Merge pull request #182 from mattmoyer/more-renames

Rename more APIs before we cut a release with longer-term API compatibility
2020-11-02 18:34:26 -06:00 · 2020-11-02 18:34:26 -06:00 · c451604816
commit c451604816
parent 05cf56a0fa 2bf5c8b48b
163 changed files with 5299 additions and 5096 deletions
--- a/apis/concierge/config/v1alpha1/register.go.tmpl
+++ b/apis/concierge/config/v1alpha1/register.go.tmpl
@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&CredentialIssuerConfig{},
+		&CredentialIssuer{},
-		&CredentialIssuerConfigList{},
+		&CredentialIssuerList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go.tmpl
+++ b/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go.tmpl
@ -25,17 +25,17 @@ const (
 )
 // Status of a credential issuer.
-type CredentialIssuerConfigStatus struct {
+type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
-	Strategies []CredentialIssuerConfigStrategy `json:"strategies"`
+	Strategies []CredentialIssuerStrategy `json:"strategies"`
 	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 	// +optional
-	KubeConfigInfo *CredentialIssuerConfigKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 // Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
-type CredentialIssuerConfigKubeConfigInfo struct {
+type CredentialIssuerKubeConfigInfo struct {
 	// The K8s API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
@ -47,7 +47,7 @@ type CredentialIssuerConfigKubeConfigInfo struct {
 }
 // Status of an integration strategy that was attempted by Pinniped.
-type CredentialIssuerConfigStrategy struct {
+type CredentialIssuerStrategy struct {
 	// Type of integration attempted.
 	Type StrategyType `json:"type"`
@ -68,22 +68,21 @@ type CredentialIssuerConfigStrategy struct {
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:shortName=cic
-type CredentialIssuerConfig struct {
+type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Status of the credential issuer.
-	Status CredentialIssuerConfigStatus `json:"status"`
+	Status CredentialIssuerStatus `json:"status"`
 }
-// List of CredentialIssuerConfig objects.
+// List of CredentialIssuer objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type CredentialIssuerConfigList struct {
+type CredentialIssuerList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []CredentialIssuerConfig `json:"items"`
+	Items []CredentialIssuer `json:"items"`
 }
--- a/apis/supervisor/config/v1alpha1/register.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/register.go.tmpl
@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&OIDCProviderConfig{},
+		&OIDCProvider{},
-		&OIDCProviderConfigList{},
+		&OIDCProviderList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcproviderconfig.go
+++ b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcproviderconfig.go
@ -9,17 +9,40 @@ import (
 )
 // +kubebuilder:validation:Enum=Success;Duplicate;Invalid
-type OIDCProviderStatus string
+type OIDCProviderStatusCondition string
 const (
-	SuccessOIDCProviderStatus                         = OIDCProviderStatus("Success")
+	SuccessOIDCProviderStatusCondition                         = OIDCProviderStatusCondition("Success")
-	DuplicateOIDCProviderStatus                       = OIDCProviderStatus("Duplicate")
+	DuplicateOIDCProviderStatusCondition                       = OIDCProviderStatusCondition("Duplicate")
-	SameIssuerHostMustUseSameSecretOIDCProviderStatus = OIDCProviderStatus("SameIssuerHostMustUseSameSecret")
+	SameIssuerHostMustUseSameSecretOIDCProviderStatusCondition = OIDCProviderStatusCondition("SameIssuerHostMustUseSameSecret")
-	InvalidOIDCProviderStatus                         = OIDCProviderStatus("Invalid")
+	InvalidOIDCProviderStatusCondition                         = OIDCProviderStatusCondition("Invalid")
 )
-// OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
-type OIDCProviderConfigSpec struct {
+type OIDCProviderTLSSpec struct {
 	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 	// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
 	// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
 	// for TLS.
 	//
 	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
 	//
 	// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
 	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 	// SecretName value even if they have different port numbers.
 	//
 	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
 	// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 	// use the default TLS certificate, which is configured elsewhere.
 	//
 	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 	//
 	// +optional
 	SecretName string `json:"secretName,omitempty"`
 }
 // OIDCProviderSpec is a struct that describes an OIDC Provider.
 type OIDCProviderSpec struct {
 	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
 	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
 	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
@ -31,35 +54,17 @@ type OIDCProviderConfigSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Issuer string `json:"issuer"`
-	// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
+	// TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 	// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
 	// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
 	// contain the certificate and private key to use for TLS.
 	//
 	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
 	//
 	// SNICertificateSecretName is required if you would like to use different TLS certificates for
 	// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
 	// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
 	//
 	// SNICertificateSecretName is not required when you would like to use only the
 	// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
 	// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
 	// which is configured elsewhere.
 	//
 	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
 	// for IP addresses.
 	//
 	// +optional
-	SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
+	TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
 }
-// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
-type OIDCProviderConfigStatus struct {
+type OIDCProviderStatus struct {
 	// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
 	// represent success or failure.
 	// +optional
-	Status OIDCProviderStatus `json:"status,omitempty"`
+	Status OIDCProviderStatusCondition `json:"status,omitempty"`
 	// Message provides human-readable details about the Status.
 	// +optional
@ -78,27 +83,25 @@ type OIDCProviderConfigStatus struct {
 	JWKSSecret corev1.LocalObjectReference `json:"jwksSecret,omitempty"`
 }
-// OIDCProviderConfig describes the configuration of an OIDC provider.
+// OIDCProvider describes the configuration of an OIDC provider.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:shortName=opc
+type OIDCProvider struct {
 type OIDCProviderConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Spec of the OIDC provider.
-	Spec OIDCProviderConfigSpec `json:"spec"`
+	Spec OIDCProviderSpec `json:"spec"`
 	// Status of the OIDC provider.
-	Status OIDCProviderConfigStatus `json:"status,omitempty"`
+	Status OIDCProviderStatus `json:"status,omitempty"`
 }
-// List of OIDCProviderConfig objects.
+// List of OIDCProvider objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
+type OIDCProviderList struct {
 type OIDCProviderConfigList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []OIDCProviderConfig `json:"items"`
+	Items []OIDCProvider `json:"items"`
 }
--- a/cmd/pinniped-supervisor/main.go
+++ b/cmd/pinniped-supervisor/main.go
@ -81,11 +81,11 @@ func startControllers(
 	controllerManager := controllerlib.
 		NewManager().
 		WithController(
-			supervisorconfig.NewOIDCProviderConfigWatcherController(
+			supervisorconfig.NewOIDCProviderWatcherController(
 				issuerManager,
 				clock.RealClock{},
 				pinnipedClient,
-				pinnipedInformers.Config().V1alpha1().OIDCProviderConfigs(),
+				pinnipedInformers.Config().V1alpha1().OIDCProviders(),
 				controllerlib.WithInformer,
 			),
 			singletonWorker,
@ -96,7 +96,7 @@ func startControllers(
 				kubeClient,
 				pinnipedClient,
 				kubeInformers.Core().V1().Secrets(),
-				pinnipedInformers.Config().V1alpha1().OIDCProviderConfigs(),
+				pinnipedInformers.Config().V1alpha1().OIDCProviders(),
 				controllerlib.WithInformer,
 			),
 			singletonWorker,
@ -105,7 +105,7 @@ func startControllers(
 			supervisorconfig.NewJWKSObserverController(
 				dynamicJWKSProvider,
 				kubeInformers.Core().V1().Secrets(),
-				pinnipedInformers.Config().V1alpha1().OIDCProviderConfigs(),
+				pinnipedInformers.Config().V1alpha1().OIDCProviders(),
 				controllerlib.WithInformer,
 			),
 			singletonWorker,
@ -115,7 +115,7 @@ func startControllers(
 				dynamicTLSCertProvider,
 				cfg.NamesConfig.DefaultTLSCertificateSecret,
 				kubeInformers.Core().V1().Secrets(),
-				pinnipedInformers.Config().V1alpha1().OIDCProviderConfigs(),
+				pinnipedInformers.Config().V1alpha1().OIDCProviders(),
 				controllerlib.WithInformer,
 			),
 			singletonWorker,
--- a/cmd/pinniped/cmd/get_kubeconfig.go
+++ b/cmd/pinniped/cmd/get_kubeconfig.go
@ -124,13 +124,13 @@ func (c *getKubeConfigCommand) run(cmd *cobra.Command, args []string) error {
 		}
 	}
-	credentialIssuerConfig, err := fetchPinnipedCredentialIssuerConfig(clientset, c.flags.namespace)
+	credentialIssuer, err := fetchPinnipedCredentialIssuer(clientset, c.flags.namespace)
 	if err != nil {
 		return err
 	}
-	if credentialIssuerConfig.Status.KubeConfigInfo == nil {
+	if credentialIssuer.Status.KubeConfigInfo == nil {
-		return constable.Error(`CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`)
+		return constable.Error(`CredentialIssuer "pinniped-config" was missing KubeConfigInfo`)
 	}
 	v1Cluster, err := copyCurrentClusterFromExistingKubeConfig(currentKubeConfig, c.flags.contextOverride)
@ -138,7 +138,7 @@ func (c *getKubeConfigCommand) run(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	err = issueWarningForNonMatchingServerOrCA(v1Cluster, credentialIssuerConfig, cmd.ErrOrStderr())
+	err = issueWarningForNonMatchingServerOrCA(v1Cluster, credentialIssuer, cmd.ErrOrStderr())
 	if err != nil {
 		return err
 	}
@ -153,14 +153,14 @@ func (c *getKubeConfigCommand) run(cmd *cobra.Command, args []string) error {
 	return nil
 }
-func issueWarningForNonMatchingServerOrCA(v1Cluster v1.Cluster, credentialIssuerConfig *configv1alpha1.CredentialIssuerConfig, warningsWriter io.Writer) error {
+func issueWarningForNonMatchingServerOrCA(v1Cluster v1.Cluster, credentialIssuer *configv1alpha1.CredentialIssuer, warningsWriter io.Writer) error {
-	credentialIssuerConfigCA, err := base64.StdEncoding.DecodeString(credentialIssuerConfig.Status.KubeConfigInfo.CertificateAuthorityData)
+	credentialIssuerCA, err := base64.StdEncoding.DecodeString(credentialIssuer.Status.KubeConfigInfo.CertificateAuthorityData)
 	if err != nil {
 		return err
 	}
-	if v1Cluster.Server != credentialIssuerConfig.Status.KubeConfigInfo.Server ||
+	if v1Cluster.Server != credentialIssuer.Status.KubeConfigInfo.Server ||
-		!bytes.Equal(v1Cluster.CertificateAuthorityData, credentialIssuerConfigCA) {
+		!bytes.Equal(v1Cluster.CertificateAuthorityData, credentialIssuerCA) {
-		_, err := warningsWriter.Write([]byte("WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n"))
+		_, err := warningsWriter.Write([]byte("WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuer on the cluster. Using local kubeconfig values.\n"))
 		if err != nil {
 			return fmt.Errorf("output write error: %w", err)
 		}
@ -207,31 +207,31 @@ func getDefaultAuthenticator(clientset pinnipedclientset.Interface, namespace st
 	return authenticators[0].authenticatorType, authenticators[0].authenticatorName, nil
 }
-func fetchPinnipedCredentialIssuerConfig(clientset pinnipedclientset.Interface, pinnipedInstallationNamespace string) (*configv1alpha1.CredentialIssuerConfig, error) {
+func fetchPinnipedCredentialIssuer(clientset pinnipedclientset.Interface, pinnipedInstallationNamespace string) (*configv1alpha1.CredentialIssuer, error) {
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancelFunc()
-	credentialIssuerConfigs, err := clientset.ConfigV1alpha1().CredentialIssuerConfigs(pinnipedInstallationNamespace).List(ctx, metav1.ListOptions{})
+	credentialIssuers, err := clientset.ConfigV1alpha1().CredentialIssuers(pinnipedInstallationNamespace).List(ctx, metav1.ListOptions{})
 	if err != nil {
 		return nil, err
 	}
-	if len(credentialIssuerConfigs.Items) == 0 {
+	if len(credentialIssuers.Items) == 0 {
 		return nil, constable.Error(fmt.Sprintf(
-			`No CredentialIssuerConfig was found in namespace "%s". Is Pinniped installed on this cluster in namespace "%s"?`,
+			`No CredentialIssuer was found in namespace "%s". Is Pinniped installed on this cluster in namespace "%s"?`,
 			pinnipedInstallationNamespace,
 			pinnipedInstallationNamespace,
 		))
 	}
-	if len(credentialIssuerConfigs.Items) > 1 {
+	if len(credentialIssuers.Items) > 1 {
 		return nil, constable.Error(fmt.Sprintf(
-			`More than one CredentialIssuerConfig was found in namespace "%s"`,
+			`More than one CredentialIssuer was found in namespace "%s"`,
 			pinnipedInstallationNamespace,
 		))
 	}
-	return &credentialIssuerConfigs.Items[0], nil
+	return &credentialIssuers.Items[0], nil
 }
 func newClientConfig(kubeconfigPathOverride string, currentContextName string) clientcmd.ClientConfig {
--- a/cmd/pinniped/cmd/get_kubeconfig_test.go
+++ b/cmd/pinniped/cmd/get_kubeconfig_test.go
@ -170,18 +170,18 @@ func (e expectedKubeconfigYAML) String() string {
 		`, e.clusterCAData, e.clusterServer, e.command, e.pinnipedEndpoint, e.pinnipedCABundle, e.namespace, e.token, e.authenticatorType, e.authenticatorName)
 }
-func newCredentialIssuerConfig(name, namespace, server, certificateAuthorityData string) *configv1alpha1.CredentialIssuerConfig {
+func newCredentialIssuer(name, namespace, server, certificateAuthorityData string) *configv1alpha1.CredentialIssuer {
-	return &configv1alpha1.CredentialIssuerConfig{
+	return &configv1alpha1.CredentialIssuer{
 		TypeMeta: metav1.TypeMeta{
-			Kind:       "CredentialIssuerConfig",
+			Kind:       "CredentialIssuer",
 			APIVersion: configv1alpha1.SchemeGroupVersion.String(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: namespace,
 		},
-		Status: configv1alpha1.CredentialIssuerConfigStatus{
+		Status: configv1alpha1.CredentialIssuerStatus{
-			KubeConfigInfo: &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
+			KubeConfigInfo: &configv1alpha1.CredentialIssuerKubeConfigInfo{
 				Server:                   server,
 				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(certificateAuthorityData)),
 			},
@ -264,59 +264,59 @@ func TestRun(t *testing.T) {
 			wantError: `multiple authenticators were found in namespace "test-namespace", so --authenticator-name/--authenticator-type must be specified`,
 		},
 		{
-			name: "fail to get CredentialIssuerConfigs",
+			name: "fail to get CredentialIssuers",
 			mocks: func(cmd *getKubeConfigCommand) {
 				clientset := pinnipedfake.NewSimpleClientset()
 				clientset.PrependReactor("*", "*", func(_ coretesting.Action) (bool, runtime.Object, error) {
-					return true, nil, fmt.Errorf("some error getting CredentialIssuerConfigs")
+					return true, nil, fmt.Errorf("some error getting CredentialIssuers")
 				})
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return clientset, nil
 				}
 			},
-			wantError: "some error getting CredentialIssuerConfigs",
+			wantError: "some error getting CredentialIssuers",
 		},
 		{
-			name: "zero CredentialIssuerConfigs found",
+			name: "zero CredentialIssuers found",
 			mocks: func(cmd *getKubeConfigCommand) {
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						newCredentialIssuerConfig("pinniped-config-1", "not-the-test-namespace", "", ""),
+						newCredentialIssuer("pinniped-config-1", "not-the-test-namespace", "", ""),
 					), nil
 				}
 			},
-			wantError: `No CredentialIssuerConfig was found in namespace "test-namespace". Is Pinniped installed on this cluster in namespace "test-namespace"?`,
+			wantError: `No CredentialIssuer was found in namespace "test-namespace". Is Pinniped installed on this cluster in namespace "test-namespace"?`,
 		},
 		{
-			name: "multiple CredentialIssuerConfigs found",
+			name: "multiple CredentialIssuers found",
 			mocks: func(cmd *getKubeConfigCommand) {
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						newCredentialIssuerConfig("pinniped-config-1", "test-namespace", "", ""),
+						newCredentialIssuer("pinniped-config-1", "test-namespace", "", ""),
-						newCredentialIssuerConfig("pinniped-config-2", "test-namespace", "", ""),
+						newCredentialIssuer("pinniped-config-2", "test-namespace", "", ""),
 					), nil
 				}
 			},
-			wantError: `More than one CredentialIssuerConfig was found in namespace "test-namespace"`,
+			wantError: `More than one CredentialIssuer was found in namespace "test-namespace"`,
 		},
 		{
-			name: "CredentialIssuerConfig missing KubeConfigInfo",
+			name: "CredentialIssuer missing KubeConfigInfo",
 			mocks: func(cmd *getKubeConfigCommand) {
-				cic := newCredentialIssuerConfig("pinniped-config", "test-namespace", "", "")
+				ci := newCredentialIssuer("pinniped-config", "test-namespace", "", "")
-				cic.Status.KubeConfigInfo = nil
+				ci.Status.KubeConfigInfo = nil
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
-					return pinnipedfake.NewSimpleClientset(cic), nil
+					return pinnipedfake.NewSimpleClientset(ci), nil
 				}
 			},
-			wantError: `CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`,
+			wantError: `CredentialIssuer "pinniped-config" was missing KubeConfigInfo`,
 		},
 		{
 			name: "KubeConfigInfo has invalid base64",
 			mocks: func(cmd *getKubeConfigCommand) {
-				cic := newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://example.com", "")
+				ci := newCredentialIssuer("pinniped-config", "test-namespace", "https://example.com", "")
-				cic.Status.KubeConfigInfo.CertificateAuthorityData = "invalid-base64-test-ca"
+				ci.Status.KubeConfigInfo.CertificateAuthorityData = "invalid-base64-test-ca"
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
-					return pinnipedfake.NewSimpleClientset(cic), nil
+					return pinnipedfake.NewSimpleClientset(ci), nil
 				}
 			},
 			wantError: `illegal base64 data at input byte 7`,
@ -324,9 +324,9 @@ func TestRun(t *testing.T) {
 		{
 			name: "success using remote CA data",
 			mocks: func(cmd *getKubeConfigCommand) {
-				cic := newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://fake-server-url-value", "fake-certificate-authority-data-value")
+				ci := newCredentialIssuer("pinniped-config", "test-namespace", "https://fake-server-url-value", "fake-certificate-authority-data-value")
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
-					return pinnipedfake.NewSimpleClientset(cic), nil
+					return pinnipedfake.NewSimpleClientset(ci), nil
 				}
 			},
 			wantStdout: expectedKubeconfigYAML{
@ -350,11 +350,11 @@ func TestRun(t *testing.T) {
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
 						&authv1alpha.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-authenticator"}},
-						newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://example.com", "test-ca"),
+						newCredentialIssuer("pinniped-config", "test-namespace", "https://example.com", "test-ca"),
 					), nil
 				}
 			},
-			wantStderr: `WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.`,
+			wantStderr: `WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuer on the cluster. Using local kubeconfig values.`,
 			wantStdout: expectedKubeconfigYAML{
 				clusterCAData:     "ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==",
 				clusterServer:     "https://fake-server-url-value",
--- a/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
+++ b/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
@ -6,16 +6,14 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
-  name: credentialissuerconfigs.config.concierge.pinniped.dev
+  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
  names:
-    kind: CredentialIssuerConfig
+    kind: CredentialIssuer
-    listKind: CredentialIssuerConfigList
+    listKind: CredentialIssuerList
-    plural: credentialissuerconfigs
+    plural: credentialissuers
-    shortNames:
+    singular: credentialissuer
    - cic
    singular: credentialissuerconfig
  scope: Namespaced
  versions:
  - name: v1alpha1
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@ -39,7 +39,7 @@ data:
        renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @)
    names:
      servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
-      credentialIssuerConfig: (@= defaultResourceNameWithSuffix("config") @)
+      credentialIssuer: (@= defaultResourceNameWithSuffix("config") @)
      apiService: (@= defaultResourceNameWithSuffix("api") @)
    labels: (@= json.encode(labels()).rstrip() @)
    kubeCertAgent:
--- a/deploy/concierge/z0_crd_overlay.yaml
+++ b/deploy/concierge/z0_crd_overlay.yaml
@ -4,7 +4,7 @@
 #@ load("@ytt:overlay", "overlay")
 #@ load("helpers.lib.yaml", "labels")
-#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"credentialissuerconfigs.config.concierge.pinniped.dev"}}), expects=1
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"credentialissuers.config.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
  #@overlay/match missing_ok=True
--- a/deploy/supervisor/README.md
+++ b/deploy/supervisor/README.md
@ -59,9 +59,8 @@ The most common ways are:
 1. Or, define a [TCP LoadBalancer Service](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer)
   which is a layer 4 load balancer and does not terminate TLS. In this case, the Supervisor app will need to be
-   configured with TLS certificates and will terminate the TLS connection itself (see the section about
+   configured with TLS certificates and will terminate the TLS connection itself (see the section about OIDCProvider
-   OIDCProviderConfig below). The LoadBalancer Service should be configured to use the HTTPS port 8443 of
+   below). The LoadBalancer Service should be configured to use the HTTPS port 443 of the Supervisor pods as its `targetPort`.
   the Supervisor pods as its `targetPort`.
   *Warning:* Do not expose the Supervisor's port 8080 to the public. It would not be secure for the OIDC protocol
   to use HTTP, because the user's secret OIDC tokens would be transmitted across the network without encryption.
@ -133,12 +132,12 @@ spec:
 ### Configuring the Supervisor to Act as an OIDC Provider
-The Supervisor can be configured as an OIDC provider by creating `OIDCProviderConfig` resources
+The Supervisor can be configured as an OIDC provider by creating `OIDCProvider` resources
 in the same namespace where the Supervisor app was installed. For example:
 ```yaml
 apiVersion: config.supervisor.pinniped.dev/v1alpha1
-kind: OIDCProviderConfig
+kind: OIDCProvider
 metadata:
  name: my-provider
  # Assuming that this is the namespace where the supervisor was installed. This is the default in install-supervisor.yaml.
@ -147,30 +146,32 @@ spec:
  # The hostname would typically match the DNS name of the public ingress or load balancer for the cluster.
  # Any path can be specified, which allows a single hostname to have multiple different issuers. The path is optional.
  issuer: https://my-issuer.example.com/any/path
  # Optionally configure the name of a Secret in the same namespace, of type `kubernetes.io/tls`,
  # which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
-  sniCertificateSecretName: my-tls-cert-secret
+  tls:
    secretName: my-tls-cert-secret
 ```
 #### Configuring TLS for the Supervisor OIDC Endpoints
 If you have terminated TLS outside the app, for example using an Ingress with TLS certificates, then you do not need to
-configure TLS certificates on the OIDCProviderConfig.
+configure TLS certificates on the OIDCProvider.
 If you are using a LoadBalancer Service to expose the Supervisor app outside your cluster, then you will
 also need to configure the Supervisor app to terminate TLS. There are two places to configure TLS certificates:
-1. Each `OIDCProviderConfig` can be configured with TLS certificates, using the `sniCertificateSecretName` field.
+1. Each `OIDCProvider` can be configured with TLS certificates, using the `spec.tls.secretName` field.
 1. The default TLS certificate for all OIDC providers can be configured by creating a Secret called
 `pinniped-supervisor-default-tls-certificate` in the same namespace in which the Supervisor was installed.
-The default TLS certificate will be used for all OIDC providers which did not declare an `sniCertificateSecretName`.
+The default TLS certificate will be used for all OIDC providers which did not declare a `spec.tls.secretName`.
-Also, the `sniCertificateSecretName` will be ignored for incoming requests to the OIDC endpoints
+Also, the `spec.tls.secretName` will be ignored for incoming requests to the OIDC endpoints
 that use an IP address as the host, so those requests will always present the default TLS certificates
 to the client. When the request includes the hostname, and that hostname matches the hostname of an `Issuer`,
-then the TLS certificate defined by the `sniCertificateSecretName` will be used. If that issuer did not
+then the TLS certificate defined by the `spec.tls.secretName` will be used. If that issuer did not
-define `sniCertificateSecretName` then the default TLS certificate will be used. If neither exists,
+define `spec.tls.secretName` then the default TLS certificate will be used. If neither exists,
 then the client will get a TLS error because the server will not present any TLS certificate.
 It is recommended that you have a DNS entry for your load balancer or Ingress, and that you configure the
--- a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcproviderconfigs.yaml
+++ b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcproviderconfigs.yaml
@ -6,22 +6,20 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
-  name: oidcproviderconfigs.config.supervisor.pinniped.dev
+  name: oidcproviders.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
  names:
-    kind: OIDCProviderConfig
+    kind: OIDCProvider
-    listKind: OIDCProviderConfigList
+    listKind: OIDCProviderList
-    plural: oidcproviderconfigs
+    plural: oidcproviders
-    shortNames:
+    singular: oidcprovider
    - opc
    singular: oidcproviderconfig
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
-        description: OIDCProviderConfig describes the configuration of an OIDC provider.
+        description: OIDCProvider describes the configuration of an OIDC provider.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@ -49,26 +47,32 @@ spec:
                  for more information."
                minLength: 1
                type: string
-              sniCertificateSecretName:
+              tls:
-                description: "SNICertificateSecretName is an optional name of a Secret
+                description: TLS configures how this OIDCProvider is served over Transport
-                  in the same namespace, of type `kubernetes.io/tls`, which contains
+                  Layer Security (TLS).
-                  the TLS serving certificate for the HTTPS endpoints served by this
+                properties:
-                  OIDC Provider. When provided, the TLS Secret named here must contain
+                  secretName:
-                  keys named `tls.crt` and `tls.key` that contain the certificate
+                    description: "SecretName is an optional name of a Secret in the
-                  and private key to use for TLS. \n Server Name Indication (SNI)
+                      same namespace, of type `kubernetes.io/tls`, which contains
-                  is an extension to the Transport Layer Security (TLS) supported
+                      the TLS serving certificate for the HTTPS endpoints served by
-                  by all major browsers. \n SNICertificateSecretName is required if
+                      this OIDCProvider. When provided, the TLS Secret named here
-                  you would like to use different TLS certificates for issuers of
+                      must contain keys named `tls.crt` and `tls.key` that contain
-                  different hostnames. SNI requests do not include port numbers, so
+                      the certificate and private key to use for TLS. \n Server Name
-                  all issuers with the same DNS hostname must use the same SNICertificateSecretName
+                      Indication (SNI) is an extension to the Transport Layer Security
-                  value even if they have different port numbers. \n SNICertificateSecretName
+                      (TLS) supported by all major browsers. \n SecretName is required
-                  is not required when you would like to use only the HTTP endpoints
+                      if you would like to use different TLS certificates for issuers
-                  (e.g. when terminating TLS at an Ingress). It is also not required
+                      of different hostnames. SNI requests do not include port numbers,
-                  when you would like all requests to this OIDC Provider's HTTPS endpoints
+                      so all issuers with the same DNS hostname must use the same
-                  to use the default TLS certificate, which is configured elsewhere.
+                      SecretName value even if they have different port numbers. \n
-                  \n When your Issuer URL's host is an IP address, then this field
+                      SecretName is not required when you would like to use only the
-                  is ignored. SNI does not work for IP addresses."
+                      HTTP endpoints (e.g. when terminating TLS at an Ingress). It
-                type: string
+                      is also not required when you would like all requests to this
                      OIDC Provider's HTTPS endpoints to use the default TLS certificate,
                      which is configured elsewhere. \n When your Issuer URL's host
                      is an IP address, then this field is ignored. SNI does not work
                      for IP addresses."
                    type: string
                type: object
            required:
            - issuer
            type: object
--- a/deploy/supervisor/rbac.yaml
+++ b/deploy/supervisor/rbac.yaml
@ -17,7 +17,7 @@ rules:
    resources: [secrets]
    verbs: [create, get, list, patch, update, watch, delete]
  - apiGroups: [config.supervisor.pinniped.dev]
-    resources: [oidcproviderconfigs]
+    resources: [oidcproviders]
    verbs: [update, get, list, watch]
 ---
 kind: RoleBinding
--- a/deploy/supervisor/z0_crd_overlay.yaml
+++ b/deploy/supervisor/z0_crd_overlay.yaml
@ -4,7 +4,7 @@
 #@ load("@ytt:overlay", "overlay")
 #@ load("helpers.lib.yaml", "labels")
-#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcproviderconfigs.config.supervisor.pinniped.dev"}}), expects=1
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcproviders.config.supervisor.pinniped.dev"}}), expects=1
 ---
 metadata:
  #@overlay/match missing_ok=True
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@ -131,14 +131,14 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfig"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuer"]
-==== CredentialIssuerConfig 
+==== CredentialIssuer 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfiglist[$$CredentialIssuerConfigList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerlist[$$CredentialIssuerList$$]
 ****
 [cols="25a,75a", options="header"]
@ -146,18 +146,18 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]__ | Status of the credential issuer.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigkubeconfiginfo"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo"]
-==== CredentialIssuerConfigKubeConfigInfo 
+==== CredentialIssuerKubeConfigInfo 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
 ****
 [cols="25a,75a", options="header"]
@ -170,32 +170,32 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigstatus"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus"]
-==== CredentialIssuerConfigStatus 
+==== CredentialIssuerStatus 
 Status of a credential issuer.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfig[$$CredentialIssuerConfig$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
 ****
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigstrategy[$$CredentialIssuerConfigStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
+| *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstrategy[$$CredentialIssuerStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigkubeconfiginfo[$$CredentialIssuerConfigKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigstrategy"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstrategy"]
-==== CredentialIssuerConfigStrategy 
+==== CredentialIssuerStrategy 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
 ****
 [cols="25a,75a", options="header"]
@ -217,14 +217,14 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuratio
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderconfig"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovider"]
-==== OIDCProviderConfig 
+==== OIDCProvider 
-OIDCProviderConfig describes the configuration of an OIDC provider.
+OIDCProvider describes the configuration of an OIDC provider.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderconfiglist[$$OIDCProviderConfigList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderlist[$$OIDCProviderList$$]
 ****
 [cols="25a,75a", options="header"]
@ -232,21 +232,21 @@ OIDCProviderConfig describes the configuration of an OIDC provider.
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderconfigspec[$$OIDCProviderConfigSpec$$]__ | Spec of the OIDC provider.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]__ | Spec of the OIDC provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderconfigstatus[$$OIDCProviderConfigStatus$$]__ | Status of the OIDC provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderstatus[$$OIDCProviderStatus$$]__ | Status of the OIDC provider.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderconfigspec"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderspec"]
-==== OIDCProviderConfigSpec 
+==== OIDCProviderSpec 
-OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+OIDCProviderSpec is a struct that describes an OIDC Provider.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovider[$$OIDCProvider$$]
 ****
 [cols="25a,75a", options="header"]
@ -254,34 +254,51 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
 | Field | Description
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
-| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
 SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. 
 SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderconfigstatus"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderstatus"]
-==== OIDCProviderConfigStatus 
+==== OIDCProviderStatus 
-OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovider[$$OIDCProvider$$]
 ****
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`status`* __OIDCProviderStatus__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
+| *`status`* __OIDCProviderStatusCondition__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
 | *`message`* __string__ | Message provides human-readable details about the Status.
 | *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
 | *`jwksSecret`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | JWKSSecret holds the name of the secret in which this OIDC Provider's signing/verification keys are stored. If it is empty, then the signing/verification keys are either unknown or they don't exist.
 |===
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"]
 ==== OIDCProviderTLSSpec 
 OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
 .Appears In:
 ****
 - xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]
 ****
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
 | *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
 SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. 
 SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 |===
 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
--- a/generated/1.17/apis/concierge/config/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/register.go
@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&CredentialIssuerConfig{},
+		&CredentialIssuer{},
-		&CredentialIssuerConfigList{},
+		&CredentialIssuerList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go
+++ b/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go
@ -25,17 +25,17 @@ const (
 )
 // Status of a credential issuer.
-type CredentialIssuerConfigStatus struct {
+type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
-	Strategies []CredentialIssuerConfigStrategy `json:"strategies"`
+	Strategies []CredentialIssuerStrategy `json:"strategies"`
 	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 	// +optional
-	KubeConfigInfo *CredentialIssuerConfigKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 // Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
-type CredentialIssuerConfigKubeConfigInfo struct {
+type CredentialIssuerKubeConfigInfo struct {
 	// The K8s API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
@ -47,7 +47,7 @@ type CredentialIssuerConfigKubeConfigInfo struct {
 }
 // Status of an integration strategy that was attempted by Pinniped.
-type CredentialIssuerConfigStrategy struct {
+type CredentialIssuerStrategy struct {
 	// Type of integration attempted.
 	Type StrategyType `json:"type"`
@ -68,22 +68,21 @@ type CredentialIssuerConfigStrategy struct {
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:shortName=cic
-type CredentialIssuerConfig struct {
+type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Status of the credential issuer.
-	Status CredentialIssuerConfigStatus `json:"status"`
+	Status CredentialIssuerStatus `json:"status"`
 }
-// List of CredentialIssuerConfig objects.
+// List of CredentialIssuer objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type CredentialIssuerConfigList struct {
+type CredentialIssuerList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []CredentialIssuerConfig `json:"items"`
+	Items []CredentialIssuer `json:"items"`
 }
--- a/generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
@ -12,7 +12,7 @@ import (
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfig) DeepCopyInto(out *CredentialIssuerConfig) {
+func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@ -20,18 +20,18 @@ func (in *CredentialIssuerConfig) DeepCopyInto(out *CredentialIssuerConfig) {
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfig.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuer.
-func (in *CredentialIssuerConfig) DeepCopy() *CredentialIssuerConfig {
+func (in *CredentialIssuer) DeepCopy() *CredentialIssuer {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfig)
+	out := new(CredentialIssuer)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CredentialIssuerConfig) DeepCopyObject() runtime.Object {
+func (in *CredentialIssuer) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -39,29 +39,29 @@ func (in *CredentialIssuerConfig) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigKubeConfigInfo) DeepCopyInto(out *CredentialIssuerConfigKubeConfigInfo) {
+func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
 	*out = *in
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigKubeConfigInfo.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerKubeConfigInfo.
-func (in *CredentialIssuerConfigKubeConfigInfo) DeepCopy() *CredentialIssuerConfigKubeConfigInfo {
+func (in *CredentialIssuerKubeConfigInfo) DeepCopy() *CredentialIssuerKubeConfigInfo {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigKubeConfigInfo)
+	out := new(CredentialIssuerKubeConfigInfo)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigList) DeepCopyInto(out *CredentialIssuerConfigList) {
+func (in *CredentialIssuerList) DeepCopyInto(out *CredentialIssuerList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]CredentialIssuerConfig, len(*in))
+		*out = make([]CredentialIssuer, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@ -69,18 +69,18 @@ func (in *CredentialIssuerConfigList) DeepCopyInto(out *CredentialIssuerConfigLi
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigList.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerList.
-func (in *CredentialIssuerConfigList) DeepCopy() *CredentialIssuerConfigList {
+func (in *CredentialIssuerList) DeepCopy() *CredentialIssuerList {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigList)
+	out := new(CredentialIssuerList)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CredentialIssuerConfigList) DeepCopyObject() runtime.Object {
+func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -88,46 +88,46 @@ func (in *CredentialIssuerConfigList) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigStatus) DeepCopyInto(out *CredentialIssuerConfigStatus) {
+func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
 	if in.Strategies != nil {
 		in, out := &in.Strategies, &out.Strategies
-		*out = make([]CredentialIssuerConfigStrategy, len(*in))
+		*out = make([]CredentialIssuerStrategy, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.KubeConfigInfo != nil {
 		in, out := &in.KubeConfigInfo, &out.KubeConfigInfo
-		*out = new(CredentialIssuerConfigKubeConfigInfo)
+		*out = new(CredentialIssuerKubeConfigInfo)
 		**out = **in
 	}
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigStatus.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStatus.
-func (in *CredentialIssuerConfigStatus) DeepCopy() *CredentialIssuerConfigStatus {
+func (in *CredentialIssuerStatus) DeepCopy() *CredentialIssuerStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigStatus)
+	out := new(CredentialIssuerStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigStrategy) DeepCopyInto(out *CredentialIssuerConfigStrategy) {
+func (in *CredentialIssuerStrategy) DeepCopyInto(out *CredentialIssuerStrategy) {
 	*out = *in
 	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigStrategy.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStrategy.
-func (in *CredentialIssuerConfigStrategy) DeepCopy() *CredentialIssuerConfigStrategy {
+func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigStrategy)
+	out := new(CredentialIssuerStrategy)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/generated/1.17/apis/supervisor/config/v1alpha1/register.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/register.go
@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&OIDCProviderConfig{},
+		&OIDCProvider{},
-		&OIDCProviderConfigList{},
+		&OIDCProviderList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcprovider.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcprovider.go
@ -9,17 +9,40 @@ import (
 )
 // +kubebuilder:validation:Enum=Success;Duplicate;Invalid
-type OIDCProviderStatus string
+type OIDCProviderStatusCondition string
 const (
-	SuccessOIDCProviderStatus                         = OIDCProviderStatus("Success")
+	SuccessOIDCProviderStatusCondition                         = OIDCProviderStatusCondition("Success")
-	DuplicateOIDCProviderStatus                       = OIDCProviderStatus("Duplicate")
+	DuplicateOIDCProviderStatusCondition                       = OIDCProviderStatusCondition("Duplicate")
-	SameIssuerHostMustUseSameSecretOIDCProviderStatus = OIDCProviderStatus("SameIssuerHostMustUseSameSecret")
+	SameIssuerHostMustUseSameSecretOIDCProviderStatusCondition = OIDCProviderStatusCondition("SameIssuerHostMustUseSameSecret")
-	InvalidOIDCProviderStatus                         = OIDCProviderStatus("Invalid")
+	InvalidOIDCProviderStatusCondition                         = OIDCProviderStatusCondition("Invalid")
 )
-// OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
-type OIDCProviderConfigSpec struct {
+type OIDCProviderTLSSpec struct {
 	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 	// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
 	// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
 	// for TLS.
 	//
 	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
 	//
 	// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
 	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 	// SecretName value even if they have different port numbers.
 	//
 	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
 	// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 	// use the default TLS certificate, which is configured elsewhere.
 	//
 	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 	//
 	// +optional
 	SecretName string `json:"secretName,omitempty"`
 }
 // OIDCProviderSpec is a struct that describes an OIDC Provider.
 type OIDCProviderSpec struct {
 	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
 	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
 	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
@ -31,35 +54,17 @@ type OIDCProviderConfigSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Issuer string `json:"issuer"`
-	// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
+	// TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 	// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
 	// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
 	// contain the certificate and private key to use for TLS.
 	//
 	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
 	//
 	// SNICertificateSecretName is required if you would like to use different TLS certificates for
 	// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
 	// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
 	//
 	// SNICertificateSecretName is not required when you would like to use only the
 	// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
 	// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
 	// which is configured elsewhere.
 	//
 	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
 	// for IP addresses.
 	//
 	// +optional
-	SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
+	TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
 }
-// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
-type OIDCProviderConfigStatus struct {
+type OIDCProviderStatus struct {
 	// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
 	// represent success or failure.
 	// +optional
-	Status OIDCProviderStatus `json:"status,omitempty"`
+	Status OIDCProviderStatusCondition `json:"status,omitempty"`
 	// Message provides human-readable details about the Status.
 	// +optional
@ -78,27 +83,25 @@ type OIDCProviderConfigStatus struct {
 	JWKSSecret corev1.LocalObjectReference `json:"jwksSecret,omitempty"`
 }
-// OIDCProviderConfig describes the configuration of an OIDC provider.
+// OIDCProvider describes the configuration of an OIDC provider.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:shortName=opc
+type OIDCProvider struct {
 type OIDCProviderConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Spec of the OIDC provider.
-	Spec OIDCProviderConfigSpec `json:"spec"`
+	Spec OIDCProviderSpec `json:"spec"`
 	// Status of the OIDC provider.
-	Status OIDCProviderConfigStatus `json:"status,omitempty"`
+	Status OIDCProviderStatus `json:"status,omitempty"`
 }
-// List of OIDCProviderConfig objects.
+// List of OIDCProvider objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
+type OIDCProviderList struct {
 type OIDCProviderConfigList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []OIDCProviderConfig `json:"items"`
+	Items []OIDCProvider `json:"items"`
 }
--- a/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -12,27 +12,27 @@ import (
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCProviderConfig) DeepCopyInto(out *OIDCProviderConfig) {
+func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	out.Spec = in.Spec
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfig.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProvider.
-func (in *OIDCProviderConfig) DeepCopy() *OIDCProviderConfig {
+func (in *OIDCProvider) DeepCopy() *OIDCProvider {
 	if in == nil {
 		return nil
 	}
-	out := new(OIDCProviderConfig)
+	out := new(OIDCProvider)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *OIDCProviderConfig) DeepCopyObject() runtime.Object {
+func (in *OIDCProvider) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -40,13 +40,13 @@ func (in *OIDCProviderConfig) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCProviderConfigList) DeepCopyInto(out *OIDCProviderConfigList) {
+func (in *OIDCProviderList) DeepCopyInto(out *OIDCProviderList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]OIDCProviderConfig, len(*in))
+		*out = make([]OIDCProvider, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@ -54,18 +54,18 @@ func (in *OIDCProviderConfigList) DeepCopyInto(out *OIDCProviderConfigList) {
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigList.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderList.
-func (in *OIDCProviderConfigList) DeepCopy() *OIDCProviderConfigList {
+func (in *OIDCProviderList) DeepCopy() *OIDCProviderList {
 	if in == nil {
 		return nil
 	}
-	out := new(OIDCProviderConfigList)
+	out := new(OIDCProviderList)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *OIDCProviderConfigList) DeepCopyObject() runtime.Object {
+func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -73,23 +73,28 @@ func (in *OIDCProviderConfigList) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCProviderConfigSpec) DeepCopyInto(out *OIDCProviderConfigSpec) {
+func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
 	*out = *in
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(OIDCProviderTLSSpec)
 		**out = **in
 	}
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigSpec.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderSpec.
-func (in *OIDCProviderConfigSpec) DeepCopy() *OIDCProviderConfigSpec {
+func (in *OIDCProviderSpec) DeepCopy() *OIDCProviderSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(OIDCProviderConfigSpec)
+	out := new(OIDCProviderSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCProviderConfigStatus) DeepCopyInto(out *OIDCProviderConfigStatus) {
+func (in *OIDCProviderStatus) DeepCopyInto(out *OIDCProviderStatus) {
 	*out = *in
 	if in.LastUpdateTime != nil {
 		in, out := &in.LastUpdateTime, &out.LastUpdateTime
@ -99,12 +104,28 @@ func (in *OIDCProviderConfigStatus) DeepCopyInto(out *OIDCProviderConfigStatus)
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigStatus.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderStatus.
-func (in *OIDCProviderConfigStatus) DeepCopy() *OIDCProviderConfigStatus {
+func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(OIDCProviderConfigStatus)
+	out := new(OIDCProviderStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) {
 	*out = *in
 	return
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec.
 func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec {
 	if in == nil {
 		return nil
 	}
 	out := new(OIDCProviderTLSSpec)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
@ -13,7 +13,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	CredentialIssuerConfigsGetter
+	CredentialIssuersGetter
 }
 // ConfigV1alpha1Client is used to interact with features provided by the config.concierge.pinniped.dev group.
@ -21,8 +21,8 @@ type ConfigV1alpha1Client struct {
 	restClient rest.Interface
 }
-func (c *ConfigV1alpha1Client) CredentialIssuerConfigs(namespace string) CredentialIssuerConfigInterface {
+func (c *ConfigV1alpha1Client) CredentialIssuers(namespace string) CredentialIssuerInterface {
-	return newCredentialIssuerConfigs(c, namespace)
+	return newCredentialIssuers(c, namespace)
 }
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
@ -0,0 +1,178 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.17/client/concierge/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // CredentialIssuersGetter has a method to return a CredentialIssuerInterface.
 // A group's client should implement this interface.
 type CredentialIssuersGetter interface {
 	CredentialIssuers(namespace string) CredentialIssuerInterface
 }
 // CredentialIssuerInterface has methods to work with CredentialIssuer resources.
 type CredentialIssuerInterface interface {
 	Create(*v1alpha1.CredentialIssuer) (*v1alpha1.CredentialIssuer, error)
 	Update(*v1alpha1.CredentialIssuer) (*v1alpha1.CredentialIssuer, error)
 	UpdateStatus(*v1alpha1.CredentialIssuer) (*v1alpha1.CredentialIssuer, error)
 	Delete(name string, options *v1.DeleteOptions) error
 	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
 	Get(name string, options v1.GetOptions) (*v1alpha1.CredentialIssuer, error)
 	List(opts v1.ListOptions) (*v1alpha1.CredentialIssuerList, error)
 	Watch(opts v1.ListOptions) (watch.Interface, error)
 	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuer, err error)
 	CredentialIssuerExpansion
 }
 // credentialIssuers implements CredentialIssuerInterface
 type credentialIssuers struct {
 	client rest.Interface
 	ns     string
 }
 // newCredentialIssuers returns a CredentialIssuers
 func newCredentialIssuers(c *ConfigV1alpha1Client, namespace string) *credentialIssuers {
 	return &credentialIssuers{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
 func (c *credentialIssuers) Get(name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do().
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
 func (c *credentialIssuers) List(opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.CredentialIssuerList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do().
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuers.
 func (c *credentialIssuers) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch()
 }
 // Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *credentialIssuers) Create(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Body(credentialIssuer).
 		Do().
 		Into(result)
 	return
 }
 // Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *credentialIssuers) Update(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		Body(credentialIssuer).
 		Do().
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *credentialIssuers) UpdateStatus(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		SubResource("status").
 		Body(credentialIssuer).
 		Do().
 		Into(result)
 	return
 }
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *credentialIssuers) Delete(name string, options *v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		Body(options).
 		Do().
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *credentialIssuers) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	var timeout time.Duration
 	if listOptions.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&listOptions, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(options).
 		Do().
 		Error()
 }
 // Patch applies the patch and returns the patched credentialIssuer.
 func (c *credentialIssuers) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		SubResource(subresources...).
 		Name(name).
 		Body(data).
 		Do().
 		Into(result)
 	return
 }
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuerconfig.go
@ -1,178 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.17/client/concierge/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // CredentialIssuerConfigsGetter has a method to return a CredentialIssuerConfigInterface.
 // A group's client should implement this interface.
 type CredentialIssuerConfigsGetter interface {
 	CredentialIssuerConfigs(namespace string) CredentialIssuerConfigInterface
 }
 // CredentialIssuerConfigInterface has methods to work with CredentialIssuerConfig resources.
 type CredentialIssuerConfigInterface interface {
 	Create(*v1alpha1.CredentialIssuerConfig) (*v1alpha1.CredentialIssuerConfig, error)
 	Update(*v1alpha1.CredentialIssuerConfig) (*v1alpha1.CredentialIssuerConfig, error)
 	UpdateStatus(*v1alpha1.CredentialIssuerConfig) (*v1alpha1.CredentialIssuerConfig, error)
 	Delete(name string, options *v1.DeleteOptions) error
 	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
 	Get(name string, options v1.GetOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	List(opts v1.ListOptions) (*v1alpha1.CredentialIssuerConfigList, error)
 	Watch(opts v1.ListOptions) (watch.Interface, error)
 	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error)
 	CredentialIssuerConfigExpansion
 }
 // credentialIssuerConfigs implements CredentialIssuerConfigInterface
 type credentialIssuerConfigs struct {
 	client rest.Interface
 	ns     string
 }
 // newCredentialIssuerConfigs returns a CredentialIssuerConfigs
 func newCredentialIssuerConfigs(c *ConfigV1alpha1Client, namespace string) *credentialIssuerConfigs {
 	return &credentialIssuerConfigs{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the credentialIssuerConfig, and returns the corresponding credentialIssuerConfig object, and an error if there is any.
 func (c *credentialIssuerConfigs) Get(name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do().
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of CredentialIssuerConfigs that match those selectors.
 func (c *credentialIssuerConfigs) List(opts v1.ListOptions) (result *v1alpha1.CredentialIssuerConfigList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.CredentialIssuerConfigList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do().
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuerConfigs.
 func (c *credentialIssuerConfigs) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch()
 }
 // Create takes the representation of a credentialIssuerConfig and creates it.  Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *credentialIssuerConfigs) Create(credentialIssuerConfig *v1alpha1.CredentialIssuerConfig) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Body(credentialIssuerConfig).
 		Do().
 		Into(result)
 	return
 }
 // Update takes the representation of a credentialIssuerConfig and updates it. Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *credentialIssuerConfigs) Update(credentialIssuerConfig *v1alpha1.CredentialIssuerConfig) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(credentialIssuerConfig.Name).
 		Body(credentialIssuerConfig).
 		Do().
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *credentialIssuerConfigs) UpdateStatus(credentialIssuerConfig *v1alpha1.CredentialIssuerConfig) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(credentialIssuerConfig.Name).
 		SubResource("status").
 		Body(credentialIssuerConfig).
 		Do().
 		Into(result)
 	return
 }
 // Delete takes name of the credentialIssuerConfig and deletes it. Returns an error if one occurs.
 func (c *credentialIssuerConfigs) Delete(name string, options *v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		Body(options).
 		Do().
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *credentialIssuerConfigs) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	var timeout time.Duration
 	if listOptions.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&listOptions, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(options).
 		Do().
 		Error()
 }
 // Patch applies the patch and returns the patched credentialIssuerConfig.
 func (c *credentialIssuerConfigs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		SubResource(subresources...).
 		Name(name).
 		Body(data).
 		Do().
 		Into(result)
 	return
 }
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@ -15,8 +15,8 @@ type FakeConfigV1alpha1 struct {
 	*testing.Fake
 }
-func (c *FakeConfigV1alpha1) CredentialIssuerConfigs(namespace string) v1alpha1.CredentialIssuerConfigInterface {
+func (c *FakeConfigV1alpha1) CredentialIssuers(namespace string) v1alpha1.CredentialIssuerInterface {
-	return &FakeCredentialIssuerConfigs{c, namespace}
+	return &FakeCredentialIssuers{c, namespace}
 }
 // RESTClient returns a RESTClient that is used to communicate
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
@ -0,0 +1,127 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeCredentialIssuers implements CredentialIssuerInterface
 type FakeCredentialIssuers struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var credentialissuersResource = schema.GroupVersionResource{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Resource: "credentialissuers"}
 var credentialissuersKind = schema.GroupVersionKind{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Kind: "CredentialIssuer"}
 // Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
 func (c *FakeCredentialIssuers) Get(name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
 func (c *FakeCredentialIssuers) List(opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(credentialissuersResource, credentialissuersKind, c.ns, opts), &v1alpha1.CredentialIssuerList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.CredentialIssuerList{ListMeta: obj.(*v1alpha1.CredentialIssuerList).ListMeta}
 	for _, item := range obj.(*v1alpha1.CredentialIssuerList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuers.
 func (c *FakeCredentialIssuers) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(credentialissuersResource, c.ns, opts))
 }
 // Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Create(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Update(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeCredentialIssuers) UpdateStatus(credentialIssuer *v1alpha1.CredentialIssuer) (*v1alpha1.CredentialIssuer, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(credentialissuersResource, "status", c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *FakeCredentialIssuers) Delete(name string, options *v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeCredentialIssuers) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(credentialissuersResource, c.ns, listOptions)
 	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerList{})
 	return err
 }
 // Patch applies the patch and returns the patched credentialIssuer.
 func (c *FakeCredentialIssuers) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(credentialissuersResource, c.ns, name, pt, data, subresources...), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuerconfig.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuerconfig.go
@ -1,127 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeCredentialIssuerConfigs implements CredentialIssuerConfigInterface
 type FakeCredentialIssuerConfigs struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var credentialissuerconfigsResource = schema.GroupVersionResource{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Resource: "credentialissuerconfigs"}
 var credentialissuerconfigsKind = schema.GroupVersionKind{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Kind: "CredentialIssuerConfig"}
 // Get takes name of the credentialIssuerConfig, and returns the corresponding credentialIssuerConfig object, and an error if there is any.
 func (c *FakeCredentialIssuerConfigs) Get(name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(credentialissuerconfigsResource, c.ns, name), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // List takes label and field selectors, and returns the list of CredentialIssuerConfigs that match those selectors.
 func (c *FakeCredentialIssuerConfigs) List(opts v1.ListOptions) (result *v1alpha1.CredentialIssuerConfigList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(credentialissuerconfigsResource, credentialissuerconfigsKind, c.ns, opts), &v1alpha1.CredentialIssuerConfigList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.CredentialIssuerConfigList{ListMeta: obj.(*v1alpha1.CredentialIssuerConfigList).ListMeta}
 	for _, item := range obj.(*v1alpha1.CredentialIssuerConfigList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuerConfigs.
 func (c *FakeCredentialIssuerConfigs) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(credentialissuerconfigsResource, c.ns, opts))
 }
 // Create takes the representation of a credentialIssuerConfig and creates it.  Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *FakeCredentialIssuerConfigs) Create(credentialIssuerConfig *v1alpha1.CredentialIssuerConfig) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(credentialissuerconfigsResource, c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // Update takes the representation of a credentialIssuerConfig and updates it. Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *FakeCredentialIssuerConfigs) Update(credentialIssuerConfig *v1alpha1.CredentialIssuerConfig) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(credentialissuerconfigsResource, c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeCredentialIssuerConfigs) UpdateStatus(credentialIssuerConfig *v1alpha1.CredentialIssuerConfig) (*v1alpha1.CredentialIssuerConfig, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(credentialissuerconfigsResource, "status", c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // Delete takes name of the credentialIssuerConfig and deletes it. Returns an error if one occurs.
 func (c *FakeCredentialIssuerConfigs) Delete(name string, options *v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(credentialissuerconfigsResource, c.ns, name), &v1alpha1.CredentialIssuerConfig{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeCredentialIssuerConfigs) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(credentialissuerconfigsResource, c.ns, listOptions)
 	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerConfigList{})
 	return err
 }
 // Patch applies the patch and returns the patched credentialIssuerConfig.
 func (c *FakeCredentialIssuerConfigs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(credentialissuerconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
--- a/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@ -5,4 +5,4 @@
 package v1alpha1
-type CredentialIssuerConfigExpansion interface{}
+type CredentialIssuerExpansion interface{}
--- a/generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
+++ b/generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
@ -0,0 +1,76 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.17/client/concierge/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/concierge/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.17/client/concierge/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerInformer provides access to a shared informer and lister for
 // CredentialIssuers.
 type CredentialIssuerInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.CredentialIssuerLister
 }
 type credentialIssuerInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewCredentialIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCredentialIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuers(namespace).List(options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuers(namespace).Watch(options)
 			},
 		},
 		&configv1alpha1.CredentialIssuer{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *credentialIssuerInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *credentialIssuerInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.CredentialIssuer{}, f.defaultInformer)
 }
 func (f *credentialIssuerInformer) Lister() v1alpha1.CredentialIssuerLister {
 	return v1alpha1.NewCredentialIssuerLister(f.Informer().GetIndexer())
 }
--- a/generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/credentialissuerconfig.go
@ -1,76 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.17/client/concierge/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/concierge/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.17/client/concierge/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerConfigInformer provides access to a shared informer and lister for
 // CredentialIssuerConfigs.
 type CredentialIssuerConfigInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.CredentialIssuerConfigLister
 }
 type credentialIssuerConfigInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewCredentialIssuerConfigInformer constructs a new informer for CredentialIssuerConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewCredentialIssuerConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerConfigInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredCredentialIssuerConfigInformer constructs a new informer for CredentialIssuerConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCredentialIssuerConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuerConfigs(namespace).List(options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuerConfigs(namespace).Watch(options)
 			},
 		},
 		&configv1alpha1.CredentialIssuerConfig{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *credentialIssuerConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *credentialIssuerConfigInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.CredentialIssuerConfig{}, f.defaultInformer)
 }
 func (f *credentialIssuerConfigInformer) Lister() v1alpha1.CredentialIssuerConfigLister {
 	return v1alpha1.NewCredentialIssuerConfigLister(f.Informer().GetIndexer())
 }
--- a/generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/interface.go
+++ b/generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/interface.go
@ -11,8 +11,8 @@ import (
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
+	// CredentialIssuers returns a CredentialIssuerInformer.
-	CredentialIssuerConfigs() CredentialIssuerConfigInformer
+	CredentialIssuers() CredentialIssuerInformer
 }
 type version struct {
@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
-// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
+// CredentialIssuers returns a CredentialIssuerInformer.
-func (v *version) CredentialIssuerConfigs() CredentialIssuerConfigInformer {
+func (v *version) CredentialIssuers() CredentialIssuerInformer {
-	return &credentialIssuerConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+	return &credentialIssuerInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
--- a/generated/1.17/client/concierge/informers/externalversions/generic.go
+++ b/generated/1.17/client/concierge/informers/externalversions/generic.go
@ -46,8 +46,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookAuthenticators().Informer()}, nil
 		// Group=config.concierge.pinniped.dev, Version=v1alpha1
-	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
+	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuers"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuers().Informer()}, nil
 		// Group=login.concierge.pinniped.dev, Version=v1alpha1
 	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
--- a/generated/1.17/client/concierge/listers/config/v1alpha1/credentialissuer.go
+++ b/generated/1.17/client/concierge/listers/config/v1alpha1/credentialissuer.go
@ -0,0 +1,81 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerLister helps list CredentialIssuers.
 type CredentialIssuerLister interface {
 	// List lists all CredentialIssuers in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error)
 	// CredentialIssuers returns an object that can list and get CredentialIssuers.
 	CredentialIssuers(namespace string) CredentialIssuerNamespaceLister
 	CredentialIssuerListerExpansion
 }
 // credentialIssuerLister implements the CredentialIssuerLister interface.
 type credentialIssuerLister struct {
 	indexer cache.Indexer
 }
 // NewCredentialIssuerLister returns a new CredentialIssuerLister.
 func NewCredentialIssuerLister(indexer cache.Indexer) CredentialIssuerLister {
 	return &credentialIssuerLister{indexer: indexer}
 }
 // List lists all CredentialIssuers in the indexer.
 func (s *credentialIssuerLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuer))
 	})
 	return ret, err
 }
 // CredentialIssuers returns an object that can list and get CredentialIssuers.
 func (s *credentialIssuerLister) CredentialIssuers(namespace string) CredentialIssuerNamespaceLister {
 	return credentialIssuerNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // CredentialIssuerNamespaceLister helps list and get CredentialIssuers.
 type CredentialIssuerNamespaceLister interface {
 	// List lists all CredentialIssuers in the indexer for a given namespace.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error)
 	// Get retrieves the CredentialIssuer from the indexer for a given namespace and name.
 	Get(name string) (*v1alpha1.CredentialIssuer, error)
 	CredentialIssuerNamespaceListerExpansion
 }
 // credentialIssuerNamespaceLister implements the CredentialIssuerNamespaceLister
 // interface.
 type credentialIssuerNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all CredentialIssuers in the indexer for a given namespace.
 func (s credentialIssuerNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuer))
 	})
 	return ret, err
 }
 // Get retrieves the CredentialIssuer from the indexer for a given namespace and name.
 func (s credentialIssuerNamespaceLister) Get(name string) (*v1alpha1.CredentialIssuer, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("credentialissuer"), name)
 	}
 	return obj.(*v1alpha1.CredentialIssuer), nil
 }
--- a/generated/1.17/client/concierge/listers/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.17/client/concierge/listers/config/v1alpha1/credentialissuerconfig.go
@ -1,81 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerConfigLister helps list CredentialIssuerConfigs.
 type CredentialIssuerConfigLister interface {
 	// List lists all CredentialIssuerConfigs in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error)
 	// CredentialIssuerConfigs returns an object that can list and get CredentialIssuerConfigs.
 	CredentialIssuerConfigs(namespace string) CredentialIssuerConfigNamespaceLister
 	CredentialIssuerConfigListerExpansion
 }
 // credentialIssuerConfigLister implements the CredentialIssuerConfigLister interface.
 type credentialIssuerConfigLister struct {
 	indexer cache.Indexer
 }
 // NewCredentialIssuerConfigLister returns a new CredentialIssuerConfigLister.
 func NewCredentialIssuerConfigLister(indexer cache.Indexer) CredentialIssuerConfigLister {
 	return &credentialIssuerConfigLister{indexer: indexer}
 }
 // List lists all CredentialIssuerConfigs in the indexer.
 func (s *credentialIssuerConfigLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuerConfig))
 	})
 	return ret, err
 }
 // CredentialIssuerConfigs returns an object that can list and get CredentialIssuerConfigs.
 func (s *credentialIssuerConfigLister) CredentialIssuerConfigs(namespace string) CredentialIssuerConfigNamespaceLister {
 	return credentialIssuerConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // CredentialIssuerConfigNamespaceLister helps list and get CredentialIssuerConfigs.
 type CredentialIssuerConfigNamespaceLister interface {
 	// List lists all CredentialIssuerConfigs in the indexer for a given namespace.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error)
 	// Get retrieves the CredentialIssuerConfig from the indexer for a given namespace and name.
 	Get(name string) (*v1alpha1.CredentialIssuerConfig, error)
 	CredentialIssuerConfigNamespaceListerExpansion
 }
 // credentialIssuerConfigNamespaceLister implements the CredentialIssuerConfigNamespaceLister
 // interface.
 type credentialIssuerConfigNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all CredentialIssuerConfigs in the indexer for a given namespace.
 func (s credentialIssuerConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuerConfig))
 	})
 	return ret, err
 }
 // Get retrieves the CredentialIssuerConfig from the indexer for a given namespace and name.
 func (s credentialIssuerConfigNamespaceLister) Get(name string) (*v1alpha1.CredentialIssuerConfig, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("credentialissuerconfig"), name)
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), nil
 }
--- a/generated/1.17/client/concierge/listers/config/v1alpha1/expansion_generated.go
+++ b/generated/1.17/client/concierge/listers/config/v1alpha1/expansion_generated.go
@ -5,10 +5,10 @@
 package v1alpha1
-// CredentialIssuerConfigListerExpansion allows custom methods to be added to
+// CredentialIssuerListerExpansion allows custom methods to be added to
-// CredentialIssuerConfigLister.
+// CredentialIssuerLister.
-type CredentialIssuerConfigListerExpansion interface{}
+type CredentialIssuerListerExpansion interface{}
-// CredentialIssuerConfigNamespaceListerExpansion allows custom methods to be added to
+// CredentialIssuerNamespaceListerExpansion allows custom methods to be added to
-// CredentialIssuerConfigNamespaceLister.
+// CredentialIssuerNamespaceLister.
-type CredentialIssuerConfigNamespaceListerExpansion interface{}
+type CredentialIssuerNamespaceListerExpansion interface{}
--- a/generated/1.17/client/concierge/openapi/zz_generated.openapi.go
+++ b/generated/1.17/client/concierge/openapi/zz_generated.openapi.go
@ -17,73 +17,73 @@ import (
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition":                    schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition":                  schema_apis_concierge_authentication_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec":                      schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec":                    schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":         schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":       schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":     schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":     schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus": schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfig":               schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuer":                   schema_apis_concierge_config_v1alpha1_CredentialIssuer(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo": schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo":     schema_apis_concierge_config_v1alpha1_CredentialIssuerKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigList":           schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerList":               schema_apis_concierge_config_v1alpha1_CredentialIssuerList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus":         schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerStatus":             schema_apis_concierge_config_v1alpha1_CredentialIssuerStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerStrategy":           schema_apis_concierge_config_v1alpha1_CredentialIssuerStrategy(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":                     schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":                   schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":                schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":              schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":            schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":            schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":        schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                      schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                    schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                  schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                   schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                 schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                               schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                             schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                   schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                 schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                 schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                               schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                 schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                               schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                      schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                    schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                 schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                               schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                      schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                    schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                    schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                  schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                     schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                   schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                 schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                               schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                  schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                      schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                    schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                              schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                            schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                          schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                        schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                 schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                               schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                 schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                               schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                      schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                    schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                          schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                        schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                      schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                    schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                   schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                 schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                            schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                          schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                     schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                   schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                    schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                  schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                              schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                         schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                       schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                     schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                   schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                         schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                       schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                  schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                 schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                               schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                     schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                   schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                     schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                   schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                        schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                      schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                   schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                 schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                 schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                               schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                         schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                       schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                         schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                       schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                  schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                      schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                    schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                             schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                           schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                          schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                        schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                     schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                   schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                      schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                    schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                 schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                               schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                    schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                  schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                       schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                     schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                           schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                         schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                            schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                          schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                               schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                             schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
@ -325,7 +325,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(re
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuer(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -353,7 +353,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.Ref
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the credential issuer.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerStatus"),
 						},
 					},
 				},
@ -361,11 +361,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerKubeConfigInfo(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -393,7 +393,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -424,7 +424,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfig"),
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuer"),
 									},
 								},
 							},
@ -435,11 +435,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuer", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -453,7 +453,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy"),
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerStrategy"),
 									},
 								},
 							},
@ -462,7 +462,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 					"kubeConfigInfo": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo"),
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo"),
 						},
 					},
 				},
@ -470,11 +470,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo", "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo", "go.pinniped.dev/generated/1.17/apis/concierge/config/v1alpha1.CredentialIssuerStrategy"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStrategy(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerStrategy(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
--- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go
@ -13,7 +13,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	OIDCProviderConfigsGetter
+	OIDCProvidersGetter
 }
 // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group.
@ -21,8 +21,8 @@ type ConfigV1alpha1Client struct {
 	restClient rest.Interface
 }
-func (c *ConfigV1alpha1Client) OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface {
+func (c *ConfigV1alpha1Client) OIDCProviders(namespace string) OIDCProviderInterface {
-	return newOIDCProviderConfigs(c, namespace)
+	return newOIDCProviders(c, namespace)
 }
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
--- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@ -15,8 +15,8 @@ type FakeConfigV1alpha1 struct {
 	*testing.Fake
 }
-func (c *FakeConfigV1alpha1) OIDCProviderConfigs(namespace string) v1alpha1.OIDCProviderConfigInterface {
+func (c *FakeConfigV1alpha1) OIDCProviders(namespace string) v1alpha1.OIDCProviderInterface {
-	return &FakeOIDCProviderConfigs{c, namespace}
+	return &FakeOIDCProviders{c, namespace}
 }
 // RESTClient returns a RESTClient that is used to communicate
--- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcprovider.go
+++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcprovider.go
@ -0,0 +1,127 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeOIDCProviders implements OIDCProviderInterface
 type FakeOIDCProviders struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var oidcprovidersResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcproviders"}
 var oidcprovidersKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCProvider"}
 // Get takes name of the oIDCProvider, and returns the corresponding oIDCProvider object, and an error if there is any.
 func (c *FakeOIDCProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.OIDCProvider, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(oidcprovidersResource, c.ns, name), &v1alpha1.OIDCProvider{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProvider), err
 }
 // List takes label and field selectors, and returns the list of OIDCProviders that match those selectors.
 func (c *FakeOIDCProviders) List(opts v1.ListOptions) (result *v1alpha1.OIDCProviderList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(oidcprovidersResource, oidcprovidersKind, c.ns, opts), &v1alpha1.OIDCProviderList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.OIDCProviderList{ListMeta: obj.(*v1alpha1.OIDCProviderList).ListMeta}
 	for _, item := range obj.(*v1alpha1.OIDCProviderList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested oIDCProviders.
 func (c *FakeOIDCProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(oidcprovidersResource, c.ns, opts))
 }
 // Create takes the representation of a oIDCProvider and creates it.  Returns the server's representation of the oIDCProvider, and an error, if there is any.
 func (c *FakeOIDCProviders) Create(oIDCProvider *v1alpha1.OIDCProvider) (result *v1alpha1.OIDCProvider, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(oidcprovidersResource, c.ns, oIDCProvider), &v1alpha1.OIDCProvider{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProvider), err
 }
 // Update takes the representation of a oIDCProvider and updates it. Returns the server's representation of the oIDCProvider, and an error, if there is any.
 func (c *FakeOIDCProviders) Update(oIDCProvider *v1alpha1.OIDCProvider) (result *v1alpha1.OIDCProvider, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(oidcprovidersResource, c.ns, oIDCProvider), &v1alpha1.OIDCProvider{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProvider), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeOIDCProviders) UpdateStatus(oIDCProvider *v1alpha1.OIDCProvider) (*v1alpha1.OIDCProvider, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(oidcprovidersResource, "status", c.ns, oIDCProvider), &v1alpha1.OIDCProvider{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProvider), err
 }
 // Delete takes name of the oIDCProvider and deletes it. Returns an error if one occurs.
 func (c *FakeOIDCProviders) Delete(name string, options *v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(oidcprovidersResource, c.ns, name), &v1alpha1.OIDCProvider{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeOIDCProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(oidcprovidersResource, c.ns, listOptions)
 	_, err := c.Fake.Invokes(action, &v1alpha1.OIDCProviderList{})
 	return err
 }
 // Patch applies the patch and returns the patched oIDCProvider.
 func (c *FakeOIDCProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCProvider, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(oidcprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCProvider{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProvider), err
 }
--- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcproviderconfig.go
+++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcproviderconfig.go
@ -1,127 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeOIDCProviderConfigs implements OIDCProviderConfigInterface
 type FakeOIDCProviderConfigs struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var oidcproviderconfigsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcproviderconfigs"}
 var oidcproviderconfigsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCProviderConfig"}
 // Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
 func (c *FakeOIDCProviderConfigs) Get(name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProviderConfig), err
 }
 // List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
 func (c *FakeOIDCProviderConfigs) List(opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(oidcproviderconfigsResource, oidcproviderconfigsKind, c.ns, opts), &v1alpha1.OIDCProviderConfigList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.OIDCProviderConfigList{ListMeta: obj.(*v1alpha1.OIDCProviderConfigList).ListMeta}
 	for _, item := range obj.(*v1alpha1.OIDCProviderConfigList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
 func (c *FakeOIDCProviderConfigs) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(oidcproviderconfigsResource, c.ns, opts))
 }
 // Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
 func (c *FakeOIDCProviderConfigs) Create(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProviderConfig), err
 }
 // Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
 func (c *FakeOIDCProviderConfigs) Update(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProviderConfig), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeOIDCProviderConfigs) UpdateStatus(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (*v1alpha1.OIDCProviderConfig, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(oidcproviderconfigsResource, "status", c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProviderConfig), err
 }
 // Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
 func (c *FakeOIDCProviderConfigs) Delete(name string, options *v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeOIDCProviderConfigs) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(oidcproviderconfigsResource, c.ns, listOptions)
 	_, err := c.Fake.Invokes(action, &v1alpha1.OIDCProviderConfigList{})
 	return err
 }
 // Patch applies the patch and returns the patched oIDCProviderConfig.
 func (c *FakeOIDCProviderConfigs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(oidcproviderconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCProviderConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProviderConfig), err
 }
--- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@ -5,4 +5,4 @@
 package v1alpha1
-type OIDCProviderConfigExpansion interface{}
+type OIDCProviderExpansion interface{}
--- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcprovider.go
+++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcprovider.go
@ -0,0 +1,178 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // OIDCProvidersGetter has a method to return a OIDCProviderInterface.
 // A group's client should implement this interface.
 type OIDCProvidersGetter interface {
 	OIDCProviders(namespace string) OIDCProviderInterface
 }
 // OIDCProviderInterface has methods to work with OIDCProvider resources.
 type OIDCProviderInterface interface {
 	Create(*v1alpha1.OIDCProvider) (*v1alpha1.OIDCProvider, error)
 	Update(*v1alpha1.OIDCProvider) (*v1alpha1.OIDCProvider, error)
 	UpdateStatus(*v1alpha1.OIDCProvider) (*v1alpha1.OIDCProvider, error)
 	Delete(name string, options *v1.DeleteOptions) error
 	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
 	Get(name string, options v1.GetOptions) (*v1alpha1.OIDCProvider, error)
 	List(opts v1.ListOptions) (*v1alpha1.OIDCProviderList, error)
 	Watch(opts v1.ListOptions) (watch.Interface, error)
 	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCProvider, err error)
 	OIDCProviderExpansion
 }
 // oIDCProviders implements OIDCProviderInterface
 type oIDCProviders struct {
 	client rest.Interface
 	ns     string
 }
 // newOIDCProviders returns a OIDCProviders
 func newOIDCProviders(c *ConfigV1alpha1Client, namespace string) *oIDCProviders {
 	return &oIDCProviders{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the oIDCProvider, and returns the corresponding oIDCProvider object, and an error if there is any.
 func (c *oIDCProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.OIDCProvider, err error) {
 	result = &v1alpha1.OIDCProvider{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do().
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of OIDCProviders that match those selectors.
 func (c *oIDCProviders) List(opts v1.ListOptions) (result *v1alpha1.OIDCProviderList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.OIDCProviderList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do().
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested oIDCProviders.
 func (c *oIDCProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch()
 }
 // Create takes the representation of a oIDCProvider and creates it.  Returns the server's representation of the oIDCProvider, and an error, if there is any.
 func (c *oIDCProviders) Create(oIDCProvider *v1alpha1.OIDCProvider) (result *v1alpha1.OIDCProvider, err error) {
 	result = &v1alpha1.OIDCProvider{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		Body(oIDCProvider).
 		Do().
 		Into(result)
 	return
 }
 // Update takes the representation of a oIDCProvider and updates it. Returns the server's representation of the oIDCProvider, and an error, if there is any.
 func (c *oIDCProviders) Update(oIDCProvider *v1alpha1.OIDCProvider) (result *v1alpha1.OIDCProvider, err error) {
 	result = &v1alpha1.OIDCProvider{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		Name(oIDCProvider.Name).
 		Body(oIDCProvider).
 		Do().
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *oIDCProviders) UpdateStatus(oIDCProvider *v1alpha1.OIDCProvider) (result *v1alpha1.OIDCProvider, err error) {
 	result = &v1alpha1.OIDCProvider{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		Name(oIDCProvider.Name).
 		SubResource("status").
 		Body(oIDCProvider).
 		Do().
 		Into(result)
 	return
 }
 // Delete takes name of the oIDCProvider and deletes it. Returns an error if one occurs.
 func (c *oIDCProviders) Delete(name string, options *v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		Name(name).
 		Body(options).
 		Do().
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *oIDCProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	var timeout time.Duration
 	if listOptions.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		VersionedParams(&listOptions, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(options).
 		Do().
 		Error()
 }
 // Patch applies the patch and returns the patched oIDCProvider.
 func (c *oIDCProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCProvider, err error) {
 	result = &v1alpha1.OIDCProvider{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		SubResource(subresources...).
 		Name(name).
 		Body(data).
 		Do().
 		Into(result)
 	return
 }
--- a/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcproviderconfig.go
+++ b/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcproviderconfig.go
@ -1,178 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // OIDCProviderConfigsGetter has a method to return a OIDCProviderConfigInterface.
 // A group's client should implement this interface.
 type OIDCProviderConfigsGetter interface {
 	OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface
 }
 // OIDCProviderConfigInterface has methods to work with OIDCProviderConfig resources.
 type OIDCProviderConfigInterface interface {
 	Create(*v1alpha1.OIDCProviderConfig) (*v1alpha1.OIDCProviderConfig, error)
 	Update(*v1alpha1.OIDCProviderConfig) (*v1alpha1.OIDCProviderConfig, error)
 	UpdateStatus(*v1alpha1.OIDCProviderConfig) (*v1alpha1.OIDCProviderConfig, error)
 	Delete(name string, options *v1.DeleteOptions) error
 	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
 	Get(name string, options v1.GetOptions) (*v1alpha1.OIDCProviderConfig, error)
 	List(opts v1.ListOptions) (*v1alpha1.OIDCProviderConfigList, error)
 	Watch(opts v1.ListOptions) (watch.Interface, error)
 	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error)
 	OIDCProviderConfigExpansion
 }
 // oIDCProviderConfigs implements OIDCProviderConfigInterface
 type oIDCProviderConfigs struct {
 	client rest.Interface
 	ns     string
 }
 // newOIDCProviderConfigs returns a OIDCProviderConfigs
 func newOIDCProviderConfigs(c *ConfigV1alpha1Client, namespace string) *oIDCProviderConfigs {
 	return &oIDCProviderConfigs{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
 func (c *oIDCProviderConfigs) Get(name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
 	result = &v1alpha1.OIDCProviderConfig{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do().
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
 func (c *oIDCProviderConfigs) List(opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.OIDCProviderConfigList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do().
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
 func (c *oIDCProviderConfigs) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch()
 }
 // Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
 func (c *oIDCProviderConfigs) Create(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
 	result = &v1alpha1.OIDCProviderConfig{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		Body(oIDCProviderConfig).
 		Do().
 		Into(result)
 	return
 }
 // Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
 func (c *oIDCProviderConfigs) Update(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
 	result = &v1alpha1.OIDCProviderConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		Name(oIDCProviderConfig.Name).
 		Body(oIDCProviderConfig).
 		Do().
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *oIDCProviderConfigs) UpdateStatus(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
 	result = &v1alpha1.OIDCProviderConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		Name(oIDCProviderConfig.Name).
 		SubResource("status").
 		Body(oIDCProviderConfig).
 		Do().
 		Into(result)
 	return
 }
 // Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
 func (c *oIDCProviderConfigs) Delete(name string, options *v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		Name(name).
 		Body(options).
 		Do().
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *oIDCProviderConfigs) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	var timeout time.Duration
 	if listOptions.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		VersionedParams(&listOptions, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(options).
 		Do().
 		Error()
 }
 // Patch applies the patch and returns the patched oIDCProviderConfig.
 func (c *oIDCProviderConfigs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
 	result = &v1alpha1.OIDCProviderConfig{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		SubResource(subresources...).
 		Name(name).
 		Body(data).
 		Do().
 		Into(result)
 	return
 }
--- a/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/interface.go
+++ b/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/interface.go
@ -11,8 +11,8 @@ import (
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+	// OIDCProviders returns a OIDCProviderInformer.
-	OIDCProviderConfigs() OIDCProviderConfigInformer
+	OIDCProviders() OIDCProviderInformer
 }
 type version struct {
@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
-// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+// OIDCProviders returns a OIDCProviderInformer.
-func (v *version) OIDCProviderConfigs() OIDCProviderConfigInformer {
+func (v *version) OIDCProviders() OIDCProviderInformer {
-	return &oIDCProviderConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+	return &oIDCProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
--- a/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/oidcprovider.go
+++ b/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/oidcprovider.go
@ -0,0 +1,76 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // OIDCProviderInformer provides access to a shared informer and lister for
 // OIDCProviders.
 type OIDCProviderInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.OIDCProviderLister
 }
 type oIDCProviderInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewOIDCProviderInformer constructs a new informer for OIDCProvider type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredOIDCProviderInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredOIDCProviderInformer constructs a new informer for OIDCProvider type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().OIDCProviders(namespace).List(options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().OIDCProviders(namespace).Watch(options)
 			},
 		},
 		&configv1alpha1.OIDCProvider{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *oIDCProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredOIDCProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *oIDCProviderInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.OIDCProvider{}, f.defaultInformer)
 }
 func (f *oIDCProviderInformer) Lister() v1alpha1.OIDCProviderLister {
 	return v1alpha1.NewOIDCProviderLister(f.Informer().GetIndexer())
 }
--- a/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/oidcproviderconfig.go
+++ b/generated/1.17/client/supervisor/informers/externalversions/config/v1alpha1/oidcproviderconfig.go
@ -1,76 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // OIDCProviderConfigInformer provides access to a shared informer and lister for
 // OIDCProviderConfigs.
 type OIDCProviderConfigInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.OIDCProviderConfigLister
 }
 type oIDCProviderConfigInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredOIDCProviderConfigInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).List(options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).Watch(options)
 			},
 		},
 		&configv1alpha1.OIDCProviderConfig{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *oIDCProviderConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredOIDCProviderConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *oIDCProviderConfigInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.OIDCProviderConfig{}, f.defaultInformer)
 }
 func (f *oIDCProviderConfigInformer) Lister() v1alpha1.OIDCProviderConfigLister {
 	return v1alpha1.NewOIDCProviderConfigLister(f.Informer().GetIndexer())
 }
--- a/generated/1.17/client/supervisor/informers/externalversions/generic.go
+++ b/generated/1.17/client/supervisor/informers/externalversions/generic.go
@ -40,8 +40,8 @@ func (f *genericInformer) Lister() cache.GenericLister {
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
 	// Group=config.supervisor.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviders().Informer()}, nil
 	}
--- a/generated/1.17/client/supervisor/listers/config/v1alpha1/expansion_generated.go
+++ b/generated/1.17/client/supervisor/listers/config/v1alpha1/expansion_generated.go
@ -5,10 +5,10 @@
 package v1alpha1
-// OIDCProviderConfigListerExpansion allows custom methods to be added to
+// OIDCProviderListerExpansion allows custom methods to be added to
-// OIDCProviderConfigLister.
+// OIDCProviderLister.
-type OIDCProviderConfigListerExpansion interface{}
+type OIDCProviderListerExpansion interface{}
-// OIDCProviderConfigNamespaceListerExpansion allows custom methods to be added to
+// OIDCProviderNamespaceListerExpansion allows custom methods to be added to
-// OIDCProviderConfigNamespaceLister.
+// OIDCProviderNamespaceLister.
-type OIDCProviderConfigNamespaceListerExpansion interface{}
+type OIDCProviderNamespaceListerExpansion interface{}
--- a/generated/1.17/client/supervisor/listers/config/v1alpha1/oidcprovider.go
+++ b/generated/1.17/client/supervisor/listers/config/v1alpha1/oidcprovider.go
@ -0,0 +1,81 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // OIDCProviderLister helps list OIDCProviders.
 type OIDCProviderLister interface {
 	// List lists all OIDCProviders in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.OIDCProvider, err error)
 	// OIDCProviders returns an object that can list and get OIDCProviders.
 	OIDCProviders(namespace string) OIDCProviderNamespaceLister
 	OIDCProviderListerExpansion
 }
 // oIDCProviderLister implements the OIDCProviderLister interface.
 type oIDCProviderLister struct {
 	indexer cache.Indexer
 }
 // NewOIDCProviderLister returns a new OIDCProviderLister.
 func NewOIDCProviderLister(indexer cache.Indexer) OIDCProviderLister {
 	return &oIDCProviderLister{indexer: indexer}
 }
 // List lists all OIDCProviders in the indexer.
 func (s *oIDCProviderLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProvider, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.OIDCProvider))
 	})
 	return ret, err
 }
 // OIDCProviders returns an object that can list and get OIDCProviders.
 func (s *oIDCProviderLister) OIDCProviders(namespace string) OIDCProviderNamespaceLister {
 	return oIDCProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // OIDCProviderNamespaceLister helps list and get OIDCProviders.
 type OIDCProviderNamespaceLister interface {
 	// List lists all OIDCProviders in the indexer for a given namespace.
 	List(selector labels.Selector) (ret []*v1alpha1.OIDCProvider, err error)
 	// Get retrieves the OIDCProvider from the indexer for a given namespace and name.
 	Get(name string) (*v1alpha1.OIDCProvider, error)
 	OIDCProviderNamespaceListerExpansion
 }
 // oIDCProviderNamespaceLister implements the OIDCProviderNamespaceLister
 // interface.
 type oIDCProviderNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all OIDCProviders in the indexer for a given namespace.
 func (s oIDCProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProvider, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.OIDCProvider))
 	})
 	return ret, err
 }
 // Get retrieves the OIDCProvider from the indexer for a given namespace and name.
 func (s oIDCProviderNamespaceLister) Get(name string) (*v1alpha1.OIDCProvider, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("oidcprovider"), name)
 	}
 	return obj.(*v1alpha1.OIDCProvider), nil
 }
--- a/generated/1.17/client/supervisor/listers/config/v1alpha1/oidcproviderconfig.go
+++ b/generated/1.17/client/supervisor/listers/config/v1alpha1/oidcproviderconfig.go
@ -1,81 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // OIDCProviderConfigLister helps list OIDCProviderConfigs.
 type OIDCProviderConfigLister interface {
 	// List lists all OIDCProviderConfigs in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
 	// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
 	OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister
 	OIDCProviderConfigListerExpansion
 }
 // oIDCProviderConfigLister implements the OIDCProviderConfigLister interface.
 type oIDCProviderConfigLister struct {
 	indexer cache.Indexer
 }
 // NewOIDCProviderConfigLister returns a new OIDCProviderConfigLister.
 func NewOIDCProviderConfigLister(indexer cache.Indexer) OIDCProviderConfigLister {
 	return &oIDCProviderConfigLister{indexer: indexer}
 }
 // List lists all OIDCProviderConfigs in the indexer.
 func (s *oIDCProviderConfigLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
 	})
 	return ret, err
 }
 // OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
 func (s *oIDCProviderConfigLister) OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister {
 	return oIDCProviderConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // OIDCProviderConfigNamespaceLister helps list and get OIDCProviderConfigs.
 type OIDCProviderConfigNamespaceLister interface {
 	// List lists all OIDCProviderConfigs in the indexer for a given namespace.
 	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
 	// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
 	Get(name string) (*v1alpha1.OIDCProviderConfig, error)
 	OIDCProviderConfigNamespaceListerExpansion
 }
 // oIDCProviderConfigNamespaceLister implements the OIDCProviderConfigNamespaceLister
 // interface.
 type oIDCProviderConfigNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all OIDCProviderConfigs in the indexer for a given namespace.
 func (s oIDCProviderConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
 	})
 	return ret, err
 }
 // Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
 func (s oIDCProviderConfigNamespaceLister) Get(name string) (*v1alpha1.OIDCProviderConfig, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("oidcproviderconfig"), name)
 	}
 	return obj.(*v1alpha1.OIDCProviderConfig), nil
 }
--- a/generated/1.17/client/supervisor/openapi/zz_generated.openapi.go
+++ b/generated/1.17/client/supervisor/openapi/zz_generated.openapi.go
@ -17,69 +17,70 @@ import (
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderConfig":       schema_apis_supervisor_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProvider":        schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
-		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderConfigList":   schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderList":    schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
-		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderConfigSpec":   schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderSpec":    schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderConfigStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderStatus":  schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                           schema_pkg_apis_meta_v1_APIGroup(ref),
+		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                       schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                      schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                        schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                  schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                    schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                   schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                        schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                               schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                      schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                   schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                      schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                 schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                           schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                 schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                      schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                      schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                           schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                 schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                         schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                      schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                          schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                    schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                      schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                     schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                       schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                 schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                           schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                  schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                   schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                      schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                               schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                              schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                      schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                          schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                      schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                 schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                           schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                 schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                               schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                      schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                           schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                          schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                        schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                      schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                 schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                   schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                          schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                            schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                         schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                     schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                     schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                    schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                              schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                          schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                         schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                              schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                     schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                       schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                         schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                      schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                  schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                          schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                 schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                          schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                     schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                             schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                     schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                        schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                        schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                      schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                   schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                              schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                 schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                              schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                         schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                       schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                         schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                           schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                  schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                  schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                      schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                               schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                             schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                          schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                          schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                           schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                     schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                      schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                      schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                         schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                 schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                            schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                    schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                       schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                 schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                           schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                    schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                            schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
 		"k8s.io/apimachinery/pkg/version.Info":                                               schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
-func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "OIDCProviderConfig describes the configuration of an OIDC provider.",
+				Description: "OIDCProvider describes the configuration of an OIDC provider.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@ -104,13 +105,13 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfig(ref common.Refere
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec of the OIDC provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderConfigSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the OIDC provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderConfigStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderStatus"),
 						},
 					},
 				},
@ -118,15 +119,16 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfig(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderConfigSpec", "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderSpec", "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
-func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Type: []string{"object"},
+				Description: "List of OIDCProvider objects.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
 						SchemaProps: spec.SchemaProps{
@ -153,7 +155,7 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigList(ref common.Re
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderConfig"),
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProvider"),
 									},
 								},
 							},
@ -164,15 +166,15 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigList(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
-func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "OIDCProviderConfigSpec is a struct that describes an OIDC Provider.",
+				Description: "OIDCProviderSpec is a struct that describes an OIDC Provider.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"issuer": {
@ -182,25 +184,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigSpec(ref common.Re
 							Format:      "",
 						},
 					},
-					"sniCertificateSecretName": {
+					"tls": {
 						SchemaProps: spec.SchemaProps{
-							Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
+							Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).",
-							Type:        []string{"string"},
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"),
 							Format:      "",
 						},
 					},
 				},
 				Required: []string{"issuer"},
 			},
 		},
 		Dependencies: []string{
 			"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"},
 	}
 }
-func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.",
+				Description: "OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"status": {
@ -237,6 +240,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigStatus(ref common.
 	}
 }
 func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"secretName": {
 						SchemaProps: spec.SchemaProps{
 							Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 				},
 			},
 		},
 	}
 }
 func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
--- a/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
+++ b/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
@ -6,16 +6,14 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
-  name: credentialissuerconfigs.config.concierge.pinniped.dev
+  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
  names:
-    kind: CredentialIssuerConfig
+    kind: CredentialIssuer
-    listKind: CredentialIssuerConfigList
+    listKind: CredentialIssuerList
-    plural: credentialissuerconfigs
+    plural: credentialissuers
-    shortNames:
+    singular: credentialissuer
    - cic
    singular: credentialissuerconfig
  scope: Namespaced
  versions:
  - name: v1alpha1
--- a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcproviderconfigs.yaml
+++ b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcproviderconfigs.yaml
@ -6,22 +6,20 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
-  name: oidcproviderconfigs.config.supervisor.pinniped.dev
+  name: oidcproviders.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
  names:
-    kind: OIDCProviderConfig
+    kind: OIDCProvider
-    listKind: OIDCProviderConfigList
+    listKind: OIDCProviderList
-    plural: oidcproviderconfigs
+    plural: oidcproviders
-    shortNames:
+    singular: oidcprovider
    - opc
    singular: oidcproviderconfig
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
-        description: OIDCProviderConfig describes the configuration of an OIDC provider.
+        description: OIDCProvider describes the configuration of an OIDC provider.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@ -49,26 +47,32 @@ spec:
                  for more information."
                minLength: 1
                type: string
-              sniCertificateSecretName:
+              tls:
-                description: "SNICertificateSecretName is an optional name of a Secret
+                description: TLS configures how this OIDCProvider is served over Transport
-                  in the same namespace, of type `kubernetes.io/tls`, which contains
+                  Layer Security (TLS).
-                  the TLS serving certificate for the HTTPS endpoints served by this
+                properties:
-                  OIDC Provider. When provided, the TLS Secret named here must contain
+                  secretName:
-                  keys named `tls.crt` and `tls.key` that contain the certificate
+                    description: "SecretName is an optional name of a Secret in the
-                  and private key to use for TLS. \n Server Name Indication (SNI)
+                      same namespace, of type `kubernetes.io/tls`, which contains
-                  is an extension to the Transport Layer Security (TLS) supported
+                      the TLS serving certificate for the HTTPS endpoints served by
-                  by all major browsers. \n SNICertificateSecretName is required if
+                      this OIDCProvider. When provided, the TLS Secret named here
-                  you would like to use different TLS certificates for issuers of
+                      must contain keys named `tls.crt` and `tls.key` that contain
-                  different hostnames. SNI requests do not include port numbers, so
+                      the certificate and private key to use for TLS. \n Server Name
-                  all issuers with the same DNS hostname must use the same SNICertificateSecretName
+                      Indication (SNI) is an extension to the Transport Layer Security
-                  value even if they have different port numbers. \n SNICertificateSecretName
+                      (TLS) supported by all major browsers. \n SecretName is required
-                  is not required when you would like to use only the HTTP endpoints
+                      if you would like to use different TLS certificates for issuers
-                  (e.g. when terminating TLS at an Ingress). It is also not required
+                      of different hostnames. SNI requests do not include port numbers,
-                  when you would like all requests to this OIDC Provider's HTTPS endpoints
+                      so all issuers with the same DNS hostname must use the same
-                  to use the default TLS certificate, which is configured elsewhere.
+                      SecretName value even if they have different port numbers. \n
-                  \n When your Issuer URL's host is an IP address, then this field
+                      SecretName is not required when you would like to use only the
-                  is ignored. SNI does not work for IP addresses."
+                      HTTP endpoints (e.g. when terminating TLS at an Ingress). It
-                type: string
+                      is also not required when you would like all requests to this
                      OIDC Provider's HTTPS endpoints to use the default TLS certificate,
                      which is configured elsewhere. \n When your Issuer URL's host
                      is an IP address, then this field is ignored. SNI does not work
                      for IP addresses."
                    type: string
                type: object
            required:
            - issuer
            type: object
--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@ -131,14 +131,14 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfig"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuer"]
-==== CredentialIssuerConfig 
+==== CredentialIssuer 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfiglist[$$CredentialIssuerConfigList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerlist[$$CredentialIssuerList$$]
 ****
 [cols="25a,75a", options="header"]
@ -146,18 +146,18 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]__ | Status of the credential issuer.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigkubeconfiginfo"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo"]
-==== CredentialIssuerConfigKubeConfigInfo 
+==== CredentialIssuerKubeConfigInfo 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
 ****
 [cols="25a,75a", options="header"]
@ -170,32 +170,32 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigstatus"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus"]
-==== CredentialIssuerConfigStatus 
+==== CredentialIssuerStatus 
 Status of a credential issuer.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfig[$$CredentialIssuerConfig$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
 ****
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigstrategy[$$CredentialIssuerConfigStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
+| *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstrategy[$$CredentialIssuerStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigkubeconfiginfo[$$CredentialIssuerConfigKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigstrategy"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstrategy"]
-==== CredentialIssuerConfigStrategy 
+==== CredentialIssuerStrategy 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
 ****
 [cols="25a,75a", options="header"]
@ -217,14 +217,14 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuratio
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderconfig"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovider"]
-==== OIDCProviderConfig 
+==== OIDCProvider 
-OIDCProviderConfig describes the configuration of an OIDC provider.
+OIDCProvider describes the configuration of an OIDC provider.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderconfiglist[$$OIDCProviderConfigList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderlist[$$OIDCProviderList$$]
 ****
 [cols="25a,75a", options="header"]
@ -232,21 +232,21 @@ OIDCProviderConfig describes the configuration of an OIDC provider.
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderconfigspec[$$OIDCProviderConfigSpec$$]__ | Spec of the OIDC provider.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]__ | Spec of the OIDC provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderconfigstatus[$$OIDCProviderConfigStatus$$]__ | Status of the OIDC provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderstatus[$$OIDCProviderStatus$$]__ | Status of the OIDC provider.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderconfigspec"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderspec"]
-==== OIDCProviderConfigSpec 
+==== OIDCProviderSpec 
-OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+OIDCProviderSpec is a struct that describes an OIDC Provider.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovider[$$OIDCProvider$$]
 ****
 [cols="25a,75a", options="header"]
@ -254,34 +254,51 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
 | Field | Description
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
-| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
 SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. 
 SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderconfigstatus"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderstatus"]
-==== OIDCProviderConfigStatus 
+==== OIDCProviderStatus 
-OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovider[$$OIDCProvider$$]
 ****
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`status`* __OIDCProviderStatus__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
+| *`status`* __OIDCProviderStatusCondition__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
 | *`message`* __string__ | Message provides human-readable details about the Status.
 | *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
 | *`jwksSecret`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | JWKSSecret holds the name of the secret in which this OIDC Provider's signing/verification keys are stored. If it is empty, then the signing/verification keys are either unknown or they don't exist.
 |===
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"]
 ==== OIDCProviderTLSSpec 
 OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
 .Appears In:
 ****
 - xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]
 ****
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
 | *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
 SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. 
 SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 |===
 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
--- a/generated/1.18/apis/concierge/config/v1alpha1/register.go
+++ b/generated/1.18/apis/concierge/config/v1alpha1/register.go
@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&CredentialIssuerConfig{},
+		&CredentialIssuer{},
-		&CredentialIssuerConfigList{},
+		&CredentialIssuerList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go
+++ b/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go
@ -25,17 +25,17 @@ const (
 )
 // Status of a credential issuer.
-type CredentialIssuerConfigStatus struct {
+type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
-	Strategies []CredentialIssuerConfigStrategy `json:"strategies"`
+	Strategies []CredentialIssuerStrategy `json:"strategies"`
 	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 	// +optional
-	KubeConfigInfo *CredentialIssuerConfigKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 // Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
-type CredentialIssuerConfigKubeConfigInfo struct {
+type CredentialIssuerKubeConfigInfo struct {
 	// The K8s API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
@ -47,7 +47,7 @@ type CredentialIssuerConfigKubeConfigInfo struct {
 }
 // Status of an integration strategy that was attempted by Pinniped.
-type CredentialIssuerConfigStrategy struct {
+type CredentialIssuerStrategy struct {
 	// Type of integration attempted.
 	Type StrategyType `json:"type"`
@ -68,22 +68,21 @@ type CredentialIssuerConfigStrategy struct {
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:shortName=cic
-type CredentialIssuerConfig struct {
+type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Status of the credential issuer.
-	Status CredentialIssuerConfigStatus `json:"status"`
+	Status CredentialIssuerStatus `json:"status"`
 }
-// List of CredentialIssuerConfig objects.
+// List of CredentialIssuer objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type CredentialIssuerConfigList struct {
+type CredentialIssuerList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []CredentialIssuerConfig `json:"items"`
+	Items []CredentialIssuer `json:"items"`
 }
--- a/generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
@ -12,7 +12,7 @@ import (
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfig) DeepCopyInto(out *CredentialIssuerConfig) {
+func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@ -20,18 +20,18 @@ func (in *CredentialIssuerConfig) DeepCopyInto(out *CredentialIssuerConfig) {
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfig.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuer.
-func (in *CredentialIssuerConfig) DeepCopy() *CredentialIssuerConfig {
+func (in *CredentialIssuer) DeepCopy() *CredentialIssuer {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfig)
+	out := new(CredentialIssuer)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CredentialIssuerConfig) DeepCopyObject() runtime.Object {
+func (in *CredentialIssuer) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -39,29 +39,29 @@ func (in *CredentialIssuerConfig) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigKubeConfigInfo) DeepCopyInto(out *CredentialIssuerConfigKubeConfigInfo) {
+func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
 	*out = *in
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigKubeConfigInfo.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerKubeConfigInfo.
-func (in *CredentialIssuerConfigKubeConfigInfo) DeepCopy() *CredentialIssuerConfigKubeConfigInfo {
+func (in *CredentialIssuerKubeConfigInfo) DeepCopy() *CredentialIssuerKubeConfigInfo {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigKubeConfigInfo)
+	out := new(CredentialIssuerKubeConfigInfo)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigList) DeepCopyInto(out *CredentialIssuerConfigList) {
+func (in *CredentialIssuerList) DeepCopyInto(out *CredentialIssuerList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]CredentialIssuerConfig, len(*in))
+		*out = make([]CredentialIssuer, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@ -69,18 +69,18 @@ func (in *CredentialIssuerConfigList) DeepCopyInto(out *CredentialIssuerConfigLi
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigList.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerList.
-func (in *CredentialIssuerConfigList) DeepCopy() *CredentialIssuerConfigList {
+func (in *CredentialIssuerList) DeepCopy() *CredentialIssuerList {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigList)
+	out := new(CredentialIssuerList)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CredentialIssuerConfigList) DeepCopyObject() runtime.Object {
+func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -88,46 +88,46 @@ func (in *CredentialIssuerConfigList) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigStatus) DeepCopyInto(out *CredentialIssuerConfigStatus) {
+func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
 	if in.Strategies != nil {
 		in, out := &in.Strategies, &out.Strategies
-		*out = make([]CredentialIssuerConfigStrategy, len(*in))
+		*out = make([]CredentialIssuerStrategy, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.KubeConfigInfo != nil {
 		in, out := &in.KubeConfigInfo, &out.KubeConfigInfo
-		*out = new(CredentialIssuerConfigKubeConfigInfo)
+		*out = new(CredentialIssuerKubeConfigInfo)
 		**out = **in
 	}
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigStatus.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStatus.
-func (in *CredentialIssuerConfigStatus) DeepCopy() *CredentialIssuerConfigStatus {
+func (in *CredentialIssuerStatus) DeepCopy() *CredentialIssuerStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigStatus)
+	out := new(CredentialIssuerStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigStrategy) DeepCopyInto(out *CredentialIssuerConfigStrategy) {
+func (in *CredentialIssuerStrategy) DeepCopyInto(out *CredentialIssuerStrategy) {
 	*out = *in
 	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigStrategy.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStrategy.
-func (in *CredentialIssuerConfigStrategy) DeepCopy() *CredentialIssuerConfigStrategy {
+func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigStrategy)
+	out := new(CredentialIssuerStrategy)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/generated/1.18/apis/supervisor/config/v1alpha1/register.go
+++ b/generated/1.18/apis/supervisor/config/v1alpha1/register.go
@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&OIDCProviderConfig{},
+		&OIDCProvider{},
-		&OIDCProviderConfigList{},
+		&OIDCProviderList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcproviderconfig.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcproviderconfig.go
@ -9,17 +9,40 @@ import (
 )
 // +kubebuilder:validation:Enum=Success;Duplicate;Invalid
-type OIDCProviderStatus string
+type OIDCProviderStatusCondition string
 const (
-	SuccessOIDCProviderStatus                         = OIDCProviderStatus("Success")
+	SuccessOIDCProviderStatusCondition                         = OIDCProviderStatusCondition("Success")
-	DuplicateOIDCProviderStatus                       = OIDCProviderStatus("Duplicate")
+	DuplicateOIDCProviderStatusCondition                       = OIDCProviderStatusCondition("Duplicate")
-	SameIssuerHostMustUseSameSecretOIDCProviderStatus = OIDCProviderStatus("SameIssuerHostMustUseSameSecret")
+	SameIssuerHostMustUseSameSecretOIDCProviderStatusCondition = OIDCProviderStatusCondition("SameIssuerHostMustUseSameSecret")
-	InvalidOIDCProviderStatus                         = OIDCProviderStatus("Invalid")
+	InvalidOIDCProviderStatusCondition                         = OIDCProviderStatusCondition("Invalid")
 )
-// OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
-type OIDCProviderConfigSpec struct {
+type OIDCProviderTLSSpec struct {
 	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 	// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
 	// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
 	// for TLS.
 	//
 	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
 	//
 	// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
 	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 	// SecretName value even if they have different port numbers.
 	//
 	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
 	// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 	// use the default TLS certificate, which is configured elsewhere.
 	//
 	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 	//
 	// +optional
 	SecretName string `json:"secretName,omitempty"`
 }
 // OIDCProviderSpec is a struct that describes an OIDC Provider.
 type OIDCProviderSpec struct {
 	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
 	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
 	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
@ -31,35 +54,17 @@ type OIDCProviderConfigSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Issuer string `json:"issuer"`
-	// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
+	// TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 	// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
 	// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
 	// contain the certificate and private key to use for TLS.
 	//
 	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
 	//
 	// SNICertificateSecretName is required if you would like to use different TLS certificates for
 	// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
 	// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
 	//
 	// SNICertificateSecretName is not required when you would like to use only the
 	// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
 	// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
 	// which is configured elsewhere.
 	//
 	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
 	// for IP addresses.
 	//
 	// +optional
-	SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
+	TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
 }
-// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
-type OIDCProviderConfigStatus struct {
+type OIDCProviderStatus struct {
 	// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
 	// represent success or failure.
 	// +optional
-	Status OIDCProviderStatus `json:"status,omitempty"`
+	Status OIDCProviderStatusCondition `json:"status,omitempty"`
 	// Message provides human-readable details about the Status.
 	// +optional
@ -78,27 +83,25 @@ type OIDCProviderConfigStatus struct {
 	JWKSSecret corev1.LocalObjectReference `json:"jwksSecret,omitempty"`
 }
-// OIDCProviderConfig describes the configuration of an OIDC provider.
+// OIDCProvider describes the configuration of an OIDC provider.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:shortName=opc
+type OIDCProvider struct {
 type OIDCProviderConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Spec of the OIDC provider.
-	Spec OIDCProviderConfigSpec `json:"spec"`
+	Spec OIDCProviderSpec `json:"spec"`
 	// Status of the OIDC provider.
-	Status OIDCProviderConfigStatus `json:"status,omitempty"`
+	Status OIDCProviderStatus `json:"status,omitempty"`
 }
-// List of OIDCProviderConfig objects.
+// List of OIDCProvider objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
+type OIDCProviderList struct {
 type OIDCProviderConfigList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []OIDCProviderConfig `json:"items"`
+	Items []OIDCProvider `json:"items"`
 }
--- a/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -12,27 +12,27 @@ import (
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCProviderConfig) DeepCopyInto(out *OIDCProviderConfig) {
+func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	out.Spec = in.Spec
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfig.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProvider.
-func (in *OIDCProviderConfig) DeepCopy() *OIDCProviderConfig {
+func (in *OIDCProvider) DeepCopy() *OIDCProvider {
 	if in == nil {
 		return nil
 	}
-	out := new(OIDCProviderConfig)
+	out := new(OIDCProvider)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *OIDCProviderConfig) DeepCopyObject() runtime.Object {
+func (in *OIDCProvider) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -40,13 +40,13 @@ func (in *OIDCProviderConfig) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCProviderConfigList) DeepCopyInto(out *OIDCProviderConfigList) {
+func (in *OIDCProviderList) DeepCopyInto(out *OIDCProviderList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]OIDCProviderConfig, len(*in))
+		*out = make([]OIDCProvider, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@ -54,18 +54,18 @@ func (in *OIDCProviderConfigList) DeepCopyInto(out *OIDCProviderConfigList) {
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigList.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderList.
-func (in *OIDCProviderConfigList) DeepCopy() *OIDCProviderConfigList {
+func (in *OIDCProviderList) DeepCopy() *OIDCProviderList {
 	if in == nil {
 		return nil
 	}
-	out := new(OIDCProviderConfigList)
+	out := new(OIDCProviderList)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *OIDCProviderConfigList) DeepCopyObject() runtime.Object {
+func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -73,23 +73,28 @@ func (in *OIDCProviderConfigList) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCProviderConfigSpec) DeepCopyInto(out *OIDCProviderConfigSpec) {
+func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
 	*out = *in
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(OIDCProviderTLSSpec)
 		**out = **in
 	}
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigSpec.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderSpec.
-func (in *OIDCProviderConfigSpec) DeepCopy() *OIDCProviderConfigSpec {
+func (in *OIDCProviderSpec) DeepCopy() *OIDCProviderSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(OIDCProviderConfigSpec)
+	out := new(OIDCProviderSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCProviderConfigStatus) DeepCopyInto(out *OIDCProviderConfigStatus) {
+func (in *OIDCProviderStatus) DeepCopyInto(out *OIDCProviderStatus) {
 	*out = *in
 	if in.LastUpdateTime != nil {
 		in, out := &in.LastUpdateTime, &out.LastUpdateTime
@ -99,12 +104,28 @@ func (in *OIDCProviderConfigStatus) DeepCopyInto(out *OIDCProviderConfigStatus)
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigStatus.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderStatus.
-func (in *OIDCProviderConfigStatus) DeepCopy() *OIDCProviderConfigStatus {
+func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(OIDCProviderConfigStatus)
+	out := new(OIDCProviderStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) {
 	*out = *in
 	return
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec.
 func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec {
 	if in == nil {
 		return nil
 	}
 	out := new(OIDCProviderTLSSpec)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
@ -13,7 +13,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	CredentialIssuerConfigsGetter
+	CredentialIssuersGetter
 }
 // ConfigV1alpha1Client is used to interact with features provided by the config.concierge.pinniped.dev group.
@ -21,8 +21,8 @@ type ConfigV1alpha1Client struct {
 	restClient rest.Interface
 }
-func (c *ConfigV1alpha1Client) CredentialIssuerConfigs(namespace string) CredentialIssuerConfigInterface {
+func (c *ConfigV1alpha1Client) CredentialIssuers(namespace string) CredentialIssuerInterface {
-	return newCredentialIssuerConfigs(c, namespace)
+	return newCredentialIssuers(c, namespace)
 }
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
@ -0,0 +1,182 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.18/client/concierge/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // CredentialIssuersGetter has a method to return a CredentialIssuerInterface.
 // A group's client should implement this interface.
 type CredentialIssuersGetter interface {
 	CredentialIssuers(namespace string) CredentialIssuerInterface
 }
 // CredentialIssuerInterface has methods to work with CredentialIssuer resources.
 type CredentialIssuerInterface interface {
 	Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (*v1alpha1.CredentialIssuer, error)
 	Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error)
 	UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error)
 	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
 	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
 	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CredentialIssuer, error)
 	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CredentialIssuerList, error)
 	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
 	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error)
 	CredentialIssuerExpansion
 }
 // credentialIssuers implements CredentialIssuerInterface
 type credentialIssuers struct {
 	client rest.Interface
 	ns     string
 }
 // newCredentialIssuers returns a CredentialIssuers
 func newCredentialIssuers(c *ConfigV1alpha1Client, namespace string) *credentialIssuers {
 	return &credentialIssuers{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
 func (c *credentialIssuers) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do(ctx).
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
 func (c *credentialIssuers) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.CredentialIssuerList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuers.
 func (c *credentialIssuers) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch(ctx)
 }
 // Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *credentialIssuers) Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuer).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *credentialIssuers) Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuer).
 		Do(ctx).
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *credentialIssuers) UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		SubResource("status").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuer).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *credentialIssuers) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *credentialIssuers) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	var timeout time.Duration
 	if listOpts.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&listOpts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // Patch applies the patch and returns the patched credentialIssuer.
 func (c *credentialIssuers) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		SubResource(subresources...).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(data).
 		Do(ctx).
 		Into(result)
 	return
 }
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuerconfig.go
@ -1,182 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.18/client/concierge/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // CredentialIssuerConfigsGetter has a method to return a CredentialIssuerConfigInterface.
 // A group's client should implement this interface.
 type CredentialIssuerConfigsGetter interface {
 	CredentialIssuerConfigs(namespace string) CredentialIssuerConfigInterface
 }
 // CredentialIssuerConfigInterface has methods to work with CredentialIssuerConfig resources.
 type CredentialIssuerConfigInterface interface {
 	Create(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.CreateOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	Update(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	UpdateStatus(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
 	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
 	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CredentialIssuerConfig, error)
 	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CredentialIssuerConfigList, error)
 	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
 	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error)
 	CredentialIssuerConfigExpansion
 }
 // credentialIssuerConfigs implements CredentialIssuerConfigInterface
 type credentialIssuerConfigs struct {
 	client rest.Interface
 	ns     string
 }
 // newCredentialIssuerConfigs returns a CredentialIssuerConfigs
 func newCredentialIssuerConfigs(c *ConfigV1alpha1Client, namespace string) *credentialIssuerConfigs {
 	return &credentialIssuerConfigs{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the credentialIssuerConfig, and returns the corresponding credentialIssuerConfig object, and an error if there is any.
 func (c *credentialIssuerConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do(ctx).
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of CredentialIssuerConfigs that match those selectors.
 func (c *credentialIssuerConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerConfigList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.CredentialIssuerConfigList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuerConfigs.
 func (c *credentialIssuerConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch(ctx)
 }
 // Create takes the representation of a credentialIssuerConfig and creates it.  Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *credentialIssuerConfigs) Create(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuerConfig).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Update takes the representation of a credentialIssuerConfig and updates it. Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *credentialIssuerConfigs) Update(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(credentialIssuerConfig.Name).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuerConfig).
 		Do(ctx).
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *credentialIssuerConfigs) UpdateStatus(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(credentialIssuerConfig.Name).
 		SubResource("status").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuerConfig).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Delete takes name of the credentialIssuerConfig and deletes it. Returns an error if one occurs.
 func (c *credentialIssuerConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *credentialIssuerConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	var timeout time.Duration
 	if listOpts.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		VersionedParams(&listOpts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // Patch applies the patch and returns the patched credentialIssuerConfig.
 func (c *credentialIssuerConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	result = &v1alpha1.CredentialIssuerConfig{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("credentialissuerconfigs").
 		Name(name).
 		SubResource(subresources...).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(data).
 		Do(ctx).
 		Into(result)
 	return
 }
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@ -15,8 +15,8 @@ type FakeConfigV1alpha1 struct {
 	*testing.Fake
 }
-func (c *FakeConfigV1alpha1) CredentialIssuerConfigs(namespace string) v1alpha1.CredentialIssuerConfigInterface {
+func (c *FakeConfigV1alpha1) CredentialIssuers(namespace string) v1alpha1.CredentialIssuerInterface {
-	return &FakeCredentialIssuerConfigs{c, namespace}
+	return &FakeCredentialIssuers{c, namespace}
 }
 // RESTClient returns a RESTClient that is used to communicate
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
@ -0,0 +1,129 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	"context"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeCredentialIssuers implements CredentialIssuerInterface
 type FakeCredentialIssuers struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var credentialissuersResource = schema.GroupVersionResource{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Resource: "credentialissuers"}
 var credentialissuersKind = schema.GroupVersionKind{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Kind: "CredentialIssuer"}
 // Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
 func (c *FakeCredentialIssuers) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
 func (c *FakeCredentialIssuers) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(credentialissuersResource, credentialissuersKind, c.ns, opts), &v1alpha1.CredentialIssuerList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.CredentialIssuerList{ListMeta: obj.(*v1alpha1.CredentialIssuerList).ListMeta}
 	for _, item := range obj.(*v1alpha1.CredentialIssuerList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuers.
 func (c *FakeCredentialIssuers) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(credentialissuersResource, c.ns, opts))
 }
 // Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeCredentialIssuers) UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(credentialissuersResource, "status", c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *FakeCredentialIssuers) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeCredentialIssuers) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(credentialissuersResource, c.ns, listOpts)
 	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerList{})
 	return err
 }
 // Patch applies the patch and returns the patched credentialIssuer.
 func (c *FakeCredentialIssuers) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(credentialissuersResource, c.ns, name, pt, data, subresources...), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuer), err
 }
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuerconfig.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuerconfig.go
@ -1,129 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	"context"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeCredentialIssuerConfigs implements CredentialIssuerConfigInterface
 type FakeCredentialIssuerConfigs struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var credentialissuerconfigsResource = schema.GroupVersionResource{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Resource: "credentialissuerconfigs"}
 var credentialissuerconfigsKind = schema.GroupVersionKind{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Kind: "CredentialIssuerConfig"}
 // Get takes name of the credentialIssuerConfig, and returns the corresponding credentialIssuerConfig object, and an error if there is any.
 func (c *FakeCredentialIssuerConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(credentialissuerconfigsResource, c.ns, name), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // List takes label and field selectors, and returns the list of CredentialIssuerConfigs that match those selectors.
 func (c *FakeCredentialIssuerConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerConfigList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(credentialissuerconfigsResource, credentialissuerconfigsKind, c.ns, opts), &v1alpha1.CredentialIssuerConfigList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.CredentialIssuerConfigList{ListMeta: obj.(*v1alpha1.CredentialIssuerConfigList).ListMeta}
 	for _, item := range obj.(*v1alpha1.CredentialIssuerConfigList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested credentialIssuerConfigs.
 func (c *FakeCredentialIssuerConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(credentialissuerconfigsResource, c.ns, opts))
 }
 // Create takes the representation of a credentialIssuerConfig and creates it.  Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *FakeCredentialIssuerConfigs) Create(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(credentialissuerconfigsResource, c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // Update takes the representation of a credentialIssuerConfig and updates it. Returns the server's representation of the credentialIssuerConfig, and an error, if there is any.
 func (c *FakeCredentialIssuerConfigs) Update(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(credentialissuerconfigsResource, c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeCredentialIssuerConfigs) UpdateStatus(ctx context.Context, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuerConfig, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(credentialissuerconfigsResource, "status", c.ns, credentialIssuerConfig), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
 // Delete takes name of the credentialIssuerConfig and deletes it. Returns an error if one occurs.
 func (c *FakeCredentialIssuerConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(credentialissuerconfigsResource, c.ns, name), &v1alpha1.CredentialIssuerConfig{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeCredentialIssuerConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(credentialissuerconfigsResource, c.ns, listOpts)
 	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerConfigList{})
 	return err
 }
 // Patch applies the patch and returns the patched credentialIssuerConfig.
 func (c *FakeCredentialIssuerConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuerConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(credentialissuerconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.CredentialIssuerConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), err
 }
--- a/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@ -5,4 +5,4 @@
 package v1alpha1
-type CredentialIssuerConfigExpansion interface{}
+type CredentialIssuerExpansion interface{}
--- a/generated/1.18/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
+++ b/generated/1.18/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
@ -0,0 +1,77 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.18/client/concierge/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/concierge/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.18/client/concierge/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerInformer provides access to a shared informer and lister for
 // CredentialIssuers.
 type CredentialIssuerInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.CredentialIssuerLister
 }
 type credentialIssuerInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewCredentialIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCredentialIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuers(namespace).List(context.TODO(), options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuers(namespace).Watch(context.TODO(), options)
 			},
 		},
 		&configv1alpha1.CredentialIssuer{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *credentialIssuerInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *credentialIssuerInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.CredentialIssuer{}, f.defaultInformer)
 }
 func (f *credentialIssuerInformer) Lister() v1alpha1.CredentialIssuerLister {
 	return v1alpha1.NewCredentialIssuerLister(f.Informer().GetIndexer())
 }
--- a/generated/1.18/client/concierge/informers/externalversions/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.18/client/concierge/informers/externalversions/config/v1alpha1/credentialissuerconfig.go
@ -1,77 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.18/client/concierge/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/concierge/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.18/client/concierge/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerConfigInformer provides access to a shared informer and lister for
 // CredentialIssuerConfigs.
 type CredentialIssuerConfigInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.CredentialIssuerConfigLister
 }
 type credentialIssuerConfigInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewCredentialIssuerConfigInformer constructs a new informer for CredentialIssuerConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewCredentialIssuerConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerConfigInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredCredentialIssuerConfigInformer constructs a new informer for CredentialIssuerConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCredentialIssuerConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuerConfigs(namespace).List(context.TODO(), options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().CredentialIssuerConfigs(namespace).Watch(context.TODO(), options)
 			},
 		},
 		&configv1alpha1.CredentialIssuerConfig{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *credentialIssuerConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredCredentialIssuerConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *credentialIssuerConfigInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.CredentialIssuerConfig{}, f.defaultInformer)
 }
 func (f *credentialIssuerConfigInformer) Lister() v1alpha1.CredentialIssuerConfigLister {
 	return v1alpha1.NewCredentialIssuerConfigLister(f.Informer().GetIndexer())
 }
--- a/generated/1.18/client/concierge/informers/externalversions/config/v1alpha1/interface.go
+++ b/generated/1.18/client/concierge/informers/externalversions/config/v1alpha1/interface.go
@ -11,8 +11,8 @@ import (
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
+	// CredentialIssuers returns a CredentialIssuerInformer.
-	CredentialIssuerConfigs() CredentialIssuerConfigInformer
+	CredentialIssuers() CredentialIssuerInformer
 }
 type version struct {
@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
-// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
+// CredentialIssuers returns a CredentialIssuerInformer.
-func (v *version) CredentialIssuerConfigs() CredentialIssuerConfigInformer {
+func (v *version) CredentialIssuers() CredentialIssuerInformer {
-	return &credentialIssuerConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+	return &credentialIssuerInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
--- a/generated/1.18/client/concierge/informers/externalversions/generic.go
+++ b/generated/1.18/client/concierge/informers/externalversions/generic.go
@ -46,8 +46,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookAuthenticators().Informer()}, nil
 		// Group=config.concierge.pinniped.dev, Version=v1alpha1
-	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
+	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuers"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuers().Informer()}, nil
 		// Group=login.concierge.pinniped.dev, Version=v1alpha1
 	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
--- a/generated/1.18/client/concierge/listers/config/v1alpha1/credentialissuer.go
+++ b/generated/1.18/client/concierge/listers/config/v1alpha1/credentialissuer.go
@ -0,0 +1,81 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerLister helps list CredentialIssuers.
 type CredentialIssuerLister interface {
 	// List lists all CredentialIssuers in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error)
 	// CredentialIssuers returns an object that can list and get CredentialIssuers.
 	CredentialIssuers(namespace string) CredentialIssuerNamespaceLister
 	CredentialIssuerListerExpansion
 }
 // credentialIssuerLister implements the CredentialIssuerLister interface.
 type credentialIssuerLister struct {
 	indexer cache.Indexer
 }
 // NewCredentialIssuerLister returns a new CredentialIssuerLister.
 func NewCredentialIssuerLister(indexer cache.Indexer) CredentialIssuerLister {
 	return &credentialIssuerLister{indexer: indexer}
 }
 // List lists all CredentialIssuers in the indexer.
 func (s *credentialIssuerLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuer))
 	})
 	return ret, err
 }
 // CredentialIssuers returns an object that can list and get CredentialIssuers.
 func (s *credentialIssuerLister) CredentialIssuers(namespace string) CredentialIssuerNamespaceLister {
 	return credentialIssuerNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // CredentialIssuerNamespaceLister helps list and get CredentialIssuers.
 type CredentialIssuerNamespaceLister interface {
 	// List lists all CredentialIssuers in the indexer for a given namespace.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error)
 	// Get retrieves the CredentialIssuer from the indexer for a given namespace and name.
 	Get(name string) (*v1alpha1.CredentialIssuer, error)
 	CredentialIssuerNamespaceListerExpansion
 }
 // credentialIssuerNamespaceLister implements the CredentialIssuerNamespaceLister
 // interface.
 type credentialIssuerNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all CredentialIssuers in the indexer for a given namespace.
 func (s credentialIssuerNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuer))
 	})
 	return ret, err
 }
 // Get retrieves the CredentialIssuer from the indexer for a given namespace and name.
 func (s credentialIssuerNamespaceLister) Get(name string) (*v1alpha1.CredentialIssuer, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("credentialissuer"), name)
 	}
 	return obj.(*v1alpha1.CredentialIssuer), nil
 }
--- a/generated/1.18/client/concierge/listers/config/v1alpha1/credentialissuerconfig.go
+++ b/generated/1.18/client/concierge/listers/config/v1alpha1/credentialissuerconfig.go
@ -1,81 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // CredentialIssuerConfigLister helps list CredentialIssuerConfigs.
 type CredentialIssuerConfigLister interface {
 	// List lists all CredentialIssuerConfigs in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error)
 	// CredentialIssuerConfigs returns an object that can list and get CredentialIssuerConfigs.
 	CredentialIssuerConfigs(namespace string) CredentialIssuerConfigNamespaceLister
 	CredentialIssuerConfigListerExpansion
 }
 // credentialIssuerConfigLister implements the CredentialIssuerConfigLister interface.
 type credentialIssuerConfigLister struct {
 	indexer cache.Indexer
 }
 // NewCredentialIssuerConfigLister returns a new CredentialIssuerConfigLister.
 func NewCredentialIssuerConfigLister(indexer cache.Indexer) CredentialIssuerConfigLister {
 	return &credentialIssuerConfigLister{indexer: indexer}
 }
 // List lists all CredentialIssuerConfigs in the indexer.
 func (s *credentialIssuerConfigLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuerConfig))
 	})
 	return ret, err
 }
 // CredentialIssuerConfigs returns an object that can list and get CredentialIssuerConfigs.
 func (s *credentialIssuerConfigLister) CredentialIssuerConfigs(namespace string) CredentialIssuerConfigNamespaceLister {
 	return credentialIssuerConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // CredentialIssuerConfigNamespaceLister helps list and get CredentialIssuerConfigs.
 type CredentialIssuerConfigNamespaceLister interface {
 	// List lists all CredentialIssuerConfigs in the indexer for a given namespace.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error)
 	// Get retrieves the CredentialIssuerConfig from the indexer for a given namespace and name.
 	Get(name string) (*v1alpha1.CredentialIssuerConfig, error)
 	CredentialIssuerConfigNamespaceListerExpansion
 }
 // credentialIssuerConfigNamespaceLister implements the CredentialIssuerConfigNamespaceLister
 // interface.
 type credentialIssuerConfigNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all CredentialIssuerConfigs in the indexer for a given namespace.
 func (s credentialIssuerConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuerConfig, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.CredentialIssuerConfig))
 	})
 	return ret, err
 }
 // Get retrieves the CredentialIssuerConfig from the indexer for a given namespace and name.
 func (s credentialIssuerConfigNamespaceLister) Get(name string) (*v1alpha1.CredentialIssuerConfig, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("credentialissuerconfig"), name)
 	}
 	return obj.(*v1alpha1.CredentialIssuerConfig), nil
 }
--- a/generated/1.18/client/concierge/listers/config/v1alpha1/expansion_generated.go
+++ b/generated/1.18/client/concierge/listers/config/v1alpha1/expansion_generated.go
@ -5,10 +5,10 @@
 package v1alpha1
-// CredentialIssuerConfigListerExpansion allows custom methods to be added to
+// CredentialIssuerListerExpansion allows custom methods to be added to
-// CredentialIssuerConfigLister.
+// CredentialIssuerLister.
-type CredentialIssuerConfigListerExpansion interface{}
+type CredentialIssuerListerExpansion interface{}
-// CredentialIssuerConfigNamespaceListerExpansion allows custom methods to be added to
+// CredentialIssuerNamespaceListerExpansion allows custom methods to be added to
-// CredentialIssuerConfigNamespaceLister.
+// CredentialIssuerNamespaceLister.
-type CredentialIssuerConfigNamespaceListerExpansion interface{}
+type CredentialIssuerNamespaceListerExpansion interface{}
--- a/generated/1.18/client/concierge/openapi/zz_generated.openapi.go
+++ b/generated/1.18/client/concierge/openapi/zz_generated.openapi.go
@ -17,73 +17,73 @@ import (
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition":                    schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition":                  schema_apis_concierge_authentication_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec":                      schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec":                    schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":         schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":       schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":     schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":     schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus": schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfig":               schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuer":                   schema_apis_concierge_config_v1alpha1_CredentialIssuer(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo": schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo":     schema_apis_concierge_config_v1alpha1_CredentialIssuerKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigList":           schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerList":               schema_apis_concierge_config_v1alpha1_CredentialIssuerList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus":         schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerStatus":             schema_apis_concierge_config_v1alpha1_CredentialIssuerStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerStrategy":           schema_apis_concierge_config_v1alpha1_CredentialIssuerStrategy(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":                     schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":                   schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":                schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":              schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":            schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":            schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":        schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                      schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                    schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                  schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                   schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                 schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                               schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                             schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                   schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                 schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                 schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                               schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                 schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                               schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                      schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                    schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                 schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                               schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                      schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                    schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                    schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                  schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                     schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                   schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                 schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                               schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                  schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                      schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                    schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                              schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                            schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                          schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                        schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                 schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                               schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                 schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                               schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                      schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                    schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                          schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                        schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                      schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                    schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                   schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                 schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                            schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                          schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                     schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                   schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                    schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                  schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                              schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                         schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                       schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                     schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                   schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                         schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                       schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                  schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                 schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                               schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                     schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                   schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                     schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                   schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                        schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                      schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                   schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                 schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                 schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                               schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                         schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                       schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                         schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                       schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                  schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                      schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                    schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                             schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                           schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                          schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                        schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                     schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                   schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                      schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                    schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                 schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                               schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                    schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                  schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                       schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                     schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                           schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                         schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                            schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                          schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                               schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                             schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
@ -325,7 +325,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(re
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuer(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -353,7 +353,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.Ref
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the credential issuer.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerStatus"),
 						},
 					},
 				},
@ -361,11 +361,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfig(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerKubeConfigInfo(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -393,7 +393,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -424,7 +424,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfig"),
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuer"),
 									},
 								},
 							},
@ -435,11 +435,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigList(ref common
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuer", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@ -453,7 +453,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy"),
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerStrategy"),
 									},
 								},
 							},
@ -462,7 +462,7 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 					"kubeConfigInfo": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo"),
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo"),
 						},
 					},
 				},
@ -470,11 +470,11 @@ func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStatus(ref comm
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo", "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerConfigStrategy"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerKubeConfigInfo", "go.pinniped.dev/generated/1.18/apis/concierge/config/v1alpha1.CredentialIssuerStrategy"},
 	}
 }
-func schema_apis_concierge_config_v1alpha1_CredentialIssuerConfigStrategy(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_config_v1alpha1_CredentialIssuerStrategy(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
--- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/config_client.go
@ -13,7 +13,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	OIDCProviderConfigsGetter
+	OIDCProvidersGetter
 }
 // ConfigV1alpha1Client is used to interact with features provided by the config.supervisor.pinniped.dev group.
@ -21,8 +21,8 @@ type ConfigV1alpha1Client struct {
 	restClient rest.Interface
 }
-func (c *ConfigV1alpha1Client) OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface {
+func (c *ConfigV1alpha1Client) OIDCProviders(namespace string) OIDCProviderInterface {
-	return newOIDCProviderConfigs(c, namespace)
+	return newOIDCProviders(c, namespace)
 }
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
--- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@ -15,8 +15,8 @@ type FakeConfigV1alpha1 struct {
 	*testing.Fake
 }
-func (c *FakeConfigV1alpha1) OIDCProviderConfigs(namespace string) v1alpha1.OIDCProviderConfigInterface {
+func (c *FakeConfigV1alpha1) OIDCProviders(namespace string) v1alpha1.OIDCProviderInterface {
-	return &FakeOIDCProviderConfigs{c, namespace}
+	return &FakeOIDCProviders{c, namespace}
 }
 // RESTClient returns a RESTClient that is used to communicate
--- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcprovider.go
+++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcprovider.go
@ -0,0 +1,129 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	"context"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeOIDCProviders implements OIDCProviderInterface
 type FakeOIDCProviders struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var oidcprovidersResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcproviders"}
 var oidcprovidersKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCProvider"}
 // Get takes name of the oIDCProvider, and returns the corresponding oIDCProvider object, and an error if there is any.
 func (c *FakeOIDCProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCProvider, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(oidcprovidersResource, c.ns, name), &v1alpha1.OIDCProvider{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProvider), err
 }
 // List takes label and field selectors, and returns the list of OIDCProviders that match those selectors.
 func (c *FakeOIDCProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCProviderList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(oidcprovidersResource, oidcprovidersKind, c.ns, opts), &v1alpha1.OIDCProviderList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.OIDCProviderList{ListMeta: obj.(*v1alpha1.OIDCProviderList).ListMeta}
 	for _, item := range obj.(*v1alpha1.OIDCProviderList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested oIDCProviders.
 func (c *FakeOIDCProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(oidcprovidersResource, c.ns, opts))
 }
 // Create takes the representation of a oIDCProvider and creates it.  Returns the server's representation of the oIDCProvider, and an error, if there is any.
 func (c *FakeOIDCProviders) Create(ctx context.Context, oIDCProvider *v1alpha1.OIDCProvider, opts v1.CreateOptions) (result *v1alpha1.OIDCProvider, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(oidcprovidersResource, c.ns, oIDCProvider), &v1alpha1.OIDCProvider{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProvider), err
 }
 // Update takes the representation of a oIDCProvider and updates it. Returns the server's representation of the oIDCProvider, and an error, if there is any.
 func (c *FakeOIDCProviders) Update(ctx context.Context, oIDCProvider *v1alpha1.OIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.OIDCProvider, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(oidcprovidersResource, c.ns, oIDCProvider), &v1alpha1.OIDCProvider{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProvider), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeOIDCProviders) UpdateStatus(ctx context.Context, oIDCProvider *v1alpha1.OIDCProvider, opts v1.UpdateOptions) (*v1alpha1.OIDCProvider, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(oidcprovidersResource, "status", c.ns, oIDCProvider), &v1alpha1.OIDCProvider{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProvider), err
 }
 // Delete takes name of the oIDCProvider and deletes it. Returns an error if one occurs.
 func (c *FakeOIDCProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(oidcprovidersResource, c.ns, name), &v1alpha1.OIDCProvider{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeOIDCProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(oidcprovidersResource, c.ns, listOpts)
 	_, err := c.Fake.Invokes(action, &v1alpha1.OIDCProviderList{})
 	return err
 }
 // Patch applies the patch and returns the patched oIDCProvider.
 func (c *FakeOIDCProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProvider, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(oidcprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCProvider{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProvider), err
 }
--- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcproviderconfig.go
+++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcproviderconfig.go
@ -1,129 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	"context"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	testing "k8s.io/client-go/testing"
 )
 // FakeOIDCProviderConfigs implements OIDCProviderConfigInterface
 type FakeOIDCProviderConfigs struct {
 	Fake *FakeConfigV1alpha1
 	ns   string
 }
 var oidcproviderconfigsResource = schema.GroupVersionResource{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcproviderconfigs"}
 var oidcproviderconfigsKind = schema.GroupVersionKind{Group: "config.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCProviderConfig"}
 // Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
 func (c *FakeOIDCProviderConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewGetAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProviderConfig), err
 }
 // List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
 func (c *FakeOIDCProviderConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewListAction(oidcproviderconfigsResource, oidcproviderconfigsKind, c.ns, opts), &v1alpha1.OIDCProviderConfigList{})
 	if obj == nil {
 		return nil, err
 	}
 	label, _, _ := testing.ExtractFromListOptions(opts)
 	if label == nil {
 		label = labels.Everything()
 	}
 	list := &v1alpha1.OIDCProviderConfigList{ListMeta: obj.(*v1alpha1.OIDCProviderConfigList).ListMeta}
 	for _, item := range obj.(*v1alpha1.OIDCProviderConfigList).Items {
 		if label.Matches(labels.Set(item.Labels)) {
 			list.Items = append(list.Items, item)
 		}
 	}
 	return list, err
 }
 // Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
 func (c *FakeOIDCProviderConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
 		InvokesWatch(testing.NewWatchAction(oidcproviderconfigsResource, c.ns, opts))
 }
 // Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
 func (c *FakeOIDCProviderConfigs) Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewCreateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProviderConfig), err
 }
 // Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
 func (c *FakeOIDCProviderConfigs) Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProviderConfig), err
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeOIDCProviderConfigs) UpdateStatus(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (*v1alpha1.OIDCProviderConfig, error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewUpdateSubresourceAction(oidcproviderconfigsResource, "status", c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProviderConfig), err
 }
 // Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
 func (c *FakeOIDCProviderConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	_, err := c.Fake.
 		Invokes(testing.NewDeleteAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
 	return err
 }
 // DeleteCollection deletes a collection of objects.
 func (c *FakeOIDCProviderConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	action := testing.NewDeleteCollectionAction(oidcproviderconfigsResource, c.ns, listOpts)
 	_, err := c.Fake.Invokes(action, &v1alpha1.OIDCProviderConfigList{})
 	return err
 }
 // Patch applies the patch and returns the patched oIDCProviderConfig.
 func (c *FakeOIDCProviderConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
 	obj, err := c.Fake.
 		Invokes(testing.NewPatchSubresourceAction(oidcproviderconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCProviderConfig{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*v1alpha1.OIDCProviderConfig), err
 }
--- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@ -5,4 +5,4 @@
 package v1alpha1
-type OIDCProviderConfigExpansion interface{}
+type OIDCProviderExpansion interface{}
--- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcprovider.go
+++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcprovider.go
@ -0,0 +1,182 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // OIDCProvidersGetter has a method to return a OIDCProviderInterface.
 // A group's client should implement this interface.
 type OIDCProvidersGetter interface {
 	OIDCProviders(namespace string) OIDCProviderInterface
 }
 // OIDCProviderInterface has methods to work with OIDCProvider resources.
 type OIDCProviderInterface interface {
 	Create(ctx context.Context, oIDCProvider *v1alpha1.OIDCProvider, opts v1.CreateOptions) (*v1alpha1.OIDCProvider, error)
 	Update(ctx context.Context, oIDCProvider *v1alpha1.OIDCProvider, opts v1.UpdateOptions) (*v1alpha1.OIDCProvider, error)
 	UpdateStatus(ctx context.Context, oIDCProvider *v1alpha1.OIDCProvider, opts v1.UpdateOptions) (*v1alpha1.OIDCProvider, error)
 	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
 	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
 	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCProvider, error)
 	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCProviderList, error)
 	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
 	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProvider, err error)
 	OIDCProviderExpansion
 }
 // oIDCProviders implements OIDCProviderInterface
 type oIDCProviders struct {
 	client rest.Interface
 	ns     string
 }
 // newOIDCProviders returns a OIDCProviders
 func newOIDCProviders(c *ConfigV1alpha1Client, namespace string) *oIDCProviders {
 	return &oIDCProviders{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the oIDCProvider, and returns the corresponding oIDCProvider object, and an error if there is any.
 func (c *oIDCProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCProvider, err error) {
 	result = &v1alpha1.OIDCProvider{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do(ctx).
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of OIDCProviders that match those selectors.
 func (c *oIDCProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCProviderList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.OIDCProviderList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested oIDCProviders.
 func (c *oIDCProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch(ctx)
 }
 // Create takes the representation of a oIDCProvider and creates it.  Returns the server's representation of the oIDCProvider, and an error, if there is any.
 func (c *oIDCProviders) Create(ctx context.Context, oIDCProvider *v1alpha1.OIDCProvider, opts v1.CreateOptions) (result *v1alpha1.OIDCProvider, err error) {
 	result = &v1alpha1.OIDCProvider{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(oIDCProvider).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Update takes the representation of a oIDCProvider and updates it. Returns the server's representation of the oIDCProvider, and an error, if there is any.
 func (c *oIDCProviders) Update(ctx context.Context, oIDCProvider *v1alpha1.OIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.OIDCProvider, err error) {
 	result = &v1alpha1.OIDCProvider{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		Name(oIDCProvider.Name).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(oIDCProvider).
 		Do(ctx).
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *oIDCProviders) UpdateStatus(ctx context.Context, oIDCProvider *v1alpha1.OIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.OIDCProvider, err error) {
 	result = &v1alpha1.OIDCProvider{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		Name(oIDCProvider.Name).
 		SubResource("status").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(oIDCProvider).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Delete takes name of the oIDCProvider and deletes it. Returns an error if one occurs.
 func (c *oIDCProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		Name(name).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *oIDCProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	var timeout time.Duration
 	if listOpts.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		VersionedParams(&listOpts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // Patch applies the patch and returns the patched oIDCProvider.
 func (c *oIDCProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProvider, err error) {
 	result = &v1alpha1.OIDCProvider{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("oidcproviders").
 		Name(name).
 		SubResource(subresources...).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(data).
 		Do(ctx).
 		Into(result)
 	return
 }
--- a/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcproviderconfig.go
+++ b/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/oidcproviderconfig.go
@ -1,182 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	"time"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	rest "k8s.io/client-go/rest"
 )
 // OIDCProviderConfigsGetter has a method to return a OIDCProviderConfigInterface.
 // A group's client should implement this interface.
 type OIDCProviderConfigsGetter interface {
 	OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface
 }
 // OIDCProviderConfigInterface has methods to work with OIDCProviderConfig resources.
 type OIDCProviderConfigInterface interface {
 	Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (*v1alpha1.OIDCProviderConfig, error)
 	Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (*v1alpha1.OIDCProviderConfig, error)
 	UpdateStatus(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (*v1alpha1.OIDCProviderConfig, error)
 	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
 	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
 	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCProviderConfig, error)
 	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCProviderConfigList, error)
 	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
 	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error)
 	OIDCProviderConfigExpansion
 }
 // oIDCProviderConfigs implements OIDCProviderConfigInterface
 type oIDCProviderConfigs struct {
 	client rest.Interface
 	ns     string
 }
 // newOIDCProviderConfigs returns a OIDCProviderConfigs
 func newOIDCProviderConfigs(c *ConfigV1alpha1Client, namespace string) *oIDCProviderConfigs {
 	return &oIDCProviderConfigs{
 		client: c.RESTClient(),
 		ns:     namespace,
 	}
 }
 // Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
 func (c *oIDCProviderConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
 	result = &v1alpha1.OIDCProviderConfig{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
 		Do(ctx).
 		Into(result)
 	return
 }
 // List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
 func (c *oIDCProviderConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	result = &v1alpha1.OIDCProviderConfigList{}
 	err = c.client.Get().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
 func (c *oIDCProviderConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	var timeout time.Duration
 	if opts.TimeoutSeconds != nil {
 		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
 	}
 	opts.Watch = true
 	return c.client.Get().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Watch(ctx)
 }
 // Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
 func (c *oIDCProviderConfigs) Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
 	result = &v1alpha1.OIDCProviderConfig{}
 	err = c.client.Post().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(oIDCProviderConfig).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
 func (c *oIDCProviderConfigs) Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
 	result = &v1alpha1.OIDCProviderConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		Name(oIDCProviderConfig.Name).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(oIDCProviderConfig).
 		Do(ctx).
 		Into(result)
 	return
 }
 // UpdateStatus was generated because the type contains a Status member.
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *oIDCProviderConfigs) UpdateStatus(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
 	result = &v1alpha1.OIDCProviderConfig{}
 	err = c.client.Put().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		Name(oIDCProviderConfig.Name).
 		SubResource("status").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(oIDCProviderConfig).
 		Do(ctx).
 		Into(result)
 	return
 }
 // Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
 func (c *oIDCProviderConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		Name(name).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // DeleteCollection deletes a collection of objects.
 func (c *oIDCProviderConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
 	var timeout time.Duration
 	if listOpts.TimeoutSeconds != nil {
 		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		VersionedParams(&listOpts, scheme.ParameterCodec).
 		Timeout(timeout).
 		Body(&opts).
 		Do(ctx).
 		Error()
 }
 // Patch applies the patch and returns the patched oIDCProviderConfig.
 func (c *oIDCProviderConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
 	result = &v1alpha1.OIDCProviderConfig{}
 	err = c.client.Patch(pt).
 		Namespace(c.ns).
 		Resource("oidcproviderconfigs").
 		Name(name).
 		SubResource(subresources...).
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(data).
 		Do(ctx).
 		Into(result)
 	return
 }
--- a/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/interface.go
+++ b/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/interface.go
@ -11,8 +11,8 @@ import (
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+	// OIDCProviders returns a OIDCProviderInformer.
-	OIDCProviderConfigs() OIDCProviderConfigInformer
+	OIDCProviders() OIDCProviderInformer
 }
 type version struct {
@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
-// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+// OIDCProviders returns a OIDCProviderInformer.
-func (v *version) OIDCProviderConfigs() OIDCProviderConfigInformer {
+func (v *version) OIDCProviders() OIDCProviderInformer {
-	return &oIDCProviderConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+	return &oIDCProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
--- a/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/oidcprovider.go
+++ b/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/oidcprovider.go
@ -0,0 +1,77 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // OIDCProviderInformer provides access to a shared informer and lister for
 // OIDCProviders.
 type OIDCProviderInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.OIDCProviderLister
 }
 type oIDCProviderInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewOIDCProviderInformer constructs a new informer for OIDCProvider type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredOIDCProviderInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredOIDCProviderInformer constructs a new informer for OIDCProvider type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().OIDCProviders(namespace).List(context.TODO(), options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().OIDCProviders(namespace).Watch(context.TODO(), options)
 			},
 		},
 		&configv1alpha1.OIDCProvider{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *oIDCProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredOIDCProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *oIDCProviderInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.OIDCProvider{}, f.defaultInformer)
 }
 func (f *oIDCProviderInformer) Lister() v1alpha1.OIDCProviderLister {
 	return v1alpha1.NewOIDCProviderLister(f.Informer().GetIndexer())
 }
--- a/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/oidcproviderconfig.go
+++ b/generated/1.18/client/supervisor/informers/externalversions/config/v1alpha1/oidcproviderconfig.go
@ -1,77 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	"context"
 	time "time"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/listers/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // OIDCProviderConfigInformer provides access to a shared informer and lister for
 // OIDCProviderConfigs.
 type OIDCProviderConfigInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() v1alpha1.OIDCProviderConfigLister
 }
 type oIDCProviderConfigInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFilteredOIDCProviderConfigInformer(client, namespace, resyncPeriod, indexers, nil)
 }
 // NewFilteredOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).List(context.TODO(), options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
 				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).Watch(context.TODO(), options)
 			},
 		},
 		&configv1alpha1.OIDCProviderConfig{},
 		resyncPeriod,
 		indexers,
 	)
 }
 func (f *oIDCProviderConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFilteredOIDCProviderConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 func (f *oIDCProviderConfigInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&configv1alpha1.OIDCProviderConfig{}, f.defaultInformer)
 }
 func (f *oIDCProviderConfigInformer) Lister() v1alpha1.OIDCProviderConfigLister {
 	return v1alpha1.NewOIDCProviderConfigLister(f.Informer().GetIndexer())
 }
--- a/generated/1.18/client/supervisor/informers/externalversions/generic.go
+++ b/generated/1.18/client/supervisor/informers/externalversions/generic.go
@ -40,8 +40,8 @@ func (f *genericInformer) Lister() cache.GenericLister {
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
 	// Group=config.supervisor.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviders().Informer()}, nil
 	}
--- a/generated/1.18/client/supervisor/listers/config/v1alpha1/expansion_generated.go
+++ b/generated/1.18/client/supervisor/listers/config/v1alpha1/expansion_generated.go
@ -5,10 +5,10 @@
 package v1alpha1
-// OIDCProviderConfigListerExpansion allows custom methods to be added to
+// OIDCProviderListerExpansion allows custom methods to be added to
-// OIDCProviderConfigLister.
+// OIDCProviderLister.
-type OIDCProviderConfigListerExpansion interface{}
+type OIDCProviderListerExpansion interface{}
-// OIDCProviderConfigNamespaceListerExpansion allows custom methods to be added to
+// OIDCProviderNamespaceListerExpansion allows custom methods to be added to
-// OIDCProviderConfigNamespaceLister.
+// OIDCProviderNamespaceLister.
-type OIDCProviderConfigNamespaceListerExpansion interface{}
+type OIDCProviderNamespaceListerExpansion interface{}
--- a/generated/1.18/client/supervisor/listers/config/v1alpha1/oidcprovider.go
+++ b/generated/1.18/client/supervisor/listers/config/v1alpha1/oidcprovider.go
@ -0,0 +1,81 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // OIDCProviderLister helps list OIDCProviders.
 type OIDCProviderLister interface {
 	// List lists all OIDCProviders in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.OIDCProvider, err error)
 	// OIDCProviders returns an object that can list and get OIDCProviders.
 	OIDCProviders(namespace string) OIDCProviderNamespaceLister
 	OIDCProviderListerExpansion
 }
 // oIDCProviderLister implements the OIDCProviderLister interface.
 type oIDCProviderLister struct {
 	indexer cache.Indexer
 }
 // NewOIDCProviderLister returns a new OIDCProviderLister.
 func NewOIDCProviderLister(indexer cache.Indexer) OIDCProviderLister {
 	return &oIDCProviderLister{indexer: indexer}
 }
 // List lists all OIDCProviders in the indexer.
 func (s *oIDCProviderLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProvider, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.OIDCProvider))
 	})
 	return ret, err
 }
 // OIDCProviders returns an object that can list and get OIDCProviders.
 func (s *oIDCProviderLister) OIDCProviders(namespace string) OIDCProviderNamespaceLister {
 	return oIDCProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // OIDCProviderNamespaceLister helps list and get OIDCProviders.
 type OIDCProviderNamespaceLister interface {
 	// List lists all OIDCProviders in the indexer for a given namespace.
 	List(selector labels.Selector) (ret []*v1alpha1.OIDCProvider, err error)
 	// Get retrieves the OIDCProvider from the indexer for a given namespace and name.
 	Get(name string) (*v1alpha1.OIDCProvider, error)
 	OIDCProviderNamespaceListerExpansion
 }
 // oIDCProviderNamespaceLister implements the OIDCProviderNamespaceLister
 // interface.
 type oIDCProviderNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all OIDCProviders in the indexer for a given namespace.
 func (s oIDCProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProvider, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.OIDCProvider))
 	})
 	return ret, err
 }
 // Get retrieves the OIDCProvider from the indexer for a given namespace and name.
 func (s oIDCProviderNamespaceLister) Get(name string) (*v1alpha1.OIDCProvider, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("oidcprovider"), name)
 	}
 	return obj.(*v1alpha1.OIDCProvider), nil
 }
--- a/generated/1.18/client/supervisor/listers/config/v1alpha1/oidcproviderconfig.go
+++ b/generated/1.18/client/supervisor/listers/config/v1alpha1/oidcproviderconfig.go
@ -1,81 +0,0 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 // OIDCProviderConfigLister helps list OIDCProviderConfigs.
 type OIDCProviderConfigLister interface {
 	// List lists all OIDCProviderConfigs in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
 	// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
 	OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister
 	OIDCProviderConfigListerExpansion
 }
 // oIDCProviderConfigLister implements the OIDCProviderConfigLister interface.
 type oIDCProviderConfigLister struct {
 	indexer cache.Indexer
 }
 // NewOIDCProviderConfigLister returns a new OIDCProviderConfigLister.
 func NewOIDCProviderConfigLister(indexer cache.Indexer) OIDCProviderConfigLister {
 	return &oIDCProviderConfigLister{indexer: indexer}
 }
 // List lists all OIDCProviderConfigs in the indexer.
 func (s *oIDCProviderConfigLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
 	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
 	})
 	return ret, err
 }
 // OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
 func (s *oIDCProviderConfigLister) OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister {
 	return oIDCProviderConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
 }
 // OIDCProviderConfigNamespaceLister helps list and get OIDCProviderConfigs.
 type OIDCProviderConfigNamespaceLister interface {
 	// List lists all OIDCProviderConfigs in the indexer for a given namespace.
 	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
 	// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
 	Get(name string) (*v1alpha1.OIDCProviderConfig, error)
 	OIDCProviderConfigNamespaceListerExpansion
 }
 // oIDCProviderConfigNamespaceLister implements the OIDCProviderConfigNamespaceLister
 // interface.
 type oIDCProviderConfigNamespaceLister struct {
 	indexer   cache.Indexer
 	namespace string
 }
 // List lists all OIDCProviderConfigs in the indexer for a given namespace.
 func (s oIDCProviderConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
 	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
 		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
 	})
 	return ret, err
 }
 // Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
 func (s oIDCProviderConfigNamespaceLister) Get(name string) (*v1alpha1.OIDCProviderConfig, error) {
 	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
 		return nil, errors.NewNotFound(v1alpha1.Resource("oidcproviderconfig"), name)
 	}
 	return obj.(*v1alpha1.OIDCProviderConfig), nil
 }
--- a/generated/1.18/client/supervisor/openapi/zz_generated.openapi.go
+++ b/generated/1.18/client/supervisor/openapi/zz_generated.openapi.go
@ -17,69 +17,70 @@ import (
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderConfig":       schema_apis_supervisor_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProvider":        schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
-		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderConfigList":   schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderList":    schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
-		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderConfigSpec":   schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderSpec":    schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderConfigStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderStatus":  schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                           schema_pkg_apis_meta_v1_APIGroup(ref),
+		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                       schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                      schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                        schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                  schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                    schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                   schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                        schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                               schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                      schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                   schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                      schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                 schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                           schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                 schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                      schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                      schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                           schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                 schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                         schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                      schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                          schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                    schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                      schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                     schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                       schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                 schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                           schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                  schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                   schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                      schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                               schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                              schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                      schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                          schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                      schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                 schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                           schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                 schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                               schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                      schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                           schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                          schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                        schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                      schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                 schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                   schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                          schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                            schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                         schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                     schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                     schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                    schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                              schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                          schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                         schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                              schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                     schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                       schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                         schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                      schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                  schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                          schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                 schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                          schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                     schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                             schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                     schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                        schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                        schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                      schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                   schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                              schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                 schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                              schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                         schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                       schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                         schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                           schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                  schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                  schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                      schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                               schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                             schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                          schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                          schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                           schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                     schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                      schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                      schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                         schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                 schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                            schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                    schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                       schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                 schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                           schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                    schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                            schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
 		"k8s.io/apimachinery/pkg/version.Info":                                               schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
-func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "OIDCProviderConfig describes the configuration of an OIDC provider.",
+				Description: "OIDCProvider describes the configuration of an OIDC provider.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@ -104,13 +105,13 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfig(ref common.Refere
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec of the OIDC provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderConfigSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the OIDC provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderConfigStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderStatus"),
 						},
 					},
 				},
@ -118,15 +119,16 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfig(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderConfigSpec", "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderSpec", "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
-func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Type: []string{"object"},
+				Description: "List of OIDCProvider objects.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
 						SchemaProps: spec.SchemaProps{
@ -153,7 +155,7 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigList(ref common.Re
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderConfig"),
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProvider"),
 									},
 								},
 							},
@ -164,15 +166,15 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigList(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
-func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "OIDCProviderConfigSpec is a struct that describes an OIDC Provider.",
+				Description: "OIDCProviderSpec is a struct that describes an OIDC Provider.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"issuer": {
@ -182,25 +184,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigSpec(ref common.Re
 							Format:      "",
 						},
 					},
-					"sniCertificateSecretName": {
+					"tls": {
 						SchemaProps: spec.SchemaProps{
-							Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
+							Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).",
-							Type:        []string{"string"},
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"),
 							Format:      "",
 						},
 					},
 				},
 				Required: []string{"issuer"},
 			},
 		},
 		Dependencies: []string{
 			"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"},
 	}
 }
-func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.",
+				Description: "OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"status": {
@ -237,6 +240,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderConfigStatus(ref common.
 	}
 }
 func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"secretName": {
 						SchemaProps: spec.SchemaProps{
 							Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 				},
 			},
 		},
 	}
 }
 func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
--- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
+++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuerconfigs.yaml
@ -6,16 +6,14 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
-  name: credentialissuerconfigs.config.concierge.pinniped.dev
+  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
  names:
-    kind: CredentialIssuerConfig
+    kind: CredentialIssuer
-    listKind: CredentialIssuerConfigList
+    listKind: CredentialIssuerList
-    plural: credentialissuerconfigs
+    plural: credentialissuers
-    shortNames:
+    singular: credentialissuer
    - cic
    singular: credentialissuerconfig
  scope: Namespaced
  versions:
  - name: v1alpha1
--- a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcproviderconfigs.yaml
+++ b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcproviderconfigs.yaml
@ -6,22 +6,20 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
-  name: oidcproviderconfigs.config.supervisor.pinniped.dev
+  name: oidcproviders.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
  names:
-    kind: OIDCProviderConfig
+    kind: OIDCProvider
-    listKind: OIDCProviderConfigList
+    listKind: OIDCProviderList
-    plural: oidcproviderconfigs
+    plural: oidcproviders
-    shortNames:
+    singular: oidcprovider
    - opc
    singular: oidcproviderconfig
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
-        description: OIDCProviderConfig describes the configuration of an OIDC provider.
+        description: OIDCProvider describes the configuration of an OIDC provider.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@ -49,26 +47,32 @@ spec:
                  for more information."
                minLength: 1
                type: string
-              sniCertificateSecretName:
+              tls:
-                description: "SNICertificateSecretName is an optional name of a Secret
+                description: TLS configures how this OIDCProvider is served over Transport
-                  in the same namespace, of type `kubernetes.io/tls`, which contains
+                  Layer Security (TLS).
-                  the TLS serving certificate for the HTTPS endpoints served by this
+                properties:
-                  OIDC Provider. When provided, the TLS Secret named here must contain
+                  secretName:
-                  keys named `tls.crt` and `tls.key` that contain the certificate
+                    description: "SecretName is an optional name of a Secret in the
-                  and private key to use for TLS. \n Server Name Indication (SNI)
+                      same namespace, of type `kubernetes.io/tls`, which contains
-                  is an extension to the Transport Layer Security (TLS) supported
+                      the TLS serving certificate for the HTTPS endpoints served by
-                  by all major browsers. \n SNICertificateSecretName is required if
+                      this OIDCProvider. When provided, the TLS Secret named here
-                  you would like to use different TLS certificates for issuers of
+                      must contain keys named `tls.crt` and `tls.key` that contain
-                  different hostnames. SNI requests do not include port numbers, so
+                      the certificate and private key to use for TLS. \n Server Name
-                  all issuers with the same DNS hostname must use the same SNICertificateSecretName
+                      Indication (SNI) is an extension to the Transport Layer Security
-                  value even if they have different port numbers. \n SNICertificateSecretName
+                      (TLS) supported by all major browsers. \n SecretName is required
-                  is not required when you would like to use only the HTTP endpoints
+                      if you would like to use different TLS certificates for issuers
-                  (e.g. when terminating TLS at an Ingress). It is also not required
+                      of different hostnames. SNI requests do not include port numbers,
-                  when you would like all requests to this OIDC Provider's HTTPS endpoints
+                      so all issuers with the same DNS hostname must use the same
-                  to use the default TLS certificate, which is configured elsewhere.
+                      SecretName value even if they have different port numbers. \n
-                  \n When your Issuer URL's host is an IP address, then this field
+                      SecretName is not required when you would like to use only the
-                  is ignored. SNI does not work for IP addresses."
+                      HTTP endpoints (e.g. when terminating TLS at an Ingress). It
-                type: string
+                      is also not required when you would like all requests to this
                      OIDC Provider's HTTPS endpoints to use the default TLS certificate,
                      which is configured elsewhere. \n When your Issuer URL's host
                      is an IP address, then this field is ignored. SNI does not work
                      for IP addresses."
                    type: string
                type: object
            required:
            - issuer
            type: object
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@ -131,14 +131,14 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfig"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuer"]
-==== CredentialIssuerConfig 
+==== CredentialIssuer 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfiglist[$$CredentialIssuerConfigList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerlist[$$CredentialIssuerList$$]
 ****
 [cols="25a,75a", options="header"]
@ -146,18 +146,18 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]__ | Status of the credential issuer.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigkubeconfiginfo"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo"]
-==== CredentialIssuerConfigKubeConfigInfo 
+==== CredentialIssuerKubeConfigInfo 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
 ****
 [cols="25a,75a", options="header"]
@ -170,32 +170,32 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigstatus"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus"]
-==== CredentialIssuerConfigStatus 
+==== CredentialIssuerStatus 
 Status of a credential issuer.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfig[$$CredentialIssuerConfig$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
 ****
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigstrategy[$$CredentialIssuerConfigStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
+| *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstrategy[$$CredentialIssuerStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigkubeconfiginfo[$$CredentialIssuerConfigKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigstrategy"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstrategy"]
-==== CredentialIssuerConfigStrategy 
+==== CredentialIssuerStrategy 
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
 ****
 [cols="25a,75a", options="header"]
@ -217,14 +217,14 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuratio
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderconfig"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovider"]
-==== OIDCProviderConfig 
+==== OIDCProvider 
-OIDCProviderConfig describes the configuration of an OIDC provider.
+OIDCProvider describes the configuration of an OIDC provider.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderconfiglist[$$OIDCProviderConfigList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderlist[$$OIDCProviderList$$]
 ****
 [cols="25a,75a", options="header"]
@ -232,21 +232,21 @@ OIDCProviderConfig describes the configuration of an OIDC provider.
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderconfigspec[$$OIDCProviderConfigSpec$$]__ | Spec of the OIDC provider.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]__ | Spec of the OIDC provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderconfigstatus[$$OIDCProviderConfigStatus$$]__ | Status of the OIDC provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderstatus[$$OIDCProviderStatus$$]__ | Status of the OIDC provider.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderconfigspec"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderspec"]
-==== OIDCProviderConfigSpec 
+==== OIDCProviderSpec 
-OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+OIDCProviderSpec is a struct that describes an OIDC Provider.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovider[$$OIDCProvider$$]
 ****
 [cols="25a,75a", options="header"]
@ -254,34 +254,51 @@ OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
 | Field | Description
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
-| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
 SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. 
 SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 |===
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderconfigstatus"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderstatus"]
-==== OIDCProviderConfigStatus 
+==== OIDCProviderStatus 
-OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
 .Appears In:
 ****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovider[$$OIDCProvider$$]
 ****
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`status`* __OIDCProviderStatus__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
+| *`status`* __OIDCProviderStatusCondition__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
 | *`message`* __string__ | Message provides human-readable details about the Status.
 | *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
 | *`jwksSecret`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | JWKSSecret holds the name of the secret in which this OIDC Provider's signing/verification keys are stored. If it is empty, then the signing/verification keys are either unknown or they don't exist.
 |===
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"]
 ==== OIDCProviderTLSSpec 
 OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
 .Appears In:
 ****
 - xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]
 ****
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
 | *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
 SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. 
 SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 |===
 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
--- a/generated/1.19/apis/concierge/config/v1alpha1/register.go
+++ b/generated/1.19/apis/concierge/config/v1alpha1/register.go
@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&CredentialIssuerConfig{},
+		&CredentialIssuer{},
-		&CredentialIssuerConfigList{},
+		&CredentialIssuerList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuerconfig.go
@ -25,17 +25,17 @@ const (
 )
 // Status of a credential issuer.
-type CredentialIssuerConfigStatus struct {
+type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
-	Strategies []CredentialIssuerConfigStrategy `json:"strategies"`
+	Strategies []CredentialIssuerStrategy `json:"strategies"`
 	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 	// +optional
-	KubeConfigInfo *CredentialIssuerConfigKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 // Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
-type CredentialIssuerConfigKubeConfigInfo struct {
+type CredentialIssuerKubeConfigInfo struct {
 	// The K8s API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
@ -47,7 +47,7 @@ type CredentialIssuerConfigKubeConfigInfo struct {
 }
 // Status of an integration strategy that was attempted by Pinniped.
-type CredentialIssuerConfigStrategy struct {
+type CredentialIssuerStrategy struct {
 	// Type of integration attempted.
 	Type StrategyType `json:"type"`
@ -68,22 +68,21 @@ type CredentialIssuerConfigStrategy struct {
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:shortName=cic
-type CredentialIssuerConfig struct {
+type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Status of the credential issuer.
-	Status CredentialIssuerConfigStatus `json:"status"`
+	Status CredentialIssuerStatus `json:"status"`
 }
-// List of CredentialIssuerConfig objects.
+// List of CredentialIssuer objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type CredentialIssuerConfigList struct {
+type CredentialIssuerList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []CredentialIssuerConfig `json:"items"`
+	Items []CredentialIssuer `json:"items"`
 }
--- a/generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
@ -12,7 +12,7 @@ import (
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfig) DeepCopyInto(out *CredentialIssuerConfig) {
+func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@ -20,18 +20,18 @@ func (in *CredentialIssuerConfig) DeepCopyInto(out *CredentialIssuerConfig) {
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfig.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuer.
-func (in *CredentialIssuerConfig) DeepCopy() *CredentialIssuerConfig {
+func (in *CredentialIssuer) DeepCopy() *CredentialIssuer {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfig)
+	out := new(CredentialIssuer)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CredentialIssuerConfig) DeepCopyObject() runtime.Object {
+func (in *CredentialIssuer) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -39,29 +39,29 @@ func (in *CredentialIssuerConfig) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigKubeConfigInfo) DeepCopyInto(out *CredentialIssuerConfigKubeConfigInfo) {
+func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
 	*out = *in
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigKubeConfigInfo.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerKubeConfigInfo.
-func (in *CredentialIssuerConfigKubeConfigInfo) DeepCopy() *CredentialIssuerConfigKubeConfigInfo {
+func (in *CredentialIssuerKubeConfigInfo) DeepCopy() *CredentialIssuerKubeConfigInfo {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigKubeConfigInfo)
+	out := new(CredentialIssuerKubeConfigInfo)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigList) DeepCopyInto(out *CredentialIssuerConfigList) {
+func (in *CredentialIssuerList) DeepCopyInto(out *CredentialIssuerList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]CredentialIssuerConfig, len(*in))
+		*out = make([]CredentialIssuer, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@ -69,18 +69,18 @@ func (in *CredentialIssuerConfigList) DeepCopyInto(out *CredentialIssuerConfigLi
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigList.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerList.
-func (in *CredentialIssuerConfigList) DeepCopy() *CredentialIssuerConfigList {
+func (in *CredentialIssuerList) DeepCopy() *CredentialIssuerList {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigList)
+	out := new(CredentialIssuerList)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CredentialIssuerConfigList) DeepCopyObject() runtime.Object {
+func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -88,46 +88,46 @@ func (in *CredentialIssuerConfigList) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigStatus) DeepCopyInto(out *CredentialIssuerConfigStatus) {
+func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
 	if in.Strategies != nil {
 		in, out := &in.Strategies, &out.Strategies
-		*out = make([]CredentialIssuerConfigStrategy, len(*in))
+		*out = make([]CredentialIssuerStrategy, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.KubeConfigInfo != nil {
 		in, out := &in.KubeConfigInfo, &out.KubeConfigInfo
-		*out = new(CredentialIssuerConfigKubeConfigInfo)
+		*out = new(CredentialIssuerKubeConfigInfo)
 		**out = **in
 	}
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigStatus.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStatus.
-func (in *CredentialIssuerConfigStatus) DeepCopy() *CredentialIssuerConfigStatus {
+func (in *CredentialIssuerStatus) DeepCopy() *CredentialIssuerStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigStatus)
+	out := new(CredentialIssuerStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CredentialIssuerConfigStrategy) DeepCopyInto(out *CredentialIssuerConfigStrategy) {
+func (in *CredentialIssuerStrategy) DeepCopyInto(out *CredentialIssuerStrategy) {
 	*out = *in
 	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerConfigStrategy.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStrategy.
-func (in *CredentialIssuerConfigStrategy) DeepCopy() *CredentialIssuerConfigStrategy {
+func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy {
 	if in == nil {
 		return nil
 	}
-	out := new(CredentialIssuerConfigStrategy)
+	out := new(CredentialIssuerStrategy)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/generated/1.19/apis/supervisor/config/v1alpha1/register.go
+++ b/generated/1.19/apis/supervisor/config/v1alpha1/register.go
@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&OIDCProviderConfig{},
+		&OIDCProvider{},
-		&OIDCProviderConfigList{},
+		&OIDCProviderList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcproviderconfig.go
+++ b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcproviderconfig.go
@ -9,17 +9,40 @@ import (
 )
 // +kubebuilder:validation:Enum=Success;Duplicate;Invalid
-type OIDCProviderStatus string
+type OIDCProviderStatusCondition string
 const (
-	SuccessOIDCProviderStatus                         = OIDCProviderStatus("Success")
+	SuccessOIDCProviderStatusCondition                         = OIDCProviderStatusCondition("Success")
-	DuplicateOIDCProviderStatus                       = OIDCProviderStatus("Duplicate")
+	DuplicateOIDCProviderStatusCondition                       = OIDCProviderStatusCondition("Duplicate")
-	SameIssuerHostMustUseSameSecretOIDCProviderStatus = OIDCProviderStatus("SameIssuerHostMustUseSameSecret")
+	SameIssuerHostMustUseSameSecretOIDCProviderStatusCondition = OIDCProviderStatusCondition("SameIssuerHostMustUseSameSecret")
-	InvalidOIDCProviderStatus                         = OIDCProviderStatus("Invalid")
+	InvalidOIDCProviderStatusCondition                         = OIDCProviderStatusCondition("Invalid")
 )
-// OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
-type OIDCProviderConfigSpec struct {
+type OIDCProviderTLSSpec struct {
 	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
 	// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
 	// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
 	// for TLS.
 	//
 	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
 	//
 	// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
 	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 	// SecretName value even if they have different port numbers.
 	//
 	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
 	// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 	// use the default TLS certificate, which is configured elsewhere.
 	//
 	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 	//
 	// +optional
 	SecretName string `json:"secretName,omitempty"`
 }
 // OIDCProviderSpec is a struct that describes an OIDC Provider.
 type OIDCProviderSpec struct {
 	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
 	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
 	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
@ -31,35 +54,17 @@ type OIDCProviderConfigSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Issuer string `json:"issuer"`
-	// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
+	// TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 	// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
 	// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
 	// contain the certificate and private key to use for TLS.
 	//
 	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
 	//
 	// SNICertificateSecretName is required if you would like to use different TLS certificates for
 	// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
 	// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
 	//
 	// SNICertificateSecretName is not required when you would like to use only the
 	// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
 	// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
 	// which is configured elsewhere.
 	//
 	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
 	// for IP addresses.
 	//
 	// +optional
-	SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
+	TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
 }
-// OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC Provider.
+// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
-type OIDCProviderConfigStatus struct {
+type OIDCProviderStatus struct {
 	// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
 	// represent success or failure.
 	// +optional
-	Status OIDCProviderStatus `json:"status,omitempty"`
+	Status OIDCProviderStatusCondition `json:"status,omitempty"`
 	// Message provides human-readable details about the Status.
 	// +optional
@ -78,27 +83,25 @@ type OIDCProviderConfigStatus struct {
 	JWKSSecret corev1.LocalObjectReference `json:"jwksSecret,omitempty"`
 }
-// OIDCProviderConfig describes the configuration of an OIDC provider.
+// OIDCProvider describes the configuration of an OIDC provider.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:shortName=opc
+type OIDCProvider struct {
 type OIDCProviderConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Spec of the OIDC provider.
-	Spec OIDCProviderConfigSpec `json:"spec"`
+	Spec OIDCProviderSpec `json:"spec"`
 	// Status of the OIDC provider.
-	Status OIDCProviderConfigStatus `json:"status,omitempty"`
+	Status OIDCProviderStatus `json:"status,omitempty"`
 }
-// List of OIDCProviderConfig objects.
+// List of OIDCProvider objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
+type OIDCProviderList struct {
 type OIDCProviderConfigList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []OIDCProviderConfig `json:"items"`
+	Items []OIDCProvider `json:"items"`
 }
--- a/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -12,27 +12,27 @@ import (
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCProviderConfig) DeepCopyInto(out *OIDCProviderConfig) {
+func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	out.Spec = in.Spec
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfig.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProvider.
-func (in *OIDCProviderConfig) DeepCopy() *OIDCProviderConfig {
+func (in *OIDCProvider) DeepCopy() *OIDCProvider {
 	if in == nil {
 		return nil
 	}
-	out := new(OIDCProviderConfig)
+	out := new(OIDCProvider)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *OIDCProviderConfig) DeepCopyObject() runtime.Object {
+func (in *OIDCProvider) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -40,13 +40,13 @@ func (in *OIDCProviderConfig) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCProviderConfigList) DeepCopyInto(out *OIDCProviderConfigList) {
+func (in *OIDCProviderList) DeepCopyInto(out *OIDCProviderList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]OIDCProviderConfig, len(*in))
+		*out = make([]OIDCProvider, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@ -54,18 +54,18 @@ func (in *OIDCProviderConfigList) DeepCopyInto(out *OIDCProviderConfigList) {
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigList.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderList.
-func (in *OIDCProviderConfigList) DeepCopy() *OIDCProviderConfigList {
+func (in *OIDCProviderList) DeepCopy() *OIDCProviderList {
 	if in == nil {
 		return nil
 	}
-	out := new(OIDCProviderConfigList)
+	out := new(OIDCProviderList)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *OIDCProviderConfigList) DeepCopyObject() runtime.Object {
+func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@ -73,23 +73,28 @@ func (in *OIDCProviderConfigList) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCProviderConfigSpec) DeepCopyInto(out *OIDCProviderConfigSpec) {
+func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
 	*out = *in
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(OIDCProviderTLSSpec)
 		**out = **in
 	}
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigSpec.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderSpec.
-func (in *OIDCProviderConfigSpec) DeepCopy() *OIDCProviderConfigSpec {
+func (in *OIDCProviderSpec) DeepCopy() *OIDCProviderSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(OIDCProviderConfigSpec)
+	out := new(OIDCProviderSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OIDCProviderConfigStatus) DeepCopyInto(out *OIDCProviderConfigStatus) {
+func (in *OIDCProviderStatus) DeepCopyInto(out *OIDCProviderStatus) {
 	*out = *in
 	if in.LastUpdateTime != nil {
 		in, out := &in.LastUpdateTime, &out.LastUpdateTime
@ -99,12 +104,28 @@ func (in *OIDCProviderConfigStatus) DeepCopyInto(out *OIDCProviderConfigStatus)
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigStatus.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderStatus.
-func (in *OIDCProviderConfigStatus) DeepCopy() *OIDCProviderConfigStatus {
+func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(OIDCProviderConfigStatus)
+	out := new(OIDCProviderStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) {
 	*out = *in
 	return
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec.
 func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec {
 	if in == nil {
 		return nil
 	}
 	out := new(OIDCProviderTLSSpec)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/generated/1.19/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
@ -13,7 +13,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	CredentialIssuerConfigsGetter
+	CredentialIssuersGetter
 }
 // ConfigV1alpha1Client is used to interact with features provided by the config.concierge.pinniped.dev group.
@ -21,8 +21,8 @@ type ConfigV1alpha1Client struct {
 	restClient rest.Interface
 }
-func (c *ConfigV1alpha1Client) CredentialIssuerConfigs(namespace string) CredentialIssuerConfigInterface {
+func (c *ConfigV1alpha1Client) CredentialIssuers(namespace string) CredentialIssuerInterface {
-	return newCredentialIssuerConfigs(c, namespace)
+	return newCredentialIssuers(c, namespace)
 }
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
--- a/Show More
+++ b/Show More
`@ -5,4 +5,4 @@`

	`package v1alpha1`	`package v1alpha1`

	`type CredentialIssuerConfigExpansion interface{}`	`type CredentialIssuerExpansion interface{}`