diff --git a/cmd/pinniped/cmd/flag_types.go b/cmd/pinniped/cmd/flag_types.go
index 7b10e3a5..2bc55e06 100644
--- a/cmd/pinniped/cmd/flag_types.go
+++ b/cmd/pinniped/cmd/flag_types.go
@@ -16,20 +16,20 @@ import (
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 )
 
-// conciergeMode represents the method by which we should connect to the Concierge on a cluster during login.
+// conciergeModeFlag represents the method by which we should connect to the Concierge on a cluster during login.
 // this is meant to be a valid flag.Value implementation.
-type conciergeMode int
+type conciergeModeFlag int
 
-var _ flag.Value = new(conciergeMode)
+var _ flag.Value = new(conciergeModeFlag)
 
 const (
-	modeUnknown conciergeMode = iota
+	modeUnknown conciergeModeFlag = iota
 	modeTokenCredentialRequestAPI
 	modeImpersonationProxy
 )
 
-func (c *conciergeMode) String() string {
-	switch *c {
+func (f *conciergeModeFlag) String() string {
+	switch *f {
 	case modeImpersonationProxy:
 		return "ImpersonationProxy"
 	case modeTokenCredentialRequestAPI:
@@ -41,29 +41,29 @@ func (c *conciergeMode) String() string {
 	}
 }
 
-func (c *conciergeMode) Set(s string) error {
+func (f *conciergeModeFlag) Set(s string) error {
 	if strings.EqualFold(s, "") {
-		*c = modeUnknown
+		*f = modeUnknown
 		return nil
 	}
 	if strings.EqualFold(s, "TokenCredentialRequestAPI") {
-		*c = modeTokenCredentialRequestAPI
+		*f = modeTokenCredentialRequestAPI
 		return nil
 	}
 	if strings.EqualFold(s, "ImpersonationProxy") {
-		*c = modeImpersonationProxy
+		*f = modeImpersonationProxy
 		return nil
 	}
 	return fmt.Errorf("invalid mode %q, valid modes are TokenCredentialRequestAPI and ImpersonationProxy", s)
 }
 
-func (c *conciergeMode) Type() string {
+func (f *conciergeModeFlag) Type() string {
 	return "mode"
 }
 
 // MatchesFrontend returns true iff the flag matches the type of the provided frontend.
-func (c *conciergeMode) MatchesFrontend(frontend *configv1alpha1.CredentialIssuerFrontend) bool {
-	switch *c {
+func (f *conciergeModeFlag) MatchesFrontend(frontend *configv1alpha1.CredentialIssuerFrontend) bool {
+	switch *f {
 	case modeImpersonationProxy:
 		return frontend.Type == configv1alpha1.ImpersonationProxyFrontendType
 	case modeTokenCredentialRequestAPI:
@@ -76,15 +76,15 @@ func (c *conciergeMode) MatchesFrontend(frontend *configv1alpha1.CredentialIssue
 }
 
 // caBundlePathsVar represents a list of CA bundle paths, which load from disk when the flag is populated.
-type caBundleVar []byte
+type caBundleFlag []byte
 
-var _ pflag.Value = new(caBundleVar)
+var _ pflag.Value = new(caBundleFlag)
 
-func (c *caBundleVar) String() string {
-	return string(*c)
+func (f *caBundleFlag) String() string {
+	return string(*f)
 }
 
-func (c *caBundleVar) Set(path string) error {
+func (f *caBundleFlag) Set(path string) error {
 	pem, err := ioutil.ReadFile(path)
 	if err != nil {
 		return fmt.Errorf("could not read CA bundle path: %w", err)
@@ -93,14 +93,14 @@ func (c *caBundleVar) Set(path string) error {
 	if !pool.AppendCertsFromPEM(pem) {
 		return fmt.Errorf("failed to load any CA certificates from %q", path)
 	}
-	if len(*c) == 0 {
-		*c = pem
+	if len(*f) == 0 {
+		*f = pem
 		return nil
 	}
-	*c = bytes.Join([][]byte{*c, pem}, []byte("\n"))
+	*f = bytes.Join([][]byte{*f, pem}, []byte("\n"))
 	return nil
 }
 
-func (c *caBundleVar) Type() string {
+func (f *caBundleFlag) Type() string {
 	return "path"
 }
diff --git a/cmd/pinniped/cmd/flag_types_test.go b/cmd/pinniped/cmd/flag_types_test.go
index 38295066..6d967969 100644
--- a/cmd/pinniped/cmd/flag_types_test.go
+++ b/cmd/pinniped/cmd/flag_types_test.go
@@ -20,34 +20,34 @@ import (
 )
 
 func TestConciergeModeFlag(t *testing.T) {
-	var m conciergeMode
-	require.Equal(t, "mode", m.Type())
-	require.Equal(t, modeUnknown, m)
-	require.NoError(t, m.Set(""))
-	require.Equal(t, modeUnknown, m)
-	require.EqualError(t, m.Set("foo"), `invalid mode "foo", valid modes are TokenCredentialRequestAPI and ImpersonationProxy`)
-	require.True(t, m.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.TokenCredentialRequestAPIFrontendType}))
-	require.True(t, m.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.ImpersonationProxyFrontendType}))
+	var f conciergeModeFlag
+	require.Equal(t, "mode", f.Type())
+	require.Equal(t, modeUnknown, f)
+	require.NoError(t, f.Set(""))
+	require.Equal(t, modeUnknown, f)
+	require.EqualError(t, f.Set("foo"), `invalid mode "foo", valid modes are TokenCredentialRequestAPI and ImpersonationProxy`)
+	require.True(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.TokenCredentialRequestAPIFrontendType}))
+	require.True(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.ImpersonationProxyFrontendType}))
 
-	require.NoError(t, m.Set("TokenCredentialRequestAPI"))
-	require.Equal(t, modeTokenCredentialRequestAPI, m)
-	require.Equal(t, "TokenCredentialRequestAPI", m.String())
-	require.True(t, m.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.TokenCredentialRequestAPIFrontendType}))
-	require.False(t, m.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.ImpersonationProxyFrontendType}))
+	require.NoError(t, f.Set("TokenCredentialRequestAPI"))
+	require.Equal(t, modeTokenCredentialRequestAPI, f)
+	require.Equal(t, "TokenCredentialRequestAPI", f.String())
+	require.True(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.TokenCredentialRequestAPIFrontendType}))
+	require.False(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.ImpersonationProxyFrontendType}))
 
-	require.NoError(t, m.Set("tokencredentialrequestapi"))
-	require.Equal(t, modeTokenCredentialRequestAPI, m)
-	require.Equal(t, "TokenCredentialRequestAPI", m.String())
+	require.NoError(t, f.Set("tokencredentialrequestapi"))
+	require.Equal(t, modeTokenCredentialRequestAPI, f)
+	require.Equal(t, "TokenCredentialRequestAPI", f.String())
 
-	require.NoError(t, m.Set("ImpersonationProxy"))
-	require.Equal(t, modeImpersonationProxy, m)
-	require.Equal(t, "ImpersonationProxy", m.String())
-	require.False(t, m.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.TokenCredentialRequestAPIFrontendType}))
-	require.True(t, m.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.ImpersonationProxyFrontendType}))
+	require.NoError(t, f.Set("ImpersonationProxy"))
+	require.Equal(t, modeImpersonationProxy, f)
+	require.Equal(t, "ImpersonationProxy", f.String())
+	require.False(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.TokenCredentialRequestAPIFrontendType}))
+	require.True(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.ImpersonationProxyFrontendType}))
 
-	require.NoError(t, m.Set("impersonationproxy"))
-	require.Equal(t, modeImpersonationProxy, m)
-	require.Equal(t, "ImpersonationProxy", m.String())
+	require.NoError(t, f.Set("impersonationproxy"))
+	require.Equal(t, modeImpersonationProxy, f)
+	require.Equal(t, "ImpersonationProxy", f.String())
 }
 
 func TestCABundleFlag(t *testing.T) {
@@ -60,15 +60,15 @@ func TestCABundleFlag(t *testing.T) {
 	testCAPath := filepath.Join(tmpdir, "testca.pem")
 	require.NoError(t, ioutil.WriteFile(testCAPath, testCA.Bundle(), 0600))
 
-	c := caBundleVar{}
-	require.Equal(t, "path", c.Type())
-	require.Equal(t, "", c.String())
-	require.EqualError(t, c.Set("./does/not/exist"), "could not read CA bundle path: open ./does/not/exist: no such file or directory")
-	require.EqualError(t, c.Set(emptyFilePath), fmt.Sprintf("failed to load any CA certificates from %q", emptyFilePath))
+	f := caBundleFlag{}
+	require.Equal(t, "path", f.Type())
+	require.Equal(t, "", f.String())
+	require.EqualError(t, f.Set("./does/not/exist"), "could not read CA bundle path: open ./does/not/exist: no such file or directory")
+	require.EqualError(t, f.Set(emptyFilePath), fmt.Sprintf("failed to load any CA certificates from %q", emptyFilePath))
 
-	require.NoError(t, c.Set(testCAPath))
-	require.Equal(t, 1, bytes.Count(c, []byte("BEGIN CERTIFICATE")))
+	require.NoError(t, f.Set(testCAPath))
+	require.Equal(t, 1, bytes.Count(f, []byte("BEGIN CERTIFICATE")))
 
-	require.NoError(t, c.Set(testCAPath))
-	require.Equal(t, 2, bytes.Count(c, []byte("BEGIN CERTIFICATE")))
+	require.NoError(t, f.Set(testCAPath))
+	require.Equal(t, 2, bytes.Count(f, []byte("BEGIN CERTIFICATE")))
 }
diff --git a/cmd/pinniped/cmd/kubeconfig.go b/cmd/pinniped/cmd/kubeconfig.go
index 7ce12900..1017eb5b 100644
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -74,7 +74,7 @@ type getKubeconfigOIDCParams struct {
 	skipBrowser       bool
 	sessionCachePath  string
 	debugSessionCache bool
-	caBundle          caBundleVar
+	caBundle          caBundleFlag
 	requestAudience   string
 }
 
@@ -84,9 +84,9 @@ type getKubeconfigConciergeParams struct {
 	authenticatorName string
 	authenticatorType string
 	apiGroupSuffix    string
-	caBundle          caBundleVar
+	caBundle          caBundleFlag
 	endpoint          string
-	mode              conciergeMode
+	mode              conciergeModeFlag
 }
 
 type getKubeconfigParams struct {
@@ -383,7 +383,7 @@ func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconf
 	return nil
 }
 
-func getConciergeFrontend(credentialIssuer *configv1alpha1.CredentialIssuer, mode conciergeMode) (*configv1alpha1.CredentialIssuerFrontend, error) {
+func getConciergeFrontend(credentialIssuer *configv1alpha1.CredentialIssuer, mode conciergeModeFlag) (*configv1alpha1.CredentialIssuerFrontend, error) {
 	for _, strategy := range credentialIssuer.Status.Strategies {
 		// Skip unhealthy strategies.
 		if strategy.Status != configv1alpha1.SuccessStrategyStatus {
diff --git a/cmd/pinniped/cmd/login_oidc.go b/cmd/pinniped/cmd/login_oidc.go
index e1db5689..7dd29943 100644
--- a/cmd/pinniped/cmd/login_oidc.go
+++ b/cmd/pinniped/cmd/login_oidc.go
@@ -71,7 +71,7 @@ type oidcLoginFlags struct {
 	conciergeEndpoint          string
 	conciergeCABundle          string
 	conciergeAPIGroupSuffix    string
-	conciergeMode              conciergeMode
+	conciergeMode              conciergeModeFlag
 }
 
 func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
diff --git a/cmd/pinniped/cmd/login_static.go b/cmd/pinniped/cmd/login_static.go
index 9141c4e6..c9942551 100644
--- a/cmd/pinniped/cmd/login_static.go
+++ b/cmd/pinniped/cmd/login_static.go
@@ -47,7 +47,7 @@ type staticLoginParams struct {
 	conciergeEndpoint          string
 	conciergeCABundle          string
 	conciergeAPIGroupSuffix    string
-	conciergeMode              conciergeMode
+	conciergeMode              conciergeModeFlag
 }
 
 func staticLoginCommand(deps staticLoginDeps) *cobra.Command {