Rename CredentialIssuerConfig to CredentialIssuer.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 15:39:43 -06:00 · 2020-11-02 15:39:43 -06:00 · 59263ea733
commit 59263ea733
parent b13a8075e4
88 changed files with 2393 additions and 2406 deletions
--- a/apis/concierge/config/v1alpha1/register.go.tmpl
+++ b/apis/concierge/config/v1alpha1/register.go.tmpl
@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&CredentialIssuerConfig{},
+		&CredentialIssuer{},
-		&CredentialIssuerConfigList{},
+		&CredentialIssuerList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go.tmpl
+++ b/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go.tmpl
@ -25,17 +25,17 @@ const (
 )
 // Status of a credential issuer.
-type CredentialIssuerConfigStatus struct {
+type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
-	Strategies []CredentialIssuerConfigStrategy `json:"strategies"`
+	Strategies []CredentialIssuerStrategy `json:"strategies"`
 	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 	// +optional
-	KubeConfigInfo *CredentialIssuerConfigKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 // Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
-type CredentialIssuerConfigKubeConfigInfo struct {
+type CredentialIssuerKubeConfigInfo struct {
 	// The K8s API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
@ -47,7 +47,7 @@ type CredentialIssuerConfigKubeConfigInfo struct {
 }
 // Status of an integration strategy that was attempted by Pinniped.
-type CredentialIssuerConfigStrategy struct {
+type CredentialIssuerStrategy struct {
 	// Type of integration attempted.
 	Type StrategyType `json:"type"`
@ -68,22 +68,21 @@ type CredentialIssuerConfigStrategy struct {
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:shortName=cic
-type CredentialIssuerConfig struct {
+type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Status of the credential issuer.
-	Status CredentialIssuerConfigStatus `json:"status"`
+	Status CredentialIssuerStatus `json:"status"`
 }
-// List of CredentialIssuerConfig objects.
+// List of CredentialIssuer objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type CredentialIssuerConfigList struct {
+type CredentialIssuerList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []CredentialIssuerConfig `json:"items"`
+	Items []CredentialIssuer `json:"items"`
 }
--- a/cmd/pinniped/cmd/get_kubeconfig.go
+++ b/cmd/pinniped/cmd/get_kubeconfig.go
@ -124,13 +124,13 @@ func (c *getKubeConfigCommand) run(cmd *cobra.Command, args []string) error {
 		}
 	}
-	credentialIssuerConfig, err := fetchPinnipedCredentialIssuerConfig(clientset, c.flags.namespace)
+	credentialIssuer, err := fetchPinnipedCredentialIssuer(clientset, c.flags.namespace)
 	if err != nil {
 		return err
 	}
-	if credentialIssuerConfig.Status.KubeConfigInfo == nil {
+	if credentialIssuer.Status.KubeConfigInfo == nil {
-		return constable.Error(`CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`)
+		return constable.Error(`CredentialIssuer "pinniped-config" was missing KubeConfigInfo`)
 	}
 	v1Cluster, err := copyCurrentClusterFromExistingKubeConfig(currentKubeConfig, c.flags.contextOverride)
@ -138,7 +138,7 @@ func (c *getKubeConfigCommand) run(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	err = issueWarningForNonMatchingServerOrCA(v1Cluster, credentialIssuerConfig, cmd.ErrOrStderr())
+	err = issueWarningForNonMatchingServerOrCA(v1Cluster, credentialIssuer, cmd.ErrOrStderr())
 	if err != nil {
 		return err
 	}
@ -153,14 +153,14 @@ func (c *getKubeConfigCommand) run(cmd *cobra.Command, args []string) error {
 	return nil
 }
-func issueWarningForNonMatchingServerOrCA(v1Cluster v1.Cluster, credentialIssuerConfig *configv1alpha1.CredentialIssuerConfig, warningsWriter io.Writer) error {
+func issueWarningForNonMatchingServerOrCA(v1Cluster v1.Cluster, credentialIssuer *configv1alpha1.CredentialIssuer, warningsWriter io.Writer) error {
-	credentialIssuerConfigCA, err := base64.StdEncoding.DecodeString(credentialIssuerConfig.Status.KubeConfigInfo.CertificateAuthorityData)
+	credentialIssuerCA, err := base64.StdEncoding.DecodeString(credentialIssuer.Status.KubeConfigInfo.CertificateAuthorityData)
 	if err != nil {
 		return err
 	}
-	if v1Cluster.Server != credentialIssuerConfig.Status.KubeConfigInfo.Server ||
+	if v1Cluster.Server != credentialIssuer.Status.KubeConfigInfo.Server ||
-		!bytes.Equal(v1Cluster.CertificateAuthorityData, credentialIssuerConfigCA) {
+		!bytes.Equal(v1Cluster.CertificateAuthorityData, credentialIssuerCA) {
-		_, err := warningsWriter.Write([]byte("WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n"))
+		_, err := warningsWriter.Write([]byte("WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuer on the cluster. Using local kubeconfig values.\n"))
 		if err != nil {
 			return fmt.Errorf("output write error: %w", err)
 		}
@ -207,31 +207,31 @@ func getDefaultAuthenticator(clientset pinnipedclientset.Interface, namespace st
 	return authenticators[0].authenticatorType, authenticators[0].authenticatorName, nil
 }
-func fetchPinnipedCredentialIssuerConfig(clientset pinnipedclientset.Interface, pinnipedInstallationNamespace string) (*configv1alpha1.CredentialIssuerConfig, error) {
+func fetchPinnipedCredentialIssuer(clientset pinnipedclientset.Interface, pinnipedInstallationNamespace string) (*configv1alpha1.CredentialIssuer, error) {
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancelFunc()
-	credentialIssuerConfigs, err := clientset.ConfigV1alpha1().CredentialIssuerConfigs(pinnipedInstallationNamespace).List(ctx, metav1.ListOptions{})
+	credentialIssuers, err := clientset.ConfigV1alpha1().CredentialIssuers(pinnipedInstallationNamespace).List(ctx, metav1.ListOptions{})
 	if err != nil {
 		return nil, err
 	}
-	if len(credentialIssuerConfigs.Items) == 0 {
+	if len(credentialIssuers.Items) == 0 {
 		return nil, constable.Error(fmt.Sprintf(
-			`No CredentialIssuerConfig was found in namespace "%s". Is Pinniped installed on this cluster in namespace "%s"?`,
+			`No CredentialIssuer was found in namespace "%s". Is Pinniped installed on this cluster in namespace "%s"?`,
 			pinnipedInstallationNamespace,
 			pinnipedInstallationNamespace,
 		))
 	}
-	if len(credentialIssuerConfigs.Items) > 1 {
+	if len(credentialIssuers.Items) > 1 {
 		return nil, constable.Error(fmt.Sprintf(
-			`More than one CredentialIssuerConfig was found in namespace "%s"`,
+			`More than one CredentialIssuer was found in namespace "%s"`,
 			pinnipedInstallationNamespace,
 		))
 	}
-	return &credentialIssuerConfigs.Items[0], nil
+	return &credentialIssuers.Items[0], nil
 }
 func newClientConfig(kubeconfigPathOverride string, currentContextName string) clientcmd.ClientConfig {
--- a/cmd/pinniped/cmd/get_kubeconfig_test.go
+++ b/cmd/pinniped/cmd/get_kubeconfig_test.go
@ -170,18 +170,18 @@ func (e expectedKubeconfigYAML) String() string {
 		`, e.clusterCAData, e.clusterServer, e.command, e.pinnipedEndpoint, e.pinnipedCABundle, e.namespace, e.token, e.authenticatorType, e.authenticatorName)
 }
-func newCredentialIssuerConfig(name, namespace, server, certificateAuthorityData string) *configv1alpha1.CredentialIssuerConfig {
+func newCredentialIssuer(name, namespace, server, certificateAuthorityData string) *configv1alpha1.CredentialIssuer {
-	return &configv1alpha1.CredentialIssuerConfig{
+	return &configv1alpha1.CredentialIssuer{
 		TypeMeta: metav1.TypeMeta{
-			Kind:       "CredentialIssuerConfig",
+			Kind:       "CredentialIssuer",
 			APIVersion: configv1alpha1.SchemeGroupVersion.String(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: namespace,
 		},
-		Status: configv1alpha1.CredentialIssuerConfigStatus{
+		Status: configv1alpha1.CredentialIssuerStatus{
-			KubeConfigInfo: &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
+			KubeConfigInfo: &configv1alpha1.CredentialIssuerKubeConfigInfo{
 				Server:                   server,
 				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(certificateAuthorityData)),
 			},
@ -264,59 +264,59 @@ func TestRun(t *testing.T) {
 			wantError: `multiple authenticators were found in namespace "test-namespace", so --authenticator-name/--authenticator-type must be specified`,
 		},
 		{
-			name: "fail to get CredentialIssuerConfigs",
+			name: "fail to get CredentialIssuers",
 			mocks: func(cmd *getKubeConfigCommand) {
 				clientset := pinnipedfake.NewSimpleClientset()
 				clientset.PrependReactor("*", "*", func(_ coretesting.Action) (bool, runtime.Object, error) {
-					return true, nil, fmt.Errorf("some error getting CredentialIssuerConfigs")
+					return true, nil, fmt.Errorf("some error getting CredentialIssuers")
 				})
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return clientset, nil
 				}
 			},
-			wantError: "some error getting CredentialIssuerConfigs",
+			wantError: "some error getting CredentialIssuers",
 		},
 		{
-			name: "zero CredentialIssuerConfigs found",
+			name: "zero CredentialIssuers found",
 			mocks: func(cmd *getKubeConfigCommand) {
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						newCredentialIssuerConfig("pinniped-config-1", "not-the-test-namespace", "", ""),
+						newCredentialIssuer("pinniped-config-1", "not-the-test-namespace", "", ""),
 					), nil
 				}
 			},
-			wantError: `No CredentialIssuerConfig was found in namespace "test-namespace". Is Pinniped installed on this cluster in namespace "test-namespace"?`,
+			wantError: `No CredentialIssuer was found in namespace "test-namespace". Is Pinniped installed on this cluster in namespace "test-namespace"?`,
 		},
 		{
-			name: "multiple CredentialIssuerConfigs found",
+			name: "multiple CredentialIssuers found",
 			mocks: func(cmd *getKubeConfigCommand) {
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						newCredentialIssuerConfig("pinniped-config-1", "test-namespace", "", ""),
+						newCredentialIssuer("pinniped-config-1", "test-namespace", "", ""),
-						newCredentialIssuerConfig("pinniped-config-2", "test-namespace", "", ""),
+						newCredentialIssuer("pinniped-config-2", "test-namespace", "", ""),
 					), nil
 				}
 			},
-			wantError: `More than one CredentialIssuerConfig was found in namespace "test-namespace"`,
+			wantError: `More than one CredentialIssuer was found in namespace "test-namespace"`,
 		},
 		{
-			name: "CredentialIssuerConfig missing KubeConfigInfo",
+			name: "CredentialIssuer missing KubeConfigInfo",
 			mocks: func(cmd *getKubeConfigCommand) {
-				cic := newCredentialIssuerConfig("pinniped-config", "test-namespace", "", "")
+				ci := newCredentialIssuer("pinniped-config", "test-namespace", "", "")
-				cic.Status.KubeConfigInfo = nil
+				ci.Status.KubeConfigInfo = nil
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
-					return pinnipedfake.NewSimpleClientset(cic), nil
+					return pinnipedfake.NewSimpleClientset(ci), nil
 				}
 			},
-			wantError: `CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`,
+			wantError: `CredentialIssuer "pinniped-config" was missing KubeConfigInfo`,
 		},
 		{
 			name: "KubeConfigInfo has invalid base64",
 			mocks: func(cmd *getKubeConfigCommand) {
-				cic := newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://example.com", "")
+				ci := newCredentialIssuer("pinniped-config", "test-namespace", "https://example.com", "")
-				cic.Status.KubeConfigInfo.CertificateAuthorityData = "invalid-base64-test-ca"
+				ci.Status.KubeConfigInfo.CertificateAuthorityData = "invalid-base64-test-ca"
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
-					return pinnipedfake.NewSimpleClientset(cic), nil
+					return pinnipedfake.NewSimpleClientset(ci), nil
 				}
 			},
 			wantError: `illegal base64 data at input byte 7`,
@ -324,9 +324,9 @@ func TestRun(t *testing.T) {
 		{
 			name: "success using remote CA data",
 			mocks: func(cmd *getKubeConfigCommand) {
-				cic := newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://fake-server-url-value", "fake-certificate-authority-data-value")
+				ci := newCredentialIssuer("pinniped-config", "test-namespace", "https://fake-server-url-value", "fake-certificate-authority-data-value")
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
-					return pinnipedfake.NewSimpleClientset(cic), nil
+					return pinnipedfake.NewSimpleClientset(ci), nil
 				}
 			},
 			wantStdout: expectedKubeconfigYAML{
@ -350,11 +350,11 @@ func TestRun(t *testing.T) {
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
 						&authv1alpha.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-authenticator"}},
-						newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://example.com", "test-ca"),
+						newCredentialIssuer("pinniped-config", "test-namespace", "https://example.com", "test-ca"),
 					), nil
 				}
 			},
-			wantStderr: `WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.`,
+			wantStderr: `WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuer on the cluster. Using local kubeconfig values.`,
 			wantStdout: expectedKubeconfigYAML{
 				clusterCAData:     "ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==",
 				clusterServer:     "https://fake-server-url-value",
--- a/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
+++ b/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
@ -6,16 +6,14 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
-  name: credentialissuerconfigs.config.concierge.pinniped.dev
+  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
  names:
-    kind: CredentialIssuerConfig
+    kind: CredentialIssuer
-    listKind: CredentialIssuerConfigList
+    listKind: CredentialIssuerList
-    plural: credentialissuerconfigs
+    plural: credentialissuers
-    shortNames:
+    singular: credentialissuer
    - cic
    singular: credentialissuerconfig
  scope: Namespaced
  versions:
  - name: v1alpha1
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@ -39,7 +39,7 @@ data:
        renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @)
    names:
      servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
-      credentialIssuerConfig: (@= defaultResourceNameWithSuffix("config") @)
+      credentialIssuer: (@= defaultResourceNameWithSuffix("config") @)
      apiService: (@= defaultResourceNameWithSuffix("api") @)
    labels: (@= json.encode(labels()).rstrip() @)
    kubeCertAgent:
--- a/deploy/concierge/z0_crd_overlay.yaml
+++ b/deploy/concierge/z0_crd_overlay.yaml
@ -4,7 +4,7 @@
 #@ load("@ytt:overlay", "overlay")
 #@ load("helpers.lib.yaml", "labels")
-#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"credentialissuerconfigs.config.concierge.pinniped.dev"}}), expects=1
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"credentialissuers.config.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
  #@overlay/match missing_ok=True
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@ -131,14 +131,14 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfig"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuer"]
-==== CredentialIssuerConfig 
+==== CredentialIssuer 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfiglist[$$CredentialIssuerConfigList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerlist[$$CredentialIssuerList$$]
 ****
 [cols="25a,75a", options="header"]
@ -146,18 +146,18 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]__ | Status of the credential issuer.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigkubeconfiginfo"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo"]
-==== CredentialIssuerConfigKubeConfigInfo 
+==== CredentialIssuerKubeConfigInfo 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
 ****
 [cols="25a,75a", options="header"]
@ -170,32 +170,32 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigstatus"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus"]
-==== CredentialIssuerConfigStatus 
+==== CredentialIssuerStatus 
 Status of a credential issuer.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfig[$$CredentialIssuerConfig$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
 ****
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigstrategy[$$CredentialIssuerConfigStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
+| *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstrategy[$$CredentialIssuerStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigkubeconfiginfo[$$CredentialIssuerConfigKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigstrategy"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstrategy"]
-==== CredentialIssuerConfigStrategy 
+==== CredentialIssuerStrategy 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
 ****
 [cols="25a,75a", options="header"]
--- a/generated/1.17/apis/concierge/config/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/register.go
@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&CredentialIssuerConfig{},
+		&CredentialIssuer{},
-		&CredentialIssuerConfigList{},
+		&CredentialIssuerList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go
+++ b/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go
@ -25,17 +25,17 @@ const (
 )
 // Status of a credential issuer.
-type CredentialIssuerConfigStatus struct {
+type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
-	Strategies []CredentialIssuerConfigStrategy `json:"strategies"`
+	Strategies []CredentialIssuerStrategy `json:"strategies"`
 	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 	// +optional
-	KubeConfigInfo *CredentialIssuerConfigKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 // Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
-type CredentialIssuerConfigKubeConfigInfo struct {
+type CredentialIssuerKubeConfigInfo struct {
 	// The K8s API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
@ -47,7 +47,7 @@ type CredentialIssuerConfigKubeConfigInfo struct {
 }
 // Status of an integration strategy that was attempted by Pinniped.
-type CredentialIssuerConfigStrategy struct {
+type CredentialIssuerStrategy struct {
 	// Type of integration attempted.
 	Type StrategyType `json:"type"`
@ -68,22 +68,21 @@ type CredentialIssuerConfigStrategy struct {
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:shortName=cic
-type CredentialIssuerConfig struct {
+type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Status of the credential issuer.
-	Status CredentialIssuerConfigStatus `json:"status"`
+	Status CredentialIssuerStatus `json:"status"`
 }
-// List of CredentialIssuerConfig objects.
+// List of CredentialIssuer objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type CredentialIssuerConfigList struct {
+type CredentialIssuerList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []CredentialIssuerConfig `json:"items"`
+	Items []CredentialIssuer `json:"items"`
 }
--- a/generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
@ -12,7 +12,7 @@ import (
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfig) DeepCopyInto(out *CredentialIssuerConfig) {
+func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@ -20,18 +20,18 @@ func (in *CredentialIssuerConfig) DeepCopyInto(out *CredentialIssuerConfig) {
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfig.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuer.
-func (in *CredentialIssuerConfig) DeepCopy() *CredentialIssuerConfig {
+func (in *CredentialIssuer) DeepCopy() *CredentialIssuer {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfig)
+	out := new(CredentialIssuer)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CredentialIssuerConfig) DeepCopyObject() runtime.Object {
+func (in *CredentialIssuer) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -39,29 +39,29 @@ func (in *CredentialIssuerConfig) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigKubeConfigInfo) DeepCopyInto(out *CredentialIssuerConfigKubeConfigInfo) {
+func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
 	*out = *in
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigKubeConfigInfo.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerKubeConfigInfo.
-func (in *CredentialIssuerConfigKubeConfigInfo) DeepCopy() *CredentialIssuerConfigKubeConfigInfo {
+func (in *CredentialIssuerKubeConfigInfo) DeepCopy() *CredentialIssuerKubeConfigInfo {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigKubeConfigInfo)
+	out := new(CredentialIssuerKubeConfigInfo)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigList) DeepCopyInto(out *CredentialIssuerConfigList) {
+func (in *CredentialIssuerList) DeepCopyInto(out *CredentialIssuerList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]CredentialIssuerConfig, len(*in))
+		*out = make([]CredentialIssuer, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@ -69,18 +69,18 @@ func (in *CredentialIssuerConfigList) DeepCopyInto(out *CredentialIssuerConfigLi
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigList.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerList.
-func (in *CredentialIssuerConfigList) DeepCopy() *CredentialIssuerConfigList {
+func (in *CredentialIssuerList) DeepCopy() *CredentialIssuerList {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigList)
+	out := new(CredentialIssuerList)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CredentialIssuerConfigList) DeepCopyObject() runtime.Object {
+func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -88,46 +88,46 @@ func (in *CredentialIssuerConfigList) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigStatus) DeepCopyInto(out *CredentialIssuerConfigStatus) {
+func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
 	if in.Strategies != nil {
 		in, out := &in.Strategies, &out.Strategies
-		*out = make([]CredentialIssuerConfigStrategy, len(*in))
+		*out = make([]CredentialIssuerStrategy, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.KubeConfigInfo != nil {
 		in, out := &in.KubeConfigInfo, &out.KubeConfigInfo
-		*out = new(CredentialIssuerConfigKubeConfigInfo)
+		*out = new(CredentialIssuerKubeConfigInfo)
 		**out = **in
 	}
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigStatus.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStatus.
-func (in *CredentialIssuerConfigStatus) DeepCopy() *CredentialIssuerConfigStatus {
+func (in *CredentialIssuerStatus) DeepCopy() *CredentialIssuerStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigStatus)
+	out := new(CredentialIssuerStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigStrategy) DeepCopyInto(out *CredentialIssuerConfigStrategy) {
+func (in *CredentialIssuerStrategy) DeepCopyInto(out *CredentialIssuerStrategy) {
 	*out = *in
 	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigStrategy.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStrategy.
-func (in *CredentialIssuerConfigStrategy) DeepCopy() *CredentialIssuerConfigStrategy {
+func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigStrategy)
+	out := new(CredentialIssuerStrategy)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
@ -13,7 +13,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	CredentialIssuerConfigsGetter
+	CredentialIssuersGetter
 }
 // ConfigV1alpha1Client is used to interact with features provided by the config.concierge.pinniped.dev group.
@ -21,8 +21,8 @@ type ConfigV1alpha1Client struct {
 	restClient rest.Interface
 }
-func (c *ConfigV1alpha1Client) CredentialIssuerConfigs(namespace string) CredentialIssuerConfigInterface {
+func (c *ConfigV1alpha1Client) CredentialIssuers(namespace string) CredentialIssuerInterface {
-	return newCredentialIssuerConfigs(c, namespace)
+	return newCredentialIssuers(c, namespace)
 }
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
@ -0,0 +1,178 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.17/client/concierge/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // CredentialIssuersGetter has a method to return a CredentialIssuerInterface.
 // A group's client should implement this interface.
 type CredentialIssuersGetter interface {
 	CredentialIssuers(namespace string) CredentialIssuerInterface
 }
 // CredentialIssuerInterface has methods to work with CredentialIssuer resources.
 type CredentialIssuerInterface interface {
 	Create(*v1alpha1.CredentialIssuer) (*v1alpha1.CredentialIssuer, error)
 	Update(*v1alpha1.CredentialIssuer) (*v1alpha1.CredentialIssuer, error)
 	UpdateStatus(*v1alpha1.CredentialIssuer) (*v1alpha1.CredentialIssuer, error)
 	Delete(name string, options *v1.DeleteOptions) error
 	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
 	Get(name string, options v1.GetOptions) (*v1alpha1.CredentialIssuer, error)
 	List(opts v1.ListOptions) (*v1alpha1.CredentialIssuerList, error)
 	Watch(opts v1.ListOptions) (watch.Interface, error)
 	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuer, err error)
 	CredentialIssuerExpansion
 }
 // credentialIssuers implements CredentialIssuerInterface
 type credentialIssuers struct {
 	client rest.Interface
 	ns     string
 }
 // newCredentialIssuers returns a CredentialIssuers
 func newCredentialIssuers(c *ConfigV1alpha1Client, namespace string) *credentialIssuers {
 	return &credentialIssuers{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
 func (c *credentialIssuers) Get(name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do().
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
 func (c *credentialIssuers) List(opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.CredentialIssuerList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do().
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuers.
 func (c *credentialIssuers) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch()
 }
 // Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *credentialIssuers) Create(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Body(credentialIssuer).
 		Do().
 		Into(result)
 	return
 }
 // Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *credentialIssuers) Update(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		Body(credentialIssuer).
 		Do().
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *credentialIssuers) UpdateStatus(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		SubResource("status").
 		Body(credentialIssuer).
 		Do().
 		Into(result)
 	return
 }
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *credentialIssuers) Delete(name string, options *v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		Body(options).
 		Do().
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *credentialIssuers) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	var timeout time.Duration
 	if listOptions.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&listOptions, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(options).
 		Do().
 		Error()
 }
 // Patch applies the patch and returns the patched credentialIssuer.
 func (c *credentialIssuers) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		SubResource(subresources...).
 		Name(name).
 		Body(data).
 		Do().
 		Into(result)
 	return
 }
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuerconfig.go
@ -1,178 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.17/client/concierge/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // CredentialIssuerConfigsGetter has a method to return a CredentialIssuerConfigInterface.
 // A group's client should implement this interface.
 type CredentialIssuerConfigsGetter interface {
 	CredentialIssuerConfigs(namespace string) CredentialIssuerConfigInterface
 }
 // CredentialIssuerConfigInterface has methods to work with CredentialIssuerConfig resources.
 type CredentialIssuerConfigInterface interface {
 	Create(*v1alpha1.CredentialIssuerConfig) (*v1alpha1.CredentialIssuerConfig, error)
 	Update(*v1alpha1.CredentialIssuerConfig) (*v1alpha1.CredentialIssuerConfig, error)
 	UpdateStatus(*v1alpha1.CredentialIssuerConfig) (*v1alpha1.CredentialIssuerConfig, error)
 	Delete(name string, options *v1.DeleteOptions) error
 	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
 	Get(name string, options v1.GetOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	List(opts v1.ListOptions) (*v1alpha1.CredentialIssuerConfigList, error)
 	Watch(opts v1.ListOptions) (watch.Interface, error)
 	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error)
 	CredentialIssuerConfigExpansion
 }
 // credentialIssuerConfigs implements CredentialIssuerConfigInterface
 type credentialIssuerConfigs struct {
 	client rest.Interface
 	ns     string
 }
 // newCredentialIssuerConfigs returns a CredentialIssuerConfigs
 func newCredentialIssuerConfigs(c *ConfigV1alpha1Client, namespace string) *credentialIssuerConfigs {
 	return &credentialIssuerConfigs{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the credentialIssuerConfig, and returns the corresponding credentialIssuerConfig object, and an error if there is any.
 func (c *credentialIssuerConfigs) Get(name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do().
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of CredentialIssuerConfigs that match those selectors.
 func (c *credentialIssuerConfigs) List(opts v1.ListOptions) (result *v1alpha1.CredentialIssuerConfigList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.CredentialIssuerConfigList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do().
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuerConfigs.
 func (c *credentialIssuerConfigs) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch()
 }
 // Create takes the representation of a credentialIssuerConfig and creates it.  Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *credentialIssuerConfigs) Create(credentialIssuerConfig *v1alpha1.CredentialIssuerConfig) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Body(credentialIssuerConfig).
 		Do().
 		Into(result)
 	return
 }
 // Update takes the representation of a credentialIssuerConfig and updates it. Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *credentialIssuerConfigs) Update(credentialIssuerConfig *v1alpha1.CredentialIssuerConfig) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(credentialIssuerConfig.Name).
 		Body(credentialIssuerConfig).
 		Do().
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *credentialIssuerConfigs) UpdateStatus(credentialIssuerConfig *v1alpha1.CredentialIssuerConfig) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(credentialIssuerConfig.Name).
 		SubResource("status").
 		Body(credentialIssuerConfig).
 		Do().
 		Into(result)
 	return
 }
 // Delete takes name of the credentialIssuerConfig and deletes it. Returns an error if one occurs.
 func (c *credentialIssuerConfigs) Delete(name string, options *v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		Body(options).
 		Do().
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *credentialIssuerConfigs) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	var timeout time.Duration
 	if listOptions.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&listOptions, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(options).
 		Do().
 		Error()
 }
 // Patch applies the patch and returns the patched credentialIssuerConfig.
 func (c *credentialIssuerConfigs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		SubResource(subresources...).
 		Name(name).
 		Body(data).
 		Do().
 		Into(result)
 	return
 }
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@ -15,8 +15,8 @@ type FakeConfigV1alpha1 struct {
 	*testing.Fake
 }
-func (c *FakeConfigV1alpha1) CredentialIssuerConfigs(namespace string) v1alpha1.CredentialIssuerConfigInterface {
+func (c *FakeConfigV1alpha1) CredentialIssuers(namespace string) v1alpha1.CredentialIssuerInterface {
-	return &FakeCredentialIssuerConfigs{c, namespace}
+	return &FakeCredentialIssuers{c, namespace}
 }
 // RESTClient returns a RESTClient that is used to communicate
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
@ -0,0 +1,127 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeCredentialIssuers implements CredentialIssuerInterface
 type FakeCredentialIssuers struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var credentialissuersResource = schema.GroupVersionResource{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Resource: "credentialissuers"}
 var credentialissuersKind = schema.GroupVersionKind{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Kind: "CredentialIssuer"}
 // Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
 func (c *FakeCredentialIssuers) Get(name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
 func (c *FakeCredentialIssuers) List(opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(credentialissuersResource, credentialissuersKind, c.ns, opts), &v1alpha1.CredentialIssuerList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.CredentialIssuerList{ListMeta: obj.(*v1alpha1.CredentialIssuerList).ListMeta}
 	for _, item := range obj.(*v1alpha1.CredentialIssuerList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuers.
 func (c *FakeCredentialIssuers) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(credentialissuersResource, c.ns, opts))
 }
 // Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Create(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Update(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeCredentialIssuers) UpdateStatus(credentialIssuer *v1alpha1.CredentialIssuer) (*v1alpha1.CredentialIssuer, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(credentialissuersResource, "status", c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *FakeCredentialIssuers) Delete(name string, options *v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeCredentialIssuers) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(credentialissuersResource, c.ns, listOptions)
 	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerList{})
 	return err
 }
 // Patch applies the patch and returns the patched credentialIssuer.
 func (c *FakeCredentialIssuers) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(credentialissuersResource, c.ns, name, pt, data, subresources...), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuerconfig.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuerconfig.go
@ -1,127 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeCredentialIssuerConfigs implements CredentialIssuerConfigInterface
 type FakeCredentialIssuerConfigs struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var credentialissuerconfigsResource = schema.GroupVersionResource{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Resource: "credentialissuerconfigs"}
 var credentialissuerconfigsKind = schema.GroupVersionKind{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Kind: "CredentialIssuerConfig"}
 // Get takes name of the credentialIssuerConfig, and returns the corresponding credentialIssuerConfig object, and an error if there is any.
 func (c *FakeCredentialIssuerConfigs) Get(name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(credentialissuerconfigsResource, c.ns, name), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // List takes label and field selectors, and returns the list of CredentialIssuerConfigs that match those selectors.
 func (c *FakeCredentialIssuerConfigs) List(opts v1.ListOptions) (result *v1alpha1.CredentialIssuerConfigList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(credentialissuerconfigsResource, credentialissuerconfigsKind, c.ns, opts), &v1alpha1.CredentialIssuerConfigList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.CredentialIssuerConfigList{ListMeta: obj.(*v1alpha1.CredentialIssuerConfigList).ListMeta}
 	for _, item := range obj.(*v1alpha1.CredentialIssuerConfigList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuerConfigs.
 func (c *FakeCredentialIssuerConfigs) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(credentialissuerconfigsResource, c.ns, opts))
 }
 // Create takes the representation of a credentialIssuerConfig and creates it.  Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *FakeCredentialIssuerConfigs) Create(credentialIssuerConfig *v1alpha1.CredentialIssuerConfig) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(credentialissuerconfigsResource, c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // Update takes the representation of a credentialIssuerConfig and updates it. Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *FakeCredentialIssuerConfigs) Update(credentialIssuerConfig *v1alpha1.CredentialIssuerConfig) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(credentialissuerconfigsResource, c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeCredentialIssuerConfigs) UpdateStatus(credentialIssuerConfig *v1alpha1.CredentialIssuerConfig) (*v1alpha1.CredentialIssuerConfig, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(credentialissuerconfigsResource, "status", c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // Delete takes name of the credentialIssuerConfig and deletes it. Returns an error if one occurs.
 func (c *FakeCredentialIssuerConfigs) Delete(name string, options *v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(credentialissuerconfigsResource, c.ns, name), &v1alpha1.CredentialIssuerConfig{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeCredentialIssuerConfigs) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(credentialissuerconfigsResource, c.ns, listOptions)
 	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerConfigList{})
 	return err
 }
 // Patch applies the patch and returns the patched credentialIssuerConfig.
 func (c *FakeCredentialIssuerConfigs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(credentialissuerconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@ -5,4 +5,4 @@
 package v1alpha1
-type CredentialIssuerConfigExpansion interface{}
+type CredentialIssuerExpansion interface{}
--- a/generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
+++ b/generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
@ -0,0 +1,76 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.17/client/concierge/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/concierge/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.17/client/concierge/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerInformer provides access to a shared informer and lister for
 // CredentialIssuers.
 type CredentialIssuerInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.CredentialIssuerLister
 }
 type credentialIssuerInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewCredentialIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCredentialIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuers(namespace).List(options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuers(namespace).Watch(options)
 			},
 		},
 		&configv1alpha1.CredentialIssuer{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *credentialIssuerInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *credentialIssuerInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.CredentialIssuer{}, f.defaultInformer)
 }
 func (f *credentialIssuerInformer) Lister() v1alpha1.CredentialIssuerLister {
 	return v1alpha1.NewCredentialIssuerLister(f.Informer().GetIndexer())
 }
--- a/generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/credentialissuerconfig.go
@ -1,76 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.17/client/concierge/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/concierge/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.17/client/concierge/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerConfigInformer provides access to a shared informer and lister for
 // CredentialIssuerConfigs.
 type CredentialIssuerConfigInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.CredentialIssuerConfigLister
 }
 type credentialIssuerConfigInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewCredentialIssuerConfigInformer constructs a new informer for CredentialIssuerConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewCredentialIssuerConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerConfigInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredCredentialIssuerConfigInformer constructs a new informer for CredentialIssuerConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCredentialIssuerConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuerConfigs(namespace).List(options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuerConfigs(namespace).Watch(options)
 			},
 		},
 		&configv1alpha1.CredentialIssuerConfig{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *credentialIssuerConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *credentialIssuerConfigInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.CredentialIssuerConfig{}, f.defaultInformer)
 }
 func (f *credentialIssuerConfigInformer) Lister() v1alpha1.CredentialIssuerConfigLister {
 	return v1alpha1.NewCredentialIssuerConfigLister(f.Informer().GetIndexer())
 }
--- a/generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/interface.go
+++ b/generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/interface.go
@ -11,8 +11,8 @@ import (
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
+	// CredentialIssuers returns a CredentialIssuerInformer.
-	CredentialIssuerConfigs() CredentialIssuerConfigInformer
+	CredentialIssuers() CredentialIssuerInformer
 }
 type version struct {
@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
-// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
+// CredentialIssuers returns a CredentialIssuerInformer.
-func (v *version) CredentialIssuerConfigs() CredentialIssuerConfigInformer {
+func (v *version) CredentialIssuers() CredentialIssuerInformer {
-	return &credentialIssuerConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+	return &credentialIssuerInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
--- a/generated/1.17/client/concierge/informers/externalversions/generic.go
+++ b/generated/1.17/client/concierge/informers/externalversions/generic.go
@ -46,8 +46,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookAuthenticators().Informer()}, nil
 		// Group=config.concierge.pinniped.dev, Version=v1alpha1
-	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
+	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuers"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuers().Informer()}, nil
 		// Group=login.concierge.pinniped.dev, Version=v1alpha1
 	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
--- a/generated/1.17/client/concierge/listers/config/v1alpha1/credentialissuer.go
+++ b/generated/1.17/client/concierge/listers/config/v1alpha1/credentialissuer.go
@ -0,0 +1,81 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerLister helps list CredentialIssuers.
 type CredentialIssuerLister interface {
 	// List lists all CredentialIssuers in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error)
 	// CredentialIssuers returns an object that can list and get CredentialIssuers.
 	CredentialIssuers(namespace string) CredentialIssuerNamespaceLister
 	CredentialIssuerListerExpansion
 }
 // credentialIssuerLister implements the CredentialIssuerLister interface.
 type credentialIssuerLister struct {
 	indexer cache.Indexer
 }
 // NewCredentialIssuerLister returns a new CredentialIssuerLister.
 func NewCredentialIssuerLister(indexer cache.Indexer) CredentialIssuerLister {
 	return &credentialIssuerLister{indexer: indexer}
 }
 // List lists all CredentialIssuers in the indexer.
 func (s *credentialIssuerLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuer))
 	})
 	return ret, err
 }
 // CredentialIssuers returns an object that can list and get CredentialIssuers.
 func (s *credentialIssuerLister) CredentialIssuers(namespace string) CredentialIssuerNamespaceLister {
 	return credentialIssuerNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // CredentialIssuerNamespaceLister helps list and get CredentialIssuers.
 type CredentialIssuerNamespaceLister interface {
 	// List lists all CredentialIssuers in the indexer for a given namespace.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error)
 	// Get retrieves the CredentialIssuer from the indexer for a given namespace and name.
 	Get(name string) (*v1alpha1.CredentialIssuer, error)
 	CredentialIssuerNamespaceListerExpansion
 }
 // credentialIssuerNamespaceLister implements the CredentialIssuerNamespaceLister
 // interface.
 type credentialIssuerNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all CredentialIssuers in the indexer for a given namespace.
 func (s credentialIssuerNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuer))
 	})
 	return ret, err
 }
 // Get retrieves the CredentialIssuer from the indexer for a given namespace and name.
 func (s credentialIssuerNamespaceLister) Get(name string) (*v1alpha1.CredentialIssuer, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("credentialissuer"), name)
 	}
 	return obj.(*v1alpha1.CredentialIssuer), nil
 }
--- a/generated/1.17/client/concierge/listers/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.17/client/concierge/listers/config/v1alpha1/credentialissuerconfig.go
@ -1,81 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerConfigLister helps list CredentialIssuerConfigs.
 type CredentialIssuerConfigLister interface {
 	// List lists all CredentialIssuerConfigs in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error)
 	// CredentialIssuerConfigs returns an object that can list and get CredentialIssuerConfigs.
 	CredentialIssuerConfigs(namespace string) CredentialIssuerConfigNamespaceLister
 	CredentialIssuerConfigListerExpansion
 }
 // credentialIssuerConfigLister implements the CredentialIssuerConfigLister interface.
 type credentialIssuerConfigLister struct {
 	indexer cache.Indexer
 }
 // NewCredentialIssuerConfigLister returns a new CredentialIssuerConfigLister.
 func NewCredentialIssuerConfigLister(indexer cache.Indexer) CredentialIssuerConfigLister {
 	return &credentialIssuerConfigLister{indexer: indexer}
 }
 // List lists all CredentialIssuerConfigs in the indexer.
 func (s *credentialIssuerConfigLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuerConfig))
 	})
 	return ret, err
 }
 // CredentialIssuerConfigs returns an object that can list and get CredentialIssuerConfigs.
 func (s *credentialIssuerConfigLister) CredentialIssuerConfigs(namespace string) CredentialIssuerConfigNamespaceLister {
 	return credentialIssuerConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // CredentialIssuerConfigNamespaceLister helps list and get CredentialIssuerConfigs.
 type CredentialIssuerConfigNamespaceLister interface {
 	// List lists all CredentialIssuerConfigs in the indexer for a given namespace.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error)
 	// Get retrieves the CredentialIssuerConfig from the indexer for a given namespace and name.
 	Get(name string) (*v1alpha1.CredentialIssuerConfig, error)
 	CredentialIssuerConfigNamespaceListerExpansion
 }
 // credentialIssuerConfigNamespaceLister implements the CredentialIssuerConfigNamespaceLister
 // interface.
 type credentialIssuerConfigNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all CredentialIssuerConfigs in the indexer for a given namespace.
 func (s credentialIssuerConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuerConfig))
 	})
 	return ret, err
 }
 // Get retrieves the CredentialIssuerConfig from the indexer for a given namespace and name.
 func (s credentialIssuerConfigNamespaceLister) Get(name string) (*v1alpha1.CredentialIssuerConfig, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("credentialissuerconfig"), name)
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), nil
 }
--- a/generated/1.17/client/concierge/listers/config/v1alpha1/expansion_generated.go
+++ b/generated/1.17/client/concierge/listers/config/v1alpha1/expansion_generated.go
@ -5,10 +5,10 @@
 package v1alpha1
-// CredentialIssuerConfigListerExpansion allows custom methods to be added to
+// CredentialIssuerListerExpansion allows custom methods to be added to
-// CredentialIssuerConfigLister.
+// CredentialIssuerLister.
-type CredentialIssuerConfigListerExpansion interface{}
+type CredentialIssuerListerExpansion interface{}
-// CredentialIssuerConfigNamespaceListerExpansion allows custom methods to be added to
+// CredentialIssuerNamespaceListerExpansion allows custom methods to be added to
-// CredentialIssuerConfigNamespaceLister.
+// CredentialIssuerNamespaceLister.
-type CredentialIssuerConfigNamespaceListerExpansion interface{}
+type CredentialIssuerNamespaceListerExpansion interface{}
--- a/generated/1.17/client/concierge/openapi/zz_generated.openapi.go
+++ b/generated/1.17/client/concierge/openapi/zz_generated.openapi.go
@ -17,73 +17,73 @@ import (
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition":                    schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition":                  schema_apis_concierge_authentication_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec":                      schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec":                    schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":         schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":       schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":     schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":     schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus": schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfig":               schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuer":                   schema_apis_concierge_config_v1alpha1_CredentialIssuer(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo": schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo":     schema_apis_concierge_config_v1alpha1_CredentialIssuerKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigList":           schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerList":               schema_apis_concierge_config_v1alpha1_CredentialIssuerList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus":         schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerStatus":             schema_apis_concierge_config_v1alpha1_CredentialIssuerStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerStrategy":           schema_apis_concierge_config_v1alpha1_CredentialIssuerStrategy(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":                     schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":                   schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":                schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":              schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":            schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":            schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":        schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                      schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                    schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                  schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                   schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                 schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                               schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                             schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                   schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                 schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                 schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                               schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                 schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                               schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                      schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                    schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                 schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                               schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                      schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                    schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                    schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                  schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                     schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                   schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                 schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                               schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                  schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                      schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                    schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                              schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                            schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                          schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                        schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                 schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                               schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                 schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                               schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                      schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                    schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                          schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                        schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                      schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                    schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                   schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                 schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                            schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                          schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                     schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                   schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                    schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                  schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                              schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                         schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                       schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                     schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                   schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                         schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                       schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                  schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                 schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                               schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                     schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                   schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                     schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                   schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                        schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                      schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                   schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                 schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                 schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                               schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                         schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                       schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                         schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                       schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                  schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                      schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                    schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                             schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                           schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                          schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                        schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                     schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                   schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                      schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                    schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                 schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                               schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                    schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                  schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                       schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                     schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                           schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                         schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                            schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                          schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                               schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                             schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
@ -325,7 +325,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(re
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuer(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -353,7 +353,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.Ref
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the credential issuer.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerStatus"),
 						},
 					},
 				},
@ -361,11 +361,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerKubeConfigInfo(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -393,7 +393,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -424,7 +424,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfig"),
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuer"),
 									},
 								},
 							},
@ -435,11 +435,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuer", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -453,7 +453,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy"),
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerStrategy"),
 									},
 								},
 							},
@ -462,7 +462,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 					"kubeConfigInfo": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo"),
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo"),
 						},
 					},
 				},
@ -470,11 +470,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo", "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo", "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerStrategy"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStrategy(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerStrategy(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
--- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
+++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
@ -6,16 +6,14 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
-  name: credentialissuerconfigs.config.concierge.pinniped.dev
+  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
  names:
-    kind: CredentialIssuerConfig
+    kind: CredentialIssuer
-    listKind: CredentialIssuerConfigList
+    listKind: CredentialIssuerList
-    plural: credentialissuerconfigs
+    plural: credentialissuers
-    shortNames:
+    singular: credentialissuer
    - cic
    singular: credentialissuerconfig
  scope: Namespaced
  versions:
  - name: v1alpha1
--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@ -131,14 +131,14 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfig"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuer"]
-==== CredentialIssuerConfig 
+==== CredentialIssuer 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfiglist[$$CredentialIssuerConfigList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerlist[$$CredentialIssuerList$$]
 ****
 [cols="25a,75a", options="header"]
@ -146,18 +146,18 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]__ | Status of the credential issuer.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigkubeconfiginfo"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo"]
-==== CredentialIssuerConfigKubeConfigInfo 
+==== CredentialIssuerKubeConfigInfo 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
 ****
 [cols="25a,75a", options="header"]
@ -170,32 +170,32 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigstatus"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus"]
-==== CredentialIssuerConfigStatus 
+==== CredentialIssuerStatus 
 Status of a credential issuer.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfig[$$CredentialIssuerConfig$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
 ****
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigstrategy[$$CredentialIssuerConfigStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
+| *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstrategy[$$CredentialIssuerStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigkubeconfiginfo[$$CredentialIssuerConfigKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigstrategy"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstrategy"]
-==== CredentialIssuerConfigStrategy 
+==== CredentialIssuerStrategy 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
 ****
 [cols="25a,75a", options="header"]
--- a/generated/1.18/apis/concierge/config/v1alpha1/register.go
+++ b/generated/1.18/apis/concierge/config/v1alpha1/register.go
@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&CredentialIssuerConfig{},
+		&CredentialIssuer{},
-		&CredentialIssuerConfigList{},
+		&CredentialIssuerList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go
@ -25,17 +25,17 @@ const (
 )
 // Status of a credential issuer.
-type CredentialIssuerConfigStatus struct {
+type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
-	Strategies []CredentialIssuerConfigStrategy `json:"strategies"`
+	Strategies []CredentialIssuerStrategy `json:"strategies"`
 	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 	// +optional
-	KubeConfigInfo *CredentialIssuerConfigKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 // Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
-type CredentialIssuerConfigKubeConfigInfo struct {
+type CredentialIssuerKubeConfigInfo struct {
 	// The K8s API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
@ -47,7 +47,7 @@ type CredentialIssuerConfigKubeConfigInfo struct {
 }
 // Status of an integration strategy that was attempted by Pinniped.
-type CredentialIssuerConfigStrategy struct {
+type CredentialIssuerStrategy struct {
 	// Type of integration attempted.
 	Type StrategyType `json:"type"`
@ -68,22 +68,21 @@ type CredentialIssuerConfigStrategy struct {
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:shortName=cic
-type CredentialIssuerConfig struct {
+type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Status of the credential issuer.
-	Status CredentialIssuerConfigStatus `json:"status"`
+	Status CredentialIssuerStatus `json:"status"`
 }
-// List of CredentialIssuerConfig objects.
+// List of CredentialIssuer objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type CredentialIssuerConfigList struct {
+type CredentialIssuerList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []CredentialIssuerConfig `json:"items"`
+	Items []CredentialIssuer `json:"items"`
 }
--- a/generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
@ -12,7 +12,7 @@ import (
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfig) DeepCopyInto(out *CredentialIssuerConfig) {
+func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@ -20,18 +20,18 @@ func (in *CredentialIssuerConfig) DeepCopyInto(out *CredentialIssuerConfig) {
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfig.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuer.
-func (in *CredentialIssuerConfig) DeepCopy() *CredentialIssuerConfig {
+func (in *CredentialIssuer) DeepCopy() *CredentialIssuer {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfig)
+	out := new(CredentialIssuer)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CredentialIssuerConfig) DeepCopyObject() runtime.Object {
+func (in *CredentialIssuer) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -39,29 +39,29 @@ func (in *CredentialIssuerConfig) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigKubeConfigInfo) DeepCopyInto(out *CredentialIssuerConfigKubeConfigInfo) {
+func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
 	*out = *in
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigKubeConfigInfo.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerKubeConfigInfo.
-func (in *CredentialIssuerConfigKubeConfigInfo) DeepCopy() *CredentialIssuerConfigKubeConfigInfo {
+func (in *CredentialIssuerKubeConfigInfo) DeepCopy() *CredentialIssuerKubeConfigInfo {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigKubeConfigInfo)
+	out := new(CredentialIssuerKubeConfigInfo)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigList) DeepCopyInto(out *CredentialIssuerConfigList) {
+func (in *CredentialIssuerList) DeepCopyInto(out *CredentialIssuerList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]CredentialIssuerConfig, len(*in))
+		*out = make([]CredentialIssuer, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@ -69,18 +69,18 @@ func (in *CredentialIssuerConfigList) DeepCopyInto(out *CredentialIssuerConfigLi
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigList.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerList.
-func (in *CredentialIssuerConfigList) DeepCopy() *CredentialIssuerConfigList {
+func (in *CredentialIssuerList) DeepCopy() *CredentialIssuerList {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigList)
+	out := new(CredentialIssuerList)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CredentialIssuerConfigList) DeepCopyObject() runtime.Object {
+func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -88,46 +88,46 @@ func (in *CredentialIssuerConfigList) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigStatus) DeepCopyInto(out *CredentialIssuerConfigStatus) {
+func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
 	if in.Strategies != nil {
 		in, out := &in.Strategies, &out.Strategies
-		*out = make([]CredentialIssuerConfigStrategy, len(*in))
+		*out = make([]CredentialIssuerStrategy, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.KubeConfigInfo != nil {
 		in, out := &in.KubeConfigInfo, &out.KubeConfigInfo
-		*out = new(CredentialIssuerConfigKubeConfigInfo)
+		*out = new(CredentialIssuerKubeConfigInfo)
 		**out = **in
 	}
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigStatus.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStatus.
-func (in *CredentialIssuerConfigStatus) DeepCopy() *CredentialIssuerConfigStatus {
+func (in *CredentialIssuerStatus) DeepCopy() *CredentialIssuerStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigStatus)
+	out := new(CredentialIssuerStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigStrategy) DeepCopyInto(out *CredentialIssuerConfigStrategy) {
+func (in *CredentialIssuerStrategy) DeepCopyInto(out *CredentialIssuerStrategy) {
 	*out = *in
 	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigStrategy.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStrategy.
-func (in *CredentialIssuerConfigStrategy) DeepCopy() *CredentialIssuerConfigStrategy {
+func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigStrategy)
+	out := new(CredentialIssuerStrategy)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
@ -13,7 +13,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	CredentialIssuerConfigsGetter
+	CredentialIssuersGetter
 }
 // ConfigV1alpha1Client is used to interact with features provided by the config.concierge.pinniped.dev group.
@ -21,8 +21,8 @@ type ConfigV1alpha1Client struct {
 	restClient rest.Interface
 }
-func (c *ConfigV1alpha1Client) CredentialIssuerConfigs(namespace string) CredentialIssuerConfigInterface {
+func (c *ConfigV1alpha1Client) CredentialIssuers(namespace string) CredentialIssuerInterface {
-	return newCredentialIssuerConfigs(c, namespace)
+	return newCredentialIssuers(c, namespace)
 }
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
@ -0,0 +1,182 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.18/client/concierge/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // CredentialIssuersGetter has a method to return a CredentialIssuerInterface.
 // A group's client should implement this interface.
 type CredentialIssuersGetter interface {
 	CredentialIssuers(namespace string) CredentialIssuerInterface
 }
 // CredentialIssuerInterface has methods to work with CredentialIssuer resources.
 type CredentialIssuerInterface interface {
 	Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (*v1alpha1.CredentialIssuer, error)
 	Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error)
 	UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error)
 	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
 	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
 	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CredentialIssuer, error)
 	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CredentialIssuerList, error)
 	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
 	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error)
 	CredentialIssuerExpansion
 }
 // credentialIssuers implements CredentialIssuerInterface
 type credentialIssuers struct {
 	client rest.Interface
 	ns     string
 }
 // newCredentialIssuers returns a CredentialIssuers
 func newCredentialIssuers(c *ConfigV1alpha1Client, namespace string) *credentialIssuers {
 	return &credentialIssuers{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
 func (c *credentialIssuers) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do(ctx).
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
 func (c *credentialIssuers) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.CredentialIssuerList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuers.
 func (c *credentialIssuers) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch(ctx)
 }
 // Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *credentialIssuers) Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuer).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *credentialIssuers) Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuer).
 		Do(ctx).
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *credentialIssuers) UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		SubResource("status").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuer).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *credentialIssuers) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *credentialIssuers) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	var timeout time.Duration
 	if listOpts.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&listOpts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // Patch applies the patch and returns the patched credentialIssuer.
 func (c *credentialIssuers) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		SubResource(subresources...).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(data).
 		Do(ctx).
 		Into(result)
 	return
 }
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuerconfig.go
@ -1,182 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.18/client/concierge/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // CredentialIssuerConfigsGetter has a method to return a CredentialIssuerConfigInterface.
 // A group's client should implement this interface.
 type CredentialIssuerConfigsGetter interface {
 	CredentialIssuerConfigs(namespace string) CredentialIssuerConfigInterface
 }
 // CredentialIssuerConfigInterface has methods to work with CredentialIssuerConfig resources.
 type CredentialIssuerConfigInterface interface {
 	Create(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.CreateOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	Update(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	UpdateStatus(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
 	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
 	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CredentialIssuerConfigList, error)
 	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
 	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error)
 	CredentialIssuerConfigExpansion
 }
 // credentialIssuerConfigs implements CredentialIssuerConfigInterface
 type credentialIssuerConfigs struct {
 	client rest.Interface
 	ns     string
 }
 // newCredentialIssuerConfigs returns a CredentialIssuerConfigs
 func newCredentialIssuerConfigs(c *ConfigV1alpha1Client, namespace string) *credentialIssuerConfigs {
 	return &credentialIssuerConfigs{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the credentialIssuerConfig, and returns the corresponding credentialIssuerConfig object, and an error if there is any.
 func (c *credentialIssuerConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do(ctx).
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of CredentialIssuerConfigs that match those selectors.
 func (c *credentialIssuerConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerConfigList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.CredentialIssuerConfigList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuerConfigs.
 func (c *credentialIssuerConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch(ctx)
 }
 // Create takes the representation of a credentialIssuerConfig and creates it.  Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *credentialIssuerConfigs) Create(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuerConfig).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Update takes the representation of a credentialIssuerConfig and updates it. Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *credentialIssuerConfigs) Update(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(credentialIssuerConfig.Name).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuerConfig).
 		Do(ctx).
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *credentialIssuerConfigs) UpdateStatus(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(credentialIssuerConfig.Name).
 		SubResource("status").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuerConfig).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Delete takes name of the credentialIssuerConfig and deletes it. Returns an error if one occurs.
 func (c *credentialIssuerConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *credentialIssuerConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	var timeout time.Duration
 	if listOpts.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&listOpts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // Patch applies the patch and returns the patched credentialIssuerConfig.
 func (c *credentialIssuerConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		SubResource(subresources...).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(data).
 		Do(ctx).
 		Into(result)
 	return
 }
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@ -15,8 +15,8 @@ type FakeConfigV1alpha1 struct {
 	*testing.Fake
 }
-func (c *FakeConfigV1alpha1) CredentialIssuerConfigs(namespace string) v1alpha1.CredentialIssuerConfigInterface {
+func (c *FakeConfigV1alpha1) CredentialIssuers(namespace string) v1alpha1.CredentialIssuerInterface {
-	return &FakeCredentialIssuerConfigs{c, namespace}
+	return &FakeCredentialIssuers{c, namespace}
 }
 // RESTClient returns a RESTClient that is used to communicate
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
@ -0,0 +1,129 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	"context"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeCredentialIssuers implements CredentialIssuerInterface
 type FakeCredentialIssuers struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var credentialissuersResource = schema.GroupVersionResource{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Resource: "credentialissuers"}
 var credentialissuersKind = schema.GroupVersionKind{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Kind: "CredentialIssuer"}
 // Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
 func (c *FakeCredentialIssuers) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
 func (c *FakeCredentialIssuers) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(credentialissuersResource, credentialissuersKind, c.ns, opts), &v1alpha1.CredentialIssuerList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.CredentialIssuerList{ListMeta: obj.(*v1alpha1.CredentialIssuerList).ListMeta}
 	for _, item := range obj.(*v1alpha1.CredentialIssuerList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuers.
 func (c *FakeCredentialIssuers) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(credentialissuersResource, c.ns, opts))
 }
 // Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeCredentialIssuers) UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(credentialissuersResource, "status", c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *FakeCredentialIssuers) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeCredentialIssuers) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(credentialissuersResource, c.ns, listOpts)
 	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerList{})
 	return err
 }
 // Patch applies the patch and returns the patched credentialIssuer.
 func (c *FakeCredentialIssuers) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(credentialissuersResource, c.ns, name, pt, data, subresources...), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuerconfig.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuerconfig.go
@ -1,129 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	"context"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeCredentialIssuerConfigs implements CredentialIssuerConfigInterface
 type FakeCredentialIssuerConfigs struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var credentialissuerconfigsResource = schema.GroupVersionResource{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Resource: "credentialissuerconfigs"}
 var credentialissuerconfigsKind = schema.GroupVersionKind{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Kind: "CredentialIssuerConfig"}
 // Get takes name of the credentialIssuerConfig, and returns the corresponding credentialIssuerConfig object, and an error if there is any.
 func (c *FakeCredentialIssuerConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(credentialissuerconfigsResource, c.ns, name), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // List takes label and field selectors, and returns the list of CredentialIssuerConfigs that match those selectors.
 func (c *FakeCredentialIssuerConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerConfigList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(credentialissuerconfigsResource, credentialissuerconfigsKind, c.ns, opts), &v1alpha1.CredentialIssuerConfigList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.CredentialIssuerConfigList{ListMeta: obj.(*v1alpha1.CredentialIssuerConfigList).ListMeta}
 	for _, item := range obj.(*v1alpha1.CredentialIssuerConfigList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuerConfigs.
 func (c *FakeCredentialIssuerConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(credentialissuerconfigsResource, c.ns, opts))
 }
 // Create takes the representation of a credentialIssuerConfig and creates it.  Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *FakeCredentialIssuerConfigs) Create(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(credentialissuerconfigsResource, c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // Update takes the representation of a credentialIssuerConfig and updates it. Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *FakeCredentialIssuerConfigs) Update(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(credentialissuerconfigsResource, c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeCredentialIssuerConfigs) UpdateStatus(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuerConfig, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(credentialissuerconfigsResource, "status", c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // Delete takes name of the credentialIssuerConfig and deletes it. Returns an error if one occurs.
 func (c *FakeCredentialIssuerConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(credentialissuerconfigsResource, c.ns, name), &v1alpha1.CredentialIssuerConfig{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeCredentialIssuerConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(credentialissuerconfigsResource, c.ns, listOpts)
 	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerConfigList{})
 	return err
 }
 // Patch applies the patch and returns the patched credentialIssuerConfig.
 func (c *FakeCredentialIssuerConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(credentialissuerconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@ -5,4 +5,4 @@
 package v1alpha1
-type CredentialIssuerConfigExpansion interface{}
+type CredentialIssuerExpansion interface{}
--- a/generated/1.18/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
+++ b/generated/1.18/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
@ -0,0 +1,77 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.18/client/concierge/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/concierge/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.18/client/concierge/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerInformer provides access to a shared informer and lister for
 // CredentialIssuers.
 type CredentialIssuerInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.CredentialIssuerLister
 }
 type credentialIssuerInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewCredentialIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCredentialIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuers(namespace).List(context.TODO(), options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuers(namespace).Watch(context.TODO(), options)
 			},
 		},
 		&configv1alpha1.CredentialIssuer{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *credentialIssuerInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *credentialIssuerInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.CredentialIssuer{}, f.defaultInformer)
 }
 func (f *credentialIssuerInformer) Lister() v1alpha1.CredentialIssuerLister {
 	return v1alpha1.NewCredentialIssuerLister(f.Informer().GetIndexer())
 }
--- a/generated/1.18/client/concierge/informers/externalversions/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.18/client/concierge/informers/externalversions/config/v1alpha1/credentialissuerconfig.go
@ -1,77 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.18/client/concierge/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/concierge/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.18/client/concierge/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerConfigInformer provides access to a shared informer and lister for
 // CredentialIssuerConfigs.
 type CredentialIssuerConfigInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.CredentialIssuerConfigLister
 }
 type credentialIssuerConfigInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewCredentialIssuerConfigInformer constructs a new informer for CredentialIssuerConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewCredentialIssuerConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerConfigInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredCredentialIssuerConfigInformer constructs a new informer for CredentialIssuerConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCredentialIssuerConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuerConfigs(namespace).List(context.TODO(), options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuerConfigs(namespace).Watch(context.TODO(), options)
 			},
 		},
 		&configv1alpha1.CredentialIssuerConfig{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *credentialIssuerConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *credentialIssuerConfigInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.CredentialIssuerConfig{}, f.defaultInformer)
 }
 func (f *credentialIssuerConfigInformer) Lister() v1alpha1.CredentialIssuerConfigLister {
 	return v1alpha1.NewCredentialIssuerConfigLister(f.Informer().GetIndexer())
 }
--- a/generated/1.18/client/concierge/informers/externalversions/config/v1alpha1/interface.go
+++ b/generated/1.18/client/concierge/informers/externalversions/config/v1alpha1/interface.go
@ -11,8 +11,8 @@ import (
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
+	// CredentialIssuers returns a CredentialIssuerInformer.
-	CredentialIssuerConfigs() CredentialIssuerConfigInformer
+	CredentialIssuers() CredentialIssuerInformer
 }
 type version struct {
@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
-// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
+// CredentialIssuers returns a CredentialIssuerInformer.
-func (v *version) CredentialIssuerConfigs() CredentialIssuerConfigInformer {
+func (v *version) CredentialIssuers() CredentialIssuerInformer {
-	return &credentialIssuerConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+	return &credentialIssuerInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
--- a/generated/1.18/client/concierge/informers/externalversions/generic.go
+++ b/generated/1.18/client/concierge/informers/externalversions/generic.go
@ -46,8 +46,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookAuthenticators().Informer()}, nil
 		// Group=config.concierge.pinniped.dev, Version=v1alpha1
-	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
+	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuers"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuers().Informer()}, nil
 		// Group=login.concierge.pinniped.dev, Version=v1alpha1
 	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
--- a/generated/1.18/client/concierge/listers/config/v1alpha1/credentialissuer.go
+++ b/generated/1.18/client/concierge/listers/config/v1alpha1/credentialissuer.go
@ -0,0 +1,81 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerLister helps list CredentialIssuers.
 type CredentialIssuerLister interface {
 	// List lists all CredentialIssuers in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error)
 	// CredentialIssuers returns an object that can list and get CredentialIssuers.
 	CredentialIssuers(namespace string) CredentialIssuerNamespaceLister
 	CredentialIssuerListerExpansion
 }
 // credentialIssuerLister implements the CredentialIssuerLister interface.
 type credentialIssuerLister struct {
 	indexer cache.Indexer
 }
 // NewCredentialIssuerLister returns a new CredentialIssuerLister.
 func NewCredentialIssuerLister(indexer cache.Indexer) CredentialIssuerLister {
 	return &credentialIssuerLister{indexer: indexer}
 }
 // List lists all CredentialIssuers in the indexer.
 func (s *credentialIssuerLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuer))
 	})
 	return ret, err
 }
 // CredentialIssuers returns an object that can list and get CredentialIssuers.
 func (s *credentialIssuerLister) CredentialIssuers(namespace string) CredentialIssuerNamespaceLister {
 	return credentialIssuerNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // CredentialIssuerNamespaceLister helps list and get CredentialIssuers.
 type CredentialIssuerNamespaceLister interface {
 	// List lists all CredentialIssuers in the indexer for a given namespace.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error)
 	// Get retrieves the CredentialIssuer from the indexer for a given namespace and name.
 	Get(name string) (*v1alpha1.CredentialIssuer, error)
 	CredentialIssuerNamespaceListerExpansion
 }
 // credentialIssuerNamespaceLister implements the CredentialIssuerNamespaceLister
 // interface.
 type credentialIssuerNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all CredentialIssuers in the indexer for a given namespace.
 func (s credentialIssuerNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuer))
 	})
 	return ret, err
 }
 // Get retrieves the CredentialIssuer from the indexer for a given namespace and name.
 func (s credentialIssuerNamespaceLister) Get(name string) (*v1alpha1.CredentialIssuer, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("credentialissuer"), name)
 	}
 	return obj.(*v1alpha1.CredentialIssuer), nil
 }
--- a/generated/1.18/client/concierge/listers/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.18/client/concierge/listers/config/v1alpha1/credentialissuerconfig.go
@ -1,81 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerConfigLister helps list CredentialIssuerConfigs.
 type CredentialIssuerConfigLister interface {
 	// List lists all CredentialIssuerConfigs in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error)
 	// CredentialIssuerConfigs returns an object that can list and get CredentialIssuerConfigs.
 	CredentialIssuerConfigs(namespace string) CredentialIssuerConfigNamespaceLister
 	CredentialIssuerConfigListerExpansion
 }
 // credentialIssuerConfigLister implements the CredentialIssuerConfigLister interface.
 type credentialIssuerConfigLister struct {
 	indexer cache.Indexer
 }
 // NewCredentialIssuerConfigLister returns a new CredentialIssuerConfigLister.
 func NewCredentialIssuerConfigLister(indexer cache.Indexer) CredentialIssuerConfigLister {
 	return &credentialIssuerConfigLister{indexer: indexer}
 }
 // List lists all CredentialIssuerConfigs in the indexer.
 func (s *credentialIssuerConfigLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuerConfig))
 	})
 	return ret, err
 }
 // CredentialIssuerConfigs returns an object that can list and get CredentialIssuerConfigs.
 func (s *credentialIssuerConfigLister) CredentialIssuerConfigs(namespace string) CredentialIssuerConfigNamespaceLister {
 	return credentialIssuerConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // CredentialIssuerConfigNamespaceLister helps list and get CredentialIssuerConfigs.
 type CredentialIssuerConfigNamespaceLister interface {
 	// List lists all CredentialIssuerConfigs in the indexer for a given namespace.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error)
 	// Get retrieves the CredentialIssuerConfig from the indexer for a given namespace and name.
 	Get(name string) (*v1alpha1.CredentialIssuerConfig, error)
 	CredentialIssuerConfigNamespaceListerExpansion
 }
 // credentialIssuerConfigNamespaceLister implements the CredentialIssuerConfigNamespaceLister
 // interface.
 type credentialIssuerConfigNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all CredentialIssuerConfigs in the indexer for a given namespace.
 func (s credentialIssuerConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuerConfig))
 	})
 	return ret, err
 }
 // Get retrieves the CredentialIssuerConfig from the indexer for a given namespace and name.
 func (s credentialIssuerConfigNamespaceLister) Get(name string) (*v1alpha1.CredentialIssuerConfig, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("credentialissuerconfig"), name)
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), nil
 }
--- a/generated/1.18/client/concierge/listers/config/v1alpha1/expansion_generated.go
+++ b/generated/1.18/client/concierge/listers/config/v1alpha1/expansion_generated.go
@ -5,10 +5,10 @@
 package v1alpha1
-// CredentialIssuerConfigListerExpansion allows custom methods to be added to
+// CredentialIssuerListerExpansion allows custom methods to be added to
-// CredentialIssuerConfigLister.
+// CredentialIssuerLister.
-type CredentialIssuerConfigListerExpansion interface{}
+type CredentialIssuerListerExpansion interface{}
-// CredentialIssuerConfigNamespaceListerExpansion allows custom methods to be added to
+// CredentialIssuerNamespaceListerExpansion allows custom methods to be added to
-// CredentialIssuerConfigNamespaceLister.
+// CredentialIssuerNamespaceLister.
-type CredentialIssuerConfigNamespaceListerExpansion interface{}
+type CredentialIssuerNamespaceListerExpansion interface{}
--- a/generated/1.18/client/concierge/openapi/zz_generated.openapi.go
+++ b/generated/1.18/client/concierge/openapi/zz_generated.openapi.go
@ -17,73 +17,73 @@ import (
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition":                    schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition":                  schema_apis_concierge_authentication_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec":                      schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec":                    schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":         schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":       schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":     schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":     schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus": schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfig":               schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuer":                   schema_apis_concierge_config_v1alpha1_CredentialIssuer(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo": schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo":     schema_apis_concierge_config_v1alpha1_CredentialIssuerKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigList":           schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerList":               schema_apis_concierge_config_v1alpha1_CredentialIssuerList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus":         schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerStatus":             schema_apis_concierge_config_v1alpha1_CredentialIssuerStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerStrategy":           schema_apis_concierge_config_v1alpha1_CredentialIssuerStrategy(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":                     schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":                   schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":                schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":              schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":            schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":            schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":        schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                      schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                    schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                  schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                   schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                 schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                               schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                             schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                   schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                 schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                 schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                               schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                 schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                               schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                      schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                    schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                 schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                               schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                      schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                    schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                    schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                  schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                     schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                   schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                 schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                               schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                  schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                      schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                    schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                              schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                            schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                          schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                        schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                 schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                               schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                 schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                               schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                      schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                    schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                          schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                        schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                      schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                    schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                   schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                 schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                            schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                          schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                     schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                   schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                    schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                  schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                              schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                         schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                       schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                     schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                   schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                         schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                       schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                  schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                 schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                               schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                     schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                   schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                     schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                   schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                        schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                      schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                   schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                 schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                 schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                               schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                         schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                       schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                         schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                       schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                  schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                      schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                    schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                             schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                           schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                          schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                        schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                     schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                   schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                      schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                    schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                 schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                               schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                    schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                  schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                       schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                     schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                           schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                         schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                            schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                          schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                               schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                             schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
@ -325,7 +325,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(re
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuer(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -353,7 +353,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.Ref
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the credential issuer.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerStatus"),
 						},
 					},
 				},
@ -361,11 +361,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerKubeConfigInfo(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -393,7 +393,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -424,7 +424,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfig"),
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuer"),
 									},
 								},
 							},
@ -435,11 +435,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuer", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -453,7 +453,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy"),
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerStrategy"),
 									},
 								},
 							},
@ -462,7 +462,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 					"kubeConfigInfo": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo"),
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo"),
 						},
 					},
 				},
@ -470,11 +470,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo", "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo", "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerStrategy"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStrategy(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerStrategy(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
--- a/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
+++ b/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
@ -6,16 +6,14 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
-  name: credentialissuerconfigs.config.concierge.pinniped.dev
+  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
  names:
-    kind: CredentialIssuerConfig
+    kind: CredentialIssuer
-    listKind: CredentialIssuerConfigList
+    listKind: CredentialIssuerList
-    plural: credentialissuerconfigs
+    plural: credentialissuers
-    shortNames:
+    singular: credentialissuer
    - cic
    singular: credentialissuerconfig
  scope: Namespaced
  versions:
  - name: v1alpha1
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@ -131,14 +131,14 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfig"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuer"]
-==== CredentialIssuerConfig 
+==== CredentialIssuer 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfiglist[$$CredentialIssuerConfigList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerlist[$$CredentialIssuerList$$]
 ****
 [cols="25a,75a", options="header"]
@ -146,18 +146,18 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]__ | Status of the credential issuer.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigkubeconfiginfo"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo"]
-==== CredentialIssuerConfigKubeConfigInfo 
+==== CredentialIssuerKubeConfigInfo 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
 ****
 [cols="25a,75a", options="header"]
@ -170,32 +170,32 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigstatus"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus"]
-==== CredentialIssuerConfigStatus 
+==== CredentialIssuerStatus 
 Status of a credential issuer.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfig[$$CredentialIssuerConfig$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
 ****
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigstrategy[$$CredentialIssuerConfigStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
+| *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstrategy[$$CredentialIssuerStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigkubeconfiginfo[$$CredentialIssuerConfigKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigstrategy"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstrategy"]
-==== CredentialIssuerConfigStrategy 
+==== CredentialIssuerStrategy 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
 ****
 [cols="25a,75a", options="header"]
--- a/generated/1.19/apis/concierge/config/v1alpha1/register.go
+++ b/generated/1.19/apis/concierge/config/v1alpha1/register.go
@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&CredentialIssuerConfig{},
+		&CredentialIssuer{},
-		&CredentialIssuerConfigList{},
+		&CredentialIssuerList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go
+++ b/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go
@ -25,17 +25,17 @@ const (
 )
 // Status of a credential issuer.
-type CredentialIssuerConfigStatus struct {
+type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
-	Strategies []CredentialIssuerConfigStrategy `json:"strategies"`
+	Strategies []CredentialIssuerStrategy `json:"strategies"`
 	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 	// +optional
-	KubeConfigInfo *CredentialIssuerConfigKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 // Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
-type CredentialIssuerConfigKubeConfigInfo struct {
+type CredentialIssuerKubeConfigInfo struct {
 	// The K8s API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
@ -47,7 +47,7 @@ type CredentialIssuerConfigKubeConfigInfo struct {
 }
 // Status of an integration strategy that was attempted by Pinniped.
-type CredentialIssuerConfigStrategy struct {
+type CredentialIssuerStrategy struct {
 	// Type of integration attempted.
 	Type StrategyType `json:"type"`
@ -68,22 +68,21 @@ type CredentialIssuerConfigStrategy struct {
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:shortName=cic
-type CredentialIssuerConfig struct {
+type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Status of the credential issuer.
-	Status CredentialIssuerConfigStatus `json:"status"`
+	Status CredentialIssuerStatus `json:"status"`
 }
-// List of CredentialIssuerConfig objects.
+// List of CredentialIssuer objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type CredentialIssuerConfigList struct {
+type CredentialIssuerList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []CredentialIssuerConfig `json:"items"`
+	Items []CredentialIssuer `json:"items"`
 }
--- a/generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
@ -12,7 +12,7 @@ import (
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfig) DeepCopyInto(out *CredentialIssuerConfig) {
+func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@ -20,18 +20,18 @@ func (in *CredentialIssuerConfig) DeepCopyInto(out *CredentialIssuerConfig) {
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfig.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuer.
-func (in *CredentialIssuerConfig) DeepCopy() *CredentialIssuerConfig {
+func (in *CredentialIssuer) DeepCopy() *CredentialIssuer {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfig)
+	out := new(CredentialIssuer)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CredentialIssuerConfig) DeepCopyObject() runtime.Object {
+func (in *CredentialIssuer) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -39,29 +39,29 @@ func (in *CredentialIssuerConfig) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigKubeConfigInfo) DeepCopyInto(out *CredentialIssuerConfigKubeConfigInfo) {
+func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
 	*out = *in
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigKubeConfigInfo.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerKubeConfigInfo.
-func (in *CredentialIssuerConfigKubeConfigInfo) DeepCopy() *CredentialIssuerConfigKubeConfigInfo {
+func (in *CredentialIssuerKubeConfigInfo) DeepCopy() *CredentialIssuerKubeConfigInfo {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigKubeConfigInfo)
+	out := new(CredentialIssuerKubeConfigInfo)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigList) DeepCopyInto(out *CredentialIssuerConfigList) {
+func (in *CredentialIssuerList) DeepCopyInto(out *CredentialIssuerList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]CredentialIssuerConfig, len(*in))
+		*out = make([]CredentialIssuer, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@ -69,18 +69,18 @@ func (in *CredentialIssuerConfigList) DeepCopyInto(out *CredentialIssuerConfigLi
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigList.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerList.
-func (in *CredentialIssuerConfigList) DeepCopy() *CredentialIssuerConfigList {
+func (in *CredentialIssuerList) DeepCopy() *CredentialIssuerList {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigList)
+	out := new(CredentialIssuerList)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CredentialIssuerConfigList) DeepCopyObject() runtime.Object {
+func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -88,46 +88,46 @@ func (in *CredentialIssuerConfigList) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigStatus) DeepCopyInto(out *CredentialIssuerConfigStatus) {
+func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
 	if in.Strategies != nil {
 		in, out := &in.Strategies, &out.Strategies
-		*out = make([]CredentialIssuerConfigStrategy, len(*in))
+		*out = make([]CredentialIssuerStrategy, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.KubeConfigInfo != nil {
 		in, out := &in.KubeConfigInfo, &out.KubeConfigInfo
-		*out = new(CredentialIssuerConfigKubeConfigInfo)
+		*out = new(CredentialIssuerKubeConfigInfo)
 		**out = **in
 	}
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigStatus.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStatus.
-func (in *CredentialIssuerConfigStatus) DeepCopy() *CredentialIssuerConfigStatus {
+func (in *CredentialIssuerStatus) DeepCopy() *CredentialIssuerStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigStatus)
+	out := new(CredentialIssuerStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigStrategy) DeepCopyInto(out *CredentialIssuerConfigStrategy) {
+func (in *CredentialIssuerStrategy) DeepCopyInto(out *CredentialIssuerStrategy) {
 	*out = *in
 	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigStrategy.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStrategy.
-func (in *CredentialIssuerConfigStrategy) DeepCopy() *CredentialIssuerConfigStrategy {
+func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigStrategy)
+	out := new(CredentialIssuerStrategy)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
@ -13,7 +13,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	CredentialIssuerConfigsGetter
+	CredentialIssuersGetter
 }
 // ConfigV1alpha1Client is used to interact with features provided by the config.concierge.pinniped.dev group.
@ -21,8 +21,8 @@ type ConfigV1alpha1Client struct {
 	restClient rest.Interface
 }
-func (c *ConfigV1alpha1Client) CredentialIssuerConfigs(namespace string) CredentialIssuerConfigInterface {
+func (c *ConfigV1alpha1Client) CredentialIssuers(namespace string) CredentialIssuerInterface {
-	return newCredentialIssuerConfigs(c, namespace)
+	return newCredentialIssuers(c, namespace)
 }
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
--- a/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
+++ b/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
@ -0,0 +1,182 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.19/client/concierge/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // CredentialIssuersGetter has a method to return a CredentialIssuerInterface.
 // A group's client should implement this interface.
 type CredentialIssuersGetter interface {
 	CredentialIssuers(namespace string) CredentialIssuerInterface
 }
 // CredentialIssuerInterface has methods to work with CredentialIssuer resources.
 type CredentialIssuerInterface interface {
 	Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (*v1alpha1.CredentialIssuer, error)
 	Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error)
 	UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error)
 	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
 	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
 	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CredentialIssuer, error)
 	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CredentialIssuerList, error)
 	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
 	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error)
 	CredentialIssuerExpansion
 }
 // credentialIssuers implements CredentialIssuerInterface
 type credentialIssuers struct {
 	client rest.Interface
 	ns     string
 }
 // newCredentialIssuers returns a CredentialIssuers
 func newCredentialIssuers(c *ConfigV1alpha1Client, namespace string) *credentialIssuers {
 	return &credentialIssuers{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
 func (c *credentialIssuers) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do(ctx).
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
 func (c *credentialIssuers) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.CredentialIssuerList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuers.
 func (c *credentialIssuers) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch(ctx)
 }
 // Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *credentialIssuers) Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuer).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *credentialIssuers) Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuer).
 		Do(ctx).
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *credentialIssuers) UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		SubResource("status").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuer).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *credentialIssuers) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *credentialIssuers) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	var timeout time.Duration
 	if listOpts.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&listOpts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // Patch applies the patch and returns the patched credentialIssuer.
 func (c *credentialIssuers) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		SubResource(subresources...).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(data).
 		Do(ctx).
 		Into(result)
 	return
 }
--- a/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuerconfig.go
@ -1,182 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.19/client/concierge/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // CredentialIssuerConfigsGetter has a method to return a CredentialIssuerConfigInterface.
 // A group's client should implement this interface.
 type CredentialIssuerConfigsGetter interface {
 	CredentialIssuerConfigs(namespace string) CredentialIssuerConfigInterface
 }
 // CredentialIssuerConfigInterface has methods to work with CredentialIssuerConfig resources.
 type CredentialIssuerConfigInterface interface {
 	Create(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.CreateOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	Update(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	UpdateStatus(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
 	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
 	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CredentialIssuerConfigList, error)
 	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
 	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error)
 	CredentialIssuerConfigExpansion
 }
 // credentialIssuerConfigs implements CredentialIssuerConfigInterface
 type credentialIssuerConfigs struct {
 	client rest.Interface
 	ns     string
 }
 // newCredentialIssuerConfigs returns a CredentialIssuerConfigs
 func newCredentialIssuerConfigs(c *ConfigV1alpha1Client, namespace string) *credentialIssuerConfigs {
 	return &credentialIssuerConfigs{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the credentialIssuerConfig, and returns the corresponding credentialIssuerConfig object, and an error if there is any.
 func (c *credentialIssuerConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do(ctx).
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of CredentialIssuerConfigs that match those selectors.
 func (c *credentialIssuerConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerConfigList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.CredentialIssuerConfigList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuerConfigs.
 func (c *credentialIssuerConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch(ctx)
 }
 // Create takes the representation of a credentialIssuerConfig and creates it.  Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *credentialIssuerConfigs) Create(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuerConfig).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Update takes the representation of a credentialIssuerConfig and updates it. Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *credentialIssuerConfigs) Update(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(credentialIssuerConfig.Name).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuerConfig).
 		Do(ctx).
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *credentialIssuerConfigs) UpdateStatus(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(credentialIssuerConfig.Name).
 		SubResource("status").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuerConfig).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Delete takes name of the credentialIssuerConfig and deletes it. Returns an error if one occurs.
 func (c *credentialIssuerConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *credentialIssuerConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	var timeout time.Duration
 	if listOpts.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&listOpts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // Patch applies the patch and returns the patched credentialIssuerConfig.
 func (c *credentialIssuerConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		SubResource(subresources...).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(data).
 		Do(ctx).
 		Into(result)
 	return
 }
--- a/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@ -15,8 +15,8 @@ type FakeConfigV1alpha1 struct {
 	*testing.Fake
 }
-func (c *FakeConfigV1alpha1) CredentialIssuerConfigs(namespace string) v1alpha1.CredentialIssuerConfigInterface {
+func (c *FakeConfigV1alpha1) CredentialIssuers(namespace string) v1alpha1.CredentialIssuerInterface {
-	return &FakeCredentialIssuerConfigs{c, namespace}
+	return &FakeCredentialIssuers{c, namespace}
 }
 // RESTClient returns a RESTClient that is used to communicate
--- a/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
+++ b/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
@ -0,0 +1,129 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	"context"
 	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeCredentialIssuers implements CredentialIssuerInterface
 type FakeCredentialIssuers struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var credentialissuersResource = schema.GroupVersionResource{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Resource: "credentialissuers"}
 var credentialissuersKind = schema.GroupVersionKind{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Kind: "CredentialIssuer"}
 // Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
 func (c *FakeCredentialIssuers) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
 func (c *FakeCredentialIssuers) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(credentialissuersResource, credentialissuersKind, c.ns, opts), &v1alpha1.CredentialIssuerList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.CredentialIssuerList{ListMeta: obj.(*v1alpha1.CredentialIssuerList).ListMeta}
 	for _, item := range obj.(*v1alpha1.CredentialIssuerList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuers.
 func (c *FakeCredentialIssuers) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(credentialissuersResource, c.ns, opts))
 }
 // Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeCredentialIssuers) UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(credentialissuersResource, "status", c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *FakeCredentialIssuers) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeCredentialIssuers) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(credentialissuersResource, c.ns, listOpts)
 	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerList{})
 	return err
 }
 // Patch applies the patch and returns the patched credentialIssuer.
 func (c *FakeCredentialIssuers) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(credentialissuersResource, c.ns, name, pt, data, subresources...), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
--- a/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuerconfig.go
+++ b/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuerconfig.go
@ -1,129 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	"context"
 	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeCredentialIssuerConfigs implements CredentialIssuerConfigInterface
 type FakeCredentialIssuerConfigs struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var credentialissuerconfigsResource = schema.GroupVersionResource{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Resource: "credentialissuerconfigs"}
 var credentialissuerconfigsKind = schema.GroupVersionKind{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Kind: "CredentialIssuerConfig"}
 // Get takes name of the credentialIssuerConfig, and returns the corresponding credentialIssuerConfig object, and an error if there is any.
 func (c *FakeCredentialIssuerConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(credentialissuerconfigsResource, c.ns, name), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // List takes label and field selectors, and returns the list of CredentialIssuerConfigs that match those selectors.
 func (c *FakeCredentialIssuerConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerConfigList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(credentialissuerconfigsResource, credentialissuerconfigsKind, c.ns, opts), &v1alpha1.CredentialIssuerConfigList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.CredentialIssuerConfigList{ListMeta: obj.(*v1alpha1.CredentialIssuerConfigList).ListMeta}
 	for _, item := range obj.(*v1alpha1.CredentialIssuerConfigList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuerConfigs.
 func (c *FakeCredentialIssuerConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(credentialissuerconfigsResource, c.ns, opts))
 }
 // Create takes the representation of a credentialIssuerConfig and creates it.  Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *FakeCredentialIssuerConfigs) Create(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(credentialissuerconfigsResource, c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // Update takes the representation of a credentialIssuerConfig and updates it. Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *FakeCredentialIssuerConfigs) Update(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(credentialissuerconfigsResource, c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeCredentialIssuerConfigs) UpdateStatus(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuerConfig, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(credentialissuerconfigsResource, "status", c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // Delete takes name of the credentialIssuerConfig and deletes it. Returns an error if one occurs.
 func (c *FakeCredentialIssuerConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(credentialissuerconfigsResource, c.ns, name), &v1alpha1.CredentialIssuerConfig{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeCredentialIssuerConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(credentialissuerconfigsResource, c.ns, listOpts)
 	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerConfigList{})
 	return err
 }
 // Patch applies the patch and returns the patched credentialIssuerConfig.
 func (c *FakeCredentialIssuerConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(credentialissuerconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
--- a/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@ -5,4 +5,4 @@
 package v1alpha1
-type CredentialIssuerConfigExpansion interface{}
+type CredentialIssuerExpansion interface{}
--- a/generated/1.19/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
+++ b/generated/1.19/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
@ -0,0 +1,77 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.19/client/concierge/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.19/client/concierge/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.19/client/concierge/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerInformer provides access to a shared informer and lister for
 // CredentialIssuers.
 type CredentialIssuerInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.CredentialIssuerLister
 }
 type credentialIssuerInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewCredentialIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCredentialIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuers(namespace).List(context.TODO(), options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuers(namespace).Watch(context.TODO(), options)
 			},
 		},
 		&configv1alpha1.CredentialIssuer{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *credentialIssuerInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *credentialIssuerInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.CredentialIssuer{}, f.defaultInformer)
 }
 func (f *credentialIssuerInformer) Lister() v1alpha1.CredentialIssuerLister {
 	return v1alpha1.NewCredentialIssuerLister(f.Informer().GetIndexer())
 }
--- a/generated/1.19/client/concierge/informers/externalversions/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.19/client/concierge/informers/externalversions/config/v1alpha1/credentialissuerconfig.go
@ -1,77 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.19/client/concierge/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.19/client/concierge/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.19/client/concierge/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerConfigInformer provides access to a shared informer and lister for
 // CredentialIssuerConfigs.
 type CredentialIssuerConfigInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.CredentialIssuerConfigLister
 }
 type credentialIssuerConfigInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewCredentialIssuerConfigInformer constructs a new informer for CredentialIssuerConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewCredentialIssuerConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerConfigInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredCredentialIssuerConfigInformer constructs a new informer for CredentialIssuerConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCredentialIssuerConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuerConfigs(namespace).List(context.TODO(), options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuerConfigs(namespace).Watch(context.TODO(), options)
 			},
 		},
 		&configv1alpha1.CredentialIssuerConfig{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *credentialIssuerConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *credentialIssuerConfigInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.CredentialIssuerConfig{}, f.defaultInformer)
 }
 func (f *credentialIssuerConfigInformer) Lister() v1alpha1.CredentialIssuerConfigLister {
 	return v1alpha1.NewCredentialIssuerConfigLister(f.Informer().GetIndexer())
 }
--- a/generated/1.19/client/concierge/informers/externalversions/config/v1alpha1/interface.go
+++ b/generated/1.19/client/concierge/informers/externalversions/config/v1alpha1/interface.go
@ -11,8 +11,8 @@ import (
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
+	// CredentialIssuers returns a CredentialIssuerInformer.
-	CredentialIssuerConfigs() CredentialIssuerConfigInformer
+	CredentialIssuers() CredentialIssuerInformer
 }
 type version struct {
@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
-// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
+// CredentialIssuers returns a CredentialIssuerInformer.
-func (v *version) CredentialIssuerConfigs() CredentialIssuerConfigInformer {
+func (v *version) CredentialIssuers() CredentialIssuerInformer {
-	return &credentialIssuerConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+	return &credentialIssuerInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
--- a/generated/1.19/client/concierge/informers/externalversions/generic.go
+++ b/generated/1.19/client/concierge/informers/externalversions/generic.go
@ -46,8 +46,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookAuthenticators().Informer()}, nil
 		// Group=config.concierge.pinniped.dev, Version=v1alpha1
-	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
+	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuers"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuers().Informer()}, nil
 		// Group=login.concierge.pinniped.dev, Version=v1alpha1
 	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
--- a/generated/1.19/client/concierge/listers/config/v1alpha1/credentialissuer.go
+++ b/generated/1.19/client/concierge/listers/config/v1alpha1/credentialissuer.go
@ -0,0 +1,86 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerLister helps list CredentialIssuers.
 // All objects returned here must be treated as read-only.
 type CredentialIssuerLister interface {
 	// List lists all CredentialIssuers in the indexer.
 	// Objects returned here must be treated as read-only.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error)
 	// CredentialIssuers returns an object that can list and get CredentialIssuers.
 	CredentialIssuers(namespace string) CredentialIssuerNamespaceLister
 	CredentialIssuerListerExpansion
 }
 // credentialIssuerLister implements the CredentialIssuerLister interface.
 type credentialIssuerLister struct {
 	indexer cache.Indexer
 }
 // NewCredentialIssuerLister returns a new CredentialIssuerLister.
 func NewCredentialIssuerLister(indexer cache.Indexer) CredentialIssuerLister {
 	return &credentialIssuerLister{indexer: indexer}
 }
 // List lists all CredentialIssuers in the indexer.
 func (s *credentialIssuerLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuer))
 	})
 	return ret, err
 }
 // CredentialIssuers returns an object that can list and get CredentialIssuers.
 func (s *credentialIssuerLister) CredentialIssuers(namespace string) CredentialIssuerNamespaceLister {
 	return credentialIssuerNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // CredentialIssuerNamespaceLister helps list and get CredentialIssuers.
 // All objects returned here must be treated as read-only.
 type CredentialIssuerNamespaceLister interface {
 	// List lists all CredentialIssuers in the indexer for a given namespace.
 	// Objects returned here must be treated as read-only.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error)
 	// Get retrieves the CredentialIssuer from the indexer for a given namespace and name.
 	// Objects returned here must be treated as read-only.
 	Get(name string) (*v1alpha1.CredentialIssuer, error)
 	CredentialIssuerNamespaceListerExpansion
 }
 // credentialIssuerNamespaceLister implements the CredentialIssuerNamespaceLister
 // interface.
 type credentialIssuerNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all CredentialIssuers in the indexer for a given namespace.
 func (s credentialIssuerNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuer))
 	})
 	return ret, err
 }
 // Get retrieves the CredentialIssuer from the indexer for a given namespace and name.
 func (s credentialIssuerNamespaceLister) Get(name string) (*v1alpha1.CredentialIssuer, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("credentialissuer"), name)
 	}
 	return obj.(*v1alpha1.CredentialIssuer), nil
 }
--- a/generated/1.19/client/concierge/listers/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.19/client/concierge/listers/config/v1alpha1/credentialissuerconfig.go
@ -1,86 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerConfigLister helps list CredentialIssuerConfigs.
 // All objects returned here must be treated as read-only.
 type CredentialIssuerConfigLister interface {
 	// List lists all CredentialIssuerConfigs in the indexer.
 	// Objects returned here must be treated as read-only.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error)
 	// CredentialIssuerConfigs returns an object that can list and get CredentialIssuerConfigs.
 	CredentialIssuerConfigs(namespace string) CredentialIssuerConfigNamespaceLister
 	CredentialIssuerConfigListerExpansion
 }
 // credentialIssuerConfigLister implements the CredentialIssuerConfigLister interface.
 type credentialIssuerConfigLister struct {
 	indexer cache.Indexer
 }
 // NewCredentialIssuerConfigLister returns a new CredentialIssuerConfigLister.
 func NewCredentialIssuerConfigLister(indexer cache.Indexer) CredentialIssuerConfigLister {
 	return &credentialIssuerConfigLister{indexer: indexer}
 }
 // List lists all CredentialIssuerConfigs in the indexer.
 func (s *credentialIssuerConfigLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuerConfig))
 	})
 	return ret, err
 }
 // CredentialIssuerConfigs returns an object that can list and get CredentialIssuerConfigs.
 func (s *credentialIssuerConfigLister) CredentialIssuerConfigs(namespace string) CredentialIssuerConfigNamespaceLister {
 	return credentialIssuerConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // CredentialIssuerConfigNamespaceLister helps list and get CredentialIssuerConfigs.
 // All objects returned here must be treated as read-only.
 type CredentialIssuerConfigNamespaceLister interface {
 	// List lists all CredentialIssuerConfigs in the indexer for a given namespace.
 	// Objects returned here must be treated as read-only.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error)
 	// Get retrieves the CredentialIssuerConfig from the indexer for a given namespace and name.
 	// Objects returned here must be treated as read-only.
 	Get(name string) (*v1alpha1.CredentialIssuerConfig, error)
 	CredentialIssuerConfigNamespaceListerExpansion
 }
 // credentialIssuerConfigNamespaceLister implements the CredentialIssuerConfigNamespaceLister
 // interface.
 type credentialIssuerConfigNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all CredentialIssuerConfigs in the indexer for a given namespace.
 func (s credentialIssuerConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuerConfig))
 	})
 	return ret, err
 }
 // Get retrieves the CredentialIssuerConfig from the indexer for a given namespace and name.
 func (s credentialIssuerConfigNamespaceLister) Get(name string) (*v1alpha1.CredentialIssuerConfig, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("credentialissuerconfig"), name)
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), nil
 }
--- a/generated/1.19/client/concierge/listers/config/v1alpha1/expansion_generated.go
+++ b/generated/1.19/client/concierge/listers/config/v1alpha1/expansion_generated.go
@ -5,10 +5,10 @@
 package v1alpha1
-// CredentialIssuerConfigListerExpansion allows custom methods to be added to
+// CredentialIssuerListerExpansion allows custom methods to be added to
-// CredentialIssuerConfigLister.
+// CredentialIssuerLister.
-type CredentialIssuerConfigListerExpansion interface{}
+type CredentialIssuerListerExpansion interface{}
-// CredentialIssuerConfigNamespaceListerExpansion allows custom methods to be added to
+// CredentialIssuerNamespaceListerExpansion allows custom methods to be added to
-// CredentialIssuerConfigNamespaceLister.
+// CredentialIssuerNamespaceLister.
-type CredentialIssuerConfigNamespaceListerExpansion interface{}
+type CredentialIssuerNamespaceListerExpansion interface{}
--- a/generated/1.19/client/concierge/openapi/zz_generated.openapi.go
+++ b/generated/1.19/client/concierge/openapi/zz_generated.openapi.go
@ -17,74 +17,74 @@ import (
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.Condition":                    schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.Condition":                  schema_apis_concierge_authentication_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.TLSSpec":                      schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.TLSSpec":                    schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":         schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":       schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":     schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":     schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus": schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfig":               schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuer":                   schema_apis_concierge_config_v1alpha1_CredentialIssuer(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo": schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo":     schema_apis_concierge_config_v1alpha1_CredentialIssuerKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfigList":           schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerList":               schema_apis_concierge_config_v1alpha1_CredentialIssuerList(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus":         schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerStatus":             schema_apis_concierge_config_v1alpha1_CredentialIssuerStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerStrategy":           schema_apis_concierge_config_v1alpha1_CredentialIssuerStrategy(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.ClusterCredential":                     schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.ClusterCredential":                   schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequest":                schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequest":              schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestList":            schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestList":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":            schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":        schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                      schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                    schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                  schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                   schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                 schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                               schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                             schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                   schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                 schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                                     schema_pkg_apis_meta_v1_Condition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                                   schema_pkg_apis_meta_v1_Condition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                 schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                               schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                 schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                               schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                      schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                    schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                 schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                               schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                      schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                    schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                    schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                  schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                     schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                   schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                 schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                               schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                  schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                      schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                    schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                              schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                            schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                          schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                        schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                 schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                               schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                 schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                               schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                      schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                    schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                          schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                        schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                      schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                    schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                   schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                 schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                            schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                          schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                     schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                   schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                    schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                  schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                              schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                         schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                       schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                     schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                   schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                         schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                       schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                  schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                 schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                               schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                     schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                   schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                     schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                   schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                        schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                      schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                   schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                 schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                 schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                               schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                         schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                       schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                         schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                       schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                  schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                      schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                    schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                             schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                           schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                          schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                        schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                     schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                   schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                      schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                    schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                 schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                               schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                    schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                  schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                       schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                     schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                           schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                         schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                            schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                          schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                               schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                             schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
@ -326,7 +326,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(re
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuer(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -354,7 +354,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.Ref
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the credential issuer.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerStatus"),
 						},
 					},
 				},
@ -362,11 +362,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerKubeConfigInfo(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -394,7 +394,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -425,7 +425,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfig"),
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuer"),
 									},
 								},
 							},
@ -436,11 +436,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuer", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -454,7 +454,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy"),
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerStrategy"),
 									},
 								},
 							},
@ -463,7 +463,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 					"kubeConfigInfo": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo"),
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo"),
 						},
 					},
 				},
@ -471,11 +471,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo", "go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo", "go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1.CredentialIssuerStrategy"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStrategy(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerStrategy(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
--- a/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
+++ b/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
@ -6,16 +6,14 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
-  name: credentialissuerconfigs.config.concierge.pinniped.dev
+  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
  names:
-    kind: CredentialIssuerConfig
+    kind: CredentialIssuer
-    listKind: CredentialIssuerConfigList
+    listKind: CredentialIssuerList
-    plural: credentialissuerconfigs
+    plural: credentialissuers
-    shortNames:
+    singular: credentialissuer
    - cic
    singular: credentialissuerconfig
  scope: Namespaced
  versions:
  - name: v1alpha1
--- a/hack/lib/tilt/Tiltfile
+++ b/hack/lib/tilt/Tiltfile
@ -169,7 +169,7 @@ k8s_resource(
        'pinniped-concierge-kube-system-pod-read:rolebinding',
        'pinniped-concierge:clusterrolebinding',
        'pinniped-concierge:serviceaccount',
-        'credentialissuerconfigs.config.concierge.pinniped.dev:customresourcedefinition',
+        'credentialissuers.config.concierge.pinniped.dev:customresourcedefinition',
        'webhookauthenticators.authentication.concierge.pinniped.dev:customresourcedefinition',
        'v1alpha1.login.concierge.pinniped.dev:apiservice',
    ],
--- a/internal/config/concierge/config.go
+++ b/internal/config/concierge/config.go
@ -79,13 +79,13 @@ func maybeSetKubeCertAgentDefaults(cfg *KubeCertAgentSpec) {
 func validateNames(names *NamesConfigSpec) error {
 	missingNames := []string{}
 	if names == nil {
-		missingNames = append(missingNames, "servingCertificateSecret", "credentialIssuerConfig", "apiService")
+		missingNames = append(missingNames, "servingCertificateSecret", "credentialIssuer", "apiService")
 	} else {
 		if names.ServingCertificateSecret == "" {
 			missingNames = append(missingNames, "servingCertificateSecret")
 		}
-		if names.CredentialIssuerConfig == "" {
+		if names.CredentialIssuer == "" {
-			missingNames = append(missingNames, "credentialIssuerConfig")
+			missingNames = append(missingNames, "credentialIssuer")
 		}
 		if names.APIService == "" {
 			missingNames = append(missingNames, "apiService")
--- a/internal/config/concierge/config_test.go
+++ b/internal/config/concierge/config_test.go
@ -32,7 +32,7 @@ func TestFromPath(t *testing.T) {
 					renewBeforeSeconds: 2400
 				names:
 				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
-				  credentialIssuerConfig: pinniped-config
+				  credentialIssuer: pinniped-config
 				  apiService: pinniped-api
 				  kubeCertAgentPrefix: kube-cert-agent-prefix
 				labels:
@ -55,7 +55,7 @@ func TestFromPath(t *testing.T) {
 				},
 				NamesConfig: NamesConfigSpec{
 					ServingCertificateSecret: "pinniped-concierge-api-tls-serving-certificate",
-					CredentialIssuerConfig:   "pinniped-config",
+					CredentialIssuer:         "pinniped-config",
 					APIService:               "pinniped-api",
 				},
 				Labels: map[string]string{
@ -75,7 +75,7 @@ func TestFromPath(t *testing.T) {
 				---
 				names:
 				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
-				  credentialIssuerConfig: pinniped-config
+				  credentialIssuer: pinniped-config
 				  apiService: pinniped-api
 			`),
 			wantConfig: &Config{
@ -90,7 +90,7 @@ func TestFromPath(t *testing.T) {
 				},
 				NamesConfig: NamesConfigSpec{
 					ServingCertificateSecret: "pinniped-concierge-api-tls-serving-certificate",
-					CredentialIssuerConfig:   "pinniped-config",
+					CredentialIssuer:         "pinniped-config",
 					APIService:               "pinniped-api",
 				},
 				Labels: map[string]string{},
@ -103,7 +103,7 @@ func TestFromPath(t *testing.T) {
 		{
 			name:      "Empty",
 			yaml:      here.Doc(``),
-			wantError: "validate names: missing required names: servingCertificateSecret, credentialIssuerConfig, apiService",
+			wantError: "validate names: missing required names: servingCertificateSecret, credentialIssuer, apiService",
 		},
 		{
 			name: "Missing apiService name",
@ -111,26 +111,26 @@ func TestFromPath(t *testing.T) {
 				---
 				names:
 				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
-				  credentialIssuerConfig: pinniped-config
+				  credentialIssuer: pinniped-config
 			`),
 			wantError: "validate names: missing required names: apiService",
 		},
 		{
-			name: "Missing credentialIssuerConfig name",
+			name: "Missing credentialIssuer name",
 			yaml: here.Doc(`
 				---
 				names:
 				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
 				  apiService: pinniped-api
 			`),
-			wantError: "validate names: missing required names: credentialIssuerConfig",
+			wantError: "validate names: missing required names: credentialIssuer",
 		},
 		{
 			name: "Missing servingCertificateSecret name",
 			yaml: here.Doc(`
 				---
 				names:
-				  credentialIssuerConfig: pinniped-config
+				  credentialIssuer: pinniped-config
 				  apiService: pinniped-api
 			`),
 			wantError: "validate names: missing required names: servingCertificateSecret",
@ -145,7 +145,7 @@ func TestFromPath(t *testing.T) {
 					renewBeforeSeconds: 3600
 				names:
 				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
-				  credentialIssuerConfig: pinniped-config
+				  credentialIssuer: pinniped-config
 				  apiService: pinniped-api
 			`),
 			wantError: "validate api: durationSeconds cannot be smaller than renewBeforeSeconds",
@ -160,7 +160,7 @@ func TestFromPath(t *testing.T) {
 					renewBeforeSeconds: -10
 				names:
 				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
-				  credentialIssuerConfig: pinniped-config
+				  credentialIssuer: pinniped-config
 				  apiService: pinniped-api
 			`),
 			wantError: "validate api: renewBefore must be positive",
@ -175,7 +175,7 @@ func TestFromPath(t *testing.T) {
 					renewBeforeSeconds: -10
 				names:
 				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
-				  credentialIssuerConfig: pinniped-config
+				  credentialIssuer: pinniped-config
 				  apiService: pinniped-api
 			`),
 			wantError: "validate api: renewBefore must be positive",
--- a/internal/config/concierge/types.go
+++ b/internal/config/concierge/types.go
@ -30,7 +30,7 @@ type APIConfigSpec struct {
 // NamesConfigSpec configures the names of some Kubernetes resources for the Concierge.
 type NamesConfigSpec struct {
 	ServingCertificateSecret string `json:"servingCertificateSecret"`
-	CredentialIssuerConfig   string `json:"credentialIssuerConfig"`
+	CredentialIssuer         string `json:"credentialIssuer"`
 	APIService               string `json:"apiService"`
 }
--- a/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go
+++ b/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go
@ -17,48 +17,48 @@ import (
 	pinnipedclientset "go.pinniped.dev/generated/1.19/client/concierge/clientset/versioned"
 )
-func CreateOrUpdateCredentialIssuerConfig(
+func CreateOrUpdateCredentialIssuer(
 	ctx context.Context,
-	credentialIssuerConfigNamespace string,
+	credentialIssuerNamespace string,
-	credentialIssuerConfigResourceName string,
+	credentialIssuerResourceName string,
-	credentialIssuerConfigLabels map[string]string,
+	credentialIssuerLabels map[string]string,
 	pinnipedClient pinnipedclientset.Interface,
-	applyUpdatesToCredentialIssuerConfigFunc func(configToUpdate *configv1alpha1.CredentialIssuerConfig),
+	applyUpdatesToCredentialIssuerFunc func(configToUpdate *configv1alpha1.CredentialIssuer),
 ) error {
 	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
-		existingCredentialIssuerConfig, err := pinnipedClient.
+		existingCredentialIssuer, err := pinnipedClient.
 			ConfigV1alpha1().
-			CredentialIssuerConfigs(credentialIssuerConfigNamespace).
+			CredentialIssuers(credentialIssuerNamespace).
-			Get(ctx, credentialIssuerConfigResourceName, metav1.GetOptions{})
+			Get(ctx, credentialIssuerResourceName, metav1.GetOptions{})
 		notFound := k8serrors.IsNotFound(err)
 		if err != nil && !notFound {
 			return fmt.Errorf("get failed: %w", err)
 		}
-		credentialIssuerConfigsClient := pinnipedClient.ConfigV1alpha1().CredentialIssuerConfigs(credentialIssuerConfigNamespace)
+		credentialIssuersClient := pinnipedClient.ConfigV1alpha1().CredentialIssuers(credentialIssuerNamespace)
 		if notFound {
 			// Create it
-			credentialIssuerConfig := minimalValidCredentialIssuerConfig(
+			credentialIssuer := minimalValidCredentialIssuer(
-				credentialIssuerConfigResourceName, credentialIssuerConfigNamespace, credentialIssuerConfigLabels,
+				credentialIssuerResourceName, credentialIssuerNamespace, credentialIssuerLabels,
 			)
-			applyUpdatesToCredentialIssuerConfigFunc(credentialIssuerConfig)
+			applyUpdatesToCredentialIssuerFunc(credentialIssuer)
-			if _, err := credentialIssuerConfigsClient.Create(ctx, credentialIssuerConfig, metav1.CreateOptions{}); err != nil {
+			if _, err := credentialIssuersClient.Create(ctx, credentialIssuer, metav1.CreateOptions{}); err != nil {
 				return fmt.Errorf("create failed: %w", err)
 			}
 		} else {
 			// Already exists, so check to see if we need to update it
-			credentialIssuerConfig := existingCredentialIssuerConfig.DeepCopy()
+			credentialIssuer := existingCredentialIssuer.DeepCopy()
-			applyUpdatesToCredentialIssuerConfigFunc(credentialIssuerConfig)
+			applyUpdatesToCredentialIssuerFunc(credentialIssuer)
-			if equality.Semantic.DeepEqual(existingCredentialIssuerConfig, credentialIssuerConfig) {
+			if equality.Semantic.DeepEqual(existingCredentialIssuer, credentialIssuer) {
 				// Nothing interesting would change as a result of this update, so skip it
 				return nil
 			}
-			if _, err := credentialIssuerConfigsClient.Update(ctx, credentialIssuerConfig, metav1.UpdateOptions{}); err != nil {
+			if _, err := credentialIssuersClient.Update(ctx, credentialIssuer, metav1.UpdateOptions{}); err != nil {
 				return err
 			}
 		}
@ -66,25 +66,25 @@ func CreateOrUpdateCredentialIssuerConfig(
 	})
 	if err != nil {
-		return fmt.Errorf("could not create or update credentialissuerconfig: %w", err)
+		return fmt.Errorf("could not create or update credentialissuer: %w", err)
 	}
 	return nil
 }
-func minimalValidCredentialIssuerConfig(
+func minimalValidCredentialIssuer(
-	credentialIssuerConfigName string,
+	credentialIssuerName string,
-	credentialIssuerConfigNamespace string,
+	credentialIssuerNamespace string,
-	credentialIssuerConfigLabels map[string]string,
+	credentialIssuerLabels map[string]string,
-) *configv1alpha1.CredentialIssuerConfig {
+) *configv1alpha1.CredentialIssuer {
-	return &configv1alpha1.CredentialIssuerConfig{
+	return &configv1alpha1.CredentialIssuer{
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      credentialIssuerConfigName,
+			Name:      credentialIssuerName,
-			Namespace: credentialIssuerConfigNamespace,
+			Namespace: credentialIssuerNamespace,
-			Labels:    credentialIssuerConfigLabels,
+			Labels:    credentialIssuerLabels,
 		},
-		Status: configv1alpha1.CredentialIssuerConfigStatus{
+		Status: configv1alpha1.CredentialIssuerStatus{
-			Strategies:     []configv1alpha1.CredentialIssuerConfigStrategy{},
+			Strategies:     []configv1alpha1.CredentialIssuerStrategy{},
 			KubeConfigInfo: nil,
 		},
 	}
--- a/internal/controller/issuerconfig/create_or_update_credential_issuer_config_test.go
+++ b/internal/controller/issuerconfig/create_or_update_credential_issuer_config_test.go
@ -23,63 +23,63 @@ import (
 	pinnipedfake "go.pinniped.dev/generated/1.19/client/concierge/clientset/versioned/fake"
 )
-func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
+func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 	spec.Run(t, "specs", func(t *testing.T, when spec.G, it spec.S) {
 		var r *require.Assertions
 		var ctx context.Context
 		var pinnipedAPIClient *pinnipedfake.Clientset
-		var credentialIssuerConfigGVR schema.GroupVersionResource
+		var credentialIssuerGVR schema.GroupVersionResource
 		const installationNamespace = "some-namespace"
-		const credentialIssuerConfigResourceName = "some-resource-name"
+		const credentialIssuerResourceName = "some-resource-name"
 		it.Before(func() {
 			r = require.New(t)
 			ctx = context.Background()
 			pinnipedAPIClient = pinnipedfake.NewSimpleClientset()
-			credentialIssuerConfigGVR = schema.GroupVersionResource{
+			credentialIssuerGVR = schema.GroupVersionResource{
 				Group:    configv1alpha1.GroupName,
 				Version:  configv1alpha1.SchemeGroupVersion.Version,
-				Resource: "credentialissuerconfigs",
+				Resource: "credentialissuers",
 			}
 		})
 		when("the config does not exist", func() {
 			it("creates a new config which includes only the updates made by the func parameter", func() {
-				err := CreateOrUpdateCredentialIssuerConfig(
+				err := CreateOrUpdateCredentialIssuer(
 					ctx,
 					installationNamespace,
-					credentialIssuerConfigResourceName,
+					credentialIssuerResourceName,
 					map[string]string{
 						"myLabelKey1": "myLabelValue1",
 						"myLabelKey2": "myLabelValue2",
 					},
 					pinnipedAPIClient,
-					func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {
+					func(configToUpdate *configv1alpha1.CredentialIssuer) {
-						configToUpdate.Status.KubeConfigInfo = &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
+						configToUpdate.Status.KubeConfigInfo = &configv1alpha1.CredentialIssuerKubeConfigInfo{
 							CertificateAuthorityData: "some-ca-value",
 						}
 					},
 				)
 				r.NoError(err)
-				expectedGetAction := coretesting.NewGetAction(credentialIssuerConfigGVR, installationNamespace, credentialIssuerConfigResourceName)
+				expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName)
 				expectedCreateAction := coretesting.NewCreateAction(
-					credentialIssuerConfigGVR,
+					credentialIssuerGVR,
 					installationNamespace,
-					&configv1alpha1.CredentialIssuerConfig{
+					&configv1alpha1.CredentialIssuer{
 						TypeMeta: metav1.TypeMeta{},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      credentialIssuerConfigResourceName,
+							Name:      credentialIssuerResourceName,
 							Namespace: installationNamespace,
 							Labels: map[string]string{
 								"myLabelKey1": "myLabelValue1",
 								"myLabelKey2": "myLabelValue2",
 							},
 						},
-						Status: configv1alpha1.CredentialIssuerConfigStatus{
+						Status: configv1alpha1.CredentialIssuerStatus{
-							Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{},
+							Strategies: []configv1alpha1.CredentialIssuerStrategy{},
-							KubeConfigInfo: &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
+							KubeConfigInfo: &configv1alpha1.CredentialIssuerKubeConfigInfo{
 								Server:                   "",
 								CertificateAuthorityData: "some-ca-value",
 							},
@ -92,40 +92,40 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
 			when("there is an unexpected error while creating the existing object", func() {
 				it.Before(func() {
-					pinnipedAPIClient.PrependReactor("create", "credentialissuerconfigs", func(_ coretesting.Action) (bool, runtime.Object, error) {
+					pinnipedAPIClient.PrependReactor("create", "credentialissuers", func(_ coretesting.Action) (bool, runtime.Object, error) {
 						return true, nil, fmt.Errorf("error on create")
 					})
 				})
 				it("returns an error", func() {
-					err := CreateOrUpdateCredentialIssuerConfig(
+					err := CreateOrUpdateCredentialIssuer(
 						ctx,
 						installationNamespace,
-						credentialIssuerConfigResourceName,
+						credentialIssuerResourceName,
 						map[string]string{},
 						pinnipedAPIClient,
-						func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {},
+						func(configToUpdate *configv1alpha1.CredentialIssuer) {},
 					)
-					r.EqualError(err, "could not create or update credentialissuerconfig: create failed: error on create")
+					r.EqualError(err, "could not create or update credentialissuer: create failed: error on create")
 				})
 			})
 		})
 		when("the config already exists", func() {
-			var existingConfig *configv1alpha1.CredentialIssuerConfig
+			var existingConfig *configv1alpha1.CredentialIssuer
 			it.Before(func() {
-				existingConfig = &configv1alpha1.CredentialIssuerConfig{
+				existingConfig = &configv1alpha1.CredentialIssuer{
 					TypeMeta: metav1.TypeMeta{},
 					ObjectMeta: metav1.ObjectMeta{
-						Name:      credentialIssuerConfigResourceName,
+						Name:      credentialIssuerResourceName,
 						Namespace: installationNamespace,
 						Labels: map[string]string{
 							"myLabelKey1": "myLabelValue1",
 						},
 					},
-					Status: configv1alpha1.CredentialIssuerConfigStatus{
+					Status: configv1alpha1.CredentialIssuerStatus{
-						Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{
+						Strategies: []configv1alpha1.CredentialIssuerStrategy{
 							{
 								Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 								Status:         configv1alpha1.SuccessStrategyStatus,
@ -134,7 +134,7 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
 								LastUpdateTime: metav1.Now(),
 							},
 						},
-						KubeConfigInfo: &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
+						KubeConfigInfo: &configv1alpha1.CredentialIssuerKubeConfigInfo{
 							Server:                   "initial-server-value",
 							CertificateAuthorityData: "initial-ca-value",
 						},
@ -144,39 +144,39 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
 			})
 			it("updates the existing config to only apply the updates made by the func parameter", func() {
-				err := CreateOrUpdateCredentialIssuerConfig(
+				err := CreateOrUpdateCredentialIssuer(
 					ctx,
 					installationNamespace,
-					credentialIssuerConfigResourceName,
+					credentialIssuerResourceName,
 					map[string]string{
 						"myLabelKey1": "myLabelValue1",
 						"myLabelKey2": "myLabelValue2",
 					},
 					pinnipedAPIClient,
-					func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {
+					func(configToUpdate *configv1alpha1.CredentialIssuer) {
 						configToUpdate.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
 					},
 				)
 				r.NoError(err)
-				expectedGetAction := coretesting.NewGetAction(credentialIssuerConfigGVR, installationNamespace, credentialIssuerConfigResourceName)
+				expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName)
 				// Only the edited field should be changed.
 				expectedUpdatedConfig := existingConfig.DeepCopy()
 				expectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
-				expectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerConfigGVR, installationNamespace, expectedUpdatedConfig)
+				expectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerGVR, installationNamespace, expectedUpdatedConfig)
 				r.Equal([]coretesting.Action{expectedGetAction, expectedUpdateAction}, pinnipedAPIClient.Actions())
 			})
 			it("avoids the cost of an update if the local updates made by the func parameter did not actually change anything", func() {
-				err := CreateOrUpdateCredentialIssuerConfig(
+				err := CreateOrUpdateCredentialIssuer(
 					ctx,
 					installationNamespace,
-					credentialIssuerConfigResourceName,
+					credentialIssuerResourceName,
 					map[string]string{},
 					pinnipedAPIClient,
-					func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {
+					func(configToUpdate *configv1alpha1.CredentialIssuer) {
 						configToUpdate.Status.KubeConfigInfo.CertificateAuthorityData = "initial-ca-value"
 						t := configToUpdate.Status.Strategies[0].LastUpdateTime
@ -187,70 +187,70 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
 				)
 				r.NoError(err)
-				expectedGetAction := coretesting.NewGetAction(credentialIssuerConfigGVR, installationNamespace, credentialIssuerConfigResourceName)
+				expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName)
 				r.Equal([]coretesting.Action{expectedGetAction}, pinnipedAPIClient.Actions())
 			})
 			when("there is an unexpected error while getting the existing object", func() {
 				it.Before(func() {
-					pinnipedAPIClient.PrependReactor("get", "credentialissuerconfigs", func(_ coretesting.Action) (bool, runtime.Object, error) {
+					pinnipedAPIClient.PrependReactor("get", "credentialissuers", func(_ coretesting.Action) (bool, runtime.Object, error) {
 						return true, nil, fmt.Errorf("error on get")
 					})
 				})
 				it("returns an error", func() {
-					err := CreateOrUpdateCredentialIssuerConfig(
+					err := CreateOrUpdateCredentialIssuer(
 						ctx,
 						installationNamespace,
-						credentialIssuerConfigResourceName,
+						credentialIssuerResourceName,
 						map[string]string{},
 						pinnipedAPIClient,
-						func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {},
+						func(configToUpdate *configv1alpha1.CredentialIssuer) {},
 					)
-					r.EqualError(err, "could not create or update credentialissuerconfig: get failed: error on get")
+					r.EqualError(err, "could not create or update credentialissuer: get failed: error on get")
 				})
 			})
 			when("there is an unexpected error while updating the existing object", func() {
 				it.Before(func() {
-					pinnipedAPIClient.PrependReactor("update", "credentialissuerconfigs", func(_ coretesting.Action) (bool, runtime.Object, error) {
+					pinnipedAPIClient.PrependReactor("update", "credentialissuers", func(_ coretesting.Action) (bool, runtime.Object, error) {
 						return true, nil, fmt.Errorf("error on update")
 					})
 				})
 				it("returns an error", func() {
-					err := CreateOrUpdateCredentialIssuerConfig(
+					err := CreateOrUpdateCredentialIssuer(
 						ctx,
 						installationNamespace,
-						credentialIssuerConfigResourceName,
+						credentialIssuerResourceName,
 						map[string]string{},
 						pinnipedAPIClient,
-						func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {
+						func(configToUpdate *configv1alpha1.CredentialIssuer) {
 							configToUpdate.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
 						},
 					)
-					r.EqualError(err, "could not create or update credentialissuerconfig: error on update")
+					r.EqualError(err, "could not create or update credentialissuer: error on update")
 				})
 			})
 			when("there is a conflict error while updating the existing object on the first try and the next try succeeds", func() {
-				var slightlyDifferentExistingConfig *configv1alpha1.CredentialIssuerConfig
+				var slightlyDifferentExistingConfig *configv1alpha1.CredentialIssuer
 				it.Before(func() {
 					hit := false
 					slightlyDifferentExistingConfig = existingConfig.DeepCopy()
 					slightlyDifferentExistingConfig.Status.KubeConfigInfo.Server = "some-other-server-value-from-conflicting-update"
-					pinnipedAPIClient.PrependReactor("update", "credentialissuerconfigs", func(_ coretesting.Action) (bool, runtime.Object, error) {
+					pinnipedAPIClient.PrependReactor("update", "credentialissuers", func(_ coretesting.Action) (bool, runtime.Object, error) {
 						// Return an error on the first call, then fall through to the default (successful) response.
 						if !hit {
 							// Before the update fails, also change the object that will be returned by the next Get(),
 							// to make sure that the production code does a fresh Get() after detecting a conflict.
-							r.NoError(pinnipedAPIClient.Tracker().Update(credentialIssuerConfigGVR, slightlyDifferentExistingConfig, installationNamespace))
+							r.NoError(pinnipedAPIClient.Tracker().Update(credentialIssuerGVR, slightlyDifferentExistingConfig, installationNamespace))
 							hit = true
 							return true, nil, apierrors.NewConflict(schema.GroupResource{
 								Group:    apiregistrationv1.GroupName,
-								Resource: "credentialissuerconfigs",
+								Resource: "credentialissuers",
 							}, "alphav1.pinniped.dev", fmt.Errorf("there was a conflict"))
 						}
 						return false, nil, nil
@ -258,33 +258,33 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
 				})
 				it("retries updates on conflict", func() {
-					err := CreateOrUpdateCredentialIssuerConfig(
+					err := CreateOrUpdateCredentialIssuer(
 						ctx,
 						installationNamespace,
-						credentialIssuerConfigResourceName,
+						credentialIssuerResourceName,
 						map[string]string{
 							"myLabelKey1": "myLabelValue1",
 							"myLabelKey2": "myLabelValue2",
 						},
 						pinnipedAPIClient,
-						func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {
+						func(configToUpdate *configv1alpha1.CredentialIssuer) {
 							configToUpdate.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
 						},
 					)
 					r.NoError(err)
-					expectedGetAction := coretesting.NewGetAction(credentialIssuerConfigGVR, installationNamespace, credentialIssuerConfigResourceName)
+					expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName)
 					// The first attempted update only includes its own edits.
 					firstExpectedUpdatedConfig := existingConfig.DeepCopy()
 					firstExpectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
-					firstExpectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerConfigGVR, installationNamespace, firstExpectedUpdatedConfig)
+					firstExpectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerGVR, installationNamespace, firstExpectedUpdatedConfig)
 					// Both the edits made by this update and the edits made by the conflicting update should be included.
 					secondExpectedUpdatedConfig := existingConfig.DeepCopy()
 					secondExpectedUpdatedConfig.Status.KubeConfigInfo.Server = "some-other-server-value-from-conflicting-update"
 					secondExpectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
-					secondExpectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerConfigGVR, installationNamespace, secondExpectedUpdatedConfig)
+					secondExpectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerGVR, installationNamespace, secondExpectedUpdatedConfig)
 					expectedActions := []coretesting.Action{
 						expectedGetAction,
--- a/internal/controller/issuerconfig/doc.go
+++ b/internal/controller/issuerconfig/doc.go
@ -1,5 +1,5 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-// Package issuerconfig contains controller(s) for reconciling CredentialIssuerConfig's.
+// Package issuerconfig contains controller(s) for reconciling CredentialIssuer's.
 package issuerconfig
--- a/internal/controller/issuerconfig/kube_config_info_publisher.go
+++ b/internal/controller/issuerconfig/kube_config_info_publisher.go
@ -25,21 +25,21 @@ const (
 )
 type kubeConigInfoPublisherController struct {
-	credentialIssuerConfigNamespaceName string
+	credentialIssuerNamespaceName string
-	credentialIssuerConfigResourceName  string
+	credentialIssuerResourceName  string
-	credentialIssuerConfigLabels        map[string]string
+	credentialIssuerLabels        map[string]string
-	serverOverride                      *string
+	serverOverride                *string
-	pinnipedClient                      pinnipedclientset.Interface
+	pinnipedClient                pinnipedclientset.Interface
-	configMapInformer                   corev1informers.ConfigMapInformer
+	configMapInformer             corev1informers.ConfigMapInformer
 }
 // NewKubeConfigInfoPublisherController returns a controller that syncs the
-// configv1alpha1.CredentialIssuerConfig.Status.KubeConfigInfo field with the cluster-info ConfigMap
+// configv1alpha1.CredentialIssuer.Status.KubeConfigInfo field with the cluster-info ConfigMap
 // in the kube-public namespace.
 func NewKubeConfigInfoPublisherController(
-	credentialIssuerConfigNamespaceName string,
+	credentialIssuerNamespaceName string,
-	credentialIssuerConfigResourceName string,
+	credentialIssuerResourceName string,
-	credentialIssuerConfigLabels map[string]string,
+	credentialIssuerLabels map[string]string,
 	serverOverride *string,
 	pinnipedClient pinnipedclientset.Interface,
 	configMapInformer corev1informers.ConfigMapInformer,
@ -49,12 +49,12 @@ func NewKubeConfigInfoPublisherController(
 		controllerlib.Config{
 			Name: "publisher-controller",
 			Syncer: &kubeConigInfoPublisherController{
-				credentialIssuerConfigResourceName:  credentialIssuerConfigResourceName,
+				credentialIssuerResourceName:  credentialIssuerResourceName,
-				credentialIssuerConfigNamespaceName: credentialIssuerConfigNamespaceName,
+				credentialIssuerNamespaceName: credentialIssuerNamespaceName,
-				credentialIssuerConfigLabels:        credentialIssuerConfigLabels,
+				credentialIssuerLabels:        credentialIssuerLabels,
-				serverOverride:                      serverOverride,
+				serverOverride:                serverOverride,
-				pinnipedClient:                      pinnipedClient,
+				pinnipedClient:                pinnipedClient,
-				configMapInformer:                   configMapInformer,
+				configMapInformer:             configMapInformer,
 			},
 		},
 		withInformer(
@ -106,18 +106,18 @@ func (c *kubeConigInfoPublisherController) Sync(ctx controllerlib.Context) error
 		server = *c.serverOverride
 	}
-	updateServerAndCAFunc := func(c *configv1alpha1.CredentialIssuerConfig) {
+	updateServerAndCAFunc := func(c *configv1alpha1.CredentialIssuer) {
-		c.Status.KubeConfigInfo = &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
+		c.Status.KubeConfigInfo = &configv1alpha1.CredentialIssuerKubeConfigInfo{
 			Server:                   server,
 			CertificateAuthorityData: certificateAuthorityData,
 		}
 	}
-	return CreateOrUpdateCredentialIssuerConfig(
+	return CreateOrUpdateCredentialIssuer(
 		ctx.Context,
-		c.credentialIssuerConfigNamespaceName,
+		c.credentialIssuerNamespaceName,
-		c.credentialIssuerConfigResourceName,
+		c.credentialIssuerResourceName,
-		c.credentialIssuerConfigLabels,
+		c.credentialIssuerLabels,
 		c.pinnipedClient,
 		updateServerAndCAFunc,
 	)
--- a/internal/controller/issuerconfig/kube_config_info_publisher_test.go
+++ b/internal/controller/issuerconfig/kube_config_info_publisher_test.go
@ -29,7 +29,7 @@ import (
 func TestInformerFilters(t *testing.T) {
 	spec.Run(t, "informer filters", func(t *testing.T, when spec.G, it spec.S) {
-		const credentialIssuerConfigResourceName = "some-resource-name"
+		const credentialIssuerResourceName = "some-resource-name"
 		const installedInNamespace = "some-namespace"
 		var r *require.Assertions
@ -42,7 +42,7 @@ func TestInformerFilters(t *testing.T) {
 			configMapInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().ConfigMaps()
 			_ = NewKubeConfigInfoPublisherController(
 				installedInNamespace,
-				credentialIssuerConfigResourceName,
+				credentialIssuerResourceName,
 				map[string]string{},
 				nil,
 				nil,
@ -104,7 +104,7 @@ func TestInformerFilters(t *testing.T) {
 func TestSync(t *testing.T) {
 	spec.Run(t, "Sync", func(t *testing.T, when spec.G, it spec.S) {
-		const credentialIssuerConfigResourceName = "some-resource-name"
+		const credentialIssuerResourceName = "some-resource-name"
 		const installedInNamespace = "some-namespace"
 		var r *require.Assertions
@ -118,30 +118,30 @@ func TestSync(t *testing.T) {
 		var timeoutContextCancel context.CancelFunc
 		var syncContext *controllerlib.Context
-		var expectedCredentialIssuerConfig = func(expectedNamespace, expectedServerURL, expectedCAData string) (schema.GroupVersionResource, *configv1alpha1.CredentialIssuerConfig) {
+		var expectedCredentialIssuer = func(expectedNamespace, expectedServerURL, expectedCAData string) (schema.GroupVersionResource, *configv1alpha1.CredentialIssuer) {
-			expectedCredentialIssuerConfigGVR := schema.GroupVersionResource{
+			expectedCredentialIssuerGVR := schema.GroupVersionResource{
 				Group:    configv1alpha1.GroupName,
 				Version:  "v1alpha1",
-				Resource: "credentialissuerconfigs",
+				Resource: "credentialissuers",
 			}
-			expectedCredentialIssuerConfig := &configv1alpha1.CredentialIssuerConfig{
+			expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      credentialIssuerConfigResourceName,
+					Name:      credentialIssuerResourceName,
 					Namespace: expectedNamespace,
 					Labels: map[string]string{
 						"myLabelKey1": "myLabelValue1",
 						"myLabelKey2": "myLabelValue2",
 					},
 				},
-				Status: configv1alpha1.CredentialIssuerConfigStatus{
+				Status: configv1alpha1.CredentialIssuerStatus{
-					Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{},
+					Strategies: []configv1alpha1.CredentialIssuerStrategy{},
-					KubeConfigInfo: &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
+					KubeConfigInfo: &configv1alpha1.CredentialIssuerKubeConfigInfo{
 						Server:                   expectedServerURL,
 						CertificateAuthorityData: expectedCAData,
 					},
 				},
 			}
-			return expectedCredentialIssuerConfigGVR, expectedCredentialIssuerConfig
+			return expectedCredentialIssuerGVR, expectedCredentialIssuer
 		}
 		// Defer starting the informers until the last possible moment so that the
@ -150,7 +150,7 @@ func TestSync(t *testing.T) {
 			// Set this at the last second to allow for injection of server override.
 			subject = NewKubeConfigInfoPublisherController(
 				installedInNamespace,
-				credentialIssuerConfigResourceName,
+				credentialIssuerResourceName,
 				map[string]string{
 					"myLabelKey1": "myLabelValue1",
 					"myLabelKey2": "myLabelValue2",
@ -216,13 +216,13 @@ func TestSync(t *testing.T) {
 					r.NoError(err)
 				})
-				when("the CredentialIssuerConfig does not already exist", func() {
+				when("the CredentialIssuer does not already exist", func() {
-					it("creates a CredentialIssuerConfig", func() {
+					it("creates a CredentialIssuer", func() {
 						startInformersAndController()
 						err := controllerlib.TestSync(t, subject, *syncContext)
 						r.NoError(err)
-						expectedCredentialIssuerConfigGVR, expectedCredentialIssuerConfig := expectedCredentialIssuerConfig(
+						expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer(
 							installedInNamespace,
 							kubeServerURL,
 							caData,
@ -230,22 +230,22 @@ func TestSync(t *testing.T) {
 						r.Equal(
 							[]coretesting.Action{
-								coretesting.NewGetAction(expectedCredentialIssuerConfigGVR, installedInNamespace, expectedCredentialIssuerConfig.Name),
+								coretesting.NewGetAction(expectedCredentialIssuerGVR, installedInNamespace, expectedCredentialIssuer.Name),
 								coretesting.NewCreateAction(
-									expectedCredentialIssuerConfigGVR,
+									expectedCredentialIssuerGVR,
 									installedInNamespace,
-									expectedCredentialIssuerConfig,
+									expectedCredentialIssuer,
 								),
 							},
 							pinnipedAPIClient.Actions(),
 						)
 					})
-					when("creating the CredentialIssuerConfig fails", func() {
+					when("creating the CredentialIssuer fails", func() {
 						it.Before(func() {
 							pinnipedAPIClient.PrependReactor(
 								"create",
-								"credentialissuerconfigs",
+								"credentialissuers",
 								func(_ coretesting.Action) (bool, runtime.Object, error) {
 									return true, nil, errors.New("create failed")
 								},
@ -255,7 +255,7 @@ func TestSync(t *testing.T) {
 						it("returns the create error", func() {
 							startInformersAndController()
 							err := controllerlib.TestSync(t, subject, *syncContext)
-							r.EqualError(err, "could not create or update credentialissuerconfig: create failed: create failed")
+							r.EqualError(err, "could not create or update credentialissuer: create failed: create failed")
 						})
 					})
@ -268,20 +268,20 @@ func TestSync(t *testing.T) {
 							err := controllerlib.TestSync(t, subject, *syncContext)
 							r.NoError(err)
-							expectedCredentialIssuerConfigGVR, expectedCredentialIssuerConfig := expectedCredentialIssuerConfig(
+							expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer(
 								installedInNamespace,
 								kubeServerURL,
 								caData,
 							)
-							expectedCredentialIssuerConfig.Status.KubeConfigInfo.Server = "https://some-server-override"
+							expectedCredentialIssuer.Status.KubeConfigInfo.Server = "https://some-server-override"
 							r.Equal(
 								[]coretesting.Action{
-									coretesting.NewGetAction(expectedCredentialIssuerConfigGVR, installedInNamespace, expectedCredentialIssuerConfig.Name),
+									coretesting.NewGetAction(expectedCredentialIssuerGVR, installedInNamespace, expectedCredentialIssuer.Name),
 									coretesting.NewCreateAction(
-										expectedCredentialIssuerConfigGVR,
+										expectedCredentialIssuerGVR,
 										installedInNamespace,
-										expectedCredentialIssuerConfig,
+										expectedCredentialIssuer,
 									),
 								},
 								pinnipedAPIClient.Actions(),
@ -290,72 +290,72 @@ func TestSync(t *testing.T) {
 					})
 				})
-				when("the CredentialIssuerConfig already exists", func() {
+				when("the CredentialIssuer already exists", func() {
-					when("the CredentialIssuerConfig is already up to date according to the data in the ConfigMap", func() {
+					when("the CredentialIssuer is already up to date according to the data in the ConfigMap", func() {
-						var credentialIssuerConfigGVR schema.GroupVersionResource
+						var credentialIssuerGVR schema.GroupVersionResource
-						var credentialIssuerConfig *configv1alpha1.CredentialIssuerConfig
+						var credentialIssuer *configv1alpha1.CredentialIssuer
 						it.Before(func() {
-							credentialIssuerConfigGVR, credentialIssuerConfig = expectedCredentialIssuerConfig(
+							credentialIssuerGVR, credentialIssuer = expectedCredentialIssuer(
 								installedInNamespace,
 								kubeServerURL,
 								caData,
 							)
-							err := pinnipedAPIClient.Tracker().Add(credentialIssuerConfig)
+							err := pinnipedAPIClient.Tracker().Add(credentialIssuer)
 							r.NoError(err)
 						})
-						it("does not update the CredentialIssuerConfig to avoid unnecessary etcd writes/api calls", func() {
+						it("does not update the CredentialIssuer to avoid unnecessary etcd writes/api calls", func() {
 							startInformersAndController()
 							err := controllerlib.TestSync(t, subject, *syncContext)
 							r.NoError(err)
 							r.Equal(
 								[]coretesting.Action{
-									coretesting.NewGetAction(credentialIssuerConfigGVR, installedInNamespace, credentialIssuerConfig.Name),
+									coretesting.NewGetAction(credentialIssuerGVR, installedInNamespace, credentialIssuer.Name),
 								},
 								pinnipedAPIClient.Actions(),
 							)
 						})
 					})
-					when("the CredentialIssuerConfig is stale compared to the data in the ConfigMap", func() {
+					when("the CredentialIssuer is stale compared to the data in the ConfigMap", func() {
 						it.Before(func() {
-							_, expectedCredentialIssuerConfig := expectedCredentialIssuerConfig(
+							_, expectedCredentialIssuer := expectedCredentialIssuer(
 								installedInNamespace,
 								kubeServerURL,
 								caData,
 							)
-							expectedCredentialIssuerConfig.Status.KubeConfigInfo.Server = "https://some-other-server"
+							expectedCredentialIssuer.Status.KubeConfigInfo.Server = "https://some-other-server"
-							r.NoError(pinnipedAPIClient.Tracker().Add(expectedCredentialIssuerConfig))
+							r.NoError(pinnipedAPIClient.Tracker().Add(expectedCredentialIssuer))
 						})
-						it("updates the existing CredentialIssuerConfig", func() {
+						it("updates the existing CredentialIssuer", func() {
 							startInformersAndController()
 							err := controllerlib.TestSync(t, subject, *syncContext)
 							r.NoError(err)
-							expectedCredentialIssuerConfigGVR, expectedCredentialIssuerConfig := expectedCredentialIssuerConfig(
+							expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer(
 								installedInNamespace,
 								kubeServerURL,
 								caData,
 							)
 							expectedActions := []coretesting.Action{
-								coretesting.NewGetAction(expectedCredentialIssuerConfigGVR, installedInNamespace, expectedCredentialIssuerConfig.Name),
+								coretesting.NewGetAction(expectedCredentialIssuerGVR, installedInNamespace, expectedCredentialIssuer.Name),
 								coretesting.NewUpdateAction(
-									expectedCredentialIssuerConfigGVR,
+									expectedCredentialIssuerGVR,
 									installedInNamespace,
-									expectedCredentialIssuerConfig,
+									expectedCredentialIssuer,
 								),
 							}
 							r.Equal(expectedActions, pinnipedAPIClient.Actions())
 						})
-						when("updating the CredentialIssuerConfig fails", func() {
+						when("updating the CredentialIssuer fails", func() {
 							it.Before(func() {
 								pinnipedAPIClient.PrependReactor(
 									"update",
-									"credentialissuerconfigs",
+									"credentialissuers",
 									func(_ coretesting.Action) (bool, runtime.Object, error) {
 										return true, nil, errors.New("update failed")
 									},
@ -365,7 +365,7 @@ func TestSync(t *testing.T) {
 							it("returns the update error", func() {
 								startInformersAndController()
 								err := controllerlib.TestSync(t, subject, *syncContext)
-								r.EqualError(err, "could not create or update credentialissuerconfig: update failed")
+								r.EqualError(err, "could not create or update credentialissuer: update failed")
 							})
 						})
 					})
--- a/internal/controller/kubecertagent/annotater.go
+++ b/internal/controller/kubecertagent/annotater.go
@ -29,13 +29,13 @@ const (
 )
 type annotaterController struct {
-	agentPodConfig                       *AgentPodConfig
+	agentPodConfig                 *AgentPodConfig
-	credentialIssuerConfigLocationConfig *CredentialIssuerConfigLocationConfig
+	credentialIssuerLocationConfig *CredentialIssuerLocationConfig
-	clock                                clock.Clock
+	clock                          clock.Clock
-	k8sClient                            kubernetes.Interface
+	k8sClient                      kubernetes.Interface
-	pinnipedAPIClient                    pinnipedclientset.Interface
+	pinnipedAPIClient              pinnipedclientset.Interface
-	kubeSystemPodInformer                corev1informers.PodInformer
+	kubeSystemPodInformer          corev1informers.PodInformer
-	agentPodInformer                     corev1informers.PodInformer
+	agentPodInformer               corev1informers.PodInformer
 }
 // NewAnnotaterController returns a controller that updates agent pods with the path to the kube
@ -44,11 +44,11 @@ type annotaterController struct {
 // This controller will add annotations to agent pods with the best-guess paths to the kube API's
 // certificate and key.
 //
-// It also is tasked with updating the CredentialIssuerConfig, located via the provided
+// It also is tasked with updating the CredentialIssuer, located via the provided
-// credentialIssuerConfigLocationConfig, with any errors that it encounters.
+// credentialIssuerLocationConfig, with any errors that it encounters.
 func NewAnnotaterController(
 	agentPodConfig *AgentPodConfig,
-	credentialIssuerConfigLocationConfig *CredentialIssuerConfigLocationConfig,
+	credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
 	clock clock.Clock,
 	k8sClient kubernetes.Interface,
 	pinnipedAPIClient pinnipedclientset.Interface,
@ -60,13 +60,13 @@ func NewAnnotaterController(
 		controllerlib.Config{
 			Name: "kube-cert-agent-annotater-controller",
 			Syncer: &annotaterController{
-				agentPodConfig:                       agentPodConfig,
+				agentPodConfig:                 agentPodConfig,
-				credentialIssuerConfigLocationConfig: credentialIssuerConfigLocationConfig,
+				credentialIssuerLocationConfig: credentialIssuerLocationConfig,
-				clock:                                clock,
+				clock:                          clock,
-				k8sClient:                            k8sClient,
+				k8sClient:                      k8sClient,
-				pinnipedAPIClient:                    pinnipedAPIClient,
+				pinnipedAPIClient:              pinnipedAPIClient,
-				kubeSystemPodInformer:                kubeSystemPodInformer,
+				kubeSystemPodInformer:          kubeSystemPodInformer,
-				agentPodInformer:                     agentPodInformer,
+				agentPodInformer:               agentPodInformer,
 			},
 		},
 		withInformer(
@ -120,11 +120,11 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
 			keyPath,
 		); err != nil {
 			err = fmt.Errorf("cannot update agent pod: %w", err)
-			strategyResultUpdateErr := createOrUpdateCredentialIssuerConfig(ctx.Context, *c.credentialIssuerConfigLocationConfig, nil, c.clock, c.pinnipedAPIClient, err)
+			strategyResultUpdateErr := createOrUpdateCredentialIssuer(ctx.Context, *c.credentialIssuerLocationConfig, nil, c.clock, c.pinnipedAPIClient, err)
 			if strategyResultUpdateErr != nil {
-				// If the CIC update fails, then we probably want to try again. This controller will get
+				// If the CI update fails, then we probably want to try again. This controller will get
-				// called again because of the pod create failure, so just try the CIC update again then.
+				// called again because of the pod create failure, so just try the CI update again then.
-				klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuerConfig")
+				klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuer")
 			}
 			return err
--- a/internal/controller/kubecertagent/annotater_test.go
+++ b/internal/controller/kubecertagent/annotater_test.go
@ -34,14 +34,14 @@ func TestAnnotaterControllerFilter(t *testing.T) {
 		"AnnotaterControllerFilter",
 		func(
 			agentPodConfig *AgentPodConfig,
-			_ *CredentialIssuerConfigLocationConfig,
+			_ *CredentialIssuerLocationConfig,
 			kubeSystemPodInformer corev1informers.PodInformer,
 			agentPodInformer corev1informers.PodInformer,
 			observableWithInformerOption *testutil.ObservableWithInformerOption,
 		) {
 			_ = NewAnnotaterController(
 				agentPodConfig,
-				nil, // credentialIssuerConfigLocationConfig, shouldn't matter
+				nil, // credentialIssuerLocationConfig, shouldn't matter
 				nil, // clock, shouldn't matter
 				nil, // k8sClient, shouldn't matter
 				nil, // pinnipedClient, shouldn't matter
@ -59,8 +59,8 @@ func TestAnnotaterControllerSync(t *testing.T) {
 		const agentPodNamespace = "agent-pod-namespace"
 		const defaultKubeControllerManagerClusterSigningCertFileFlagValue = "/etc/kubernetes/ca/ca.pem"
 		const defaultKubeControllerManagerClusterSigningKeyFileFlagValue = "/etc/kubernetes/ca/ca.key"
-		const credentialIssuerConfigNamespaceName = "cic-namespace-name"
+		const credentialIssuerNamespaceName = "ci-namespace-name"
-		const credentialIssuerConfigResourceName = "cic-resource-name"
+		const credentialIssuerResourceName = "ci-resource-name"
 		const (
 			certPath           = "some-cert-path"
@ -84,7 +84,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
 		var syncContext *controllerlib.Context
 		var controllerManagerPod, agentPod *corev1.Pod
 		var podsGVR schema.GroupVersionResource
-		var credentialIssuerConfigGVR schema.GroupVersionResource
+		var credentialIssuerGVR schema.GroupVersionResource
 		var frozenNow time.Time
 		// Defer starting the informers until the last possible moment so that the
@ -101,9 +101,9 @@ func TestAnnotaterControllerSync(t *testing.T) {
 						"myLabelKey2": "myLabelValue2",
 					},
 				},
-				&CredentialIssuerConfigLocationConfig{
+				&CredentialIssuerLocationConfig{
-					Namespace: credentialIssuerConfigNamespaceName,
+					Namespace: credentialIssuerNamespaceName,
-					Name:      credentialIssuerConfigResourceName,
+					Name:      credentialIssuerResourceName,
 				},
 				clock.NewFakeClock(frozenNow),
 				kubeAPIClient,
@ -154,10 +154,10 @@ func TestAnnotaterControllerSync(t *testing.T) {
 				Resource: "pods",
 			}
-			credentialIssuerConfigGVR = schema.GroupVersionResource{
+			credentialIssuerGVR = schema.GroupVersionResource{
 				Group:    configv1alpha1.GroupName,
 				Version:  configv1alpha1.SchemeGroupVersion.Version,
-				Resource: "credentialissuerconfigs",
+				Resource: "credentialissuers",
 			}
 			frozenNow = time.Date(2020, time.September, 23, 7, 42, 0, 0, time.Local)
@ -229,33 +229,33 @@ func TestAnnotaterControllerSync(t *testing.T) {
 						r.EqualError(err, "cannot update agent pod: some update error")
 					})
-					when("there is already a CredentialIssuerConfig", func() {
+					when("there is already a CredentialIssuer", func() {
-						var initialCredentialIssuerConfig *configv1alpha1.CredentialIssuerConfig
+						var initialCredentialIssuer *configv1alpha1.CredentialIssuer
 						it.Before(func() {
-							initialCredentialIssuerConfig = &configv1alpha1.CredentialIssuerConfig{
+							initialCredentialIssuer = &configv1alpha1.CredentialIssuer{
 								TypeMeta: metav1.TypeMeta{},
 								ObjectMeta: metav1.ObjectMeta{
-									Name:      credentialIssuerConfigResourceName,
+									Name:      credentialIssuerResourceName,
-									Namespace: credentialIssuerConfigNamespaceName,
+									Namespace: credentialIssuerNamespaceName,
 								},
-								Status: configv1alpha1.CredentialIssuerConfigStatus{
+								Status: configv1alpha1.CredentialIssuerStatus{
-									Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{},
+									Strategies: []configv1alpha1.CredentialIssuerStrategy{},
-									KubeConfigInfo: &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
+									KubeConfigInfo: &configv1alpha1.CredentialIssuerKubeConfigInfo{
 										Server:                   "some-server",
 										CertificateAuthorityData: "some-ca-value",
 									},
 								},
 							}
-							r.NoError(pinnipedAPIClient.Tracker().Add(initialCredentialIssuerConfig))
+							r.NoError(pinnipedAPIClient.Tracker().Add(initialCredentialIssuer))
 						})
-						it("updates the CredentialIssuerConfig status with the error", func() {
+						it("updates the CredentialIssuer status with the error", func() {
 							startInformersAndController()
 							err := controllerlib.TestSync(t, subject, *syncContext)
-							expectedCredentialIssuerConfig := initialCredentialIssuerConfig.DeepCopy()
+							expectedCredentialIssuer := initialCredentialIssuer.DeepCopy()
-							expectedCredentialIssuerConfig.Status.Strategies = []configv1alpha1.CredentialIssuerConfigStrategy{
+							expectedCredentialIssuer.Status.Strategies = []configv1alpha1.CredentialIssuerStrategy{
 								{
 									Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 									Status:         configv1alpha1.ErrorStrategyStatus,
@ -265,14 +265,14 @@ func TestAnnotaterControllerSync(t *testing.T) {
 								},
 							}
 							expectedGetAction := coretesting.NewGetAction(
-								credentialIssuerConfigGVR,
+								credentialIssuerGVR,
-								credentialIssuerConfigNamespaceName,
+								credentialIssuerNamespaceName,
-								credentialIssuerConfigResourceName,
+								credentialIssuerResourceName,
 							)
 							expectedUpdateAction := coretesting.NewUpdateAction(
-								credentialIssuerConfigGVR,
+								credentialIssuerGVR,
-								credentialIssuerConfigNamespaceName,
+								credentialIssuerNamespaceName,
-								expectedCredentialIssuerConfig,
+								expectedCredentialIssuer,
 							)
 							r.EqualError(err, "cannot update agent pod: some update error")
@ -285,11 +285,11 @@ func TestAnnotaterControllerSync(t *testing.T) {
 							)
 						})
-						when("updating the CredentialIssuerConfig fails", func() {
+						when("updating the CredentialIssuer fails", func() {
 							it.Before(func() {
 								pinnipedAPIClient.PrependReactor(
 									"update",
-									"credentialissuerconfigs",
+									"credentialissuers",
 									func(_ coretesting.Action) (bool, runtime.Object, error) {
 										return true, nil, errors.New("some update error")
 									},
@ -304,19 +304,19 @@ func TestAnnotaterControllerSync(t *testing.T) {
 						})
 					})
-					when("there is not already a CredentialIssuerConfig", func() {
+					when("there is not already a CredentialIssuer", func() {
-						it("creates the CredentialIssuerConfig status with the error", func() {
+						it("creates the CredentialIssuer status with the error", func() {
 							startInformersAndController()
 							err := controllerlib.TestSync(t, subject, *syncContext)
-							expectedCredentialIssuerConfig := &configv1alpha1.CredentialIssuerConfig{
+							expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 								TypeMeta: metav1.TypeMeta{},
 								ObjectMeta: metav1.ObjectMeta{
-									Name:      credentialIssuerConfigResourceName,
+									Name:      credentialIssuerResourceName,
-									Namespace: credentialIssuerConfigNamespaceName,
+									Namespace: credentialIssuerNamespaceName,
 								},
-								Status: configv1alpha1.CredentialIssuerConfigStatus{
+								Status: configv1alpha1.CredentialIssuerStatus{
-									Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{
+									Strategies: []configv1alpha1.CredentialIssuerStrategy{
 										{
 											Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 											Status:         configv1alpha1.ErrorStrategyStatus,
@ -328,14 +328,14 @@ func TestAnnotaterControllerSync(t *testing.T) {
 								},
 							}
 							expectedGetAction := coretesting.NewGetAction(
-								credentialIssuerConfigGVR,
+								credentialIssuerGVR,
-								credentialIssuerConfigNamespaceName,
+								credentialIssuerNamespaceName,
-								credentialIssuerConfigResourceName,
+								credentialIssuerResourceName,
 							)
 							expectedCreateAction := coretesting.NewCreateAction(
-								credentialIssuerConfigGVR,
+								credentialIssuerGVR,
-								credentialIssuerConfigNamespaceName,
+								credentialIssuerNamespaceName,
-								expectedCredentialIssuerConfig,
+								expectedCredentialIssuer,
 							)
 							r.EqualError(err, "cannot update agent pod: some update error")
--- a/internal/controller/kubecertagent/creater.go
+++ b/internal/controller/kubecertagent/creater.go
@ -21,25 +21,25 @@ import (
 )
 type createrController struct {
-	agentPodConfig                       *AgentPodConfig
+	agentPodConfig                 *AgentPodConfig
-	credentialIssuerConfigLocationConfig *CredentialIssuerConfigLocationConfig
+	credentialIssuerLocationConfig *CredentialIssuerLocationConfig
-	credentialIssuerConfigLabels         map[string]string
+	credentialIssuerLabels         map[string]string
-	clock                                clock.Clock
+	clock                          clock.Clock
-	k8sClient                            kubernetes.Interface
+	k8sClient                      kubernetes.Interface
-	pinnipedAPIClient                    pinnipedclientset.Interface
+	pinnipedAPIClient              pinnipedclientset.Interface
-	kubeSystemPodInformer                corev1informers.PodInformer
+	kubeSystemPodInformer          corev1informers.PodInformer
-	agentPodInformer                     corev1informers.PodInformer
+	agentPodInformer               corev1informers.PodInformer
 }
 // NewCreaterController returns a controller that creates new kube-cert-agent pods for every known
 // kube-controller-manager pod.
 //
-// It also is tasked with updating the CredentialIssuerConfig, located via the provided
+// It also is tasked with updating the CredentialIssuer, located via the provided
-// credentialIssuerConfigLocationConfig, with any errors that it encounters.
+// credentialIssuerLocationConfig, with any errors that it encounters.
 func NewCreaterController(
 	agentPodConfig *AgentPodConfig,
-	credentialIssuerConfigLocationConfig *CredentialIssuerConfigLocationConfig,
+	credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
-	credentialIssuerConfigLabels map[string]string,
+	credentialIssuerLabels map[string]string,
 	clock clock.Clock,
 	k8sClient kubernetes.Interface,
 	pinnipedAPIClient pinnipedclientset.Interface,
@ -53,14 +53,14 @@ func NewCreaterController(
 			//nolint: misspell
 			Name: "kube-cert-agent-creater-controller",
 			Syncer: &createrController{
-				agentPodConfig:                       agentPodConfig,
+				agentPodConfig:                 agentPodConfig,
-				credentialIssuerConfigLocationConfig: credentialIssuerConfigLocationConfig,
+				credentialIssuerLocationConfig: credentialIssuerLocationConfig,
-				credentialIssuerConfigLabels:         credentialIssuerConfigLabels,
+				credentialIssuerLabels:         credentialIssuerLabels,
-				clock:                                clock,
+				clock:                          clock,
-				k8sClient:                            k8sClient,
+				k8sClient:                      k8sClient,
-				pinnipedAPIClient:                    pinnipedAPIClient,
+				pinnipedAPIClient:              pinnipedAPIClient,
-				kubeSystemPodInformer:                kubeSystemPodInformer,
+				kubeSystemPodInformer:          kubeSystemPodInformer,
-				agentPodInformer:                     agentPodInformer,
+				agentPodInformer:               agentPodInformer,
 			},
 		},
 		withInformer(
@ -73,7 +73,7 @@ func NewCreaterController(
 			pinnipedcontroller.SimpleFilter(isAgentPod),
 			controllerlib.InformerOption{},
 		),
-		// Be sure to run once even to make sure the CIC is updated if there are no controller manager
+		// Be sure to run once even to make sure the CI is updated if there are no controller manager
 		// pods. We should be able to pass an empty key since we don't use the key in the sync (we sync
 		// the world).
 		withInitialEvent(controllerlib.Key{}),
@ -94,11 +94,11 @@ func (c *createrController) Sync(ctx controllerlib.Context) error {
 	if len(controllerManagerPods) == 0 {
 		// If there are no controller manager pods, we alert the user that we can't find the keypair via
-		// the CredentialIssuerConfig.
+		// the CredentialIssuer.
-		return createOrUpdateCredentialIssuerConfig(
+		return createOrUpdateCredentialIssuer(
 			ctx.Context,
-			*c.credentialIssuerConfigLocationConfig,
+			*c.credentialIssuerLocationConfig,
-			c.credentialIssuerConfigLabels,
+			c.credentialIssuerLabels,
 			c.clock,
 			c.pinnipedAPIClient,
 			constable.Error("did not find kube-controller-manager pod(s)"),
@ -130,18 +130,18 @@ func (c *createrController) Sync(ctx controllerlib.Context) error {
 				Create(ctx.Context, agentPod, metav1.CreateOptions{})
 			if err != nil {
 				err = fmt.Errorf("cannot create agent pod: %w", err)
-				strategyResultUpdateErr := createOrUpdateCredentialIssuerConfig(
+				strategyResultUpdateErr := createOrUpdateCredentialIssuer(
 					ctx.Context,
-					*c.credentialIssuerConfigLocationConfig,
+					*c.credentialIssuerLocationConfig,
-					c.credentialIssuerConfigLabels,
+					c.credentialIssuerLabels,
 					c.clock,
 					c.pinnipedAPIClient,
 					err,
 				)
 				if strategyResultUpdateErr != nil {
-					// If the CIC update fails, then we probably want to try again. This controller will get
+					// If the CI update fails, then we probably want to try again. This controller will get
-					// called again because of the pod create failure, so just try the CIC update again then.
+					// called again because of the pod create failure, so just try the CI update again then.
-					klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuerConfig")
+					klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuer")
 				}
 				return err
--- a/internal/controller/kubecertagent/creater_test.go
+++ b/internal/controller/kubecertagent/creater_test.go
@ -34,14 +34,14 @@ func TestCreaterControllerFilter(t *testing.T) {
 		"CreaterControllerFilter",
 		func(
 			agentPodConfig *AgentPodConfig,
-			credentialIssuerConfigLocationConfig *CredentialIssuerConfigLocationConfig,
+			credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
 			kubeSystemPodInformer corev1informers.PodInformer,
 			agentPodInformer corev1informers.PodInformer,
 			observableWithInformerOption *testutil.ObservableWithInformerOption,
 		) {
 			_ = NewCreaterController(
 				agentPodConfig,
-				credentialIssuerConfigLocationConfig,
+				credentialIssuerLocationConfig,
 				map[string]string{},
 				nil, // clock, shouldn't matter
 				nil, // k8sClient, shouldn't matter
@ -66,7 +66,7 @@ func TestCreaterControllerInitialEvent(t *testing.T) {
 	_ = NewCreaterController(
 		nil, // agentPodConfig, shouldn't matter
-		nil, // credentialIssuerConfigLocationConfig, shouldn't matter
+		nil, // credentialIssuerLocationConfig, shouldn't matter
 		map[string]string{},
 		nil, // clock, shouldn't matter
 		nil, // k8sClient, shouldn't matter
@ -83,8 +83,8 @@ func TestCreaterControllerSync(t *testing.T) {
 	spec.Run(t, "CreaterControllerSync", func(t *testing.T, when spec.G, it spec.S) {
 		const kubeSystemNamespace = "kube-system"
 		const agentPodNamespace = "agent-pod-namespace"
-		const credentialIssuerConfigNamespaceName = "cic-namespace-name"
+		const credentialIssuerNamespaceName = "ci-namespace-name"
-		const credentialIssuerConfigResourceName = "cic-resource-name"
+		const credentialIssuerResourceName = "ci-resource-name"
 		var r *require.Assertions
@ -100,7 +100,7 @@ func TestCreaterControllerSync(t *testing.T) {
 		var syncContext *controllerlib.Context
 		var controllerManagerPod, agentPod *corev1.Pod
 		var podsGVR schema.GroupVersionResource
-		var credentialIssuerConfigGVR schema.GroupVersionResource
+		var credentialIssuerGVR schema.GroupVersionResource
 		var frozenNow time.Time
 		// Defer starting the informers until the last possible moment so that the
@ -118,9 +118,9 @@ func TestCreaterControllerSync(t *testing.T) {
 						"myLabelKey2": "myLabelValue2",
 					},
 				},
-				&CredentialIssuerConfigLocationConfig{
+				&CredentialIssuerLocationConfig{
-					Namespace: credentialIssuerConfigNamespaceName,
+					Namespace: credentialIssuerNamespaceName,
-					Name:      credentialIssuerConfigResourceName,
+					Name:      credentialIssuerResourceName,
 				},
 				map[string]string{
 					"myLabelKey1": "myLabelValue1",
@ -176,10 +176,10 @@ func TestCreaterControllerSync(t *testing.T) {
 				Resource: "pods",
 			}
-			credentialIssuerConfigGVR = schema.GroupVersionResource{
+			credentialIssuerGVR = schema.GroupVersionResource{
 				Group:    configv1alpha1.GroupName,
 				Version:  configv1alpha1.SchemeGroupVersion.Version,
-				Resource: "credentialissuerconfigs",
+				Resource: "credentialissuers",
 			}
 			frozenNow = time.Date(2020, time.September, 23, 7, 42, 0, 0, time.Local)
@ -300,33 +300,33 @@ func TestCreaterControllerSync(t *testing.T) {
 						)
 					})
-					when("there is already a CredentialIssuerConfig", func() {
+					when("there is already a CredentialIssuer", func() {
-						var initialCredentialIssuerConfig *configv1alpha1.CredentialIssuerConfig
+						var initialCredentialIssuer *configv1alpha1.CredentialIssuer
 						it.Before(func() {
-							initialCredentialIssuerConfig = &configv1alpha1.CredentialIssuerConfig{
+							initialCredentialIssuer = &configv1alpha1.CredentialIssuer{
 								TypeMeta: metav1.TypeMeta{},
 								ObjectMeta: metav1.ObjectMeta{
-									Name:      credentialIssuerConfigResourceName,
+									Name:      credentialIssuerResourceName,
-									Namespace: credentialIssuerConfigNamespaceName,
+									Namespace: credentialIssuerNamespaceName,
 								},
-								Status: configv1alpha1.CredentialIssuerConfigStatus{
+								Status: configv1alpha1.CredentialIssuerStatus{
-									Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{},
+									Strategies: []configv1alpha1.CredentialIssuerStrategy{},
-									KubeConfigInfo: &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
+									KubeConfigInfo: &configv1alpha1.CredentialIssuerKubeConfigInfo{
 										Server:                   "some-server",
 										CertificateAuthorityData: "some-ca-value",
 									},
 								},
 							}
-							r.NoError(pinnipedAPIClient.Tracker().Add(initialCredentialIssuerConfig))
+							r.NoError(pinnipedAPIClient.Tracker().Add(initialCredentialIssuer))
 						})
-						it("updates the CredentialIssuerConfig status saying that controller manager pods couldn't be found", func() {
+						it("updates the CredentialIssuer status saying that controller manager pods couldn't be found", func() {
 							startInformersAndController()
 							err := controllerlib.TestSync(t, subject, *syncContext)
-							expectedCredentialIssuerConfig := initialCredentialIssuerConfig.DeepCopy()
+							expectedCredentialIssuer := initialCredentialIssuer.DeepCopy()
-							expectedCredentialIssuerConfig.Status.Strategies = []configv1alpha1.CredentialIssuerConfigStrategy{
+							expectedCredentialIssuer.Status.Strategies = []configv1alpha1.CredentialIssuerStrategy{
 								{
 									Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 									Status:         configv1alpha1.ErrorStrategyStatus,
@ -336,14 +336,14 @@ func TestCreaterControllerSync(t *testing.T) {
 								},
 							}
 							expectedGetAction := coretesting.NewGetAction(
-								credentialIssuerConfigGVR,
+								credentialIssuerGVR,
-								credentialIssuerConfigNamespaceName,
+								credentialIssuerNamespaceName,
-								credentialIssuerConfigResourceName,
+								credentialIssuerResourceName,
 							)
 							expectedUpdateAction := coretesting.NewUpdateAction(
-								credentialIssuerConfigGVR,
+								credentialIssuerGVR,
-								credentialIssuerConfigNamespaceName,
+								credentialIssuerNamespaceName,
-								expectedCredentialIssuerConfig,
+								expectedCredentialIssuer,
 							)
 							r.EqualError(err, "cannot create agent pod: some create error")
@ -356,11 +356,11 @@ func TestCreaterControllerSync(t *testing.T) {
 							)
 						})
-						when("the CredentialIssuerConfig operation fails", func() {
+						when("the CredentialIssuer operation fails", func() {
 							it.Before(func() {
 								pinnipedAPIClient.PrependReactor(
 									"update",
-									"credentialissuerconfigs",
+									"credentialissuers",
 									func(_ coretesting.Action) (bool, runtime.Object, error) {
 										return true, nil, errors.New("some update error")
 									},
@ -375,23 +375,23 @@ func TestCreaterControllerSync(t *testing.T) {
 						})
 					})
-					when("there is not already a CredentialIssuerConfig", func() {
+					when("there is not already a CredentialIssuer", func() {
-						it("returns an error and updates the CredentialIssuerConfig status", func() {
+						it("returns an error and updates the CredentialIssuer status", func() {
 							startInformersAndController()
 							err := controllerlib.TestSync(t, subject, *syncContext)
-							expectedCredentialIssuerConfig := &configv1alpha1.CredentialIssuerConfig{
+							expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 								TypeMeta: metav1.TypeMeta{},
 								ObjectMeta: metav1.ObjectMeta{
-									Name:      credentialIssuerConfigResourceName,
+									Name:      credentialIssuerResourceName,
-									Namespace: credentialIssuerConfigNamespaceName,
+									Namespace: credentialIssuerNamespaceName,
 									Labels: map[string]string{
 										"myLabelKey1": "myLabelValue1",
 										"myLabelKey2": "myLabelValue2",
 									},
 								},
-								Status: configv1alpha1.CredentialIssuerConfigStatus{
+								Status: configv1alpha1.CredentialIssuerStatus{
-									Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{
+									Strategies: []configv1alpha1.CredentialIssuerStrategy{
 										{
 											Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 											Status:         configv1alpha1.ErrorStrategyStatus,
@ -403,14 +403,14 @@ func TestCreaterControllerSync(t *testing.T) {
 								},
 							}
 							expectedGetAction := coretesting.NewGetAction(
-								credentialIssuerConfigGVR,
+								credentialIssuerGVR,
-								credentialIssuerConfigNamespaceName,
+								credentialIssuerNamespaceName,
-								credentialIssuerConfigResourceName,
+								credentialIssuerResourceName,
 							)
 							expectedCreateAction := coretesting.NewCreateAction(
-								credentialIssuerConfigGVR,
+								credentialIssuerGVR,
-								credentialIssuerConfigNamespaceName,
+								credentialIssuerNamespaceName,
-								expectedCredentialIssuerConfig,
+								expectedCredentialIssuer,
 							)
 							r.EqualError(err, "cannot create agent pod: some create error")
@ -428,33 +428,33 @@ func TestCreaterControllerSync(t *testing.T) {
 		})
 		when("there is no controller manager pod", func() {
-			when("there is already a CredentialIssuerConfig", func() {
+			when("there is already a CredentialIssuer", func() {
-				var initialCredentialIssuerConfig *configv1alpha1.CredentialIssuerConfig
+				var initialCredentialIssuer *configv1alpha1.CredentialIssuer
 				it.Before(func() {
-					initialCredentialIssuerConfig = &configv1alpha1.CredentialIssuerConfig{
+					initialCredentialIssuer = &configv1alpha1.CredentialIssuer{
 						TypeMeta: metav1.TypeMeta{},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      credentialIssuerConfigResourceName,
+							Name:      credentialIssuerResourceName,
-							Namespace: credentialIssuerConfigNamespaceName,
+							Namespace: credentialIssuerNamespaceName,
 						},
-						Status: configv1alpha1.CredentialIssuerConfigStatus{
+						Status: configv1alpha1.CredentialIssuerStatus{
-							Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{},
+							Strategies: []configv1alpha1.CredentialIssuerStrategy{},
-							KubeConfigInfo: &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
+							KubeConfigInfo: &configv1alpha1.CredentialIssuerKubeConfigInfo{
 								Server:                   "some-server",
 								CertificateAuthorityData: "some-ca-value",
 							},
 						},
 					}
-					r.NoError(pinnipedAPIClient.Tracker().Add(initialCredentialIssuerConfig))
+					r.NoError(pinnipedAPIClient.Tracker().Add(initialCredentialIssuer))
 				})
-				it("updates the CredentialIssuerConfig status saying that controller manager pods couldn't be found", func() {
+				it("updates the CredentialIssuer status saying that controller manager pods couldn't be found", func() {
 					startInformersAndController()
 					r.NoError(controllerlib.TestSync(t, subject, *syncContext))
-					expectedCredentialIssuerConfig := initialCredentialIssuerConfig.DeepCopy()
+					expectedCredentialIssuer := initialCredentialIssuer.DeepCopy()
-					expectedCredentialIssuerConfig.Status.Strategies = []configv1alpha1.CredentialIssuerConfigStrategy{
+					expectedCredentialIssuer.Status.Strategies = []configv1alpha1.CredentialIssuerStrategy{
 						{
 							Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 							Status:         configv1alpha1.ErrorStrategyStatus,
@ -464,14 +464,14 @@ func TestCreaterControllerSync(t *testing.T) {
 						},
 					}
 					expectedGetAction := coretesting.NewGetAction(
-						credentialIssuerConfigGVR,
+						credentialIssuerGVR,
-						credentialIssuerConfigNamespaceName,
+						credentialIssuerNamespaceName,
-						credentialIssuerConfigResourceName,
+						credentialIssuerResourceName,
 					)
 					expectedUpdateAction := coretesting.NewUpdateAction(
-						credentialIssuerConfigGVR,
+						credentialIssuerGVR,
-						credentialIssuerConfigNamespaceName,
+						credentialIssuerNamespaceName,
-						expectedCredentialIssuerConfig,
+						expectedCredentialIssuer,
 					)
 					r.Equal(
@ -483,11 +483,11 @@ func TestCreaterControllerSync(t *testing.T) {
 					)
 				})
-				when("when updating the CredentialIssuerConfig fails", func() {
+				when("when updating the CredentialIssuer fails", func() {
 					it.Before(func() {
 						pinnipedAPIClient.PrependReactor(
 							"update",
-							"credentialissuerconfigs",
+							"credentialissuers",
 							func(_ coretesting.Action) (bool, runtime.Object, error) {
 								return true, nil, errors.New("some update error")
 							},
@ -497,15 +497,15 @@ func TestCreaterControllerSync(t *testing.T) {
 					it("returns an error", func() {
 						startInformersAndController()
 						err := controllerlib.TestSync(t, subject, *syncContext)
-						r.EqualError(err, "could not create or update credentialissuerconfig: some update error")
+						r.EqualError(err, "could not create or update credentialissuer: some update error")
 					})
 				})
-				when("when getting the CredentialIssuerConfig fails", func() {
+				when("when getting the CredentialIssuer fails", func() {
 					it.Before(func() {
 						pinnipedAPIClient.PrependReactor(
 							"get",
-							"credentialissuerconfigs",
+							"credentialissuers",
 							func(_ coretesting.Action) (bool, runtime.Object, error) {
 								return true, nil, errors.New("some get error")
 							},
@ -515,28 +515,28 @@ func TestCreaterControllerSync(t *testing.T) {
 					it("returns an error", func() {
 						startInformersAndController()
 						err := controllerlib.TestSync(t, subject, *syncContext)
-						r.EqualError(err, "could not create or update credentialissuerconfig: get failed: some get error")
+						r.EqualError(err, "could not create or update credentialissuer: get failed: some get error")
 					})
 				})
 			})
-			when("there is not already a CredentialIssuerConfig", func() {
+			when("there is not already a CredentialIssuer", func() {
-				it("creates the CredentialIssuerConfig status saying that controller manager pods couldn't be found", func() {
+				it("creates the CredentialIssuer status saying that controller manager pods couldn't be found", func() {
 					startInformersAndController()
 					err := controllerlib.TestSync(t, subject, *syncContext)
-					expectedCredentialIssuerConfig := &configv1alpha1.CredentialIssuerConfig{
+					expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 						TypeMeta: metav1.TypeMeta{},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      credentialIssuerConfigResourceName,
+							Name:      credentialIssuerResourceName,
-							Namespace: credentialIssuerConfigNamespaceName,
+							Namespace: credentialIssuerNamespaceName,
 							Labels: map[string]string{
 								"myLabelKey1": "myLabelValue1",
 								"myLabelKey2": "myLabelValue2",
 							},
 						},
-						Status: configv1alpha1.CredentialIssuerConfigStatus{
+						Status: configv1alpha1.CredentialIssuerStatus{
-							Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{
+							Strategies: []configv1alpha1.CredentialIssuerStrategy{
 								{
 									Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 									Status:         configv1alpha1.ErrorStrategyStatus,
@ -548,14 +548,14 @@ func TestCreaterControllerSync(t *testing.T) {
 						},
 					}
 					expectedGetAction := coretesting.NewGetAction(
-						credentialIssuerConfigGVR,
+						credentialIssuerGVR,
-						credentialIssuerConfigNamespaceName,
+						credentialIssuerNamespaceName,
-						credentialIssuerConfigResourceName,
+						credentialIssuerResourceName,
 					)
 					expectedCreateAction := coretesting.NewCreateAction(
-						credentialIssuerConfigGVR,
+						credentialIssuerGVR,
-						credentialIssuerConfigNamespaceName,
+						credentialIssuerNamespaceName,
-						expectedCredentialIssuerConfig,
+						expectedCredentialIssuer,
 					)
 					r.NoError(err)
@ -568,11 +568,11 @@ func TestCreaterControllerSync(t *testing.T) {
 					)
 				})
-				when("when creating the CredentialIssuerConfig fails", func() {
+				when("when creating the CredentialIssuer fails", func() {
 					it.Before(func() {
 						pinnipedAPIClient.PrependReactor(
 							"create",
-							"credentialissuerconfigs",
+							"credentialissuers",
 							func(_ coretesting.Action) (bool, runtime.Object, error) {
 								return true, nil, errors.New("some create error")
 							},
@ -582,15 +582,15 @@ func TestCreaterControllerSync(t *testing.T) {
 					it("returns an error", func() {
 						startInformersAndController()
 						err := controllerlib.TestSync(t, subject, *syncContext)
-						r.EqualError(err, "could not create or update credentialissuerconfig: create failed: some create error")
+						r.EqualError(err, "could not create or update credentialissuer: create failed: some create error")
 					})
 				})
-				when("when getting the CredentialIssuerConfig fails", func() {
+				when("when getting the CredentialIssuer fails", func() {
 					it.Before(func() {
 						pinnipedAPIClient.PrependReactor(
 							"get",
-							"credentialissuerconfigs",
+							"credentialissuers",
 							func(_ coretesting.Action) (bool, runtime.Object, error) {
 								return true, nil, errors.New("some get error")
 							},
@ -600,7 +600,7 @@ func TestCreaterControllerSync(t *testing.T) {
 					it("returns an error", func() {
 						startInformersAndController()
 						err := controllerlib.TestSync(t, subject, *syncContext)
-						r.EqualError(err, "could not create or update credentialissuerconfig: get failed: some get error")
+						r.EqualError(err, "could not create or update credentialissuer: get failed: some get error")
 					})
 				})
 			})
--- a/internal/controller/kubecertagent/deleter_test.go
+++ b/internal/controller/kubecertagent/deleter_test.go
@ -28,7 +28,7 @@ func TestDeleterControllerFilter(t *testing.T) {
 		"DeleterControllerFilter",
 		func(
 			agentPodConfig *AgentPodConfig,
-			_ *CredentialIssuerConfigLocationConfig,
+			_ *CredentialIssuerLocationConfig,
 			kubeSystemPodInformer corev1informers.PodInformer,
 			agentPodInformer corev1informers.PodInformer,
 			observableWithInformerOption *testutil.ObservableWithInformerOption,
--- a/internal/controller/kubecertagent/execer.go
+++ b/internal/controller/kubecertagent/execer.go
@ -19,22 +19,22 @@ import (
 )
 type execerController struct {
-	credentialIssuerConfigLocationConfig *CredentialIssuerConfigLocationConfig
+	credentialIssuerLocationConfig *CredentialIssuerLocationConfig
-	dynamicCertProvider                  dynamiccert.Provider
+	dynamicCertProvider            dynamiccert.Provider
-	podCommandExecutor                   PodCommandExecutor
+	podCommandExecutor             PodCommandExecutor
-	clock                                clock.Clock
+	clock                          clock.Clock
-	pinnipedAPIClient                    pinnipedclientset.Interface
+	pinnipedAPIClient              pinnipedclientset.Interface
-	agentPodInformer                     corev1informers.PodInformer
+	agentPodInformer               corev1informers.PodInformer
 }
 // NewExecerController returns a controllerlib.Controller that listens for agent pods with proper
 // cert/key path annotations and execs into them to get the cert/key material. It sets the retrieved
 // key material in a provided dynamicCertProvider.
 //
-// It also is tasked with updating the CredentialIssuerConfig, located via the provided
+// It also is tasked with updating the CredentialIssuer, located via the provided
-// credentialIssuerConfigLocationConfig, with any errors that it encounters.
+// credentialIssuerLocationConfig, with any errors that it encounters.
 func NewExecerController(
-	credentialIssuerConfigLocationConfig *CredentialIssuerConfigLocationConfig,
+	credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
 	dynamicCertProvider dynamiccert.Provider,
 	podCommandExecutor PodCommandExecutor,
 	pinnipedAPIClient pinnipedclientset.Interface,
@ -46,12 +46,12 @@ func NewExecerController(
 		controllerlib.Config{
 			Name: "kube-cert-agent-execer-controller",
 			Syncer: &execerController{
-				credentialIssuerConfigLocationConfig: credentialIssuerConfigLocationConfig,
+				credentialIssuerLocationConfig: credentialIssuerLocationConfig,
-				dynamicCertProvider:                  dynamicCertProvider,
+				dynamicCertProvider:            dynamicCertProvider,
-				podCommandExecutor:                   podCommandExecutor,
+				podCommandExecutor:             podCommandExecutor,
-				pinnipedAPIClient:                    pinnipedAPIClient,
+				pinnipedAPIClient:              pinnipedAPIClient,
-				clock:                                clock,
+				clock:                          clock,
-				agentPodInformer:                     agentPodInformer,
+				agentPodInformer:               agentPodInformer,
 			},
 		},
 		withInformer(
@ -87,21 +87,21 @@ func (c *execerController) Sync(ctx controllerlib.Context) error {
 	certPEM, err := c.podCommandExecutor.Exec(agentPod.Namespace, agentPod.Name, "cat", certPath)
 	if err != nil {
-		strategyResultUpdateErr := createOrUpdateCredentialIssuerConfig(ctx.Context, *c.credentialIssuerConfigLocationConfig, nil, c.clock, c.pinnipedAPIClient, err)
+		strategyResultUpdateErr := createOrUpdateCredentialIssuer(ctx.Context, *c.credentialIssuerLocationConfig, nil, c.clock, c.pinnipedAPIClient, err)
-		klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuerConfig with strategy success")
+		klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuer with strategy success")
 		return err
 	}
 	keyPEM, err := c.podCommandExecutor.Exec(agentPod.Namespace, agentPod.Name, "cat", keyPath)
 	if err != nil {
-		strategyResultUpdateErr := createOrUpdateCredentialIssuerConfig(ctx.Context, *c.credentialIssuerConfigLocationConfig, nil, c.clock, c.pinnipedAPIClient, err)
+		strategyResultUpdateErr := createOrUpdateCredentialIssuer(ctx.Context, *c.credentialIssuerLocationConfig, nil, c.clock, c.pinnipedAPIClient, err)
-		klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuerConfig with strategy success")
+		klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuer with strategy success")
 		return err
 	}
 	c.dynamicCertProvider.Set([]byte(certPEM), []byte(keyPEM))
-	err = createOrUpdateCredentialIssuerConfig(ctx.Context, *c.credentialIssuerConfigLocationConfig, nil, c.clock, c.pinnipedAPIClient, nil)
+	err = createOrUpdateCredentialIssuer(ctx.Context, *c.credentialIssuerLocationConfig, nil, c.clock, c.pinnipedAPIClient, nil)
 	if err != nil {
 		return err
 	}
--- a/internal/controller/kubecertagent/execer_test.go
+++ b/internal/controller/kubecertagent/execer_test.go
@ -43,7 +43,7 @@ func TestExecerControllerOptions(t *testing.T) {
 			observableWithInformerOption = testutil.NewObservableWithInformerOption()
 			agentPodsInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().Pods()
 			_ = NewExecerController(
-				&CredentialIssuerConfigLocationConfig{
+				&CredentialIssuerLocationConfig{
 					Namespace: "ignored by this test",
 					Name:      "ignored by this test",
 				},
@ -136,8 +136,8 @@ func TestManagerControllerSync(t *testing.T) {
 		const fakeKeyPath = "/some/key/path"
 		const defaultDynamicCertProviderCert = "initial-cert"
 		const defaultDynamicCertProviderKey = "initial-key"
-		const credentialIssuerConfigNamespaceName = "cic-namespace-name"
+		const credentialIssuerNamespaceName = "ci-namespace-name"
-		const credentialIssuerConfigResourceName = "cic-resource-name"
+		const credentialIssuerResourceName = "ci-resource-name"
 		var r *require.Assertions
@ -151,7 +151,7 @@ func TestManagerControllerSync(t *testing.T) {
 		var fakeExecutor *fakePodExecutor
 		var dynamicCertProvider dynamiccert.Provider
 		var fakeCertPEM, fakeKeyPEM string
-		var credentialIssuerConfigGVR schema.GroupVersionResource
+		var credentialIssuerGVR schema.GroupVersionResource
 		var frozenNow time.Time
 		// Defer starting the informers until the last possible moment so that the
@ -159,9 +159,9 @@ func TestManagerControllerSync(t *testing.T) {
 		var startInformersAndController = func() {
 			// Set this at the last second to allow for injection of server override.
 			subject = NewExecerController(
-				&CredentialIssuerConfigLocationConfig{
+				&CredentialIssuerLocationConfig{
-					Namespace: credentialIssuerConfigNamespaceName,
+					Namespace: credentialIssuerNamespaceName,
-					Name:      credentialIssuerConfigResourceName,
+					Name:      credentialIssuerResourceName,
 				},
 				dynamicCertProvider,
 				fakeExecutor,
@ -237,10 +237,10 @@ func TestManagerControllerSync(t *testing.T) {
 			fakeCertPEM = loadFile("./testdata/test.crt")
 			fakeKeyPEM = loadFile("./testdata/test.key")
-			credentialIssuerConfigGVR = schema.GroupVersionResource{
+			credentialIssuerGVR = schema.GroupVersionResource{
 				Group:    configv1alpha1.GroupName,
 				Version:  configv1alpha1.SchemeGroupVersion.Version,
-				Resource: "credentialissuerconfigs",
+				Resource: "credentialissuers",
 			}
 		})
@ -326,33 +326,33 @@ func TestManagerControllerSync(t *testing.T) {
 					r.Equal(fakeKeyPEM, string(actualKeyPEM))
 				})
-				when("there is already a CredentialIssuerConfig", func() {
+				when("there is already a CredentialIssuer", func() {
-					var initialCredentialIssuerConfig *configv1alpha1.CredentialIssuerConfig
+					var initialCredentialIssuer *configv1alpha1.CredentialIssuer
 					it.Before(func() {
-						initialCredentialIssuerConfig = &configv1alpha1.CredentialIssuerConfig{
+						initialCredentialIssuer = &configv1alpha1.CredentialIssuer{
 							TypeMeta: metav1.TypeMeta{},
 							ObjectMeta: metav1.ObjectMeta{
-								Name:      credentialIssuerConfigResourceName,
+								Name:      credentialIssuerResourceName,
-								Namespace: credentialIssuerConfigNamespaceName,
+								Namespace: credentialIssuerNamespaceName,
 							},
-							Status: configv1alpha1.CredentialIssuerConfigStatus{
+							Status: configv1alpha1.CredentialIssuerStatus{
-								Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{},
+								Strategies: []configv1alpha1.CredentialIssuerStrategy{},
-								KubeConfigInfo: &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
+								KubeConfigInfo: &configv1alpha1.CredentialIssuerKubeConfigInfo{
 									Server:                   "some-server",
 									CertificateAuthorityData: "some-ca-value",
 								},
 							},
 						}
-						r.NoError(pinnipedAPIClient.Tracker().Add(initialCredentialIssuerConfig))
+						r.NoError(pinnipedAPIClient.Tracker().Add(initialCredentialIssuer))
 					})
-					it("also updates the the existing CredentialIssuerConfig status field", func() {
+					it("also updates the the existing CredentialIssuer status field", func() {
 						startInformersAndController()
 						r.NoError(controllerlib.TestSync(t, subject, *syncContext))
-						expectedCredentialIssuerConfig := initialCredentialIssuerConfig.DeepCopy()
+						expectedCredentialIssuer := initialCredentialIssuer.DeepCopy()
-						expectedCredentialIssuerConfig.Status.Strategies = []configv1alpha1.CredentialIssuerConfigStrategy{
+						expectedCredentialIssuer.Status.Strategies = []configv1alpha1.CredentialIssuerStrategy{
 							{
 								Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 								Status:         configv1alpha1.SuccessStrategyStatus,
@ -361,16 +361,16 @@ func TestManagerControllerSync(t *testing.T) {
 								LastUpdateTime: metav1.NewTime(frozenNow),
 							},
 						}
-						expectedGetAction := coretesting.NewGetAction(credentialIssuerConfigGVR, credentialIssuerConfigNamespaceName, credentialIssuerConfigResourceName)
+						expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName)
-						expectedCreateAction := coretesting.NewUpdateAction(credentialIssuerConfigGVR, credentialIssuerConfigNamespaceName, expectedCredentialIssuerConfig)
+						expectedCreateAction := coretesting.NewUpdateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer)
 						r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
 					})
-					when("updating the CredentialIssuerConfig fails", func() {
+					when("updating the CredentialIssuer fails", func() {
 						it.Before(func() {
 							pinnipedAPIClient.PrependReactor(
 								"update",
-								"credentialissuerconfigs",
+								"credentialissuers",
 								func(_ coretesting.Action) (bool, runtime.Object, error) {
 									return true, nil, errors.New("some update error")
 								},
@ -380,27 +380,27 @@ func TestManagerControllerSync(t *testing.T) {
 						it("returns an error", func() {
 							startInformersAndController()
 							err := controllerlib.TestSync(t, subject, *syncContext)
-							r.EqualError(err, "could not create or update credentialissuerconfig: some update error")
+							r.EqualError(err, "could not create or update credentialissuer: some update error")
 						})
 					})
 				})
-				when("there is not already a CredentialIssuerConfig", func() {
+				when("there is not already a CredentialIssuer", func() {
 					it.Before(func() {
 						startInformersAndController()
 					})
-					it("also creates the the CredentialIssuerConfig with the appropriate status field", func() {
+					it("also creates the the CredentialIssuer with the appropriate status field", func() {
 						r.NoError(controllerlib.TestSync(t, subject, *syncContext))
-						expectedCredentialIssuerConfig := &configv1alpha1.CredentialIssuerConfig{
+						expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 							TypeMeta: metav1.TypeMeta{},
 							ObjectMeta: metav1.ObjectMeta{
-								Name:      credentialIssuerConfigResourceName,
+								Name:      credentialIssuerResourceName,
-								Namespace: credentialIssuerConfigNamespaceName,
+								Namespace: credentialIssuerNamespaceName,
 							},
-							Status: configv1alpha1.CredentialIssuerConfigStatus{
+							Status: configv1alpha1.CredentialIssuerStatus{
-								Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{
+								Strategies: []configv1alpha1.CredentialIssuerStrategy{
 									{
 										Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 										Status:         configv1alpha1.SuccessStrategyStatus,
@ -411,8 +411,8 @@ func TestManagerControllerSync(t *testing.T) {
 								},
 							},
 						}
-						expectedGetAction := coretesting.NewGetAction(credentialIssuerConfigGVR, credentialIssuerConfigNamespaceName, credentialIssuerConfigResourceName)
+						expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName)
-						expectedCreateAction := coretesting.NewCreateAction(credentialIssuerConfigGVR, credentialIssuerConfigNamespaceName, expectedCredentialIssuerConfig)
+						expectedCreateAction := coretesting.NewCreateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer)
 						r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
 					})
 				})
@ -433,17 +433,17 @@ func TestManagerControllerSync(t *testing.T) {
 					requireDynamicCertProviderHasDefaultValues()
 				})
-				it("creates or updates the the CredentialIssuerConfig status field with an error", func() {
+				it("creates or updates the the CredentialIssuer status field with an error", func() {
 					r.EqualError(controllerlib.TestSync(t, subject, *syncContext), podExecErrorMessage)
-					expectedCredentialIssuerConfig := &configv1alpha1.CredentialIssuerConfig{
+					expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 						TypeMeta: metav1.TypeMeta{},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      credentialIssuerConfigResourceName,
+							Name:      credentialIssuerResourceName,
-							Namespace: credentialIssuerConfigNamespaceName,
+							Namespace: credentialIssuerNamespaceName,
 						},
-						Status: configv1alpha1.CredentialIssuerConfigStatus{
+						Status: configv1alpha1.CredentialIssuerStatus{
-							Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{
+							Strategies: []configv1alpha1.CredentialIssuerStrategy{
 								{
 									Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 									Status:         configv1alpha1.ErrorStrategyStatus,
@ -454,8 +454,8 @@ func TestManagerControllerSync(t *testing.T) {
 							},
 						},
 					}
-					expectedGetAction := coretesting.NewGetAction(credentialIssuerConfigGVR, credentialIssuerConfigNamespaceName, credentialIssuerConfigResourceName)
+					expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName)
-					expectedCreateAction := coretesting.NewCreateAction(credentialIssuerConfigGVR, credentialIssuerConfigNamespaceName, expectedCredentialIssuerConfig)
+					expectedCreateAction := coretesting.NewCreateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer)
 					r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
 				})
 			})
@ -475,17 +475,17 @@ func TestManagerControllerSync(t *testing.T) {
 					requireDynamicCertProviderHasDefaultValues()
 				})
-				it("creates or updates the the CredentialIssuerConfig status field with an error", func() {
+				it("creates or updates the the CredentialIssuer status field with an error", func() {
 					r.EqualError(controllerlib.TestSync(t, subject, *syncContext), podExecErrorMessage)
-					expectedCredentialIssuerConfig := &configv1alpha1.CredentialIssuerConfig{
+					expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 						TypeMeta: metav1.TypeMeta{},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      credentialIssuerConfigResourceName,
+							Name:      credentialIssuerResourceName,
-							Namespace: credentialIssuerConfigNamespaceName,
+							Namespace: credentialIssuerNamespaceName,
 						},
-						Status: configv1alpha1.CredentialIssuerConfigStatus{
+						Status: configv1alpha1.CredentialIssuerStatus{
-							Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{
+							Strategies: []configv1alpha1.CredentialIssuerStrategy{
 								{
 									Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 									Status:         configv1alpha1.ErrorStrategyStatus,
@ -496,8 +496,8 @@ func TestManagerControllerSync(t *testing.T) {
 							},
 						},
 					}
-					expectedGetAction := coretesting.NewGetAction(credentialIssuerConfigGVR, credentialIssuerConfigNamespaceName, credentialIssuerConfigResourceName)
+					expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName)
-					expectedCreateAction := coretesting.NewCreateAction(credentialIssuerConfigGVR, credentialIssuerConfigNamespaceName, expectedCredentialIssuerConfig)
+					expectedCreateAction := coretesting.NewCreateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer)
 					r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
 				})
 			})
--- a/internal/controller/kubecertagent/kubecertagent.go
+++ b/internal/controller/kubecertagent/kubecertagent.go
@ -73,11 +73,11 @@ type AgentPodConfig struct {
 	AdditionalLabels map[string]string
 }
-type CredentialIssuerConfigLocationConfig struct {
+type CredentialIssuerLocationConfig struct {
-	// The namespace in which the CredentialIssuerConfig should be created/updated.
+	// The namespace in which the CredentialIssuer should be created/updated.
 	Namespace string
-	// The resource name for the CredentialIssuerConfig to be created/updated.
+	// The resource name for the CredentialIssuer to be created/updated.
 	Name string
 }
@ -283,35 +283,35 @@ func findControllerManagerPodForSpecificAgentPod(
 	return maybeControllerManagerPod, nil
 }
-func createOrUpdateCredentialIssuerConfig(ctx context.Context,
+func createOrUpdateCredentialIssuer(ctx context.Context,
-	cicConfig CredentialIssuerConfigLocationConfig,
+	ciConfig CredentialIssuerLocationConfig,
-	credentialIssuerConfigLabels map[string]string,
+	credentialIssuerLabels map[string]string,
 	clock clock.Clock,
 	pinnipedAPIClient pinnipedclientset.Interface,
 	err error,
 ) error {
-	return issuerconfig.CreateOrUpdateCredentialIssuerConfig(
+	return issuerconfig.CreateOrUpdateCredentialIssuer(
 		ctx,
-		cicConfig.Namespace,
+		ciConfig.Namespace,
-		cicConfig.Name,
+		ciConfig.Name,
-		credentialIssuerConfigLabels,
+		credentialIssuerLabels,
 		pinnipedAPIClient,
-		func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {
+		func(configToUpdate *configv1alpha1.CredentialIssuer) {
-			var strategyResult configv1alpha1.CredentialIssuerConfigStrategy
+			var strategyResult configv1alpha1.CredentialIssuerStrategy
 			if err == nil {
 				strategyResult = strategySuccess(clock)
 			} else {
 				strategyResult = strategyError(clock, err)
 			}
-			configToUpdate.Status.Strategies = []configv1alpha1.CredentialIssuerConfigStrategy{
+			configToUpdate.Status.Strategies = []configv1alpha1.CredentialIssuerStrategy{
 				strategyResult,
 			}
 		},
 	)
 }
-func strategySuccess(clock clock.Clock) configv1alpha1.CredentialIssuerConfigStrategy {
+func strategySuccess(clock clock.Clock) configv1alpha1.CredentialIssuerStrategy {
-	return configv1alpha1.CredentialIssuerConfigStrategy{
+	return configv1alpha1.CredentialIssuerStrategy{
 		Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 		Status:         configv1alpha1.SuccessStrategyStatus,
 		Reason:         configv1alpha1.FetchedKeyStrategyReason,
@ -320,8 +320,8 @@ func strategySuccess(clock clock.Clock) configv1alpha1.CredentialIssuerConfigStr
 	}
 }
-func strategyError(clock clock.Clock, err error) configv1alpha1.CredentialIssuerConfigStrategy {
+func strategyError(clock clock.Clock, err error) configv1alpha1.CredentialIssuerStrategy {
-	return configv1alpha1.CredentialIssuerConfigStrategy{
+	return configv1alpha1.CredentialIssuerStrategy{
 		Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
 		Status:         configv1alpha1.ErrorStrategyStatus,
 		Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
--- a/internal/controller/kubecertagent/kubecertagent_test.go
+++ b/internal/controller/kubecertagent/kubecertagent_test.go
@ -131,7 +131,7 @@ func defineSharedKubecertagentFilterSpecs(
 	name string,
 	newFunc func(
 		agentPodConfig *AgentPodConfig,
-		credentialIssuerConfigLocationConfig *CredentialIssuerConfigLocationConfig,
+		credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
 		kubeSystemPodInformer corev1informers.PodInformer,
 		agentPodInformer corev1informers.PodInformer,
 		observableWithInformerOption *testutil.ObservableWithInformerOption,
@ -149,7 +149,7 @@ func defineSharedKubecertagentFilterSpecs(
 			kubeSystemPodInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().Pods()
 			agentPodInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().Pods()
 			observableWithInformerOption := testutil.NewObservableWithInformerOption()
-			newFunc(&AgentPodConfig{}, &CredentialIssuerConfigLocationConfig{}, kubeSystemPodInformer, agentPodInformer, observableWithInformerOption)
+			newFunc(&AgentPodConfig{}, &CredentialIssuerLocationConfig{}, kubeSystemPodInformer, agentPodInformer, observableWithInformerOption)
 			kubeSystemPodInformerFilter = observableWithInformerOption.GetFilterForInformer(kubeSystemPodInformer)
 			agentPodInformerFilter = observableWithInformerOption.GetFilterForInformer(agentPodInformer)
--- a/internal/controllermanager/prepare_controllers.go
+++ b/internal/controllermanager/prepare_controllers.go
@ -101,9 +101,9 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		ContainerImagePullSecrets: c.KubeCertAgentConfig.ImagePullSecrets,
 		AdditionalLabels:          c.Labels,
 	}
-	credentialIssuerConfigLocationConfig := &kubecertagent.CredentialIssuerConfigLocationConfig{
+	credentialIssuerLocationConfig := &kubecertagent.CredentialIssuerLocationConfig{
 		Namespace: c.ServerInstallationNamespace,
-		Name:      c.NamesConfig.CredentialIssuerConfig,
+		Name:      c.NamesConfig.CredentialIssuer,
 	}
 	// Create controller manager.
@ -111,11 +111,11 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		NewManager().
 		// KubeConfig info publishing controller is responsible for writing the KubeConfig information to the
-		// CredentialIssuerConfig resource and keeping that information up to date.
+		// CredentialIssuer resource and keeping that information up to date.
 		WithController(
 			issuerconfig.NewKubeConfigInfoPublisherController(
 				c.ServerInstallationNamespace,
-				c.NamesConfig.CredentialIssuerConfig,
+				c.NamesConfig.CredentialIssuer,
 				c.Labels,
 				c.DiscoveryURLOverride,
 				pinnipedClient,
@ -179,7 +179,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			kubecertagent.NewCreaterController(
 				agentPodConfig,
-				credentialIssuerConfigLocationConfig,
+				credentialIssuerLocationConfig,
 				c.Labels,
 				clock.RealClock{},
 				k8sClient,
@ -194,7 +194,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			kubecertagent.NewAnnotaterController(
 				agentPodConfig,
-				credentialIssuerConfigLocationConfig,
+				credentialIssuerLocationConfig,
 				clock.RealClock{},
 				k8sClient,
 				pinnipedClient,
@ -206,7 +206,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		).
 		WithController(
 			kubecertagent.NewExecerController(
-				credentialIssuerConfigLocationConfig,
+				credentialIssuerLocationConfig,
 				c.DynamicSigningCertProvider,
 				kubecertagent.NewPodCommandExecutor(kubeConfig, k8sClient),
 				pinnipedClient,
--- a/test/integration/concierge_credentialissuerconfig_test.go
+++ b/test/integration/concierge_credentialissuerconfig_test.go
@ -16,7 +16,7 @@ import (
 	"go.pinniped.dev/test/library"
 )
-func TestCredentialIssuerConfig(t *testing.T) {
+func TestCredentialIssuer(t *testing.T) {
 	env := library.IntegrationEnv(t)
 	config := library.NewClientConfig(t)
 	client := library.NewConciergeClientset(t)
@ -24,10 +24,10 @@ func TestCredentialIssuerConfig(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	t.Run("test successful CredentialIssuerConfig", func(t *testing.T) {
+	t.Run("test successful CredentialIssuer", func(t *testing.T) {
 		actualConfigList, err := client.
 			ConfigV1alpha1().
-			CredentialIssuerConfigs(env.ConciergeNamespace).
+			CredentialIssuers(env.ConciergeNamespace).
 			List(ctx, metav1.ListOptions{})
 		require.NoError(t, err)
@ -37,7 +37,7 @@ func TestCredentialIssuerConfig(t *testing.T) {
 		actualStatusKubeConfigInfo := actualConfigList.Items[0].Status.KubeConfigInfo
 		for k, v := range env.ConciergeCustomLabels {
-			require.Equalf(t, v, actualConfig.Labels[k], "expected cic to have label `%s: %s`", k, v)
+			require.Equalf(t, v, actualConfig.Labels[k], "expected ci to have label `%s: %s`", k, v)
 		}
 		require.Equal(t, env.ConciergeAppName, actualConfig.Labels["app"])
@ -54,7 +54,7 @@ func TestCredentialIssuerConfig(t *testing.T) {
 			// Verify the published kube config info.
 			require.Equal(
 				t,
-				&configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
+				&configv1alpha1.CredentialIssuerKubeConfigInfo{
 					Server:                   config.Host,
 					CertificateAuthorityData: base64.StdEncoding.EncodeToString(config.TLSClientConfig.CAData),
 				},
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@ -98,12 +98,11 @@ func TestGetAPIResourceList(t *testing.T) {
 			resourceByVersion: map[string][]metav1.APIResource{
 				"config.concierge.pinniped.dev/v1alpha1": {
 					{
-						Name:         "credentialissuerconfigs",
+						Name:         "credentialissuers",
-						SingularName: "credentialissuerconfig",
+						SingularName: "credentialissuer",
 						Namespaced:   true,
-						Kind:         "CredentialIssuerConfig",
+						Kind:         "CredentialIssuer",
 						Verbs:        []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
 						ShortNames:   []string{"cic"},
 					},
 				},
 			},
`@ -5,4 +5,4 @@`

	`package v1alpha1`	`package v1alpha1`

	`type CredentialIssuerConfigExpansion interface{}`	`type CredentialIssuerExpansion interface{}`