Enforce more imports

- go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1 - go.pinniped.dev/generated/latest/client/concierge/clientset/versioned - go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme - go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned - go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme
2026-01-08 15:21:55 +00:00 · 2024-05-12 17:03:48 -05:00
parent f5116cddb4
commit 513f43f465
23 changed files with 892 additions and 878 deletions
--- a/internal/controller/impersonatorconfig/impersonator_config.go
+++ b/internal/controller/impersonatorconfig/impersonator_config.go
@@ -32,7 +32,7 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/utils/clock"

-	"go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+	conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 	conciergeconfiginformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/config/v1alpha1"
 	"go.pinniped.dev/internal/certauthority"
@@ -193,9 +193,9 @@ func (c *impersonatorConfigController) Sync(syncCtx controllerlib.Context) error

 	strategy, err := c.doSync(syncCtx, credIssuer)
 	if err != nil {
-		strategy = &v1alpha1.CredentialIssuerStrategy{
-			Type:           v1alpha1.ImpersonationProxyStrategyType,
-			Status:         v1alpha1.ErrorStrategyStatus,
+		strategy = &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+			Type:           conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+			Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
 			Reason:         strategyReasonForError(err),
 			Message:        err.Error(),
 			LastUpdateTime: metav1.NewTime(c.clock.Now()),
@@ -218,12 +218,12 @@ func (c *impersonatorConfigController) Sync(syncCtx controllerlib.Context) error
 // strategyReasonForError returns the proper v1alpha1.StrategyReason for a sync error. Some errors are occasionally
 // expected because there are multiple pods running, in these cases we should  report a Pending reason and we'll
 // recover on a following sync.
-func strategyReasonForError(err error) v1alpha1.StrategyReason {
+func strategyReasonForError(err error) conciergeconfigv1alpha1.StrategyReason {
 	switch {
 	case apierrors.IsConflict(err), apierrors.IsAlreadyExists(err):
-		return v1alpha1.PendingStrategyReason
+		return conciergeconfigv1alpha1.PendingStrategyReason
 	default:
-		return v1alpha1.ErrorDuringSetupStrategyReason
+		return conciergeconfigv1alpha1.ErrorDuringSetupStrategyReason
 	}
 }

@@ -243,7 +243,7 @@ type certNameInfo struct {
 	clientEndpoint string
 }

-func (c *impersonatorConfigController) doSync(syncCtx controllerlib.Context, credIssuer *v1alpha1.CredentialIssuer) (*v1alpha1.CredentialIssuerStrategy, error) {
+func (c *impersonatorConfigController) doSync(syncCtx controllerlib.Context, credIssuer *conciergeconfigv1alpha1.CredentialIssuer) (*conciergeconfigv1alpha1.CredentialIssuerStrategy, error) {
 	ctx := syncCtx.Context

 	impersonationSpec, err := c.loadImpersonationProxyConfiguration(credIssuer)
@@ -354,7 +354,7 @@ func (c *impersonatorConfigController) ensureCAAndTLSSecrets(

 func (c *impersonatorConfigController) evaluateExternallyProvidedTLSSecret(
 	ctx context.Context,
-	tlsSpec *v1alpha1.ImpersonationProxyTLSSpec,
+	tlsSpec *conciergeconfigv1alpha1.ImpersonationProxyTLSSpec,
 ) ([]byte, error) {
 	if tlsSpec.SecretName == "" {
 		return nil, fmt.Errorf("must provide impersonationSpec.TLS.secretName if impersonationSpec.TLS is provided")
@@ -396,7 +396,7 @@ func (c *impersonatorConfigController) evaluateExternallyProvidedTLSSecret(
 	return caBundle, nil
 }

-func (c *impersonatorConfigController) loadImpersonationProxyConfiguration(credIssuer *v1alpha1.CredentialIssuer) (*v1alpha1.ImpersonationProxySpec, error) {
+func (c *impersonatorConfigController) loadImpersonationProxyConfiguration(credIssuer *conciergeconfigv1alpha1.CredentialIssuer) (*conciergeconfigv1alpha1.ImpersonationProxySpec, error) {
 	// Make a copy of the spec since we got this object from informer cache.
 	spec := credIssuer.Spec.DeepCopy().ImpersonationProxy
 	if spec == nil {
@@ -405,7 +405,7 @@ func (c *impersonatorConfigController) loadImpersonationProxyConfiguration(credI

 	// Default service type to LoadBalancer (this is normally already done via CRD defaulting).
 	if spec.Service.Type == "" {
-		spec.Service.Type = v1alpha1.ImpersonationProxyServiceTypeLoadBalancer
+		spec.Service.Type = conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer
 	}

 	if err := validateCredentialIssuerSpec(spec); err != nil {
@@ -415,28 +415,28 @@ func (c *impersonatorConfigController) loadImpersonationProxyConfiguration(credI
 	return spec, nil
 }

-func (c *impersonatorConfigController) shouldHaveImpersonator(config *v1alpha1.ImpersonationProxySpec) bool {
-	return c.enabledByAutoMode(config) || config.Mode == v1alpha1.ImpersonationProxyModeEnabled
+func (c *impersonatorConfigController) shouldHaveImpersonator(config *conciergeconfigv1alpha1.ImpersonationProxySpec) bool {
+	return c.enabledByAutoMode(config) || config.Mode == conciergeconfigv1alpha1.ImpersonationProxyModeEnabled
 }

-func (c *impersonatorConfigController) enabledByAutoMode(config *v1alpha1.ImpersonationProxySpec) bool {
-	return config.Mode == v1alpha1.ImpersonationProxyModeAuto && !*c.hasControlPlaneNodes
+func (c *impersonatorConfigController) enabledByAutoMode(config *conciergeconfigv1alpha1.ImpersonationProxySpec) bool {
+	return config.Mode == conciergeconfigv1alpha1.ImpersonationProxyModeAuto && !*c.hasControlPlaneNodes
 }

-func (c *impersonatorConfigController) disabledByAutoMode(config *v1alpha1.ImpersonationProxySpec) bool {
-	return config.Mode == v1alpha1.ImpersonationProxyModeAuto && *c.hasControlPlaneNodes
+func (c *impersonatorConfigController) disabledByAutoMode(config *conciergeconfigv1alpha1.ImpersonationProxySpec) bool {
+	return config.Mode == conciergeconfigv1alpha1.ImpersonationProxyModeAuto && *c.hasControlPlaneNodes
 }

-func (c *impersonatorConfigController) disabledExplicitly(config *v1alpha1.ImpersonationProxySpec) bool {
-	return config.Mode == v1alpha1.ImpersonationProxyModeDisabled
+func (c *impersonatorConfigController) disabledExplicitly(config *conciergeconfigv1alpha1.ImpersonationProxySpec) bool {
+	return config.Mode == conciergeconfigv1alpha1.ImpersonationProxyModeDisabled
 }

-func (c *impersonatorConfigController) shouldHaveLoadBalancer(config *v1alpha1.ImpersonationProxySpec) bool {
-	return c.shouldHaveImpersonator(config) && config.Service.Type == v1alpha1.ImpersonationProxyServiceTypeLoadBalancer
+func (c *impersonatorConfigController) shouldHaveLoadBalancer(config *conciergeconfigv1alpha1.ImpersonationProxySpec) bool {
+	return c.shouldHaveImpersonator(config) && config.Service.Type == conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer
 }

-func (c *impersonatorConfigController) shouldHaveClusterIPService(config *v1alpha1.ImpersonationProxySpec) bool {
-	return c.shouldHaveImpersonator(config) && config.Service.Type == v1alpha1.ImpersonationProxyServiceTypeClusterIP
+func (c *impersonatorConfigController) shouldHaveClusterIPService(config *conciergeconfigv1alpha1.ImpersonationProxySpec) bool {
+	return c.shouldHaveImpersonator(config) && config.Service.Type == conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP
 }

 func (c *impersonatorConfigController) serviceExists(serviceName string) (bool, *corev1.Service, error) {
@@ -537,7 +537,7 @@ func (c *impersonatorConfigController) ensureImpersonatorIsStopped(shouldCloseEr
 	return stopErr
 }

-func (c *impersonatorConfigController) ensureLoadBalancerIsStarted(ctx context.Context, config *v1alpha1.ImpersonationProxySpec) error {
+func (c *impersonatorConfigController) ensureLoadBalancerIsStarted(ctx context.Context, config *conciergeconfigv1alpha1.ImpersonationProxySpec) error {
 	appNameLabel := c.labels[appLabelKey]
 	loadBalancer := corev1.Service{
 		Spec: corev1.ServiceSpec{
@@ -583,7 +583,7 @@ func (c *impersonatorConfigController) ensureLoadBalancerIsStopped(ctx context.C
 	return utilerrors.FilterOut(err, apierrors.IsNotFound)
 }

-func (c *impersonatorConfigController) ensureClusterIPServiceIsStarted(ctx context.Context, config *v1alpha1.ImpersonationProxySpec) error {
+func (c *impersonatorConfigController) ensureClusterIPServiceIsStarted(ctx context.Context, config *conciergeconfigv1alpha1.ImpersonationProxySpec) error {
 	appNameLabel := c.labels[appLabelKey]
 	clusterIP := corev1.Service{
 		Spec: corev1.ServiceSpec{
@@ -950,16 +950,16 @@ func (c *impersonatorConfigController) createCASecret(ctx context.Context) (*cer
 	return impersonationCA, nil
 }

-func (c *impersonatorConfigController) findDesiredTLSCertificateName(config *v1alpha1.ImpersonationProxySpec) (*certNameInfo, error) {
+func (c *impersonatorConfigController) findDesiredTLSCertificateName(config *conciergeconfigv1alpha1.ImpersonationProxySpec) (*certNameInfo, error) {
 	if config.ExternalEndpoint != "" {
 		return c.findTLSCertificateNameFromEndpointConfig(config), nil
-	} else if config.Service.Type == v1alpha1.ImpersonationProxyServiceTypeClusterIP {
+	} else if config.Service.Type == conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP {
 		return c.findTLSCertificateNameFromClusterIPService()
 	}
 	return c.findTLSCertificateNameFromLoadBalancer()
 }

-func (c *impersonatorConfigController) findTLSCertificateNameFromEndpointConfig(config *v1alpha1.ImpersonationProxySpec) *certNameInfo {
+func (c *impersonatorConfigController) findTLSCertificateNameFromEndpointConfig(config *conciergeconfigv1alpha1.ImpersonationProxySpec) *certNameInfo {
 	addr, _ := endpointaddr.Parse(config.ExternalEndpoint, 443)
 	endpoint := strings.TrimSuffix(addr.Endpoint(), ":443")

@@ -1136,42 +1136,42 @@ func (c *impersonatorConfigController) clearSignerCA() {
 	c.impersonationSigningCertProvider.UnsetCertKeyContent()
 }

-func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, config *v1alpha1.ImpersonationProxySpec, caBundle []byte) *v1alpha1.CredentialIssuerStrategy {
+func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, config *conciergeconfigv1alpha1.ImpersonationProxySpec, caBundle []byte) *conciergeconfigv1alpha1.CredentialIssuerStrategy {
 	switch {
 	case c.disabledExplicitly(config):
-		return &v1alpha1.CredentialIssuerStrategy{
-			Type:           v1alpha1.ImpersonationProxyStrategyType,
-			Status:         v1alpha1.ErrorStrategyStatus,
-			Reason:         v1alpha1.DisabledStrategyReason,
+		return &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+			Type:           conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+			Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+			Reason:         conciergeconfigv1alpha1.DisabledStrategyReason,
 			Message:        "impersonation proxy was explicitly disabled by configuration",
 			LastUpdateTime: metav1.NewTime(c.clock.Now()),
 		}
 	case c.disabledByAutoMode(config):
-		return &v1alpha1.CredentialIssuerStrategy{
-			Type:           v1alpha1.ImpersonationProxyStrategyType,
-			Status:         v1alpha1.ErrorStrategyStatus,
-			Reason:         v1alpha1.DisabledStrategyReason,
+		return &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+			Type:           conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+			Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+			Reason:         conciergeconfigv1alpha1.DisabledStrategyReason,
 			Message:        "automatically determined that impersonation proxy should be disabled",
 			LastUpdateTime: metav1.NewTime(c.clock.Now()),
 		}
 	case !nameInfo.ready:
-		return &v1alpha1.CredentialIssuerStrategy{
-			Type:           v1alpha1.ImpersonationProxyStrategyType,
-			Status:         v1alpha1.ErrorStrategyStatus,
-			Reason:         v1alpha1.PendingStrategyReason,
+		return &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+			Type:           conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+			Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+			Reason:         conciergeconfigv1alpha1.PendingStrategyReason,
 			Message:        "waiting for load balancer Service to be assigned IP or hostname",
 			LastUpdateTime: metav1.NewTime(c.clock.Now()),
 		}
 	default:
-		return &v1alpha1.CredentialIssuerStrategy{
-			Type:           v1alpha1.ImpersonationProxyStrategyType,
-			Status:         v1alpha1.SuccessStrategyStatus,
-			Reason:         v1alpha1.ListeningStrategyReason,
+		return &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+			Type:           conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+			Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
+			Reason:         conciergeconfigv1alpha1.ListeningStrategyReason,
 			Message:        "impersonation proxy is ready to accept client connections",
 			LastUpdateTime: metav1.NewTime(c.clock.Now()),
-			Frontend: &v1alpha1.CredentialIssuerFrontend{
-				Type: v1alpha1.ImpersonationProxyFrontendType,
-				ImpersonationProxyInfo: &v1alpha1.ImpersonationProxyInfo{
+			Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+				Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType,
+				ImpersonationProxyInfo: &conciergeconfigv1alpha1.ImpersonationProxyInfo{
 					Endpoint:                 "https://" + nameInfo.clientEndpoint,
 					CertificateAuthorityData: base64.StdEncoding.EncodeToString(caBundle),
 				},
@@ -1180,26 +1180,26 @@ func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, conf
 	}
 }

-func validateCredentialIssuerSpec(spec *v1alpha1.ImpersonationProxySpec) error {
+func validateCredentialIssuerSpec(spec *conciergeconfigv1alpha1.ImpersonationProxySpec) error {
 	// Validate that the mode is one of our known values.
 	switch spec.Mode {
-	case v1alpha1.ImpersonationProxyModeDisabled:
-	case v1alpha1.ImpersonationProxyModeAuto:
-	case v1alpha1.ImpersonationProxyModeEnabled:
+	case conciergeconfigv1alpha1.ImpersonationProxyModeDisabled:
+	case conciergeconfigv1alpha1.ImpersonationProxyModeAuto:
+	case conciergeconfigv1alpha1.ImpersonationProxyModeEnabled:
 	default:
 		return fmt.Errorf("invalid proxy mode %q (expected auto, disabled, or enabled)", spec.Mode)
 	}

 	// If disabled, ignore all other fields and consider the configuration valid.
-	if spec.Mode == v1alpha1.ImpersonationProxyModeDisabled {
+	if spec.Mode == conciergeconfigv1alpha1.ImpersonationProxyModeDisabled {
 		return nil
 	}

 	// Validate that the service type is one of our known values.
 	switch spec.Service.Type {
-	case v1alpha1.ImpersonationProxyServiceTypeNone:
-	case v1alpha1.ImpersonationProxyServiceTypeLoadBalancer:
-	case v1alpha1.ImpersonationProxyServiceTypeClusterIP:
+	case conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone:
+	case conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer:
+	case conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP:
 	default:
 		return fmt.Errorf("invalid service type %q (expected None, LoadBalancer, or ClusterIP)", spec.Service.Type)
 	}
@@ -1210,7 +1210,7 @@ func validateCredentialIssuerSpec(spec *v1alpha1.ImpersonationProxySpec) error {
 	}

 	// If service is type "None", a non-empty external endpoint must be specified.
-	if spec.ExternalEndpoint == "" && spec.Service.Type == v1alpha1.ImpersonationProxyServiceTypeNone {
+	if spec.ExternalEndpoint == "" && spec.Service.Type == conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone {
 		return fmt.Errorf("externalEndpoint must be set when service.type is None")
 	}

--- a/internal/controller/impersonatorconfig/impersonator_config_test.go
+++ b/internal/controller/impersonatorconfig/impersonator_config_test.go
--- a/internal/controller/issuerconfig/issuerconfig.go
+++ b/internal/controller/issuerconfig/issuerconfig.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package issuerconfig contains helpers for updating CredentialIssuer status entries.
@@ -12,12 +12,12 @@ import (
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
-	"go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
+	conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 )

 // Update a strategy on an existing CredentialIssuer, merging into any existing strategy entries.
-func Update(ctx context.Context, client versioned.Interface, issuer *v1alpha1.CredentialIssuer, strategy v1alpha1.CredentialIssuerStrategy) error {
+func Update(ctx context.Context, client conciergeclientset.Interface, issuer *conciergeconfigv1alpha1.CredentialIssuer, strategy conciergeconfigv1alpha1.CredentialIssuerStrategy) error {
 	// Update the existing object to merge in the new strategy.
 	updated := issuer.DeepCopy()
 	mergeStrategy(&updated.Status, strategy)
@@ -33,8 +33,8 @@ func Update(ctx context.Context, client versioned.Interface, issuer *v1alpha1.Cr
 	return nil
 }

-func mergeStrategy(configToUpdate *v1alpha1.CredentialIssuerStatus, strategy v1alpha1.CredentialIssuerStrategy) {
-	var existing *v1alpha1.CredentialIssuerStrategy
+func mergeStrategy(configToUpdate *conciergeconfigv1alpha1.CredentialIssuerStatus, strategy conciergeconfigv1alpha1.CredentialIssuerStrategy) {
+	var existing *conciergeconfigv1alpha1.CredentialIssuerStrategy
 	for i := range configToUpdate.Strategies {
 		if configToUpdate.Strategies[i].Type == strategy.Type {
 			existing = &configToUpdate.Strategies[i]
@@ -51,8 +51,8 @@ func mergeStrategy(configToUpdate *v1alpha1.CredentialIssuerStatus, strategy v1a
 	sort.Stable(sortableStrategies(configToUpdate.Strategies))

 	// Special case: the "TokenCredentialRequestAPI" data is mirrored into the deprecated status.kubeConfigInfo field.
-	if strategy.Frontend != nil && strategy.Frontend.Type == v1alpha1.TokenCredentialRequestAPIFrontendType {
-		configToUpdate.KubeConfigInfo = &v1alpha1.CredentialIssuerKubeConfigInfo{
+	if strategy.Frontend != nil && strategy.Frontend.Type == conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType {
+		configToUpdate.KubeConfigInfo = &conciergeconfigv1alpha1.CredentialIssuerKubeConfigInfo{
 			Server:                   strategy.Frontend.TokenCredentialRequestAPIInfo.Server,
 			CertificateAuthorityData: strategy.Frontend.TokenCredentialRequestAPIInfo.CertificateAuthorityData,
 		}
@@ -60,13 +60,13 @@ func mergeStrategy(configToUpdate *v1alpha1.CredentialIssuerStatus, strategy v1a
 }

 // weights are a set of priorities for each strategy type.
-var weights = map[v1alpha1.StrategyType]int{ //nolint:gochecknoglobals
-	v1alpha1.KubeClusterSigningCertificateStrategyType: 2, // most preferred strategy
-	v1alpha1.ImpersonationProxyStrategyType:            1,
+var weights = map[conciergeconfigv1alpha1.StrategyType]int{ //nolint:gochecknoglobals
+	conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType: 2, // most preferred strategy
+	conciergeconfigv1alpha1.ImpersonationProxyStrategyType:            1,
 	// unknown strategy types will have weight 0 by default
 }

-type sortableStrategies []v1alpha1.CredentialIssuerStrategy
+type sortableStrategies []conciergeconfigv1alpha1.CredentialIssuerStrategy

 func (s sortableStrategies) Len() int { return len(s) }
 func (s sortableStrategies) Less(i, j int) bool {
@@ -77,7 +77,7 @@ func (s sortableStrategies) Less(i, j int) bool {
 }
 func (s sortableStrategies) Swap(i, j int) { s[i], s[j] = s[j], s[i] }

-func equalExceptLastUpdated(s1, s2 *v1alpha1.CredentialIssuerStrategy) bool {
+func equalExceptLastUpdated(s1, s2 *conciergeconfigv1alpha1.CredentialIssuerStrategy) bool {
 	s1 = s1.DeepCopy()
 	s2 = s2.DeepCopy()
 	s1.LastUpdateTime = metav1.Time{}
--- a/internal/controller/issuerconfig/issuerconfig_test.go
+++ b/internal/controller/issuerconfig/issuerconfig_test.go
@@ -14,7 +14,7 @@ import (
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+	conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 )

 func TestMergeStrategy(t *testing.T) {
@@ -23,27 +23,27 @@ func TestMergeStrategy(t *testing.T) {

 	tests := []struct {
 		name           string
-		configToUpdate v1alpha1.CredentialIssuerStatus
-		strategy       v1alpha1.CredentialIssuerStrategy
-		expected       v1alpha1.CredentialIssuerStatus
+		configToUpdate conciergeconfigv1alpha1.CredentialIssuerStatus
+		strategy       conciergeconfigv1alpha1.CredentialIssuerStrategy
+		expected       conciergeconfigv1alpha1.CredentialIssuerStatus
 	}{
 		{
 			name: "new entry",
-			configToUpdate: v1alpha1.CredentialIssuerStatus{
+			configToUpdate: conciergeconfigv1alpha1.CredentialIssuerStatus{
 				Strategies: nil,
 			},
-			strategy: v1alpha1.CredentialIssuerStrategy{
+			strategy: conciergeconfigv1alpha1.CredentialIssuerStrategy{
 				Type:           "Type1",
-				Status:         v1alpha1.SuccessStrategyStatus,
+				Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
 				Reason:         "some reason",
 				Message:        "some message",
 				LastUpdateTime: t1,
 			},
-			expected: v1alpha1.CredentialIssuerStatus{
-				Strategies: []v1alpha1.CredentialIssuerStrategy{
+			expected: conciergeconfigv1alpha1.CredentialIssuerStatus{
+				Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{
 					{
 						Type:           "Type1",
-						Status:         v1alpha1.SuccessStrategyStatus,
+						Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
 						Reason:         "some reason",
 						Message:        "some message",
 						LastUpdateTime: t1,
@@ -53,41 +53,41 @@ func TestMergeStrategy(t *testing.T) {
 		},
 		{
 			name: "new entry updating deprecated kubeConfigInfo",
-			configToUpdate: v1alpha1.CredentialIssuerStatus{
+			configToUpdate: conciergeconfigv1alpha1.CredentialIssuerStatus{
 				Strategies: nil,
 			},
-			strategy: v1alpha1.CredentialIssuerStrategy{
+			strategy: conciergeconfigv1alpha1.CredentialIssuerStrategy{
 				Type:           "Type1",
-				Status:         v1alpha1.SuccessStrategyStatus,
+				Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
 				Reason:         "some reason",
 				Message:        "some message",
 				LastUpdateTime: t1,
-				Frontend: &v1alpha1.CredentialIssuerFrontend{
+				Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
 					Type: "TokenCredentialRequestAPI",
-					TokenCredentialRequestAPIInfo: &v1alpha1.TokenCredentialRequestAPIInfo{
+					TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 						Server:                   "https://test-server",
 						CertificateAuthorityData: "test-ca-bundle",
 					},
 				},
 			},
-			expected: v1alpha1.CredentialIssuerStatus{
-				Strategies: []v1alpha1.CredentialIssuerStrategy{
+			expected: conciergeconfigv1alpha1.CredentialIssuerStatus{
+				Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{
 					{
 						Type:           "Type1",
-						Status:         v1alpha1.SuccessStrategyStatus,
+						Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
 						Reason:         "some reason",
 						Message:        "some message",
 						LastUpdateTime: t1,
-						Frontend: &v1alpha1.CredentialIssuerFrontend{
+						Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
 							Type: "TokenCredentialRequestAPI",
-							TokenCredentialRequestAPIInfo: &v1alpha1.TokenCredentialRequestAPIInfo{
+							TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 								Server:                   "https://test-server",
 								CertificateAuthorityData: "test-ca-bundle",
 							},
 						},
 					},
 				},
-				KubeConfigInfo: &v1alpha1.CredentialIssuerKubeConfigInfo{
+				KubeConfigInfo: &conciergeconfigv1alpha1.CredentialIssuerKubeConfigInfo{
 					Server:                   "https://test-server",
 					CertificateAuthorityData: "test-ca-bundle",
 				},
@@ -95,29 +95,29 @@ func TestMergeStrategy(t *testing.T) {
 		},
 		{
 			name: "existing entry to update",
-			configToUpdate: v1alpha1.CredentialIssuerStatus{
-				Strategies: []v1alpha1.CredentialIssuerStrategy{
+			configToUpdate: conciergeconfigv1alpha1.CredentialIssuerStatus{
+				Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{
 					{
 						Type:           "Type1",
-						Status:         v1alpha1.ErrorStrategyStatus,
+						Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
 						Reason:         "some starting reason",
 						Message:        "some starting message",
 						LastUpdateTime: t2,
 					},
 				},
 			},
-			strategy: v1alpha1.CredentialIssuerStrategy{
+			strategy: conciergeconfigv1alpha1.CredentialIssuerStrategy{
 				Type:           "Type1",
-				Status:         v1alpha1.SuccessStrategyStatus,
+				Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
 				Reason:         "some reason",
 				Message:        "some message",
 				LastUpdateTime: t1,
 			},
-			expected: v1alpha1.CredentialIssuerStatus{
-				Strategies: []v1alpha1.CredentialIssuerStrategy{
+			expected: conciergeconfigv1alpha1.CredentialIssuerStatus{
+				Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{
 					{
 						Type:           "Type1",
-						Status:         v1alpha1.SuccessStrategyStatus,
+						Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
 						Reason:         "some reason",
 						Message:        "some message",
 						LastUpdateTime: t1,
@@ -127,29 +127,29 @@ func TestMergeStrategy(t *testing.T) {
 		},
 		{
 			name: "existing entry matches except for LastUpdated time",
-			configToUpdate: v1alpha1.CredentialIssuerStatus{
-				Strategies: []v1alpha1.CredentialIssuerStrategy{
+			configToUpdate: conciergeconfigv1alpha1.CredentialIssuerStatus{
+				Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{
 					{
 						Type:           "Type1",
-						Status:         v1alpha1.ErrorStrategyStatus,
+						Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
 						Reason:         "some starting reason",
 						Message:        "some starting message",
 						LastUpdateTime: t1,
 					},
 				},
 			},
-			strategy: v1alpha1.CredentialIssuerStrategy{
+			strategy: conciergeconfigv1alpha1.CredentialIssuerStrategy{
 				Type:           "Type1",
-				Status:         v1alpha1.ErrorStrategyStatus,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
 				Reason:         "some starting reason",
 				Message:        "some starting message",
 				LastUpdateTime: t2,
 			},
-			expected: v1alpha1.CredentialIssuerStatus{
-				Strategies: []v1alpha1.CredentialIssuerStrategy{
+			expected: conciergeconfigv1alpha1.CredentialIssuerStatus{
+				Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{
 					{
 						Type:           "Type1",
-						Status:         v1alpha1.ErrorStrategyStatus,
+						Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
 						Reason:         "some starting reason",
 						Message:        "some starting message",
 						LastUpdateTime: t1,
@@ -159,36 +159,36 @@ func TestMergeStrategy(t *testing.T) {
 		},
 		{
 			name: "new entry among others",
-			configToUpdate: v1alpha1.CredentialIssuerStatus{
-				Strategies: []v1alpha1.CredentialIssuerStrategy{
+			configToUpdate: conciergeconfigv1alpha1.CredentialIssuerStatus{
+				Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{
 					{
 						Type:           "Type0",
-						Status:         v1alpha1.ErrorStrategyStatus,
+						Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
 						Reason:         "some starting reason 0",
 						Message:        "some starting message 0",
 						LastUpdateTime: t2,
 					},
 					{
 						Type:           "Type2",
-						Status:         v1alpha1.ErrorStrategyStatus,
+						Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
 						Reason:         "some starting reason 0",
 						Message:        "some starting message 0",
 						LastUpdateTime: t2,
 					},
 				},
 			},
-			strategy: v1alpha1.CredentialIssuerStrategy{
+			strategy: conciergeconfigv1alpha1.CredentialIssuerStrategy{
 				Type:           "Type1",
-				Status:         v1alpha1.SuccessStrategyStatus,
+				Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
 				Reason:         "some reason",
 				Message:        "some message",
 				LastUpdateTime: t1,
 			},
-			expected: v1alpha1.CredentialIssuerStatus{
-				Strategies: []v1alpha1.CredentialIssuerStrategy{
+			expected: conciergeconfigv1alpha1.CredentialIssuerStatus{
+				Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{
 					{
 						Type:           "Type0",
-						Status:         v1alpha1.ErrorStrategyStatus,
+						Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
 						Reason:         "some starting reason 0",
 						Message:        "some starting message 0",
 						LastUpdateTime: t2,
@@ -196,14 +196,14 @@ func TestMergeStrategy(t *testing.T) {
 					// Expect the Type1 entry to be sorted alphanumerically between the existing entries.
 					{
 						Type:           "Type1",
-						Status:         v1alpha1.SuccessStrategyStatus,
+						Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
 						Reason:         "some reason",
 						Message:        "some message",
 						LastUpdateTime: t1,
 					},
 					{
 						Type:           "Type2",
-						Status:         v1alpha1.ErrorStrategyStatus,
+						Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
 						Reason:         "some starting reason 0",
 						Message:        "some starting message 0",
 						LastUpdateTime: t2,
@@ -222,9 +222,9 @@ func TestMergeStrategy(t *testing.T) {
 }

 func TestStrategySorting(t *testing.T) {
-	expected := []v1alpha1.CredentialIssuerStrategy{
-		{Type: v1alpha1.KubeClusterSigningCertificateStrategyType},
-		{Type: v1alpha1.ImpersonationProxyStrategyType},
+	expected := []conciergeconfigv1alpha1.CredentialIssuerStrategy{
+		{Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType},
+		{Type: conciergeconfigv1alpha1.ImpersonationProxyStrategyType},
 		{Type: "Type1"},
 		{Type: "Type2"},
 		{Type: "Type3"},
@@ -233,7 +233,7 @@ func TestStrategySorting(t *testing.T) {
 		// Create a randomly shuffled copy of the expected output.
 		//nolint:gosec // this is not meant to be a secure random, just a seeded RNG for shuffling deterministically
 		rng := rand.New(rand.NewSource(seed))
-		output := make([]v1alpha1.CredentialIssuerStrategy, len(expected))
+		output := make([]conciergeconfigv1alpha1.CredentialIssuerStrategy, len(expected))
 		copy(output, expected)
 		rng.Shuffle(
 			len(output),
--- a/internal/controller/kubecertagent/kubecertagent.go
+++ b/internal/controller/kubecertagent/kubecertagent.go
@@ -32,7 +32,7 @@ import (
 	"k8s.io/utils/clock"
 	"k8s.io/utils/ptr"

-	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+	conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 	configv1alpha1informers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/config/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/issuerconfig"
@@ -272,7 +272,7 @@ func (c *agentController) Sync(ctx controllerlib.Context) error {
 	controllerManagerPods, err := c.kubeSystemPods.Lister().Pods(ControllerManagerNamespace).List(controllerManagerLabels)
 	if err != nil {
 		err := fmt.Errorf("could not list controller manager pods: %w", err)
-		return c.failStrategyAndErr(ctx.Context, credIssuer, err, configv1alpha1.CouldNotFetchKeyStrategyReason)
+		return c.failStrategyAndErr(ctx.Context, credIssuer, err, conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason)
 	}
 	newestControllerManager := newestRunningPod(controllerManagerPods)

@@ -286,7 +286,7 @@ func (c *agentController) Sync(ctx controllerlib.Context) error {
 		} else {
 			err = errors.New(msg)
 		}
-		return c.failStrategyAndErr(ctx.Context, credIssuer, err, configv1alpha1.CouldNotFetchKeyStrategyReason)
+		return c.failStrategyAndErr(ctx.Context, credIssuer, err, conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason)
 	}

 	depErr := c.createOrUpdateDeployment(ctx, newestControllerManager)
@@ -301,7 +301,7 @@ func (c *agentController) Sync(ctx controllerlib.Context) error {
 	agentPods, err := c.agentPods.Lister().Pods(c.cfg.Namespace).List(agentLabels)
 	if err != nil {
 		err := fmt.Errorf("could not list agent pods: %w", err)
-		return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), configv1alpha1.CouldNotFetchKeyStrategyReason)
+		return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason)
 	}
 	newestAgentPod := newestRunningPod(agentPods)

@@ -309,42 +309,42 @@ func (c *agentController) Sync(ctx controllerlib.Context) error {
 	// the CredentialIssuer.
 	if newestAgentPod == nil {
 		err := fmt.Errorf("could not find a healthy agent pod (%s)", pluralize(agentPods))
-		return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), configv1alpha1.CouldNotFetchKeyStrategyReason)
+		return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason)
 	}

 	// Load the Kubernetes API info from the kube-public/cluster-info ConfigMap.
 	configMap, err := c.kubePublicConfigMaps.Lister().ConfigMaps(ClusterInfoNamespace).Get(clusterInfoName)
 	if err != nil {
 		err := fmt.Errorf("failed to get %s/%s configmap: %w", ClusterInfoNamespace, clusterInfoName, err)
-		return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), configv1alpha1.CouldNotGetClusterInfoStrategyReason)
+		return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason)
 	}

 	apiInfo, err := c.extractAPIInfo(configMap)
 	if err != nil {
 		err := fmt.Errorf("could not extract Kubernetes API endpoint info from %s/%s configmap: %w", ClusterInfoNamespace, clusterInfoName, err)
-		return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), configv1alpha1.CouldNotGetClusterInfoStrategyReason)
+		return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason)
 	}

 	// Load the certificate and key from the agent pod into our in-memory signer.
 	if err := c.loadSigningKey(ctx.Context, newestAgentPod); err != nil {
-		return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), configv1alpha1.CouldNotFetchKeyStrategyReason)
+		return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason)
 	}

 	if depErr != nil {
 		// if we get here, it means that we have successfully loaded a signing key but failed to reconcile the deployment.
 		// mark the status as failed and re-kick the sync loop until we are happy with the state of the deployment.
-		return c.failStrategyAndErr(ctx.Context, credIssuer, depErr, configv1alpha1.CouldNotFetchKeyStrategyReason)
+		return c.failStrategyAndErr(ctx.Context, credIssuer, depErr, conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason)
 	}

 	// Set the CredentialIssuer strategy to successful.
-	return issuerconfig.Update(ctx.Context, c.client.PinnipedConcierge, credIssuer, configv1alpha1.CredentialIssuerStrategy{
-		Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-		Status:         configv1alpha1.SuccessStrategyStatus,
-		Reason:         configv1alpha1.FetchedKeyStrategyReason,
+	return issuerconfig.Update(ctx.Context, c.client.PinnipedConcierge, credIssuer, conciergeconfigv1alpha1.CredentialIssuerStrategy{
+		Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+		Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
+		Reason:         conciergeconfigv1alpha1.FetchedKeyStrategyReason,
 		Message:        "key was fetched successfully",
 		LastUpdateTime: metav1.NewTime(c.clock.Now()),
-		Frontend: &configv1alpha1.CredentialIssuerFrontend{
-			Type:                          configv1alpha1.TokenCredentialRequestAPIFrontendType,
+		Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+			Type:                          conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
 			TokenCredentialRequestAPIInfo: apiInfo,
 		},
 	})
@@ -454,10 +454,10 @@ func (c *agentController) createOrUpdateDeployment(ctx controllerlib.Context, ne
 	return err
 }

-func (c *agentController) failStrategyAndErr(ctx context.Context, credIssuer *configv1alpha1.CredentialIssuer, err error, reason configv1alpha1.StrategyReason) error {
-	updateErr := issuerconfig.Update(ctx, c.client.PinnipedConcierge, credIssuer, configv1alpha1.CredentialIssuerStrategy{
-		Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-		Status:         configv1alpha1.ErrorStrategyStatus,
+func (c *agentController) failStrategyAndErr(ctx context.Context, credIssuer *conciergeconfigv1alpha1.CredentialIssuer, err error, reason conciergeconfigv1alpha1.StrategyReason) error {
+	updateErr := issuerconfig.Update(ctx, c.client.PinnipedConcierge, credIssuer, conciergeconfigv1alpha1.CredentialIssuerStrategy{
+		Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+		Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
 		Reason:         reason,
 		Message:        err.Error(),
 		LastUpdateTime: metav1.NewTime(c.clock.Now()),
@@ -465,7 +465,7 @@ func (c *agentController) failStrategyAndErr(ctx context.Context, credIssuer *co
 	return utilerrors.NewAggregate([]error{err, updateErr})
 }

-func (c *agentController) extractAPIInfo(configMap *corev1.ConfigMap) (*configv1alpha1.TokenCredentialRequestAPIInfo, error) {
+func (c *agentController) extractAPIInfo(configMap *corev1.ConfigMap) (*conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo, error) {
 	kubeConfigYAML, kubeConfigPresent := configMap.Data[clusterInfoConfigMapKey]
 	if !kubeConfigPresent {
 		return nil, fmt.Errorf("missing %q key", clusterInfoConfigMapKey)
@@ -478,7 +478,7 @@ func (c *agentController) extractAPIInfo(configMap *corev1.ConfigMap) (*configv1
 	}

 	for _, v := range kubeconfig.Clusters {
-		result := &configv1alpha1.TokenCredentialRequestAPIInfo{
+		result := &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 			Server:                   v.Server,
 			CertificateAuthorityData: base64.StdEncoding.EncodeToString(v.CertificateAuthorityData),
 		}
--- a/internal/controller/kubecertagent/kubecertagent_test.go
+++ b/internal/controller/kubecertagent/kubecertagent_test.go
@@ -28,7 +28,7 @@ import (
 	clocktesting "k8s.io/utils/clock/testing"
 	"k8s.io/utils/ptr"

-	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+	conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 	conciergefake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
 	conciergeinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"
 	"go.pinniped.dev/internal/controller/kubecertagent/mocks"
@@ -45,7 +45,7 @@ func TestAgentController(t *testing.T) {
 	t.Parallel()
 	now := time.Date(2021, 4, 13, 9, 57, 0, 0, time.UTC)

-	initialCredentialIssuer := &configv1alpha1.CredentialIssuer{
+	initialCredentialIssuer := &conciergeconfigv1alpha1.CredentialIssuer{
 		ObjectMeta: metav1.ObjectMeta{Name: "pinniped-concierge-config"},
 	}

@@ -247,7 +247,7 @@ func TestAgentController(t *testing.T) {
 		wantAgentDeployment              *appsv1.Deployment
 		wantDeploymentActionVerbs        []string
 		wantDeploymentDeleteActionOpts   []metav1.DeleteOptions
-		wantStrategy                     *configv1alpha1.CredentialIssuerStrategy
+		wantStrategy                     *conciergeconfigv1alpha1.CredentialIssuerStrategy
 	}{
 		{
 			name: "no CredentialIssuer found",
@@ -273,10 +273,10 @@ func TestAgentController(t *testing.T) {
 				"could not find a healthy kube-controller-manager pod (0 candidates): " +
 					"note that this error is the expected behavior for some cluster types, including most cloud provider clusters (e.g. GKE, AKS, EKS)",
 			},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:   configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status: configv1alpha1.ErrorStrategyStatus,
-				Reason: configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:   conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status: conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message: "could not find a healthy kube-controller-manager pod (0 candidates): " +
 					"note that this error is the expected behavior for some cluster types, including most cloud provider clusters (e.g. GKE, AKS, EKS)",
 				LastUpdateTime: metav1.NewTime(now),
@@ -317,10 +317,10 @@ func TestAgentController(t *testing.T) {
 			wantDistinctErrors: []string{
 				"could not find a healthy kube-controller-manager pod (2 candidates)",
 			},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        "could not find a healthy kube-controller-manager pod (2 candidates)",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -344,10 +344,10 @@ func TestAgentController(t *testing.T) {
 			wantDistinctLogs: []string{
 				`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","logger":"kube-cert-agent-controller","caller":"kubecertagent/kubecertagent.go:<line>$kubecertagent.(*agentController).createOrUpdateDeployment","message":"creating new deployment","deployment":{"name":"pinniped-concierge-kube-cert-agent","namespace":"concierge"},"templatePod":{"name":"kube-controller-manager-1","namespace":"kube-system"}}`,
 			},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        "could not ensure agent deployment: some creation error",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -393,10 +393,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeployment,
 			wantDeploymentActionVerbs: []string{"list", "watch", "create"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        "could not find a healthy agent pod (1 candidate)",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -442,10 +442,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeploymentWithDefaultedPaths,
 			wantDeploymentActionVerbs: []string{"list", "watch", "create"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        "could not find a healthy agent pod (1 candidate)",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -472,10 +472,10 @@ func TestAgentController(t *testing.T) {
 			wantDeploymentDeleteActionOpts: []metav1.DeleteOptions{
 				testutil.NewPreconditions(healthyAgentDeploymentWithOldStyleSelector.UID, healthyAgentDeploymentWithOldStyleSelector.ResourceVersion),
 			},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        "could not find a healthy agent pod (1 candidate)",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -508,10 +508,10 @@ func TestAgentController(t *testing.T) {
 				testutil.NewPreconditions(healthyAgentDeploymentWithOldStyleSelector.UID, healthyAgentDeploymentWithOldStyleSelector.ResourceVersion),
 				testutil.NewPreconditions(healthyAgentDeploymentWithOldStyleSelector.UID, healthyAgentDeploymentWithOldStyleSelector.ResourceVersion),
 			},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        "could not ensure agent deployment: some delete error",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -545,10 +545,10 @@ func TestAgentController(t *testing.T) {
 			wantDeploymentDeleteActionOpts: []metav1.DeleteOptions{
 				testutil.NewPreconditions(healthyAgentDeploymentWithOldStyleSelector.UID, healthyAgentDeploymentWithOldStyleSelector.ResourceVersion),
 			},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        "could not ensure agent deployment: some create error",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -591,10 +591,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeploymentWithExtraLabels,
 			wantDeploymentActionVerbs: []string{"list", "watch", "update"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        "could not find a healthy agent pod (1 candidate)",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -614,10 +614,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeploymentWithHostNetwork,
 			wantDeploymentActionVerbs: []string{"list", "watch", "update"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotGetClusterInfoStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason,
 				Message:        "failed to get kube-public/cluster-info configmap: configmap \"cluster-info\" not found",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -640,10 +640,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeployment,
 			wantDeploymentActionVerbs: []string{"list", "watch"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotGetClusterInfoStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason,
 				Message:        "failed to get kube-public/cluster-info configmap: configmap \"cluster-info\" not found",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -667,10 +667,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeployment,
 			wantDeploymentActionVerbs: []string{"list", "watch"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotGetClusterInfoStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason,
 				Message:        "could not extract Kubernetes API endpoint info from kube-public/cluster-info configmap: missing \"kubeconfig\" key",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -694,10 +694,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeployment,
 			wantDeploymentActionVerbs: []string{"list", "watch"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotGetClusterInfoStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason,
 				Message:        "could not extract Kubernetes API endpoint info from kube-public/cluster-info configmap: key \"kubeconfig\" does not contain a valid kubeconfig",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -721,10 +721,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeployment,
 			wantDeploymentActionVerbs: []string{"list", "watch"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotGetClusterInfoStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason,
 				Message:        "could not extract Kubernetes API endpoint info from kube-public/cluster-info configmap: kubeconfig in key \"kubeconfig\" does not contain any clusters",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -750,10 +750,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeployment,
 			wantDeploymentActionVerbs: []string{"list", "watch"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        "could not exec into agent pod concierge/pinniped-concierge-kube-cert-agent-xyz-1234: some exec error",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -779,10 +779,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeployment,
 			wantDeploymentActionVerbs: []string{"list", "watch"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        `failed to decode signing cert/key JSON from agent pod concierge/pinniped-concierge-kube-cert-agent-xyz-1234: invalid character 'b' looking for beginning of value`,
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -808,10 +808,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeployment,
 			wantDeploymentActionVerbs: []string{"list", "watch"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        `failed to decode signing cert base64 from agent pod concierge/pinniped-concierge-kube-cert-agent-xyz-1234: illegal base64 data at input byte 4`,
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -837,10 +837,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeployment,
 			wantDeploymentActionVerbs: []string{"list", "watch"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        `failed to decode signing key base64 from agent pod concierge/pinniped-concierge-kube-cert-agent-xyz-1234: illegal base64 data at input byte 4`,
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -869,10 +869,10 @@ func TestAgentController(t *testing.T) {
 			},
 			wantAgentDeployment:       healthyAgentDeployment,
 			wantDeploymentActionVerbs: []string{"list", "watch"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        "failed to set signing cert/key content from agent pod concierge/pinniped-concierge-kube-cert-agent-xyz-1234: some dynamic cert error",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -895,15 +895,15 @@ func TestAgentController(t *testing.T) {
 			wantDistinctErrors:        []string{""},
 			wantAgentDeployment:       healthyAgentDeployment,
 			wantDeploymentActionVerbs: []string{"list", "watch"},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.SuccessStrategyStatus,
-				Reason:         configv1alpha1.FetchedKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.FetchedKeyStrategyReason,
 				Message:        "key was fetched successfully",
 				LastUpdateTime: metav1.NewTime(now),
-				Frontend: &configv1alpha1.CredentialIssuerFrontend{
-					Type: configv1alpha1.TokenCredentialRequestAPIFrontendType,
-					TokenCredentialRequestAPIInfo: &configv1alpha1.TokenCredentialRequestAPIInfo{
+				Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+					Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
+					TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 						Server:                   "https://test-kubernetes-endpoint.example.com",
 						CertificateAuthorityData: "dGVzdC1rdWJlcm5ldGVzLWNh",
 					},
@@ -941,10 +941,10 @@ func TestAgentController(t *testing.T) {
 				testutil.NewPreconditions(healthyAgentDeploymentWithOldStyleSelector.UID, healthyAgentDeploymentWithOldStyleSelector.ResourceVersion),
 				testutil.NewPreconditions(healthyAgentDeploymentWithOldStyleSelector.UID, healthyAgentDeploymentWithOldStyleSelector.ResourceVersion),
 			},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.ErrorStrategyStatus,
-				Reason:         configv1alpha1.CouldNotFetchKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.ErrorStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 				Message:        "could not ensure agent deployment: some delete error",
 				LastUpdateTime: metav1.NewTime(now),
 			},
@@ -967,15 +967,15 @@ func TestAgentController(t *testing.T) {
 			wantDistinctLogs: []string{
 				`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","logger":"kube-cert-agent-controller","caller":"kubecertagent/kubecertagent.go:<line>$kubecertagent.(*agentController).loadSigningKey","message":"successfully loaded signing key from agent pod into cache"}`,
 			},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.SuccessStrategyStatus,
-				Reason:         configv1alpha1.FetchedKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.FetchedKeyStrategyReason,
 				Message:        "key was fetched successfully",
 				LastUpdateTime: metav1.NewTime(now),
-				Frontend: &configv1alpha1.CredentialIssuerFrontend{
-					Type: configv1alpha1.TokenCredentialRequestAPIFrontendType,
-					TokenCredentialRequestAPIInfo: &configv1alpha1.TokenCredentialRequestAPIInfo{
+				Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+					Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
+					TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 						Server:                   "https://test-kubernetes-endpoint.example.com",
 						CertificateAuthorityData: "dGVzdC1rdWJlcm5ldGVzLWNh",
 					},
@@ -1001,15 +1001,15 @@ func TestAgentController(t *testing.T) {
 			wantDistinctLogs: []string{
 				`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","logger":"kube-cert-agent-controller","caller":"kubecertagent/kubecertagent.go:<line>$kubecertagent.(*agentController).loadSigningKey","message":"successfully loaded signing key from agent pod into cache"}`,
 			},
-			wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
-				Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
-				Status:         configv1alpha1.SuccessStrategyStatus,
-				Reason:         configv1alpha1.FetchedKeyStrategyReason,
+			wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+				Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+				Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
+				Reason:         conciergeconfigv1alpha1.FetchedKeyStrategyReason,
 				Message:        "key was fetched successfully",
 				LastUpdateTime: metav1.NewTime(now),
-				Frontend: &configv1alpha1.CredentialIssuerFrontend{
-					Type: configv1alpha1.TokenCredentialRequestAPIFrontendType,
-					TokenCredentialRequestAPIInfo: &configv1alpha1.TokenCredentialRequestAPIInfo{
+				Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+					Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
+					TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 						Server:                   "https://overridden-server.example.com/some/path",
 						CertificateAuthorityData: "dGVzdC1rdWJlcm5ldGVzLWNh",
 					},
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
@@ -20,7 +20,7 @@ import (
 	corev1informers "k8s.io/client-go/informers/core/v1"

 	idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
-	pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+	supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 	idpinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/conditionsutil"
@@ -232,7 +232,7 @@ type activeDirectoryWatcherController struct {
 	cache                                   UpstreamActiveDirectoryIdentityProviderICache
 	validatedSettingsCache                  upstreamwatchers.ValidatedSettingsCacheI
 	ldapDialer                              upstreamldap.LDAPDialer
-	client                                  pinnipedsupervisorclientset.Interface
+	client                                  supervisorclientset.Interface
 	activeDirectoryIdentityProviderInformer idpinformers.ActiveDirectoryIdentityProviderInformer
 	secretInformer                          corev1informers.SecretInformer
 }
@@ -240,7 +240,7 @@ type activeDirectoryWatcherController struct {
 // New instantiates a new controllerlib.Controller which will populate the provided UpstreamActiveDirectoryIdentityProviderICache.
 func New(
 	idpCache UpstreamActiveDirectoryIdentityProviderICache,
-	client pinnipedsupervisorclientset.Interface,
+	client supervisorclientset.Interface,
 	activeDirectoryIdentityProviderInformer idpinformers.ActiveDirectoryIdentityProviderInformer,
 	secretInformer corev1informers.SecretInformer,
 	withInformer pinnipedcontroller.WithInformerOptionFunc,
@@ -263,7 +263,7 @@ func newInternal(
 	idpCache UpstreamActiveDirectoryIdentityProviderICache,
 	validatedSettingsCache upstreamwatchers.ValidatedSettingsCacheI,
 	ldapDialer upstreamldap.LDAPDialer,
-	client pinnipedsupervisorclientset.Interface,
+	client supervisorclientset.Interface,
 	activeDirectoryIdentityProviderInformer idpinformers.ActiveDirectoryIdentityProviderInformer,
 	secretInformer corev1informers.SecretInformer,
 	withInformer pinnipedcontroller.WithInformerOptionFunc,
--- a/internal/controller/supervisorconfig/federation_domain_watcher.go
+++ b/internal/controller/supervisorconfig/federation_domain_watcher.go
@@ -22,7 +22,7 @@ import (
 	"k8s.io/utils/clock"

 	supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
-	pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+	supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 	configinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1"
 	idpinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1"
 	"go.pinniped.dev/internal/celtransformer"
@@ -82,7 +82,7 @@ type federationDomainWatcherController struct {
 	federationDomainsSetter FederationDomainsSetter
 	apiGroup                string
 	clock                   clock.Clock
-	client                  pinnipedsupervisorclientset.Interface
+	client                  supervisorclientset.Interface

 	federationDomainInformer                configinformers.FederationDomainInformer
 	oidcIdentityProviderInformer            idpinformers.OIDCIdentityProviderInformer
@@ -99,7 +99,7 @@ func NewFederationDomainWatcherController(
 	federationDomainsSetter FederationDomainsSetter,
 	apiGroupSuffix string,
 	clock clock.Clock,
-	client pinnipedsupervisorclientset.Interface,
+	client supervisorclientset.Interface,
 	federationDomainInformer configinformers.FederationDomainInformer,
 	oidcIdentityProviderInformer idpinformers.OIDCIdentityProviderInformer,
 	ldapIdentityProviderInformer idpinformers.LDAPIdentityProviderInformer,
--- a/internal/controller/supervisorconfig/generator/federation_domain_secrets.go
+++ b/internal/controller/supervisorconfig/generator/federation_domain_secrets.go
@@ -17,7 +17,7 @@ import (
 	"k8s.io/klog/v2"

 	supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
-	pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+	supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 	configinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controllerlib"
@@ -28,7 +28,7 @@ type federationDomainSecretsController struct {
 	secretHelper             SecretHelper
 	secretRefFunc            func(domain *supervisorconfigv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference
 	kubeClient               kubernetes.Interface
-	pinnipedClient           pinnipedsupervisorclientset.Interface
+	pinnipedClient           supervisorclientset.Interface
 	federationDomainInformer configinformers.FederationDomainInformer
 	secretInformer           corev1informers.SecretInformer
 }
@@ -40,7 +40,7 @@ func NewFederationDomainSecretsController(
 	secretHelper SecretHelper,
 	secretRefFunc func(domain *supervisorconfigv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference,
 	kubeClient kubernetes.Interface,
-	pinnipedClient pinnipedsupervisorclientset.Interface,
+	pinnipedClient supervisorclientset.Interface,
 	secretInformer corev1informers.SecretInformer,
 	federationDomainInformer configinformers.FederationDomainInformer,
 	withInformer pinnipedcontroller.WithInformerOptionFunc,
--- a/internal/controller/supervisorconfig/jwks_writer.go
+++ b/internal/controller/supervisorconfig/jwks_writer.go
@@ -23,7 +23,7 @@ import (
 	"k8s.io/klog/v2"

 	supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
-	pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+	supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 	configinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/supervisorconfig/generator"
@@ -60,7 +60,7 @@ func generateECKey(r io.Reader) (any, error) {
 // secrets, both via a cache and via the API.
 type jwksWriterController struct {
 	jwksSecretLabels         map[string]string
-	pinnipedClient           pinnipedsupervisorclientset.Interface
+	pinnipedClient           supervisorclientset.Interface
 	kubeClient               kubernetes.Interface
 	federationDomainInformer configinformers.FederationDomainInformer
 	secretInformer           corev1informers.SecretInformer
@@ -71,7 +71,7 @@ type jwksWriterController struct {
 func NewJWKSWriterController(
 	jwksSecretLabels map[string]string,
 	kubeClient kubernetes.Interface,
-	pinnipedClient pinnipedsupervisorclientset.Interface,
+	pinnipedClient supervisorclientset.Interface,
 	secretInformer corev1informers.SecretInformer,
 	federationDomainInformer configinformers.FederationDomainInformer,
 	withInformer pinnipedcontroller.WithInformerOptionFunc,