diff --git a/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl b/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
index db9f4ceff..85ea7a94c 100644
--- a/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
@@ -3,12 +3,26 @@ package v1alpha1
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+ // CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+ CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+ // CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+ // Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+ CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
 // CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
 type CertificateAuthorityDataSourceSpec struct {
 // Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
- // Secrets must be of type kubernetes.io/tls or Opaque.
 // Allowed values are "Secret" or "ConfigMap".
- // +kubebuilder:validation:Enum=Secret;ConfigMap
+ // "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+ // "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
 Kind string `json:"kind"`
 // Name is the resource name of the secret or configmap from which to read the CA bundle.
 // The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
diff --git a/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl b/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
index 70f1c71cc..8c28d7505 100644
--- a/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
@@ -3,12 +3,26 @@ package v1alpha1
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+ // CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+ CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+ // CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+ // Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+ CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
 // CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
 type CertificateAuthorityDataSourceSpec struct {
 // Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
- // Secrets must be of type kubernetes.io/tls or Opaque.
 // Allowed values are "Secret" or "ConfigMap".
- // +kubebuilder:validation:Enum=Secret;ConfigMap
+ // "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+ // "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
 Kind string `json:"kind"`
 // Name is the resource name of the secret or configmap from which to read the CA bundle.
 // The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
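Review bot: `Kind` is still declared as `string` on the unchanged context line of `CertificateAuthorityDataSourceSpec`, while the `+kubebuilder:validation:Enum=Secret;ConfigMap` marker now sits only on the new `CertificateAuthorityDataSourceKind` type, so as far as this hunk shows the marker no longer reaches the field. If nothing else in the commit compensates, the generated CRD schema would presumably stop rejecting `kind` values other than `Secret` and `ConfigMap` at admission, leaving that check to whatever code later loads the CA bundle for TLS verification. Typing the field with the new enum keeps the schema constraint: ``Kind CertificateAuthorityDataSourceKind `json:"kind"` ``. The same applies to the identical hunk in apis/concierge/authentication/v1alpha1/types_tls.go.tmpl; the struct body continues outside both hunks.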