diff --git a/deploy/README.md b/deploy/concierge/README.md
similarity index 86%
rename from deploy/README.md
rename to deploy/concierge/README.md
index 9f5cb13d..aecbeb0e 100644
--- a/deploy/README.md
+++ b/deploy/concierge/README.md
@@ -4,7 +4,7 @@
 
 If you would like to try Pinniped, but you don't have a compatible identity provider,
 you can use Pinniped's test identity provider.
-See [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md)
+See [deploy/local-user-authenticator/README.md](../../deploy/local-user-authenticator/README.md)
 for details.
 
 ## Installing the Latest Version with Default Options
@@ -26,14 +26,14 @@ kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/v0.2
 ## Installing with Custom Options
 
 Creating your own deployment YAML file requires `ytt` from [Carvel](https://carvel.dev/) to template the YAML files
-in the [deploy](../deploy) directory.
+in the `deploy/concierge` directory.
 Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
 
 1. `git clone` this repo and `git checkout` the release version tag of the release that you would like to deploy.
-1. The configuration options are in [deploy/values.yml](values.yaml).
+1. The configuration options are in [deploy/concierge/values.yml](values.yaml).
    Fill in the values in that file, or override those values using additional `ytt` command-line options in
    the command below. Use the release version tag as the `image_tag` value.
-2. In a terminal, cd to this `deploy` directory
+2. In a terminal, cd to this `deploy/concierge` directory
 3. To generate the final YAML files, run `ytt --file .`
 4. Deploy the generated YAML using your preferred deployment tool, such as `kubectl` or [`kapp`](https://get-kapp.io/).
    For example: `ytt --file . | kapp deploy --yes --app pinniped --diff-changes --file -`
diff --git a/deploy/config.pinniped.dev_credentialissuerconfigs.yaml b/deploy/concierge/config.pinniped.dev_credentialissuerconfigs.yaml
similarity index 100%
rename from deploy/config.pinniped.dev_credentialissuerconfigs.yaml
rename to deploy/concierge/config.pinniped.dev_credentialissuerconfigs.yaml
diff --git a/deploy/deployment.yaml b/deploy/concierge/deployment.yaml
similarity index 100%
rename from deploy/deployment.yaml
rename to deploy/concierge/deployment.yaml
diff --git a/deploy/idp.pinniped.dev_webhookidentityproviders.yaml b/deploy/concierge/idp.pinniped.dev_webhookidentityproviders.yaml
similarity index 100%
rename from deploy/idp.pinniped.dev_webhookidentityproviders.yaml
rename to deploy/concierge/idp.pinniped.dev_webhookidentityproviders.yaml
diff --git a/deploy/rbac.yaml b/deploy/concierge/rbac.yaml
similarity index 100%
rename from deploy/rbac.yaml
rename to deploy/concierge/rbac.yaml
diff --git a/deploy/values.yaml b/deploy/concierge/values.yaml
similarity index 100%
rename from deploy/values.yaml
rename to deploy/concierge/values.yaml
diff --git a/deploy-local-user-authenticator/README.md b/deploy/local-user-authenticator/README.md
similarity index 96%
rename from deploy-local-user-authenticator/README.md
rename to deploy/local-user-authenticator/README.md
index d1d2f404..44334af9 100644
--- a/deploy-local-user-authenticator/README.md
+++ b/deploy/local-user-authenticator/README.md
@@ -31,14 +31,14 @@ kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/v0.2
 ## Installing with Custom Options
 
 Creating your own deployment YAML file requires `ytt` from [Carvel](https://carvel.dev/) to template the YAML files
-in the [deploy-local-user-authenticator](../deploy-local-user-authenticator) directory.
+in the `deploy/local-user-authenticator` directory.
 Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
 
 1. `git clone` this repo and `git checkout` the release version tag of the release that you would like to deploy.
-1. The configuration options are in [deploy-local-user-authenticator/values.yml](values.yaml).
+1. The configuration options are in [deploy/local-user-authenticator/values.yml](values.yaml).
    Fill in the values in that file, or override those values using additional `ytt` command-line options in
    the command below. Use the release version tag as the `image_tag` value.
-2. In a terminal, cd to this `deploy-local-user-authenticator` directory
+2. In a terminal, cd to this `deploy/local-user-authenticator` directory
 3. To generate the final YAML files, run `ytt --file .`
 4. Deploy the generated YAML using your preferred deployment tool, such as `kubectl` or [`kapp`](https://get-kapp.io/).
    For example: `ytt --file . | kapp deploy --yes --app local-user-authenticator --diff-changes --file -`
@@ -79,7 +79,7 @@ kubectl get secret local-user-authenticator-tls-serving-certificate --namespace
 
 When installing Pinniped on the same cluster, configure local-user-authenticator as an Identity Provider for Pinniped
 using the webhook URL `https://local-user-authenticator.local-user-authenticator.svc/authenticate`
-along with the CA bundle fetched by the above command. See [doc/demo.md](../doc/demo.md) for an example.
+along with the CA bundle fetched by the above command. See [doc/demo.md](../../doc/demo.md) for an example.
 
 ## Optional: Manually Testing the Webhook Endpoint After Installing
 
diff --git a/deploy-local-user-authenticator/deployment.yaml b/deploy/local-user-authenticator/deployment.yaml
similarity index 100%
rename from deploy-local-user-authenticator/deployment.yaml
rename to deploy/local-user-authenticator/deployment.yaml
diff --git a/deploy-local-user-authenticator/rbac.yaml b/deploy/local-user-authenticator/rbac.yaml
similarity index 100%
rename from deploy-local-user-authenticator/rbac.yaml
rename to deploy/local-user-authenticator/rbac.yaml
diff --git a/deploy-local-user-authenticator/values.yaml b/deploy/local-user-authenticator/values.yaml
similarity index 100%
rename from deploy-local-user-authenticator/values.yaml
rename to deploy/local-user-authenticator/values.yaml
diff --git a/deploy-supervisor/README.md b/deploy/supervisor/README.md
similarity index 90%
rename from deploy-supervisor/README.md
rename to deploy/supervisor/README.md
index 0a1c3106..7920b6cb 100644
--- a/deploy-supervisor/README.md
+++ b/deploy/supervisor/README.md
@@ -24,14 +24,14 @@ kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/v0.3
 ## Installing with Custom Options
 
 Creating your own deployment YAML file requires `ytt` from [Carvel](https://carvel.dev/) to template the YAML files
-in the [deploy-supervisor](../deploy-supervisor) directory.
+in the `deploy/supervisor` directory.
 Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
 
 1. `git clone` this repo and `git checkout` the release version tag of the release that you would like to deploy.
-1. The configuration options are in [deploy-supervisor/values.yml](values.yaml).
+1. The configuration options are in [deploy/supervisor/values.yml](values.yaml).
    Fill in the values in that file, or override those values using additional `ytt` command-line options in
    the command below. Use the release version tag as the `image_tag` value.
-2. In a terminal, cd to this `deploy-supervisor` directory
+2. In a terminal, cd to this `deploy/supervisor` directory
 3. To generate the final YAML files, run `ytt --file .`
 4. Deploy the generated YAML using your preferred deployment tool, such as `kubectl` or [`kapp`](https://get-kapp.io/).
    For example: `ytt --file . | kapp deploy --yes --app pinniped-supervisor --diff-changes --file -`
diff --git a/deploy/config.pinniped.dev_oidcproviderconfigs.yaml b/deploy/supervisor/config.pinniped.dev_oidcproviderconfigs.yaml
similarity index 100%
rename from deploy/config.pinniped.dev_oidcproviderconfigs.yaml
rename to deploy/supervisor/config.pinniped.dev_oidcproviderconfigs.yaml
diff --git a/deploy-supervisor/deployment.yaml b/deploy/supervisor/deployment.yaml
similarity index 100%
rename from deploy-supervisor/deployment.yaml
rename to deploy/supervisor/deployment.yaml
diff --git a/deploy-supervisor/rbac.yaml b/deploy/supervisor/rbac.yaml
similarity index 100%
rename from deploy-supervisor/rbac.yaml
rename to deploy/supervisor/rbac.yaml
diff --git a/deploy-supervisor/values.yaml b/deploy/supervisor/values.yaml
similarity index 100%
rename from deploy-supervisor/values.yaml
rename to deploy/supervisor/values.yaml
diff --git a/doc/demo.md b/doc/demo.md
index 52d9e766..6318988c 100644
--- a/doc/demo.md
+++ b/doc/demo.md
@@ -11,7 +11,7 @@
 
    Don't have an identity provider of a type supported by Pinniped handy? No problem, there is a demo identity provider
    available. Start by installing local-user-authenticator on the same cluster where you would like to try Pinniped
-   by following the directions in [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md).
+   by following the directions in [deploy/local-user-authenticator/README.md](../deploy/local-user-authenticator/README.md).
    See below for an example of deploying this on kind.
 
 1. A kubeconfig where the current context points to the cluster and has admin-like
@@ -22,7 +22,7 @@
 Installing and trying Pinniped on any cluster will consist of the following general steps. See the next section below
 for a more specific example of installing onto a local kind cluster, including the exact commands to use for that case.
 
-1. Install Pinniped. See [deploy/README.md](../deploy/README.md).
+1. Install Pinniped. See [deploy/concierge/README.md](../deploy/concierge/README.md).
 1. Download the Pinniped CLI from [Pinniped's github Releases page](https://github.com/vmware-tanzu/pinniped/releases/latest).
 1. Generate a kubeconfig using the Pinniped CLI. Run `pinniped get-kubeconfig --help` for more information.
 1. Run `kubectl` commands using the generated kubeconfig. Pinniped will automatically be used for authentication during those commands.
@@ -38,9 +38,9 @@ as the identity provider.
 
 <!-- The following image was uploaded to GitHub's CDN using this awesome trick: https://gist.github.com/vinkla/dca76249ba6b73c5dd66a4e986df4c8d -->
 <p align="center" width="100%">
-<img 
+<img
   src="https://user-images.githubusercontent.com/25013435/95272990-b2ea9780-07f6-11eb-994d-872e3cb68457.gif"
-  alt="Pinniped Installation Demo" 
+  alt="Pinniped Installation Demo"
   width="80%"
   />
 </p>
@@ -88,7 +88,7 @@ as the identity provider.
 
    The `install-local-user-authenticator.yaml` file includes the default deployment options.
    If you would prefer to customize the available options, please
-   see [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md)
+   see [deploy/local-user-authenticator/README.md](../deploy/local-user-authenticator/README.md)
    for instructions on how to deploy using `ytt`.
 
 1. Create a test user named `pinny-the-seal` in the local-user-authenticator identity provider.
@@ -115,7 +115,7 @@ as the identity provider.
    ```
 
    The `install-pinniped.yaml` file includes the default deployment options.
-   If you would prefer to customize the available options, please see [deploy/README.md](../deploy/README.md)
+   If you would prefer to customize the available options, please see [deploy/concierge/README.md](../deploy/concierge/README.md)
    for instructions on how to deploy using `ytt`.
 
 1. Create a `WebhookIdentityProvider` object to configure Pinniped to authenticate using local-user-authenticator.
diff --git a/hack/lib/tilt/Tiltfile b/hack/lib/tilt/Tiltfile
index 0a7372ef..16b77077 100644
--- a/hack/lib/tilt/Tiltfile
+++ b/hack/lib/tilt/Tiltfile
@@ -26,7 +26,7 @@ docker_build_with_restart('image/local-user-auth', '.',
 # Render the local-user-authenticator installation manifest using ytt.
 k8s_yaml(local([
     'ytt',
-    '--file', '../../../deploy-local-user-authenticator',
+    '--file', '../../../deploy/local-user-authenticator',
     '--data-value', 'image_repo=image/local-user-auth',
     '--data-value', 'image_tag=tilt-dev',
 ]))
@@ -54,7 +54,7 @@ docker_build_with_restart('image/pinniped', '.',
 # Render the Pinniped server installation manifest using ytt.
 k8s_yaml(local([
     'sh', '-c',
-    'ytt --file ../../../deploy ' +
+    'ytt --file ../../../deploy/concierge ' +
     '--data-value namespace=integration ' +
     '--data-value image_repo=image/pinniped ' +
     '--data-value image_tag=tilt-dev ' +
diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh
index 7985140a..0e2cd87f 100755
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@@ -164,7 +164,7 @@ if ! tilt_mode; then
   #
   # Deploy local-user-authenticator
   #
-  pushd deploy-local-user-authenticator >/dev/null
+  pushd deploy/local-user-authenticator >/dev/null
 
   log_note "Deploying the local-user-authenticator app to the cluster..."
   ytt --file . \
@@ -203,7 +203,7 @@ kubectl create secret generic "$test_username" \
 supervisor_app_name="pinniped-supervisor"
 supervisor_namespace="pinniped-supervisor"
 
-pushd deploy-supervisor >/dev/null
+pushd deploy/supervisor >/dev/null
 
 log_note "Deploying the Pinniped Supervisor app to the cluster..."
 ytt --file . \
@@ -246,7 +246,7 @@ if ! tilt_mode; then
   #
   # Deploy Pinniped
   #
-  pushd deploy >/dev/null
+  pushd deploy/concierge >/dev/null
 
   log_note "Deploying the Pinniped app to the cluster..."
   ytt --file . \
diff --git a/hack/update.sh b/hack/update.sh
index e6df6b94..98593f03 100755
--- a/hack/update.sh
+++ b/hack/update.sh
@@ -7,6 +7,20 @@ set -euo pipefail
 
 ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
 
+# Generate code.
 xargs "$ROOT/hack/lib/update-codegen.sh" < "${ROOT}/hack/lib/kube-versions.txt"
-cp "$ROOT/generated/1.19/crds/"*.yaml "$ROOT/deploy/"
+
+# Copy each CRD yaml to the app which should cause it to be installed.
+cp "$ROOT"/generated/1.19/crds/*oidcproviderconfigs.yaml "$ROOT/deploy/supervisor"
+cp "$ROOT"/generated/1.19/crds/*credentialissuerconfigs.yaml "$ROOT/deploy/concierge"
+cp "$ROOT"/generated/1.19/crds/*webhookidentityproviders.yaml "$ROOT/deploy/concierge"
+
+# Make sure we didn't miss any new CRDs.
+crdCount=$(find "$ROOT"/generated/1.19/crds/ -maxdepth 1 -type f -name '*.yaml' | wc -l | tr -d ' ')
+if [[ "$crdCount" != "3" ]]; then
+  echo "Looks like you added a new CRD. Please update this update.sh script to decide where to copy it and then run it again."
+  exit 1
+fi
+
+# Tidy.
 "$ROOT/hack/module.sh" tidy