diff --git a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
index 340a402b..ab804f99 100644
--- a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
+++ b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -19,6 +19,7 @@ type StrategyReason string
 
 const (
 	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
 
 	TokenCredentialRequestAPIFrontendType = FrontendType("TokenCredentialRequestAPI")
 	ImpersonationProxyFrontendType        = FrontendType("ImpersonationProxy")
@@ -26,6 +27,10 @@ const (
 	SuccessStrategyStatus = StrategyStatus("Success")
 	ErrorStrategyStatus   = StrategyStatus("Error")
 
+	ListeningStrategyReason              = StrategyReason("Listening")
+	PendingStrategyReason                = StrategyReason("Pending")
+	DisabledStrategyReason               = StrategyReason("Disabled")
+	ErrorDuringSetupStrategyReason       = StrategyReason("ErrorDuringSetup")
 	CouldNotFetchKeyStrategyReason       = StrategyReason("CouldNotFetchKey")
 	CouldNotGetClusterInfoStrategyReason = StrategyReason("CouldNotGetClusterInfo")
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
diff --git a/cmd/pinniped/cmd/kubeconfig.go b/cmd/pinniped/cmd/kubeconfig.go
index 34e5605b..c1c819bf 100644
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -250,8 +250,7 @@ func configureConcierge(credentialIssuer *configv1alpha1.CredentialIssuer, authe
 	var conciergeCABundleData []byte
 
 	// Autodiscover the --concierge-mode.
-	if flags.concierge.mode == modeUnknown {
-
+	if flags.concierge.mode == modeUnknown { //nolint:nestif
 		for _, strategy := range credentialIssuer.Status.Strategies {
 			fe := strategy.Frontend
 			if strategy.Status != configv1alpha1.SuccessStrategyStatus || fe == nil {
@@ -475,9 +474,9 @@ func copyCurrentClusterFromExistingKubeConfig(currentKubeConfig clientcmdapi.Con
 	if currentContextNameOverride != "" {
 		contextName = currentContextNameOverride
 	}
-	context := currentKubeConfig.Contexts[contextName]
-	if context == nil {
+	ctx := currentKubeConfig.Contexts[contextName]
+	if ctx == nil {
 		return nil, fmt.Errorf("no such context %q", contextName)
 	}
-	return currentKubeConfig.Clusters[context.Cluster], nil
+	return currentKubeConfig.Clusters[ctx.Cluster], nil
 }
diff --git a/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go
index 340a402b..ab804f99 100644
--- a/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -19,6 +19,7 @@ type StrategyReason string
 
 const (
 	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
 
 	TokenCredentialRequestAPIFrontendType = FrontendType("TokenCredentialRequestAPI")
 	ImpersonationProxyFrontendType        = FrontendType("ImpersonationProxy")
@@ -26,6 +27,10 @@ const (
 	SuccessStrategyStatus = StrategyStatus("Success")
 	ErrorStrategyStatus   = StrategyStatus("Error")
 
+	ListeningStrategyReason              = StrategyReason("Listening")
+	PendingStrategyReason                = StrategyReason("Pending")
+	DisabledStrategyReason               = StrategyReason("Disabled")
+	ErrorDuringSetupStrategyReason       = StrategyReason("ErrorDuringSetup")
 	CouldNotFetchKeyStrategyReason       = StrategyReason("CouldNotFetchKey")
 	CouldNotGetClusterInfoStrategyReason = StrategyReason("CouldNotGetClusterInfo")
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
diff --git a/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go
index 340a402b..ab804f99 100644
--- a/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -19,6 +19,7 @@ type StrategyReason string
 
 const (
 	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
 
 	TokenCredentialRequestAPIFrontendType = FrontendType("TokenCredentialRequestAPI")
 	ImpersonationProxyFrontendType        = FrontendType("ImpersonationProxy")
@@ -26,6 +27,10 @@ const (
 	SuccessStrategyStatus = StrategyStatus("Success")
 	ErrorStrategyStatus   = StrategyStatus("Error")
 
+	ListeningStrategyReason              = StrategyReason("Listening")
+	PendingStrategyReason                = StrategyReason("Pending")
+	DisabledStrategyReason               = StrategyReason("Disabled")
+	ErrorDuringSetupStrategyReason       = StrategyReason("ErrorDuringSetup")
 	CouldNotFetchKeyStrategyReason       = StrategyReason("CouldNotFetchKey")
 	CouldNotGetClusterInfoStrategyReason = StrategyReason("CouldNotGetClusterInfo")
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
diff --git a/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go
index 340a402b..ab804f99 100644
--- a/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -19,6 +19,7 @@ type StrategyReason string
 
 const (
 	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
 
 	TokenCredentialRequestAPIFrontendType = FrontendType("TokenCredentialRequestAPI")
 	ImpersonationProxyFrontendType        = FrontendType("ImpersonationProxy")
@@ -26,6 +27,10 @@ const (
 	SuccessStrategyStatus = StrategyStatus("Success")
 	ErrorStrategyStatus   = StrategyStatus("Error")
 
+	ListeningStrategyReason              = StrategyReason("Listening")
+	PendingStrategyReason                = StrategyReason("Pending")
+	DisabledStrategyReason               = StrategyReason("Disabled")
+	ErrorDuringSetupStrategyReason       = StrategyReason("ErrorDuringSetup")
 	CouldNotFetchKeyStrategyReason       = StrategyReason("CouldNotFetchKey")
 	CouldNotGetClusterInfoStrategyReason = StrategyReason("CouldNotGetClusterInfo")
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
diff --git a/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go
index 340a402b..ab804f99 100644
--- a/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -19,6 +19,7 @@ type StrategyReason string
 
 const (
 	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
 
 	TokenCredentialRequestAPIFrontendType = FrontendType("TokenCredentialRequestAPI")
 	ImpersonationProxyFrontendType        = FrontendType("ImpersonationProxy")
@@ -26,6 +27,10 @@ const (
 	SuccessStrategyStatus = StrategyStatus("Success")
 	ErrorStrategyStatus   = StrategyStatus("Error")
 
+	ListeningStrategyReason              = StrategyReason("Listening")
+	PendingStrategyReason                = StrategyReason("Pending")
+	DisabledStrategyReason               = StrategyReason("Disabled")
+	ErrorDuringSetupStrategyReason       = StrategyReason("ErrorDuringSetup")
 	CouldNotFetchKeyStrategyReason       = StrategyReason("CouldNotFetchKey")
 	CouldNotGetClusterInfoStrategyReason = StrategyReason("CouldNotGetClusterInfo")
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
diff --git a/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go
index 340a402b..ab804f99 100644
--- a/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -19,6 +19,7 @@ type StrategyReason string
 
 const (
 	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
 
 	TokenCredentialRequestAPIFrontendType = FrontendType("TokenCredentialRequestAPI")
 	ImpersonationProxyFrontendType        = FrontendType("ImpersonationProxy")
@@ -26,6 +27,10 @@ const (
 	SuccessStrategyStatus = StrategyStatus("Success")
 	ErrorStrategyStatus   = StrategyStatus("Error")
 
+	ListeningStrategyReason              = StrategyReason("Listening")
+	PendingStrategyReason                = StrategyReason("Pending")
+	DisabledStrategyReason               = StrategyReason("Disabled")
+	ErrorDuringSetupStrategyReason       = StrategyReason("ErrorDuringSetup")
 	CouldNotFetchKeyStrategyReason       = StrategyReason("CouldNotFetchKey")
 	CouldNotGetClusterInfoStrategyReason = StrategyReason("CouldNotGetClusterInfo")
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
diff --git a/internal/controller/impersonatorconfig/impersonator_config.go b/internal/controller/impersonatorconfig/impersonator_config.go
index 2200f968..28542362 100644
--- a/internal/controller/impersonatorconfig/impersonator_config.go
+++ b/internal/controller/impersonatorconfig/impersonator_config.go
@@ -44,10 +44,6 @@ const (
 	caCrtKey               = "ca.crt"
 	caKeyKey               = "ca.key"
 	appLabelKey            = "app"
-
-	// TODO move these to the api package after resolving an upcoming merge.
-	PendingStrategyReason          = v1alpha1.StrategyReason("Pending")
-	ErrorDuringSetupStrategyReason = v1alpha1.StrategyReason("ErrorDuringSetup")
 )
 
 type impersonatorConfigController struct {
@@ -153,7 +149,7 @@ func (c *impersonatorConfigController) Sync(syncCtx controllerlib.Context) error
 		strategy = &v1alpha1.CredentialIssuerStrategy{
 			Type:           v1alpha1.ImpersonationProxyStrategyType,
 			Status:         v1alpha1.ErrorStrategyStatus,
-			Reason:         ErrorDuringSetupStrategyReason,
+			Reason:         v1alpha1.ErrorDuringSetupStrategyReason,
 			Message:        err.Error(),
 			LastUpdateTime: metav1.NewTime(c.clock.Now()),
 		}
@@ -740,7 +736,7 @@ func (c *impersonatorConfigController) doSyncResult(waitingForLoadBalancer bool,
 		return &v1alpha1.CredentialIssuerStrategy{
 			Type:           v1alpha1.ImpersonationProxyStrategyType,
 			Status:         v1alpha1.ErrorStrategyStatus,
-			Reason:         PendingStrategyReason,
+			Reason:         v1alpha1.PendingStrategyReason,
 			Message:        "waiting for load balancer Service to be assigned IP or hostname",
 			LastUpdateTime: metav1.NewTime(c.clock.Now()),
 		}
diff --git a/internal/controller/impersonatorconfig/impersonator_config_test.go b/internal/controller/impersonatorconfig/impersonator_config_test.go
index a1c27a90..12eefda9 100644
--- a/internal/controller/impersonatorconfig/impersonator_config_test.go
+++ b/internal/controller/impersonatorconfig/impersonator_config_test.go
@@ -694,7 +694,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 			return v1alpha1.CredentialIssuerStrategy{
 				Type:           v1alpha1.ImpersonationProxyStrategyType,
 				Status:         v1alpha1.ErrorStrategyStatus,
-				Reason:         PendingStrategyReason,
+				Reason:         v1alpha1.PendingStrategyReason,
 				Message:        "waiting for load balancer Service to be assigned IP or hostname",
 				LastUpdateTime: metav1.NewTime(frozenNow),
 			}
@@ -704,7 +704,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 			return v1alpha1.CredentialIssuerStrategy{
 				Type:           v1alpha1.ImpersonationProxyStrategyType,
 				Status:         v1alpha1.ErrorStrategyStatus,
-				Reason:         ErrorDuringSetupStrategyReason,
+				Reason:         v1alpha1.ErrorDuringSetupStrategyReason,
 				Message:        msg,
 				LastUpdateTime: metav1.NewTime(frozenNow),
 			}