diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go index ed61a436c..fce5a0c5e 100644 --- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go +++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go @@ -56,9 +56,6 @@ const ( typeJWKSFetchValid = "JWKSFetchValid" typeAuthenticatorValid = "AuthenticatorValid" - reasonNotReady = "NotReady" - reasonUnableToValidate = "UnableToValidate" - reasonInvalidIssuerURL = "InvalidIssuerURL" reasonInvalidIssuerURLScheme = "InvalidIssuerURLScheme" reasonInvalidIssuerURLFragment = "InvalidIssuerURLContainsFragment" reasonInvalidIssuerURLQueryParams = "InvalidIssuerURLContainsQueryParams" @@ -322,7 +319,7 @@ func (c *jwtCacheFillerController) validateIssuer(issuer string, conditions []*m conditions = append(conditions, &metav1.Condition{ Type: typeIssuerURLValid, Status: metav1.ConditionFalse, - Reason: reasonInvalidIssuerURL, + Reason: conditionsutil.ReasonInvalidIssuerURL, Message: msg, }) return nil, conditions, false @@ -386,7 +383,7 @@ func (c *jwtCacheFillerController) validateProviderDiscovery(ctx context.Context conditions = append(conditions, &metav1.Condition{ Type: typeDiscoveryValid, Status: metav1.ConditionUnknown, - Reason: reasonUnableToValidate, + Reason: conditionsutil.ReasonUnableToValidate, Message: msgUnableToValidate, }) return nil, nil, conditions, nil @@ -421,7 +418,7 @@ func (c *jwtCacheFillerController) validateProviderJWKSURL(provider *coreosoidc. conditions = append(conditions, &metav1.Condition{ Type: typeJWKSURLValid, Status: metav1.ConditionUnknown, - Reason: reasonUnableToValidate, + Reason: conditionsutil.ReasonUnableToValidate, Message: msgUnableToValidate, }) return "", conditions, nil 
@@ -484,7 +481,7 @@ func (c *jwtCacheFillerController) validateJWKSFetch(ctx context.Context, jwksUR conditions = append(conditions, &metav1.Condition{ Type: typeJWKSFetchValid, Status: metav1.ConditionUnknown, - Reason: reasonUnableToValidate, + Reason: conditionsutil.ReasonUnableToValidate, Message: msgUnableToValidate, }) return nil, conditions, nil @@ -540,7 +537,7 @@ func (c *jwtCacheFillerController) validateJWKSFetch(ctx context.Context, jwksUR conditions = append(conditions, &metav1.Condition{ Type: typeJWKSFetchValid, Status: metav1.ConditionUnknown, - Reason: reasonUnableToValidate, + Reason: conditionsutil.ReasonUnableToValidate, Message: msg, }) return nil, conditions, fmt.Errorf("%s: %w", errText, verifyWithKeySetErr) @@ -559,7 +556,7 @@ func (c *jwtCacheFillerController) newCachedJWTAuthenticator( conditions = append(conditions, &metav1.Condition{ Type: typeAuthenticatorValid, Status: metav1.ConditionUnknown, - Reason: reasonUnableToValidate, + Reason: conditionsutil.ReasonUnableToValidate, Message: msgUnableToValidate, }) return nil, conditions, nil @@ -641,7 +638,7 @@ func (c *jwtCacheFillerController) updateStatus( conditions = append(conditions, &metav1.Condition{ Type: typeReady, Status: metav1.ConditionFalse, - Reason: reasonNotReady, + Reason: conditionsutil.ReasonNotReady, Message: "the JWTAuthenticator is not ready: see other conditions for details", }) } else { diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go index ac6c615cc..45ab3f30e 100644 --- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go +++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go 
@@ -50,13 +50,10 @@ const ( typeEndpointURLValid = "EndpointURLValid" typeAuthenticatorValid = "AuthenticatorValid" - reasonNotReady = "NotReady" - reasonUnableToValidate = "UnableToValidate" reasonUnableToCreateClient = "UnableToCreateClient" reasonUnableToInstantiateWebhook = "UnableToInstantiateWebhook" reasonInvalidEndpointURL = "InvalidEndpointURL" reasonInvalidEndpointURLScheme = "InvalidEndpointURLScheme" - reasonUnableToDialServer = "UnableToDialServer" msgUnableToValidate = "unable to validate; see other conditions for details" ) @@ -252,7 +249,7 @@ func newWebhookAuthenticator( conditions = append(conditions, &metav1.Condition{ Type: typeAuthenticatorValid, Status: metav1.ConditionUnknown, - Reason: reasonUnableToValidate, + Reason: conditionsutil.ReasonUnableToValidate, Message: msgUnableToValidate, }) return nil, conditions, nil @@ -324,7 +321,7 @@ func (c *webhookCacheFillerController) validateConnection(certPool *x509.CertPoo conditions = append(conditions, &metav1.Condition{ Type: typeWebhookConnectionValid, Status: metav1.ConditionUnknown, - Reason: reasonUnableToValidate, + Reason: conditionsutil.ReasonUnableToValidate, Message: msgUnableToValidate, }) return conditions, nil @@ -338,7 +335,7 @@ func (c *webhookCacheFillerController) validateConnection(certPool *x509.CertPoo conditions = append(conditions, &metav1.Condition{ Type: typeWebhookConnectionValid, Status: metav1.ConditionFalse, - Reason: reasonUnableToDialServer, + Reason: conditionsutil.ReasonUnableToDialServer, Message: msg, }) return conditions, fmt.Errorf("%s: %w", errText, err) @@ -418,7 +415,7 @@ func (c *webhookCacheFillerController) updateStatus( conditions = append(conditions, &metav1.Condition{ Type: typeReady, Status: metav1.ConditionFalse, - Reason: reasonNotReady, + Reason: conditionsutil.ReasonNotReady, Message: "the WebhookAuthenticator is not ready: see other conditions for details", }) } else { 
diff --git a/internal/controller/conditionsutil/conditions_util.go b/internal/controller/conditionsutil/conditions_util.go index fd667ca10..91bc24c63 100644 --- a/internal/controller/conditionsutil/conditions_util.go +++ b/internal/controller/conditionsutil/conditions_util.go @@ -12,9 +12,13 @@ import ( "go.pinniped.dev/internal/plog" ) +// Some common reasons shared by conditions of various resources. const ( - // TODO: why only move one here, why not more? - ReasonSuccess = "Success" + ReasonSuccess = "Success" + ReasonNotReady = "NotReady" + ReasonUnableToValidate = "UnableToValidate" + ReasonUnableToDialServer = "UnableToDialServer" + ReasonInvalidIssuerURL = "InvalidIssuerURL" ) // MergeConditions merges conditions into conditionsToUpdate. diff --git a/internal/controller/supervisorconfig/federation_domain_watcher.go b/internal/controller/supervisorconfig/federation_domain_watcher.go index cfd91a3c4..715b2b36f 100644 --- a/internal/controller/supervisorconfig/federation_domain_watcher.go +++ b/internal/controller/supervisorconfig/federation_domain_watcher.go @@ -48,9 +48,6 @@ const ( typeTransformsExpressionsValid = "TransformsExpressionsValid" typeTransformsExamplesPassed = "TransformsExamplesPassed" - reasonNotReady = "NotReady" - reasonUnableToValidate = "UnableToValidate" - reasonInvalidIssuerURL = "InvalidIssuerURL" reasonDuplicateIssuer = "DuplicateIssuer" reasonDifferentSecretRefsFound = "DifferentSecretRefsFound" reasonLegacyConfigurationSuccess = "LegacyConfigurationSuccess" @@ -792,7 +789,7 @@ func appendIssuerURLValidCondition(err error, conditions []*metav1.Condition) [] conditions = append(conditions, &metav1.Condition{ Type: typeIssuerURLValid, Status: metav1.ConditionFalse, - Reason: reasonInvalidIssuerURL, + Reason: conditionsutil.ReasonInvalidIssuerURL, Message: err.Error(), }) } else { 
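Review bot: The new exported constants in conditions_util.go (ReasonNotReady, ReasonUnableToValidate, ReasonUnableToDialServer, ReasonInvalidIssuerURL) carry only the block-level comment; Go doc convention wants a comment per exported name, and these strings are written into `status.conditions[].reason` of several resource kinds, so the comment should say they are user-visible and that tooling may match on them. For example: `// ReasonNotReady is set on the Ready condition when the resource is not usable; see the other conditions for details. The value is observable in status and must stay stable.`, with a similar line for each of the others. The block comment could also mention that ReasonInvalidIssuerURL is now shared by the JWTAuthenticator and FederationDomain issuer checks, since it replaces a file-local constant in both (the jwtcachefiller and federation_domain_watcher hunks of this commit).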
@@ -818,7 +815,7 @@ func (c *federationDomainWatcherController) updateStatus( conditions = append(conditions, &metav1.Condition{ Type: typeReady, Status: metav1.ConditionFalse, - Reason: reasonNotReady, + Reason: conditionsutil.ReasonNotReady, Message: "the FederationDomain is not ready: see other conditions for details", }) } else { @@ -885,13 +882,13 @@ func (v *crossFederationDomainConfigValidator) Validate(federationDomain *superv conditions = append(conditions, &metav1.Condition{ Type: typeIssuerIsUnique, Status: metav1.ConditionUnknown, - Reason: reasonUnableToValidate, + Reason: conditionsutil.ReasonUnableToValidate, Message: "unable to check if spec.issuer is unique among all FederationDomains because URL cannot be parsed", }) conditions = append(conditions, &metav1.Condition{ Type: typeOneTLSSecretPerIssuerHostname, Status: metav1.ConditionUnknown, - Reason: reasonUnableToValidate, + Reason: conditionsutil.ReasonUnableToValidate, Message: "unable to check if all FederationDomains are using the same TLS secret when using the same hostname in the spec.issuer URL because URL cannot be parsed", }) return conditions diff --git a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go index d54006cfd..7d8da94be 100644 --- a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go +++ b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go @@ -61,6 +61,9 @@ const ( GitHubConnectionValid string = "GitHubConnectionValid" ClaimsValid string = "ClaimsValid" + reasonInvalid = "Invalid" + reasonInvalidHost = "InvalidHost" + defaultHost = "github.com" defaultApiBaseURL = "https://api.github.com" ) 
@@ -284,7 +287,7 @@ func validateOrganizationsPolicy(organizationsSpec *idpv1alpha1.GitHubOrganizati return &metav1.Condition{ Type: OrganizationsPolicyValid, Status: metav1.ConditionFalse, - Reason: "Invalid", + Reason: reasonInvalid, Message: "spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed", } } @@ -292,7 +295,7 @@ func validateOrganizationsPolicy(organizationsSpec *idpv1alpha1.GitHubOrganizati return &metav1.Condition{ Type: OrganizationsPolicyValid, Status: metav1.ConditionFalse, - Reason: "Invalid", + Reason: reasonInvalid, Message: "spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty", } } @@ -397,7 +400,7 @@ func validateHost(gitHubAPIConfig idpv1alpha1.GitHubAPIConfig) (*metav1.Conditio return &metav1.Condition{ Type: HostValid, Status: metav1.ConditionFalse, - Reason: "InvalidHost", + Reason: reasonInvalidHost, Message: fmt.Sprintf("spec.githubAPI.host (%q) is not valid: %s", host, reason), } } @@ -432,7 +435,7 @@ func (c *gitHubWatcherController) validateGitHubConnection( return &metav1.Condition{ Type: GitHubConnectionValid, Status: metav1.ConditionUnknown, - Reason: "UnableToValidate", + Reason: conditionsutil.ReasonUnableToValidate, Message: "unable to validate; see other conditions for details", }, "", nil, nil } @@ -445,7 +448,7 @@ func (c *gitHubWatcherController) validateGitHubConnection( return &metav1.Condition{ Type: GitHubConnectionValid, Status: metav1.ConditionFalse, - Reason: "UnableToDialServer", + Reason: conditionsutil.ReasonUnableToDialServer, Message: fmt.Sprintf("cannot dial server spec.githubAPI.host (%q): %s", address, buildDialErrorMessage(tlsDialErr)), }, "", nil, tlsDialErr } 
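Review bot: In the validateGitHubConnection hunk the message beside the new `conditionsutil.ReasonUnableToValidate` stays a string literal, `"unable to validate; see other conditions for details"`, while jwtcachefiller and webhookcachefiller pair the same reason with a file-local `msgUnableToValidate` constant holding the same text. Since this commit centralizes the reason strings, the companion message would belong next to them in conditionsutil (e.g. `MsgUnableToValidate = "unable to validate; see other conditions for details"`) so the three controllers cannot drift; the two local `msgUnableToValidate` constants could then be dropped the same way the local reasons were. validateGitHubConnection starts outside the hunk, so other occurrences of the literal in this file are not visible here.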
@@ -483,7 +486,7 @@ func validateUserAndGroupAttributes(upstream *idpv1alpha1.GitHubIdentityProvider return &metav1.Condition{ Type: ClaimsValid, Status: metav1.ConditionFalse, - Reason: "Invalid", + Reason: reasonInvalid, Message: message, } }