements WebhookIdentityProviderInterface
-type webhookIdentityProviders struct {
-	client rest.Interface
-	ns     string
-}
-
-// newWebhookIdentityProviders returns a WebhookIdentityProviders
-func newWebhookIdentityProviders(c *AuthenticationV1alpha1Client, namespace string) *webhookIdentityProviders {
-	return &webhookIdentityProviders{
-		client: c.RESTClient(),
-		ns:     namespace,
-	}
-}
-
-// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
-func (c *webhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		VersionedParams(&options, scheme.ParameterCodec).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
-func (c *webhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
-	var timeout time.Duration
-	if opts.TimeoutSeconds != nil {
-		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
-	}
-	result = &v1alpha1.WebhookIdentityProviderList{}
-	err = c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
-func (c *webhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
-	var timeout time.Duration
-	if opts.TimeoutSeconds != nil {
-		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
-	}
-	opts.Watch = true
-	return c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Watch(ctx)
-}
-
-// Create takes the representation of a webhookIdentityProvider and creates it.  Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *webhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Post().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(webhookIdentityProvider).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *webhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Put().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(webhookIdentityProvider.Name).
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(webhookIdentityProvider).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// UpdateStatus was generated because the type contains a Status member.
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-func (c *webhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Put().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(webhookIdentityProvider.Name).
-		SubResource("status").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(webhookIdentityProvider).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
-func (c *webhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
-	return c.client.Delete().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		Body(&opts).
-		Do(ctx).
-		Error()
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *webhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
-	var timeout time.Duration
-	if listOpts.TimeoutSeconds != nil {
-		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
-	}
-	return c.client.Delete().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&listOpts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Body(&opts).
-		Do(ctx).
-		Error()
-}
-
-// Patch applies the patch and returns the patched webhookIdentityProvider.
-func (c *webhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Patch(pt).
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		SubResource(subresources...).
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(data).
-		Do(ctx).
-		Into(result)
-	return
-}
diff --git a/generated/1.19/client/informers/externalversions/authentication/v1alpha1/interface.go b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/interface.go
index bc3981a3..aa656188 100644
--- a/generated/1.19/client/informers/externalversions/authentication/v1alpha1/interface.go
+++ b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/interface.go
@@ -11,8 +11,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
-	WebhookIdentityProviders() WebhookIdentityProviderInformer
+	// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+	WebhookAuthenticators() WebhookAuthenticatorInformer
 }
 
 type version struct {
@@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
-// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
-func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer {
-	return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+func (v *version) WebhookAuthenticators() WebhookAuthenticatorInformer {
+	return &webhookAuthenticatorInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
diff --git a/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 00000000..1a1e0b51
--- /dev/null
+++ b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.19/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/listers/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorInformer provides access to a shared informer and lister for
+// WebhookAuthenticators.
+type WebhookAuthenticatorInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.WebhookAuthenticatorLister
+}
+
+type webhookAuthenticatorInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&authenticationv1alpha1.WebhookAuthenticator{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *webhookAuthenticatorInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *webhookAuthenticatorInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookAuthenticator{}, f.defaultInformer)
+}
+
+func (f *webhookAuthenticatorInformer) Lister() v1alpha1.WebhookAuthenticatorLister {
+	return v1alpha1.NewWebhookAuthenticatorLister(f.Informer().GetIndexer())
+}
diff --git a/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 938349b5..00000000
--- a/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,77 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by informer-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	"context"
-	time "time"
-
-	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
-	versioned "go.pinniped.dev/generated/1.19/client/clientset/versioned"
-	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
-	v1alpha1 "go.pinniped.dev/generated/1.19/client/listers/authentication/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	runtime "k8s.io/apimachinery/pkg/runtime"
-	watch "k8s.io/apimachinery/pkg/watch"
-	cache "k8s.io/client-go/tools/cache"
-)
-
-// WebhookIdentityProviderInformer provides access to a shared informer and lister for
-// WebhookIdentityProviders.
-type WebhookIdentityProviderInformer interface {
-	Informer() cache.SharedIndexInformer
-	Lister() v1alpha1.WebhookIdentityProviderLister
-}
-
-type webhookIdentityProviderInformer struct {
-	factory          internalinterfaces.SharedInformerFactory
-	tweakListOptions internalinterfaces.TweakListOptionsFunc
-	namespace        string
-}
-
-// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
-	return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
-}
-
-// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
-	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
-			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
-			},
-			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
-			},
-		},
-		&authenticationv1alpha1.WebhookIdentityProvider{},
-		resyncPeriod,
-		indexers,
-	)
-}
-
-func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
-}
-
-func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&authenticationv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
-}
-
-func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
-	return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer())
-}
diff --git a/generated/1.19/client/informers/externalversions/generic.go b/generated/1.19/client/informers/externalversions/generic.go
index 6568bab8..16bc4b10 100644
--- a/generated/1.19/client/informers/externalversions/generic.go
+++ b/generated/1.19/client/informers/externalversions/generic.go
@@ -42,8 +42,8 @@ func (f *genericInformer) Lister() cache.GenericLister {
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
 	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookIdentityProviders().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookauthenticators"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookAuthenticators().Informer()}, nil
 
 		// Group=config.pinniped.dev, Version=v1alpha1
 	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
diff --git a/generated/1.19/client/listers/authentication/v1alpha1/expansion_generated.go b/generated/1.19/client/listers/authentication/v1alpha1/expansion_generated.go
index f0b280e1..25e1ad66 100644
--- a/generated/1.19/client/listers/authentication/v1alpha1/expansion_generated.go
+++ b/generated/1.19/client/listers/authentication/v1alpha1/expansion_generated.go
@@ -5,10 +5,10 @@
 
 package v1alpha1
 
-// WebhookIdentityProviderListerExpansion allows custom methods to be added to
-// WebhookIdentityProviderLister.
-type WebhookIdentityProviderListerExpansion interface{}
+// WebhookAuthenticatorListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorLister.
+type WebhookAuthenticatorListerExpansion interface{}
 
-// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to
-// WebhookIdentityProviderNamespaceLister.
-type WebhookIdentityProviderNamespaceListerExpansion interface{}
+// WebhookAuthenticatorNamespaceListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorNamespaceLister.
+type WebhookAuthenticatorNamespaceListerExpansion interface{}
diff --git a/generated/1.19/client/listers/authentication/v1alpha1/webhookauthenticator.go b/generated/1.19/client/listers/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 00000000..23bbb71d
--- /dev/null
+++ b/generated/1.19/client/listers/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,86 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorLister helps list WebhookAuthenticators.
+// All objects returned here must be treated as read-only.
+type WebhookAuthenticatorLister interface {
+	// List lists all WebhookAuthenticators in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
+	// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
+	WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister
+	WebhookAuthenticatorListerExpansion
+}
+
+// webhookAuthenticatorLister implements the WebhookAuthenticatorLister interface.
+type webhookAuthenticatorLister struct {
+	indexer cache.Indexer
+}
+
+// NewWebhookAuthenticatorLister returns a new WebhookAuthenticatorLister.
+func NewWebhookAuthenticatorLister(indexer cache.Indexer) WebhookAuthenticatorLister {
+	return &webhookAuthenticatorLister{indexer: indexer}
+}
+
+// List lists all WebhookAuthenticators in the indexer.
+func (s *webhookAuthenticatorLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
+	})
+	return ret, err
+}
+
+// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
+func (s *webhookAuthenticatorLister) WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister {
+	return webhookAuthenticatorNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// WebhookAuthenticatorNamespaceLister helps list and get WebhookAuthenticators.
+// All objects returned here must be treated as read-only.
+type WebhookAuthenticatorNamespaceLister interface {
+	// List lists all WebhookAuthenticators in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
+	// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.WebhookAuthenticator, error)
+	WebhookAuthenticatorNamespaceListerExpansion
+}
+
+// webhookAuthenticatorNamespaceLister implements the WebhookAuthenticatorNamespaceLister
+// interface.
+type webhookAuthenticatorNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all WebhookAuthenticators in the indexer for a given namespace.
+func (s webhookAuthenticatorNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
+	})
+	return ret, err
+}
+
+// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
+func (s webhookAuthenticatorNamespaceLister) Get(name string) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("webhookauthenticator"), name)
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), nil
+}
diff --git a/generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index ea078005..00000000
--- a/generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,86 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by lister-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/client-go/tools/cache"
-)
-
-// WebhookIdentityProviderLister helps list WebhookIdentityProviders.
-// All objects returned here must be treated as read-only.
-type WebhookIdentityProviderLister interface {
-	// List lists all WebhookIdentityProviders in the indexer.
-	// Objects returned here must be treated as read-only.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
-	// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
-	WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister
-	WebhookIdentityProviderListerExpansion
-}
-
-// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface.
-type webhookIdentityProviderLister struct {
-	indexer cache.Indexer
-}
-
-// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister.
-func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister {
-	return &webhookIdentityProviderLister{indexer: indexer}
-}
-
-// List lists all WebhookIdentityProviders in the indexer.
-func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
-	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
-	})
-	return ret, err
-}
-
-// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
-func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister {
-	return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
-}
-
-// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders.
-// All objects returned here must be treated as read-only.
-type WebhookIdentityProviderNamespaceLister interface {
-	// List lists all WebhookIdentityProviders in the indexer for a given namespace.
-	// Objects returned here must be treated as read-only.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
-	// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
-	// Objects returned here must be treated as read-only.
-	Get(name string) (*v1alpha1.WebhookIdentityProvider, error)
-	WebhookIdentityProviderNamespaceListerExpansion
-}
-
-// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister
-// interface.
-type webhookIdentityProviderNamespaceLister struct {
-	indexer   cache.Indexer
-	namespace string
-}
-
-// List lists all WebhookIdentityProviders in the indexer for a given namespace.
-func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
-	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
-	})
-	return ret, err
-}
-
-// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
-func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) {
-	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
-	if err != nil {
-		return nil, err
-	}
-	if !exists {
-		return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name)
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), nil
-}
diff --git a/generated/1.19/client/openapi/zz_generated.openapi.go b/generated/1.19/client/openapi/zz_generated.openapi.go
index 24f3440b..7411987d 100644
--- a/generated/1.19/client/openapi/zz_generated.openapi.go
+++ b/generated/1.19/client/openapi/zz_generated.openapi.go
@@ -17,78 +17,78 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.Condition":                     schema_apis_concierge_authentication_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.TLSSpec":                       schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider":       schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderList":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus": schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.ClusterCredential":                      schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequest":                 schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestList":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":           schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfig":                          schema_119_apis_config_v1alpha1_CredentialIssuerConfig(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":            schema_119_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigList":                      schema_119_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStatus":                    schema_119_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStrategy":                  schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig":                              schema_119_apis_config_v1alpha1_OIDCProviderConfig(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigList":                          schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec":                          schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigStatus":                        schema_119_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                       schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                   schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                    schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                    schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                                      schema_pkg_apis_meta_v1_Condition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                  schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                  schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                       schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                  schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                       schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                     schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                      schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                  schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                   schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                       schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                               schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                           schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                  schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                  schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                       schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                           schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                       schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                    schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                             schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                      schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                     schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                 schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                          schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                      schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                          schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                   schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                  schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                      schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                      schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                         schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                    schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                  schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                          schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                          schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                   schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                       schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                              schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                           schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                      schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                       schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                  schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                     schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                        schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                            schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                             schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                                schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.Condition":                  schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.TLSSpec":                    schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":       schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus": schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.ClusterCredential":                   schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequest":              schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestList":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":        schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfig":                       schema_119_apis_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":         schema_119_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigList":                   schema_119_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStatus":                 schema_119_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStrategy":               schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig":                           schema_119_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigList":                       schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec":                       schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigStatus":                     schema_119_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                    schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                 schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                             schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                 schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                                   schema_pkg_apis_meta_v1_Condition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                               schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                               schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                    schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                               schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                    schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                  schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                   schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                               schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                    schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                            schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                        schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                               schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                               schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                    schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                        schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                    schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                 schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                          schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                   schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                  schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                              schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                       schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                   schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                       schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                               schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                   schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                   schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                      schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                 schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                               schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                       schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                       schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                    schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                           schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                        schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                   schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                    schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                               schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                  schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                     schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                         schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                          schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                             schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
@@ -153,7 +153,7 @@ func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceC
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Configuration for configuring TLS on various identity providers.",
+				Description: "Configuration for configuring TLS on various authenticators.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"certificateAuthorityData": {
@@ -169,11 +169,11 @@ func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceC
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
+				Description: "WebhookAuthenticator describes the configuration of a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -197,14 +197,14 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref c
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec"),
+							Description: "Spec for configuring the authenticator.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus"),
+							Description: "Status of the authenticator.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus"),
 						},
 					},
 				},
@@ -212,15 +212,15 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref c
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec", "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "List of WebhookIdentityProvider objects.",
+				Description: "List of WebhookAuthenticator objects.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -248,7 +248,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(r
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider"),
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticator"),
 									},
 								},
 							},
@@ -259,15 +259,15 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(r
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticator", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Spec for configuring a webhook identity provider.",
+				Description: "Spec for configuring a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"endpoint": {
@@ -292,11 +292,11 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(r
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Status of a webhook identity provider.",
+				Description: "Status of a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"conditions": {
@@ -311,7 +311,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "Represents the observations of an identity provider's current state.",
+							Description: "Represents the observations of the authenticator's current state.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
diff --git a/generated/1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
similarity index 89%
rename from generated/1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.19/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
index 5e7aba72..9ae6152e 100644
--- a/generated/1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -6,21 +6,18 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.authentication.concierge.pinniped.dev
+  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
   group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
-    - idp
-    - idps
-    kind: WebhookIdentityProvider
-    listKind: WebhookIdentityProviderList
-    plural: webhookidentityproviders
-    shortNames:
-    - webhookidp
-    - webhookidps
-    singular: webhookidentityprovider
+    - authenticator
+    - authenticators
+    kind: WebhookAuthenticator
+    listKind: WebhookAuthenticatorList
+    plural: webhookauthenticators
+    singular: webhookauthenticator
   scope: Namespaced
   versions:
   - additionalPrinterColumns:
@@ -30,8 +27,8 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: WebhookIdentityProvider describes the configuration of a Pinniped
-          webhook identity provider.
+        description: WebhookAuthenticator describes the configuration of a webhook
+          authenticator.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -46,7 +43,7 @@ spec:
           metadata:
             type: object
           spec:
-            description: Spec for configuring the identity provider.
+            description: Spec for configuring the authenticator.
             properties:
               endpoint:
                 description: Webhook server endpoint URL.
@@ -65,11 +62,11 @@ spec:
             - endpoint
             type: object
           status:
-            description: Status of the identity provider.
+            description: Status of the authenticator.
             properties:
               conditions:
-                description: Represents the observations of an identity provider's
-                  current state.
+                description: Represents the observations of the authenticator's current
+                  state.
                 items:
                   description: Condition status of a resource (mirrored from the metav1.Condition
                     type added in Kubernetes 1.19). In a future API version we can
diff --git a/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
deleted file mode 100644
index 5e7aba72..00000000
--- a/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ /dev/null
@@ -1,149 +0,0 @@
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.0
-  creationTimestamp: null
-  name: webhookidentityproviders.authentication.concierge.pinniped.dev
-spec:
-  group: authentication.concierge.pinniped.dev
-  names:
-    categories:
-    - all
-    - idp
-    - idps
-    kind: WebhookIdentityProvider
-    listKind: WebhookIdentityProviderList
-    plural: webhookidentityproviders
-    shortNames:
-    - webhookidp
-    - webhookidps
-    singular: webhookidentityprovider
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.endpoint
-      name: Endpoint
-      type: string
-    name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: WebhookIdentityProvider describes the configuration of a Pinniped
-          webhook identity provider.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: Spec for configuring the identity provider.
-            properties:
-              endpoint:
-                description: Webhook server endpoint URL.
-                minLength: 1
-                pattern: ^https://
-                type: string
-              tls:
-                description: TLS configuration.
-                properties:
-                  certificateAuthorityData:
-                    description: X.509 Certificate Authority (base64-encoded PEM bundle).
-                      If omitted, a default set of system roots will be trusted.
-                    type: string
-                type: object
-            required:
-            - endpoint
-            type: object
-          status:
-            description: Status of the identity provider.
-            properties:
-              conditions:
-                description: Represents the observations of an identity provider's
-                  current state.
-                items:
-                  description: Condition status of a resource (mirrored from the metav1.Condition
-                    type added in Kubernetes 1.19). In a future API version we can
-                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
-                  properties:
-                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-                x-kubernetes-list-map-keys:
-                - type
-                x-kubernetes-list-type: map
-            type: object
-        required:
-        - spec
-        type: object
-    served: true
-    storage: true
-    subresources: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
diff --git a/hack/lib/tilt/Tiltfile b/hack/lib/tilt/Tiltfile
index 8891632f..7552f743 100644
--- a/hack/lib/tilt/Tiltfile
+++ b/hack/lib/tilt/Tiltfile
@@ -170,7 +170,7 @@ k8s_resource(
         'pinniped-concierge:clusterrolebinding',
         'pinniped-concierge:serviceaccount',
         'credentialissuerconfigs.config.pinniped.dev:customresourcedefinition',
-        'webhookidentityproviders.authentication.concierge.pinniped.dev:customresourcedefinition',
+        'webhookauthenticators.authentication.concierge.pinniped.dev:customresourcedefinition',
         'v1alpha1.login.concierge.pinniped.dev:apiservice',
     ],
 )
diff --git a/hack/update.sh b/hack/update.sh
index 6a3cb383..027ed354 100755
--- a/hack/update.sh
+++ b/hack/update.sh
@@ -13,7 +13,7 @@ xargs -n 1 -P 8 "$ROOT/hack/lib/update-codegen.sh" < "${ROOT}/hack/lib/kube-vers
 # Copy each CRD yaml to the app which should cause it to be installed.
 cp "$ROOT"/generated/1.19/crds/*oidcproviderconfigs.yaml "$ROOT/deploy/supervisor"
 cp "$ROOT"/generated/1.19/crds/*credentialissuerconfigs.yaml "$ROOT/deploy/concierge"
-cp "$ROOT"/generated/1.19/crds/*webhookidentityproviders.yaml "$ROOT/deploy/concierge"
+cp "$ROOT"/generated/1.19/crds/*webhookauthenticators.yaml "$ROOT/deploy/concierge"
 
 # Make sure we didn't miss any new CRDs.
 crdCount=$(find "$ROOT"/generated/1.19/crds/ -maxdepth 1 -type f -name '*.yaml' | wc -l | tr -d ' ')
diff --git a/internal/client/client_test.go b/internal/client/client_test.go
index 58ae7a1a..57cbf0d3 100644
--- a/internal/client/client_test.go
+++ b/internal/client/client_test.go
@@ -27,7 +27,7 @@ func TestExchangeToken(t *testing.T) {
 
 	testIDP := corev1.TypedLocalObjectReference{
 		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
-		Kind:     "WebhookIdentityProvider",
+		Kind:     "WebhookAuthenticator",
 		Name:     "test-webhook",
 	}
 
@@ -107,7 +107,7 @@ func TestExchangeToken(t *testing.T) {
 					"token": "test-token",
 					"identityProvider": {
 						"apiGroup": "authentication.concierge.pinniped.dev",
-						"kind": "WebhookIdentityProvider",
+						"kind": "WebhookAuthenticator",
 						"name": "test-webhook"
 					}
 				  },
diff --git a/internal/controller/identityprovider/idpcache/cache_test.go b/internal/controller/identityprovider/idpcache/cache_test.go
index 24043bc8..8e2631d3 100644
--- a/internal/controller/identityprovider/idpcache/cache_test.go
+++ b/internal/controller/identityprovider/idpcache/cache_test.go
@@ -77,7 +77,7 @@ func TestAuthenticateTokenCredentialRequest(t *testing.T) {
 		Spec: loginapi.TokenCredentialRequestSpec{
 			IdentityProvider: corev1.TypedLocalObjectReference{
 				APIGroup: &authv1alpha.SchemeGroupVersion.Group,
-				Kind:     "WebhookIdentityProvider",
+				Kind:     "WebhookAuthenticator",
 				Name:     "test-name",
 			},
 			Token: "test-token",
diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
index 48b66351..fcb69416 100644
--- a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
+++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
@@ -19,7 +19,7 @@ import (
 )
 
 // New instantiates a new controllerlib.Controller which will garbage collect webhooks from the provided Cache.
-func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProviderInformer, log logr.Logger) controllerlib.Controller {
+func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookAuthenticatorInformer, log logr.Logger) controllerlib.Controller {
 	return controllerlib.New(
 		controllerlib.Config{
 			Name: "webhookcachecleaner-controller",
@@ -39,7 +39,7 @@ func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProvider
 
 type controller struct {
 	cache       *idpcache.Cache
-	webhookIDPs idpinformers.WebhookIdentityProviderInformer
+	webhookIDPs idpinformers.WebhookAuthenticatorInformer
 	log         logr.Logger
 }
 
@@ -47,11 +47,11 @@ type controller struct {
 func (c *controller) Sync(_ controllerlib.Context) error {
 	webhooks, err := c.webhookIDPs.Lister().List(labels.Everything())
 	if err != nil {
-		return fmt.Errorf("failed to list WebhookIdentityProviders: %w", err)
+		return fmt.Errorf("failed to list WebhookAuthenticators: %w", err)
 	}
 
 	// Index the current webhooks by key.
-	webhooksByKey := map[controllerlib.Key]*auth1alpha1.WebhookIdentityProvider{}
+	webhooksByKey := map[controllerlib.Key]*auth1alpha1.WebhookAuthenticator{}
 	for _, webhook := range webhooks {
 		key := controllerlib.Key{Namespace: webhook.Namespace, Name: webhook.Name}
 		webhooksByKey[key] = webhook
@@ -59,7 +59,7 @@ func (c *controller) Sync(_ controllerlib.Context) error {
 
 	// Delete any entries from the cache which are no longer in the cluster.
 	for _, key := range c.cache.Keys() {
-		if key.APIGroup != auth1alpha1.SchemeGroupVersion.Group || key.Kind != "WebhookIdentityProvider" {
+		if key.APIGroup != auth1alpha1.SchemeGroupVersion.Group || key.Kind != "WebhookAuthenticator" {
 			continue
 		}
 		if _, exists := webhooksByKey[controllerlib.Key{Namespace: key.Namespace, Name: key.Name}]; !exists {
diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
index 28f8effa..d6c82635 100644
--- a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
+++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
@@ -25,13 +25,13 @@ func TestController(t *testing.T) {
 
 	testKey1 := idpcache.Key{
 		APIGroup:  "authentication.concierge.pinniped.dev",
-		Kind:      "WebhookIdentityProvider",
+		Kind:      "WebhookAuthenticator",
 		Namespace: "test-namespace",
 		Name:      "test-name-one",
 	}
 	testKey2 := idpcache.Key{
 		APIGroup:  "authentication.concierge.pinniped.dev",
-		Kind:      "WebhookIdentityProvider",
+		Kind:      "WebhookAuthenticator",
 		Namespace: "test-namespace",
 		Name:      "test-name-two",
 	}
@@ -54,7 +54,7 @@ func TestController(t *testing.T) {
 			name:         "no change",
 			initialCache: map[idpcache.Key]idpcache.Value{testKey1: nil},
 			webhookIDPs: []runtime.Object{
-				&authv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
 						Name:      testKey1.Name,
@@ -67,13 +67,13 @@ func TestController(t *testing.T) {
 			name:         "IDPs not yet added",
 			initialCache: nil,
 			webhookIDPs: []runtime.Object{
-				&authv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
 						Name:      testKey1.Name,
 					},
 				},
-				&authv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey2.Namespace,
 						Name:      testKey2.Name,
@@ -90,7 +90,7 @@ func TestController(t *testing.T) {
 				testKeyNonwebhook: nil,
 			},
 			webhookIDPs: []runtime.Object{
-				&authv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
 						Name:      testKey1.Name,
@@ -116,7 +116,7 @@ func TestController(t *testing.T) {
 			}
 			testLog := testlogger.New(t)
 
-			controller := New(cache, informers.Authentication().V1alpha1().WebhookIdentityProviders(), testLog)
+			controller := New(cache, informers.Authentication().V1alpha1().WebhookAuthenticators(), testLog)
 
 			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 			defer cancel()
diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
index cf664bc4..55ba0c77 100644
--- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
+++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
@@ -1,7 +1,7 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-// Package webhookcachefiller implements a controller for filling an idpcache.Cache with each added/updated WebhookIdentityProvider.
+// Package webhookcachefiller implements a controller for filling an idpcache.Cache with each added/updated WebhookAuthenticator.
 package webhookcachefiller
 
 import (
@@ -28,7 +28,7 @@ import (
 )
 
 // New instantiates a new controllerlib.Controller which will populate the provided idpcache.Cache.
-func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProviderInformer, log logr.Logger) controllerlib.Controller {
+func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookAuthenticatorInformer, log logr.Logger) controllerlib.Controller {
 	return controllerlib.New(
 		controllerlib.Config{
 			Name: "webhookcachefiller-controller",
@@ -48,19 +48,19 @@ func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProvider
 
 type controller struct {
 	cache       *idpcache.Cache
-	webhookIDPs idpinformers.WebhookIdentityProviderInformer
+	webhookIDPs idpinformers.WebhookAuthenticatorInformer
 	log         logr.Logger
 }
 
 // Sync implements controllerlib.Syncer.
 func (c *controller) Sync(ctx controllerlib.Context) error {
-	obj, err := c.webhookIDPs.Lister().WebhookIdentityProviders(ctx.Key.Namespace).Get(ctx.Key.Name)
+	obj, err := c.webhookIDPs.Lister().WebhookAuthenticators(ctx.Key.Namespace).Get(ctx.Key.Name)
 	if err != nil && errors.IsNotFound(err) {
-		c.log.Info("Sync() found that the WebhookIdentityProvider does not exist yet or was deleted")
+		c.log.Info("Sync() found that the WebhookAuthenticator does not exist yet or was deleted")
 		return nil
 	}
 	if err != nil {
-		return fmt.Errorf("failed to get WebhookIdentityProvider %s/%s: %w", ctx.Key.Namespace, ctx.Key.Name, err)
+		return fmt.Errorf("failed to get WebhookAuthenticator %s/%s: %w", ctx.Key.Namespace, ctx.Key.Name, err)
 	}
 
 	webhookAuthenticator, err := newWebhookAuthenticator(&obj.Spec, ioutil.TempFile, clientcmd.WriteToFile)
@@ -70,7 +70,7 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
 
 	c.cache.Store(idpcache.Key{
 		APIGroup:  auth1alpha1.GroupName,
-		Kind:      "WebhookIdentityProvider",
+		Kind:      "WebhookAuthenticator",
 		Namespace: ctx.Key.Namespace,
 		Name:      ctx.Key.Name,
 	}, webhookAuthenticator)
@@ -81,7 +81,7 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
 // newWebhookAuthenticator creates a webhook from the provided API server url and caBundle
 // used to validate TLS connections.
 func newWebhookAuthenticator(
-	spec *auth1alpha1.WebhookIdentityProviderSpec,
+	spec *auth1alpha1.WebhookAuthenticatorSpec,
 	tempfileFunc func(string, string) (*os.File, error),
 	marshalFunc func(clientcmdapi.Config, string) error,
 ) (*webhook.WebhookTokenAuthenticator, error) {
diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
index 8172e7f4..79244c3f 100644
--- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
+++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
@@ -43,19 +43,19 @@ func TestController(t *testing.T) {
 			name:    "not found",
 			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
 			wantLogs: []string{
-				`webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookIdentityProvider does not exist yet or was deleted"`,
+				`webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookAuthenticator does not exist yet or was deleted"`,
 			},
 		},
 		{
 			name:    "invalid webhook",
 			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
 			webhookIDPs: []runtime.Object{
-				&auth1alpha1.WebhookIdentityProvider{
+				&auth1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: "test-namespace",
 						Name:      "test-name",
 					},
-					Spec: auth1alpha1.WebhookIdentityProviderSpec{
+					Spec: auth1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "invalid url",
 					},
 				},
@@ -66,12 +66,12 @@ func TestController(t *testing.T) {
 			name:    "valid webhook",
 			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
 			webhookIDPs: []runtime.Object{
-				&auth1alpha1.WebhookIdentityProvider{
+				&auth1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: "test-namespace",
 						Name:      "test-name",
 					},
-					Spec: auth1alpha1.WebhookIdentityProviderSpec{
+					Spec: auth1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "https://example.com",
 						TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: ""},
 					},
@@ -93,7 +93,7 @@ func TestController(t *testing.T) {
 			cache := idpcache.New()
 			testLog := testlogger.New(t)
 
-			controller := New(cache, informers.Authentication().V1alpha1().WebhookIdentityProviders(), testLog)
+			controller := New(cache, informers.Authentication().V1alpha1().WebhookAuthenticators(), testLog)
 
 			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 			defer cancel()
@@ -124,13 +124,13 @@ func TestNewWebhookAuthenticator(t *testing.T) {
 
 	t.Run("marshal failure", func(t *testing.T) {
 		marshalError := func(_ clientcmdapi.Config, _ string) error { return fmt.Errorf("some marshal error") }
-		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookIdentityProviderSpec{}, ioutil.TempFile, marshalError)
+		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{}, ioutil.TempFile, marshalError)
 		require.Nil(t, res)
 		require.EqualError(t, err, "unable to marshal kubeconfig: some marshal error")
 	})
 
 	t.Run("invalid base64", func(t *testing.T) {
-		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookIdentityProviderSpec{
+		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
 			Endpoint: "https://example.com",
 			TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: "invalid-base64"},
 		}, ioutil.TempFile, clientcmd.WriteToFile)
@@ -139,7 +139,7 @@ func TestNewWebhookAuthenticator(t *testing.T) {
 	})
 
 	t.Run("valid config with no TLS spec", func(t *testing.T) {
-		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookIdentityProviderSpec{
+		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
 			Endpoint: "https://example.com",
 		}, ioutil.TempFile, clientcmd.WriteToFile)
 		require.NotNil(t, res)
@@ -154,7 +154,7 @@ func TestNewWebhookAuthenticator(t *testing.T) {
 			_, err = w.Write([]byte(`{}`))
 			require.NoError(t, err)
 		})
-		spec := &auth1alpha1.WebhookIdentityProviderSpec{
+		spec := &auth1alpha1.WebhookAuthenticatorSpec{
 			Endpoint: url,
 			TLS: &auth1alpha1.TLSSpec{
 				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(caBundle)),
diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go
index 228551e1..8a3d2acd 100644
--- a/internal/controllermanager/prepare_controllers.go
+++ b/internal/controllermanager/prepare_controllers.go
@@ -232,7 +232,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			webhookcachefiller.New(
 				c.IDPCache,
-				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookIdentityProviders(),
+				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookAuthenticators(),
 				klogr.New(),
 			),
 			singletonWorker,
@@ -240,7 +240,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			webhookcachecleaner.New(
 				c.IDPCache,
-				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookIdentityProviders(),
+				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookAuthenticators(),
 				klogr.New(),
 			),
 			singletonWorker,
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index fdf240ce..b7196914 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -29,7 +29,7 @@ func TestUnsuccessfulCredentialRequest(t *testing.T) {
 
 	response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, corev1.TypedLocalObjectReference{
 		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
-		Kind:     "WebhookIdentityProvider",
+		Kind:     "WebhookAuthenticator",
 		Name:     "some-webhook-that-does-not-exist",
 	}))
 	require.NoError(t, err)
diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go
index 6facc829..68ba3c26 100644
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@@ -106,13 +106,12 @@ func TestGetAPIResourceList(t *testing.T) {
 			resourceByVersion: map[string][]metav1.APIResource{
 				"authentication.concierge.pinniped.dev/v1alpha1": {
 					{
-						Name:         "webhookidentityproviders",
-						SingularName: "webhookidentityprovider",
+						Name:         "webhookauthenticators",
+						SingularName: "webhookauthenticator",
 						Namespaced:   true,
-						Kind:         "WebhookIdentityProvider",
+						Kind:         "WebhookAuthenticator",
 						Verbs:        []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
-						ShortNames:   []string{"webhookidp", "webhookidps"},
-						Categories:   []string{"all", "idp", "idps"},
+						Categories:   []string{"all", "authenticator", "authenticators"},
 					},
 				},
 			},
diff --git a/test/library/client.go b/test/library/client.go
index 285968f9..17485e17 100644
--- a/test/library/client.go
+++ b/test/library/client.go
@@ -119,7 +119,7 @@ func newAnonymousClientRestConfigWithCertAndKeyAdded(t *testing.T, clientCertifi
 	return config
 }
 
-// CreateTestWebhookIDP creates and returns a test WebhookIdentityProvider in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be
+// CreateTestWebhookIDP creates and returns a test WebhookAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be
 // automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which
 // descibes the test IDP within the test namespace.
 func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
@@ -127,12 +127,12 @@ func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalOb
 	testEnv := IntegrationEnv(t)
 
 	client := NewPinnipedClientset(t)
-	webhooks := client.AuthenticationV1alpha1().WebhookIdentityProviders(testEnv.ConciergeNamespace)
+	webhooks := client.AuthenticationV1alpha1().WebhookAuthenticators(testEnv.ConciergeNamespace)
 
 	createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
 
-	idp, err := webhooks.Create(createContext, &auth1alpha1.WebhookIdentityProvider{
+	idp, err := webhooks.Create(createContext, &auth1alpha1.WebhookAuthenticator{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "test-webhook-",
 			Labels:       map[string]string{"pinniped.dev/test": ""},
@@ -140,21 +140,21 @@ func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalOb
 		},
 		Spec: testEnv.TestWebhook,
 	}, metav1.CreateOptions{})
-	require.NoError(t, err, "could not create test WebhookIdentityProvider")
-	t.Logf("created test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
+	require.NoError(t, err, "could not create test WebhookAuthenticator")
+	t.Logf("created test WebhookAuthenticator %s/%s", idp.Namespace, idp.Name)
 
 	t.Cleanup(func() {
 		t.Helper()
-		t.Logf("cleaning up test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
+		t.Logf("cleaning up test WebhookAuthenticator %s/%s", idp.Namespace, idp.Name)
 		deleteCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
 		err := webhooks.Delete(deleteCtx, idp.Name, metav1.DeleteOptions{})
-		require.NoErrorf(t, err, "could not cleanup test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
+		require.NoErrorf(t, err, "could not cleanup test WebhookAuthenticator %s/%s", idp.Namespace, idp.Name)
 	})
 
 	return corev1.TypedLocalObjectReference{
 		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
-		Kind:     "WebhookIdentityProvider",
+		Kind:     "WebhookAuthenticator",
 		Name:     idp.Name,
 	}
 }
diff --git a/test/library/env.go b/test/library/env.go
index da5afb34..8cba1c11 100644
--- a/test/library/env.go
+++ b/test/library/env.go
@@ -26,18 +26,18 @@ const (
 type TestEnv struct {
 	t *testing.T
 
-	ConciergeNamespace             string                                  `json:"conciergeNamespace"`
-	SupervisorNamespace            string                                  `json:"supervisorNamespace"`
-	ConciergeAppName               string                                  `json:"conciergeAppName"`
-	SupervisorAppName              string                                  `json:"supervisorAppName"`
-	SupervisorCustomLabels         map[string]string                       `json:"supervisorCustomLabels"`
-	ConciergeCustomLabels          map[string]string                       `json:"conciergeCustomLabels"`
-	Capabilities                   map[Capability]bool                     `json:"capabilities"`
-	TestWebhook                    auth1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"`
-	SupervisorHTTPAddress          string                                  `json:"supervisorHttpAddress"`
-	SupervisorHTTPSAddress         string                                  `json:"supervisorHttpsAddress"`
-	SupervisorHTTPSIngressAddress  string                                  `json:"supervisorHttpsIngressAddress"`
-	SupervisorHTTPSIngressCABundle string                                  `json:"supervisorHttpsIngressCABundle"`
+	ConciergeNamespace             string                               `json:"conciergeNamespace"`
+	SupervisorNamespace            string                               `json:"supervisorNamespace"`
+	ConciergeAppName               string                               `json:"conciergeAppName"`
+	SupervisorAppName              string                               `json:"supervisorAppName"`
+	SupervisorCustomLabels         map[string]string                    `json:"supervisorCustomLabels"`
+	ConciergeCustomLabels          map[string]string                    `json:"conciergeCustomLabels"`
+	Capabilities                   map[Capability]bool                  `json:"capabilities"`
+	TestWebhook                    auth1alpha1.WebhookAuthenticatorSpec `json:"testWebhook"`
+	SupervisorHTTPAddress          string                               `json:"supervisorHttpAddress"`
+	SupervisorHTTPSAddress         string                               `json:"supervisorHttpsAddress"`
+	SupervisorHTTPSIngressAddress  string                               `json:"supervisorHttpsIngressAddress"`
+	SupervisorHTTPSIngressCABundle string                               `json:"supervisorHttpsIngressCABundle"`
 
 	TestUser struct {
 		Token            string   `json:"token"`