From 81390bba89b0051e0323ec1ca623c0db571c72f2 Mon Sep 17 00:00:00 2001
From: Matt Moyer <moyerm@vmware.com>
Date: Fri, 30 Oct 2020 10:51:56 -0500
Subject: [PATCH 1/5] Rename `idp.pinniped.dev` to
 `idp.concierge.pinniped.dev`.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
---
 apis/{ => concierge}/idp/doc.go.tmpl          |   2 +-
 .../idp/v1alpha1/conversion.go.tmpl           |   0
 .../idp/v1alpha1/defaults.go.tmpl             |   0
 apis/{ => concierge}/idp/v1alpha1/doc.go.tmpl |   4 +-
 .../idp/v1alpha1/register.go.tmpl             |   2 +-
 .../idp/v1alpha1/types_meta.go.tmpl           |   0
 .../idp/v1alpha1/types_tls.go.tmpl            |   0
 .../idp/v1alpha1/types_webhook.go.tmpl        |   0
 cmd/pinniped/cmd/exchange_credential.go       |   2 +-
 cmd/pinniped/cmd/get_kubeconfig_test.go       |   2 +-
 ...pinniped.dev_webhookidentityproviders.yaml |   4 +-
 deploy/concierge/rbac.yaml                    |   2 +-
 deploy/concierge/z0_crd_overlay.yaml          |   2 +-
 doc/demo.md                                   |   2 +-
 generated/1.17/README.adoc                    |  34 +-
 .../apis => 1.17/apis/concierge}/idp/doc.go   |   2 +-
 .../idp/v1alpha1/conversion.go                |   0
 .../{ => concierge}/idp/v1alpha1/defaults.go  |   0
 .../apis/concierge}/idp/v1alpha1/doc.go       |   4 +-
 .../{ => concierge}/idp/v1alpha1/register.go  |   2 +-
 .../idp/v1alpha1/types_meta.go                |   0
 .../{ => concierge}/idp/v1alpha1/types_tls.go |   0
 .../idp/v1alpha1/types_webhook.go             |   0
 .../idp/v1alpha1/zz_generated.conversion.go   |   0
 .../idp/v1alpha1/zz_generated.deepcopy.go     |   0
 .../idp/v1alpha1/zz_generated.defaults.go     |   0
 .../idp/zz_generated.deepcopy.go              |   0
 .../clientset/versioned/fake/register.go      |   2 +-
 .../clientset/versioned/scheme/register.go    |   2 +-
 .../fake/fake_webhookidentityprovider.go      |   6 +-
 .../typed/idp/v1alpha1/idp_client.go          |   4 +-
 .../idp/v1alpha1/webhookidentityprovider.go   |   2 +-
 .../informers/externalversions/generic.go     |   4 +-
 .../idp/v1alpha1/webhookidentityprovider.go   |   2 +-
 .../idp/v1alpha1/webhookidentityprovider.go   |   2 +-
 .../client/openapi/zz_generated.openapi.go    | 488 +++++++++---------
 ...inniped.dev_webhookidentityproviders.yaml} |   4 +-
 generated/1.18/README.adoc                    |  34 +-
 .../1.18/apis/{ => concierge}/idp/doc.go      |   2 +-
 .../idp/v1alpha1/conversion.go                |   0
 .../{ => concierge}/idp/v1alpha1/defaults.go  |   0
 .../apis/concierge}/idp/v1alpha1/doc.go       |   4 +-
 .../{ => concierge}/idp/v1alpha1/register.go  |   2 +-
 .../idp/v1alpha1/types_meta.go                |   0
 .../{ => concierge}/idp/v1alpha1/types_tls.go |   0
 .../idp/v1alpha1/types_webhook.go             |   0
 .../idp/v1alpha1/zz_generated.conversion.go   |   0
 .../idp/v1alpha1/zz_generated.deepcopy.go     |   0
 .../idp/v1alpha1/zz_generated.defaults.go     |   0
 .../idp/zz_generated.deepcopy.go              |   0
 .../clientset/versioned/fake/register.go      |   2 +-
 .../clientset/versioned/scheme/register.go    |   2 +-
 .../fake/fake_webhookidentityprovider.go      |   6 +-
 .../typed/idp/v1alpha1/idp_client.go          |   4 +-
 .../idp/v1alpha1/webhookidentityprovider.go   |   2 +-
 .../informers/externalversions/generic.go     |   4 +-
 .../idp/v1alpha1/webhookidentityprovider.go   |   2 +-
 .../idp/v1alpha1/webhookidentityprovider.go   |   2 +-
 .../client/openapi/zz_generated.openapi.go    | 488 +++++++++---------
 ...pinniped.dev_webhookidentityproviders.yaml |   4 +-
 generated/1.19/README.adoc                    |  34 +-
 .../apis => 1.19/apis/concierge}/idp/doc.go   |   2 +-
 .../idp/v1alpha1/conversion.go                |   0
 .../{ => concierge}/idp/v1alpha1/defaults.go  |   0
 .../apis/{ => concierge}/idp/v1alpha1/doc.go  |   4 +-
 .../{ => concierge}/idp/v1alpha1/register.go  |   2 +-
 .../idp/v1alpha1/types_meta.go                |   0
 .../{ => concierge}/idp/v1alpha1/types_tls.go |   0
 .../idp/v1alpha1/types_webhook.go             |   0
 .../idp/v1alpha1/zz_generated.conversion.go   |   0
 .../idp/v1alpha1/zz_generated.deepcopy.go     |   0
 .../idp/v1alpha1/zz_generated.defaults.go     |   0
 .../idp/zz_generated.deepcopy.go              |   0
 .../clientset/versioned/fake/register.go      |   2 +-
 .../clientset/versioned/scheme/register.go    |   2 +-
 .../fake/fake_webhookidentityprovider.go      |   6 +-
 .../typed/idp/v1alpha1/idp_client.go          |   4 +-
 .../idp/v1alpha1/webhookidentityprovider.go   |   2 +-
 .../informers/externalversions/generic.go     |   4 +-
 .../idp/v1alpha1/webhookidentityprovider.go   |   2 +-
 .../idp/v1alpha1/webhookidentityprovider.go   |   2 +-
 .../client/openapi/zz_generated.openapi.go    | 488 +++++++++---------
 ...inniped.dev_webhookidentityproviders.yaml} |   4 +-
 hack/lib/docs/config.yaml                     |   2 +-
 hack/lib/tilt/Tiltfile                        |   2 +-
 hack/lib/update-codegen.sh                    |   8 +-
 internal/client/client_test.go                |   4 +-
 .../identityprovider/idpcache/cache_test.go   |   2 +-
 .../webhookcachecleaner.go                    |   2 +-
 .../webhookcachecleaner_test.go               |   8 +-
 .../webhookcachefiller/webhookcachefiller.go  |   2 +-
 .../webhookcachefiller_test.go                |   2 +-
 .../concierge_credentialrequest_test.go       |   2 +-
 test/integration/kube_api_discovery_test.go   |   8 +-
 test/library/client.go                        |   2 +-
 test/library/env.go                           |   2 +-
 96 files changed, 871 insertions(+), 871 deletions(-)
 rename apis/{ => concierge}/idp/doc.go.tmpl (84%)
 rename apis/{ => concierge}/idp/v1alpha1/conversion.go.tmpl (100%)
 rename apis/{ => concierge}/idp/v1alpha1/defaults.go.tmpl (100%)
 rename apis/{ => concierge}/idp/v1alpha1/doc.go.tmpl (73%)
 rename apis/{ => concierge}/idp/v1alpha1/register.go.tmpl (96%)
 rename apis/{ => concierge}/idp/v1alpha1/types_meta.go.tmpl (100%)
 rename apis/{ => concierge}/idp/v1alpha1/types_tls.go.tmpl (100%)
 rename apis/{ => concierge}/idp/v1alpha1/types_webhook.go.tmpl (100%)
 rename generated/1.17/crds/idp.pinniped.dev_webhookidentityproviders.yaml => deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml (98%)
 rename generated/{1.19/apis => 1.17/apis/concierge}/idp/doc.go (84%)
 rename generated/1.17/apis/{ => concierge}/idp/v1alpha1/conversion.go (100%)
 rename generated/1.17/apis/{ => concierge}/idp/v1alpha1/defaults.go (100%)
 rename generated/{1.18/apis => 1.17/apis/concierge}/idp/v1alpha1/doc.go (73%)
 rename generated/1.17/apis/{ => concierge}/idp/v1alpha1/register.go (96%)
 rename generated/1.17/apis/{ => concierge}/idp/v1alpha1/types_meta.go (100%)
 rename generated/1.17/apis/{ => concierge}/idp/v1alpha1/types_tls.go (100%)
 rename generated/1.17/apis/{ => concierge}/idp/v1alpha1/types_webhook.go (100%)
 rename generated/1.17/apis/{ => concierge}/idp/v1alpha1/zz_generated.conversion.go (100%)
 rename generated/1.17/apis/{ => concierge}/idp/v1alpha1/zz_generated.deepcopy.go (100%)
 rename generated/1.17/apis/{ => concierge}/idp/v1alpha1/zz_generated.defaults.go (100%)
 rename generated/1.17/apis/{ => concierge}/idp/zz_generated.deepcopy.go (100%)
 rename generated/{1.18/crds/idp.pinniped.dev_webhookidentityproviders.yaml => 1.17/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml} (98%)
 rename generated/1.18/apis/{ => concierge}/idp/doc.go (84%)
 rename generated/1.18/apis/{ => concierge}/idp/v1alpha1/conversion.go (100%)
 rename generated/1.18/apis/{ => concierge}/idp/v1alpha1/defaults.go (100%)
 rename generated/{1.17/apis => 1.18/apis/concierge}/idp/v1alpha1/doc.go (73%)
 rename generated/1.18/apis/{ => concierge}/idp/v1alpha1/register.go (96%)
 rename generated/1.18/apis/{ => concierge}/idp/v1alpha1/types_meta.go (100%)
 rename generated/1.18/apis/{ => concierge}/idp/v1alpha1/types_tls.go (100%)
 rename generated/1.18/apis/{ => concierge}/idp/v1alpha1/types_webhook.go (100%)
 rename generated/1.18/apis/{ => concierge}/idp/v1alpha1/zz_generated.conversion.go (100%)
 rename generated/1.18/apis/{ => concierge}/idp/v1alpha1/zz_generated.deepcopy.go (100%)
 rename generated/1.18/apis/{ => concierge}/idp/v1alpha1/zz_generated.defaults.go (100%)
 rename generated/1.18/apis/{ => concierge}/idp/zz_generated.deepcopy.go (100%)
 rename deploy/concierge/idp.pinniped.dev_webhookidentityproviders.yaml => generated/1.18/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml (98%)
 rename generated/{1.17/apis => 1.19/apis/concierge}/idp/doc.go (84%)
 rename generated/1.19/apis/{ => concierge}/idp/v1alpha1/conversion.go (100%)
 rename generated/1.19/apis/{ => concierge}/idp/v1alpha1/defaults.go (100%)
 rename generated/1.19/apis/{ => concierge}/idp/v1alpha1/doc.go (73%)
 rename generated/1.19/apis/{ => concierge}/idp/v1alpha1/register.go (96%)
 rename generated/1.19/apis/{ => concierge}/idp/v1alpha1/types_meta.go (100%)
 rename generated/1.19/apis/{ => concierge}/idp/v1alpha1/types_tls.go (100%)
 rename generated/1.19/apis/{ => concierge}/idp/v1alpha1/types_webhook.go (100%)
 rename generated/1.19/apis/{ => concierge}/idp/v1alpha1/zz_generated.conversion.go (100%)
 rename generated/1.19/apis/{ => concierge}/idp/v1alpha1/zz_generated.deepcopy.go (100%)
 rename generated/1.19/apis/{ => concierge}/idp/v1alpha1/zz_generated.defaults.go (100%)
 rename generated/1.19/apis/{ => concierge}/idp/zz_generated.deepcopy.go (100%)
 rename generated/1.19/crds/{idp.pinniped.dev_webhookidentityproviders.yaml => idp.concierge.pinniped.dev_webhookidentityproviders.yaml} (98%)

diff --git a/apis/idp/doc.go.tmpl b/apis/concierge/idp/doc.go.tmpl
similarity index 84%
rename from apis/idp/doc.go.tmpl
rename to apis/concierge/idp/doc.go.tmpl
index 17d329436..22adc1b52 100644
--- a/apis/idp/doc.go.tmpl
+++ b/apis/concierge/idp/doc.go.tmpl
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 // +k8s:deepcopy-gen=package
-// +groupName=idp.pinniped.dev
+// +groupName=idp.concierge.pinniped.dev
 
 // Package idp is the internal version of the Pinniped identity provider API.
 package idp
diff --git a/apis/idp/v1alpha1/conversion.go.tmpl b/apis/concierge/idp/v1alpha1/conversion.go.tmpl
similarity index 100%
rename from apis/idp/v1alpha1/conversion.go.tmpl
rename to apis/concierge/idp/v1alpha1/conversion.go.tmpl
diff --git a/apis/idp/v1alpha1/defaults.go.tmpl b/apis/concierge/idp/v1alpha1/defaults.go.tmpl
similarity index 100%
rename from apis/idp/v1alpha1/defaults.go.tmpl
rename to apis/concierge/idp/v1alpha1/defaults.go.tmpl
diff --git a/apis/idp/v1alpha1/doc.go.tmpl b/apis/concierge/idp/v1alpha1/doc.go.tmpl
similarity index 73%
rename from apis/idp/v1alpha1/doc.go.tmpl
rename to apis/concierge/idp/v1alpha1/doc.go.tmpl
index 1837041f6..86223a810 100644
--- a/apis/idp/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/idp/v1alpha1/doc.go.tmpl
@@ -3,9 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/idp
+// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/concierge/idp
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=idp.pinniped.dev
+// +groupName=idp.concierge.pinniped.dev
 // +groupGoName=IDP
 
 // Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
diff --git a/apis/idp/v1alpha1/register.go.tmpl b/apis/concierge/idp/v1alpha1/register.go.tmpl
similarity index 96%
rename from apis/idp/v1alpha1/register.go.tmpl
rename to apis/concierge/idp/v1alpha1/register.go.tmpl
index 494aef367..021640359 100644
--- a/apis/idp/v1alpha1/register.go.tmpl
+++ b/apis/concierge/idp/v1alpha1/register.go.tmpl
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "idp.pinniped.dev"
+const GroupName = "idp.concierge.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/apis/idp/v1alpha1/types_meta.go.tmpl b/apis/concierge/idp/v1alpha1/types_meta.go.tmpl
similarity index 100%
rename from apis/idp/v1alpha1/types_meta.go.tmpl
rename to apis/concierge/idp/v1alpha1/types_meta.go.tmpl
diff --git a/apis/idp/v1alpha1/types_tls.go.tmpl b/apis/concierge/idp/v1alpha1/types_tls.go.tmpl
similarity index 100%
rename from apis/idp/v1alpha1/types_tls.go.tmpl
rename to apis/concierge/idp/v1alpha1/types_tls.go.tmpl
diff --git a/apis/idp/v1alpha1/types_webhook.go.tmpl b/apis/concierge/idp/v1alpha1/types_webhook.go.tmpl
similarity index 100%
rename from apis/idp/v1alpha1/types_webhook.go.tmpl
rename to apis/concierge/idp/v1alpha1/types_webhook.go.tmpl
diff --git a/cmd/pinniped/cmd/exchange_credential.go b/cmd/pinniped/cmd/exchange_credential.go
index 77679b8fb..919411005 100644
--- a/cmd/pinniped/cmd/exchange_credential.go
+++ b/cmd/pinniped/cmd/exchange_credential.go
@@ -16,7 +16,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	"go.pinniped.dev/internal/client"
 	"go.pinniped.dev/internal/constable"
 	"go.pinniped.dev/internal/here"
diff --git a/cmd/pinniped/cmd/get_kubeconfig_test.go b/cmd/pinniped/cmd/get_kubeconfig_test.go
index 7834e1b44..231425912 100644
--- a/cmd/pinniped/cmd/get_kubeconfig_test.go
+++ b/cmd/pinniped/cmd/get_kubeconfig_test.go
@@ -17,8 +17,8 @@ import (
 	"k8s.io/client-go/rest"
 	coretesting "k8s.io/client-go/testing"
 
+	idpv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
-	idpv1alpha "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
 	pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
 	pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
 	"go.pinniped.dev/internal/here"
diff --git a/generated/1.17/crds/idp.pinniped.dev_webhookidentityproviders.yaml b/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
similarity index 98%
rename from generated/1.17/crds/idp.pinniped.dev_webhookidentityproviders.yaml
rename to deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
index 213b7ad20..af2416426 100644
--- a/generated/1.17/crds/idp.pinniped.dev_webhookidentityproviders.yaml
+++ b/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.idp.pinniped.dev
+  name: webhookidentityproviders.idp.concierge.pinniped.dev
 spec:
-  group: idp.pinniped.dev
+  group: idp.concierge.pinniped.dev
   names:
     categories:
     - all
diff --git a/deploy/concierge/rbac.yaml b/deploy/concierge/rbac.yaml
index 149ca4b33..1571d56dd 100644
--- a/deploy/concierge/rbac.yaml
+++ b/deploy/concierge/rbac.yaml
@@ -59,7 +59,7 @@ rules:
   - apiGroups: [ "" ]
     resources: [ pods/exec ]
     verbs: [ create ]
-  - apiGroups: [ config.pinniped.dev, idp.pinniped.dev ]
+  - apiGroups: [ config.pinniped.dev, idp.concierge.pinniped.dev ]
     resources: [ "*" ]
     verbs: [ create, get, list, update, watch ]
 ---
diff --git a/deploy/concierge/z0_crd_overlay.yaml b/deploy/concierge/z0_crd_overlay.yaml
index dfece13bb..7f637f7e8 100644
--- a/deploy/concierge/z0_crd_overlay.yaml
+++ b/deploy/concierge/z0_crd_overlay.yaml
@@ -10,7 +10,7 @@ metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
 
-#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookidentityproviders.idp.pinniped.dev"}}), expects=1
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookidentityproviders.idp.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
diff --git a/doc/demo.md b/doc/demo.md
index 6318988cd..8cc1a3688 100644
--- a/doc/demo.md
+++ b/doc/demo.md
@@ -122,7 +122,7 @@ as the identity provider.
 
     ```bash
     cat <<EOF | kubectl create --namespace pinniped -f -
-    apiVersion: idp.pinniped.dev/v1alpha1
+    apiVersion: idp.concierge.pinniped.dev/v1alpha1
     kind: WebhookIdentityProvider
     metadata:
       name: local-user-authenticator
diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc
index baf568de7..9cf1ecfda 100644
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -6,7 +6,7 @@
 
 .Packages
 - xref:{anchor_prefix}-config-pinniped-dev-v1alpha1[$$config.pinniped.dev/v1alpha1$$]
-- xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1[$$idp.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 
 
@@ -161,21 +161,21 @@ OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC
 
 
 
-[id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"]
-=== idp.pinniped.dev/v1alpha1
+[id="{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1"]
+=== idp.concierge.pinniped.dev/v1alpha1
 
 Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-condition"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-condition"]
 ==== Condition 
 
 Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -190,14 +190,14 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-tlsspec"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
 Configuration for configuring TLS on various identity providers.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -207,14 +207,14 @@ Configuration for configuring TLS on various identity providers.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-webhookidentityprovider"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityprovider"]
 ==== WebhookIdentityProvider 
 
 WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -222,45 +222,45 @@ WebhookIdentityProvider describes the configuration of a Pinniped webhook identi
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
 |===
 
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderspec"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderspec"]
 ==== WebhookIdentityProviderSpec 
 
 Spec for configuring a webhook identity provider.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
 ****
 
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
 | *`endpoint`* __string__ | Webhook server endpoint URL.
-| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus"]
 ==== WebhookIdentityProviderStatus 
 
 Status of a webhook identity provider.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
 ****
 
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
 |===
 
 
diff --git a/generated/1.19/apis/idp/doc.go b/generated/1.17/apis/concierge/idp/doc.go
similarity index 84%
rename from generated/1.19/apis/idp/doc.go
rename to generated/1.17/apis/concierge/idp/doc.go
index 17d329436..22adc1b52 100644
--- a/generated/1.19/apis/idp/doc.go
+++ b/generated/1.17/apis/concierge/idp/doc.go
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 // +k8s:deepcopy-gen=package
-// +groupName=idp.pinniped.dev
+// +groupName=idp.concierge.pinniped.dev
 
 // Package idp is the internal version of the Pinniped identity provider API.
 package idp
diff --git a/generated/1.17/apis/idp/v1alpha1/conversion.go b/generated/1.17/apis/concierge/idp/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.17/apis/idp/v1alpha1/conversion.go
rename to generated/1.17/apis/concierge/idp/v1alpha1/conversion.go
diff --git a/generated/1.17/apis/idp/v1alpha1/defaults.go b/generated/1.17/apis/concierge/idp/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.17/apis/idp/v1alpha1/defaults.go
rename to generated/1.17/apis/concierge/idp/v1alpha1/defaults.go
diff --git a/generated/1.18/apis/idp/v1alpha1/doc.go b/generated/1.17/apis/concierge/idp/v1alpha1/doc.go
similarity index 73%
rename from generated/1.18/apis/idp/v1alpha1/doc.go
rename to generated/1.17/apis/concierge/idp/v1alpha1/doc.go
index 95225bb6c..e756111be 100644
--- a/generated/1.18/apis/idp/v1alpha1/doc.go
+++ b/generated/1.17/apis/concierge/idp/v1alpha1/doc.go
@@ -3,9 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.18/apis/idp
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.17/apis/concierge/idp
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=idp.pinniped.dev
+// +groupName=idp.concierge.pinniped.dev
 // +groupGoName=IDP
 
 // Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
diff --git a/generated/1.17/apis/idp/v1alpha1/register.go b/generated/1.17/apis/concierge/idp/v1alpha1/register.go
similarity index 96%
rename from generated/1.17/apis/idp/v1alpha1/register.go
rename to generated/1.17/apis/concierge/idp/v1alpha1/register.go
index 494aef367..021640359 100644
--- a/generated/1.17/apis/idp/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/idp/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "idp.pinniped.dev"
+const GroupName = "idp.concierge.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.17/apis/idp/v1alpha1/types_meta.go b/generated/1.17/apis/concierge/idp/v1alpha1/types_meta.go
similarity index 100%
rename from generated/1.17/apis/idp/v1alpha1/types_meta.go
rename to generated/1.17/apis/concierge/idp/v1alpha1/types_meta.go
diff --git a/generated/1.17/apis/idp/v1alpha1/types_tls.go b/generated/1.17/apis/concierge/idp/v1alpha1/types_tls.go
similarity index 100%
rename from generated/1.17/apis/idp/v1alpha1/types_tls.go
rename to generated/1.17/apis/concierge/idp/v1alpha1/types_tls.go
diff --git a/generated/1.17/apis/idp/v1alpha1/types_webhook.go b/generated/1.17/apis/concierge/idp/v1alpha1/types_webhook.go
similarity index 100%
rename from generated/1.17/apis/idp/v1alpha1/types_webhook.go
rename to generated/1.17/apis/concierge/idp/v1alpha1/types_webhook.go
diff --git a/generated/1.17/apis/idp/v1alpha1/zz_generated.conversion.go b/generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.conversion.go
similarity index 100%
rename from generated/1.17/apis/idp/v1alpha1/zz_generated.conversion.go
rename to generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.conversion.go
diff --git a/generated/1.17/apis/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.17/apis/idp/v1alpha1/zz_generated.deepcopy.go
rename to generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go
diff --git a/generated/1.17/apis/idp/v1alpha1/zz_generated.defaults.go b/generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.defaults.go
similarity index 100%
rename from generated/1.17/apis/idp/v1alpha1/zz_generated.defaults.go
rename to generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.defaults.go
diff --git a/generated/1.17/apis/idp/zz_generated.deepcopy.go b/generated/1.17/apis/concierge/idp/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.17/apis/idp/zz_generated.deepcopy.go
rename to generated/1.17/apis/concierge/idp/zz_generated.deepcopy.go
diff --git a/generated/1.17/client/clientset/versioned/fake/register.go b/generated/1.17/client/clientset/versioned/fake/register.go
index c4ef82154..2866783b8 100644
--- a/generated/1.17/client/clientset/versioned/fake/register.go
+++ b/generated/1.17/client/clientset/versioned/fake/register.go
@@ -6,9 +6,9 @@
 package fake
 
 import (
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
diff --git a/generated/1.17/client/clientset/versioned/scheme/register.go b/generated/1.17/client/clientset/versioned/scheme/register.go
index 2c313538b..9d4e26ea0 100644
--- a/generated/1.17/client/clientset/versioned/scheme/register.go
+++ b/generated/1.17/client/clientset/versioned/scheme/register.go
@@ -6,9 +6,9 @@
 package scheme
 
 import (
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
index e1c46f391..1d87624bd 100644
--- a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
+++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
@@ -6,7 +6,7 @@
 package fake
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -21,9 +21,9 @@ type FakeWebhookIdentityProviders struct {
 	ns   string
 }
 
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
+var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
 
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
+var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
 
 // Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
 func (c *FakeWebhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
index fad008c10..4b5cb0c41 100644
--- a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
+++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
 	"go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
 	rest "k8s.io/client-go/rest"
 )
@@ -16,7 +16,7 @@ type IDPV1alpha1Interface interface {
 	WebhookIdentityProvidersGetter
 }
 
-// IDPV1alpha1Client is used to interact with features provided by the idp.pinniped.dev group.
+// IDPV1alpha1Client is used to interact with features provided by the idp.concierge.pinniped.dev group.
 type IDPV1alpha1Client struct {
 	restClient rest.Interface
 }
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
index 9798d2214..afd49019a 100644
--- a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
@@ -8,7 +8,7 @@ package v1alpha1
 import (
 	"time"
 
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
diff --git a/generated/1.17/client/informers/externalversions/generic.go b/generated/1.17/client/informers/externalversions/generic.go
index e5ec9e49c..6e1501702 100644
--- a/generated/1.17/client/informers/externalversions/generic.go
+++ b/generated/1.17/client/informers/externalversions/generic.go
@@ -8,9 +8,9 @@ package externalversions
 import (
 	"fmt"
 
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1"
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -47,7 +47,7 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
-		// Group=idp.pinniped.dev, Version=v1alpha1
+		// Group=idp.concierge.pinniped.dev, Version=v1alpha1
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 
diff --git a/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
index 5ed462b97..246ac27bd 100644
--- a/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
@@ -8,7 +8,7 @@ package v1alpha1
 import (
 	time "time"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.17/client/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.17/client/listers/idp/v1alpha1"
diff --git a/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go
index 1081006af..afe205731 100644
--- a/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
diff --git a/generated/1.17/client/openapi/zz_generated.openapi.go b/generated/1.17/client/openapi/zz_generated.openapi.go
index 9ce251b34..9350e05af 100644
--- a/generated/1.17/client/openapi/zz_generated.openapi.go
+++ b/generated/1.17/client/openapi/zz_generated.openapi.go
@@ -17,6 +17,12 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
+		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.Condition":                      schema_apis_concierge_idp_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.TLSSpec":                        schema_apis_concierge_idp_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProvider":        schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderList":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus":  schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
 		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":            schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
 		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":       schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
 		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
@@ -31,12 +37,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigList":                schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref),
 		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec":                schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
 		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigStatus":              schema_117_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.Condition":                                schema_117_apis_idp_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.TLSSpec":                                  schema_117_apis_idp_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider":                  schema_117_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderList":              schema_117_apis_idp_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec":              schema_117_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus":            schema_117_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
 		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                             schema_pkg_apis_meta_v1_APIGroup(ref),
 		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                         schema_pkg_apis_meta_v1_APIGroupList(ref),
 		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                          schema_pkg_apis_meta_v1_APIResource(ref),
@@ -91,6 +91,244 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 	}
 }
 
+func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"type": {
+						SchemaProps: spec.SchemaProps{
+							Description: "type of condition in CamelCase or in foo.example.com/CamelCase.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "status of the condition, one of True, False, Unknown.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"observedGeneration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
+					"lastTransitionTime": {
+						SchemaProps: spec.SchemaProps{
+							Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+						},
+					},
+					"reason": {
+						SchemaProps: spec.SchemaProps{
+							Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"message": {
+						SchemaProps: spec.SchemaProps{
+							Description: "message is a human readable message indicating details about the transition. This may be an empty string.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"type", "status", "lastTransitionTime", "reason", "message"},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Configuration for configuring TLS on various identity providers.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"certificateAuthorityData": {
+						SchemaProps: spec.SchemaProps{
+							Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec for configuring the identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status of the identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus"),
+						},
+					},
+				},
+				Required: []string{"spec"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "List of WebhookIdentityProvider objects.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProvider"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Spec for configuring a webhook identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"endpoint": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Webhook server endpoint URL.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"tls": {
+						SchemaProps: spec.SchemaProps{
+							Description: "TLS configuration.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.TLSSpec"),
+						},
+					},
+				},
+				Required: []string{"endpoint"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.TLSSpec"},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Status of a webhook identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"conditions": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-map-keys": []interface{}{
+									"type",
+								},
+								"x-kubernetes-list-type":       "map",
+								"x-kubernetes-patch-merge-key": "type",
+								"x-kubernetes-patch-strategy":  "merge",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "Represents the observations of an identity provider's current state.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.Condition"),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.Condition"},
+	}
+}
+
 func schema_apis_concierge_login_v1alpha1_ClusterCredential(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -642,244 +880,6 @@ func schema_117_apis_config_v1alpha1_OIDCProviderConfigStatus(ref common.Referen
 	}
 }
 
-func schema_117_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"type": {
-						SchemaProps: spec.SchemaProps{
-							Description: "type of condition in CamelCase or in foo.example.com/CamelCase.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"status": {
-						SchemaProps: spec.SchemaProps{
-							Description: "status of the condition, one of True, False, Unknown.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"observedGeneration": {
-						SchemaProps: spec.SchemaProps{
-							Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
-							Type:        []string{"integer"},
-							Format:      "int64",
-						},
-					},
-					"lastTransitionTime": {
-						SchemaProps: spec.SchemaProps{
-							Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
-						},
-					},
-					"reason": {
-						SchemaProps: spec.SchemaProps{
-							Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"message": {
-						SchemaProps: spec.SchemaProps{
-							Description: "message is a human readable message indicating details about the transition. This may be an empty string.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-				},
-				Required: []string{"type", "status", "lastTransitionTime", "reason", "message"},
-			},
-		},
-		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
-	}
-}
-
-func schema_117_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Configuration for configuring TLS on various identity providers.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"certificateAuthorityData": {
-						SchemaProps: spec.SchemaProps{
-							Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
-func schema_117_apis_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"kind": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"apiVersion": {
-						SchemaProps: spec.SchemaProps{
-							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"metadata": {
-						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
-						},
-					},
-					"spec": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec"),
-						},
-					},
-					"status": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus"),
-						},
-					},
-				},
-				Required: []string{"spec"},
-			},
-		},
-		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
-	}
-}
-
-func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "List of WebhookIdentityProvider objects.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"kind": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"apiVersion": {
-						SchemaProps: spec.SchemaProps{
-							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"metadata": {
-						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
-						},
-					},
-					"items": {
-						SchemaProps: spec.SchemaProps{
-							Type: []string{"array"},
-							Items: &spec.SchemaOrArray{
-								Schema: &spec.Schema{
-									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider"),
-									},
-								},
-							},
-						},
-					},
-				},
-				Required: []string{"items"},
-			},
-		},
-		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
-	}
-}
-
-func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Spec for configuring a webhook identity provider.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"endpoint": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Webhook server endpoint URL.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"tls": {
-						SchemaProps: spec.SchemaProps{
-							Description: "TLS configuration.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.TLSSpec"),
-						},
-					},
-				},
-				Required: []string{"endpoint"},
-			},
-		},
-		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.TLSSpec"},
-	}
-}
-
-func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Status of a webhook identity provider.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"conditions": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-map-keys": []interface{}{
-									"type",
-								},
-								"x-kubernetes-list-type":       "map",
-								"x-kubernetes-patch-merge-key": "type",
-								"x-kubernetes-patch-strategy":  "merge",
-							},
-						},
-						SchemaProps: spec.SchemaProps{
-							Description: "Represents the observations of an identity provider's current state.",
-							Type:        []string{"array"},
-							Items: &spec.SchemaOrArray{
-								Schema: &spec.Schema{
-									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.Condition"),
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.Condition"},
-	}
-}
-
 func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
diff --git a/generated/1.18/crds/idp.pinniped.dev_webhookidentityproviders.yaml b/generated/1.17/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
similarity index 98%
rename from generated/1.18/crds/idp.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.17/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
index 213b7ad20..af2416426 100644
--- a/generated/1.18/crds/idp.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.17/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.idp.pinniped.dev
+  name: webhookidentityproviders.idp.concierge.pinniped.dev
 spec:
-  group: idp.pinniped.dev
+  group: idp.concierge.pinniped.dev
   names:
     categories:
     - all
diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc
index 0d3dabd97..42bbd525b 100644
--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@@ -6,7 +6,7 @@
 
 .Packages
 - xref:{anchor_prefix}-config-pinniped-dev-v1alpha1[$$config.pinniped.dev/v1alpha1$$]
-- xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1[$$idp.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 
 
@@ -161,21 +161,21 @@ OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC
 
 
 
-[id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"]
-=== idp.pinniped.dev/v1alpha1
+[id="{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1"]
+=== idp.concierge.pinniped.dev/v1alpha1
 
 Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-condition"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-condition"]
 ==== Condition 
 
 Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -190,14 +190,14 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-tlsspec"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
 Configuration for configuring TLS on various identity providers.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -207,14 +207,14 @@ Configuration for configuring TLS on various identity providers.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-webhookidentityprovider"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityprovider"]
 ==== WebhookIdentityProvider 
 
 WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -222,45 +222,45 @@ WebhookIdentityProvider describes the configuration of a Pinniped webhook identi
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
 |===
 
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderspec"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderspec"]
 ==== WebhookIdentityProviderSpec 
 
 Spec for configuring a webhook identity provider.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
 ****
 
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
 | *`endpoint`* __string__ | Webhook server endpoint URL.
-| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus"]
 ==== WebhookIdentityProviderStatus 
 
 Status of a webhook identity provider.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
 ****
 
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
 |===
 
 
diff --git a/generated/1.18/apis/idp/doc.go b/generated/1.18/apis/concierge/idp/doc.go
similarity index 84%
rename from generated/1.18/apis/idp/doc.go
rename to generated/1.18/apis/concierge/idp/doc.go
index 17d329436..22adc1b52 100644
--- a/generated/1.18/apis/idp/doc.go
+++ b/generated/1.18/apis/concierge/idp/doc.go
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 // +k8s:deepcopy-gen=package
-// +groupName=idp.pinniped.dev
+// +groupName=idp.concierge.pinniped.dev
 
 // Package idp is the internal version of the Pinniped identity provider API.
 package idp
diff --git a/generated/1.18/apis/idp/v1alpha1/conversion.go b/generated/1.18/apis/concierge/idp/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.18/apis/idp/v1alpha1/conversion.go
rename to generated/1.18/apis/concierge/idp/v1alpha1/conversion.go
diff --git a/generated/1.18/apis/idp/v1alpha1/defaults.go b/generated/1.18/apis/concierge/idp/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.18/apis/idp/v1alpha1/defaults.go
rename to generated/1.18/apis/concierge/idp/v1alpha1/defaults.go
diff --git a/generated/1.17/apis/idp/v1alpha1/doc.go b/generated/1.18/apis/concierge/idp/v1alpha1/doc.go
similarity index 73%
rename from generated/1.17/apis/idp/v1alpha1/doc.go
rename to generated/1.18/apis/concierge/idp/v1alpha1/doc.go
index 915de628e..8053d0a2f 100644
--- a/generated/1.17/apis/idp/v1alpha1/doc.go
+++ b/generated/1.18/apis/concierge/idp/v1alpha1/doc.go
@@ -3,9 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.17/apis/idp
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.18/apis/concierge/idp
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=idp.pinniped.dev
+// +groupName=idp.concierge.pinniped.dev
 // +groupGoName=IDP
 
 // Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
diff --git a/generated/1.18/apis/idp/v1alpha1/register.go b/generated/1.18/apis/concierge/idp/v1alpha1/register.go
similarity index 96%
rename from generated/1.18/apis/idp/v1alpha1/register.go
rename to generated/1.18/apis/concierge/idp/v1alpha1/register.go
index 494aef367..021640359 100644
--- a/generated/1.18/apis/idp/v1alpha1/register.go
+++ b/generated/1.18/apis/concierge/idp/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "idp.pinniped.dev"
+const GroupName = "idp.concierge.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.18/apis/idp/v1alpha1/types_meta.go b/generated/1.18/apis/concierge/idp/v1alpha1/types_meta.go
similarity index 100%
rename from generated/1.18/apis/idp/v1alpha1/types_meta.go
rename to generated/1.18/apis/concierge/idp/v1alpha1/types_meta.go
diff --git a/generated/1.18/apis/idp/v1alpha1/types_tls.go b/generated/1.18/apis/concierge/idp/v1alpha1/types_tls.go
similarity index 100%
rename from generated/1.18/apis/idp/v1alpha1/types_tls.go
rename to generated/1.18/apis/concierge/idp/v1alpha1/types_tls.go
diff --git a/generated/1.18/apis/idp/v1alpha1/types_webhook.go b/generated/1.18/apis/concierge/idp/v1alpha1/types_webhook.go
similarity index 100%
rename from generated/1.18/apis/idp/v1alpha1/types_webhook.go
rename to generated/1.18/apis/concierge/idp/v1alpha1/types_webhook.go
diff --git a/generated/1.18/apis/idp/v1alpha1/zz_generated.conversion.go b/generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.conversion.go
similarity index 100%
rename from generated/1.18/apis/idp/v1alpha1/zz_generated.conversion.go
rename to generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.conversion.go
diff --git a/generated/1.18/apis/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.18/apis/idp/v1alpha1/zz_generated.deepcopy.go
rename to generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go
diff --git a/generated/1.18/apis/idp/v1alpha1/zz_generated.defaults.go b/generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.defaults.go
similarity index 100%
rename from generated/1.18/apis/idp/v1alpha1/zz_generated.defaults.go
rename to generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.defaults.go
diff --git a/generated/1.18/apis/idp/zz_generated.deepcopy.go b/generated/1.18/apis/concierge/idp/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.18/apis/idp/zz_generated.deepcopy.go
rename to generated/1.18/apis/concierge/idp/zz_generated.deepcopy.go
diff --git a/generated/1.18/client/clientset/versioned/fake/register.go b/generated/1.18/client/clientset/versioned/fake/register.go
index 24b90e32e..92d661cea 100644
--- a/generated/1.18/client/clientset/versioned/fake/register.go
+++ b/generated/1.18/client/clientset/versioned/fake/register.go
@@ -6,9 +6,9 @@
 package fake
 
 import (
+	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
diff --git a/generated/1.18/client/clientset/versioned/scheme/register.go b/generated/1.18/client/clientset/versioned/scheme/register.go
index d8373c67c..47b008a88 100644
--- a/generated/1.18/client/clientset/versioned/scheme/register.go
+++ b/generated/1.18/client/clientset/versioned/scheme/register.go
@@ -6,9 +6,9 @@
 package scheme
 
 import (
+	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
index fd10c7060..00071eee3 100644
--- a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
+++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
@@ -8,7 +8,7 @@ package fake
 import (
 	"context"
 
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -23,9 +23,9 @@ type FakeWebhookIdentityProviders struct {
 	ns   string
 }
 
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
+var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
 
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
+var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
 
 // Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
 func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
index abb575ff2..45705e9a6 100644
--- a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
+++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
 	"go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
 	rest "k8s.io/client-go/rest"
 )
@@ -16,7 +16,7 @@ type IDPV1alpha1Interface interface {
 	WebhookIdentityProvidersGetter
 }
 
-// IDPV1alpha1Client is used to interact with features provided by the idp.pinniped.dev group.
+// IDPV1alpha1Client is used to interact with features provided by the idp.concierge.pinniped.dev group.
 type IDPV1alpha1Client struct {
 	restClient rest.Interface
 }
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
index 0f262177a..389aff71b 100644
--- a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
@@ -9,7 +9,7 @@ import (
 	"context"
 	"time"
 
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
diff --git a/generated/1.18/client/informers/externalversions/generic.go b/generated/1.18/client/informers/externalversions/generic.go
index 0738f86b1..1c522d115 100644
--- a/generated/1.18/client/informers/externalversions/generic.go
+++ b/generated/1.18/client/informers/externalversions/generic.go
@@ -8,9 +8,9 @@ package externalversions
 import (
 	"fmt"
 
+	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1"
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -47,7 +47,7 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
-		// Group=idp.pinniped.dev, Version=v1alpha1
+		// Group=idp.concierge.pinniped.dev, Version=v1alpha1
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 
diff --git a/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
index 80c8d5fc9..30c79d4db 100644
--- a/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
@@ -9,7 +9,7 @@ import (
 	"context"
 	time "time"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.18/client/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.18/client/listers/idp/v1alpha1"
diff --git a/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go
index 2ff082df9..6a9940c83 100644
--- a/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
diff --git a/generated/1.18/client/openapi/zz_generated.openapi.go b/generated/1.18/client/openapi/zz_generated.openapi.go
index 50a1623df..bf054a3ec 100644
--- a/generated/1.18/client/openapi/zz_generated.openapi.go
+++ b/generated/1.18/client/openapi/zz_generated.openapi.go
@@ -17,6 +17,12 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
+		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.Condition":                      schema_apis_concierge_idp_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.TLSSpec":                        schema_apis_concierge_idp_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProvider":        schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderList":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus":  schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
 		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":            schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
 		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":       schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
 		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
@@ -31,12 +37,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigList":                schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref),
 		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec":                schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
 		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigStatus":              schema_118_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.Condition":                                schema_118_apis_idp_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.TLSSpec":                                  schema_118_apis_idp_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider":                  schema_118_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderList":              schema_118_apis_idp_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec":              schema_118_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus":            schema_118_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
 		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                             schema_pkg_apis_meta_v1_APIGroup(ref),
 		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                         schema_pkg_apis_meta_v1_APIGroupList(ref),
 		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                          schema_pkg_apis_meta_v1_APIResource(ref),
@@ -91,6 +91,244 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 	}
 }
 
+func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"type": {
+						SchemaProps: spec.SchemaProps{
+							Description: "type of condition in CamelCase or in foo.example.com/CamelCase.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "status of the condition, one of True, False, Unknown.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"observedGeneration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
+					"lastTransitionTime": {
+						SchemaProps: spec.SchemaProps{
+							Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+						},
+					},
+					"reason": {
+						SchemaProps: spec.SchemaProps{
+							Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"message": {
+						SchemaProps: spec.SchemaProps{
+							Description: "message is a human readable message indicating details about the transition. This may be an empty string.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"type", "status", "lastTransitionTime", "reason", "message"},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Configuration for configuring TLS on various identity providers.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"certificateAuthorityData": {
+						SchemaProps: spec.SchemaProps{
+							Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec for configuring the identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status of the identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus"),
+						},
+					},
+				},
+				Required: []string{"spec"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "List of WebhookIdentityProvider objects.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProvider"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Spec for configuring a webhook identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"endpoint": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Webhook server endpoint URL.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"tls": {
+						SchemaProps: spec.SchemaProps{
+							Description: "TLS configuration.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.TLSSpec"),
+						},
+					},
+				},
+				Required: []string{"endpoint"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.TLSSpec"},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Status of a webhook identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"conditions": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-map-keys": []interface{}{
+									"type",
+								},
+								"x-kubernetes-list-type":       "map",
+								"x-kubernetes-patch-merge-key": "type",
+								"x-kubernetes-patch-strategy":  "merge",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "Represents the observations of an identity provider's current state.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.Condition"),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.Condition"},
+	}
+}
+
 func schema_apis_concierge_login_v1alpha1_ClusterCredential(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -642,244 +880,6 @@ func schema_118_apis_config_v1alpha1_OIDCProviderConfigStatus(ref common.Referen
 	}
 }
 
-func schema_118_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"type": {
-						SchemaProps: spec.SchemaProps{
-							Description: "type of condition in CamelCase or in foo.example.com/CamelCase.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"status": {
-						SchemaProps: spec.SchemaProps{
-							Description: "status of the condition, one of True, False, Unknown.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"observedGeneration": {
-						SchemaProps: spec.SchemaProps{
-							Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
-							Type:        []string{"integer"},
-							Format:      "int64",
-						},
-					},
-					"lastTransitionTime": {
-						SchemaProps: spec.SchemaProps{
-							Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
-						},
-					},
-					"reason": {
-						SchemaProps: spec.SchemaProps{
-							Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"message": {
-						SchemaProps: spec.SchemaProps{
-							Description: "message is a human readable message indicating details about the transition. This may be an empty string.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-				},
-				Required: []string{"type", "status", "lastTransitionTime", "reason", "message"},
-			},
-		},
-		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
-	}
-}
-
-func schema_118_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Configuration for configuring TLS on various identity providers.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"certificateAuthorityData": {
-						SchemaProps: spec.SchemaProps{
-							Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
-func schema_118_apis_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"kind": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"apiVersion": {
-						SchemaProps: spec.SchemaProps{
-							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"metadata": {
-						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
-						},
-					},
-					"spec": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec"),
-						},
-					},
-					"status": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus"),
-						},
-					},
-				},
-				Required: []string{"spec"},
-			},
-		},
-		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
-	}
-}
-
-func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "List of WebhookIdentityProvider objects.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"kind": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"apiVersion": {
-						SchemaProps: spec.SchemaProps{
-							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"metadata": {
-						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
-						},
-					},
-					"items": {
-						SchemaProps: spec.SchemaProps{
-							Type: []string{"array"},
-							Items: &spec.SchemaOrArray{
-								Schema: &spec.Schema{
-									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider"),
-									},
-								},
-							},
-						},
-					},
-				},
-				Required: []string{"items"},
-			},
-		},
-		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
-	}
-}
-
-func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Spec for configuring a webhook identity provider.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"endpoint": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Webhook server endpoint URL.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"tls": {
-						SchemaProps: spec.SchemaProps{
-							Description: "TLS configuration.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.TLSSpec"),
-						},
-					},
-				},
-				Required: []string{"endpoint"},
-			},
-		},
-		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.TLSSpec"},
-	}
-}
-
-func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Status of a webhook identity provider.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"conditions": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-map-keys": []interface{}{
-									"type",
-								},
-								"x-kubernetes-list-type":       "map",
-								"x-kubernetes-patch-merge-key": "type",
-								"x-kubernetes-patch-strategy":  "merge",
-							},
-						},
-						SchemaProps: spec.SchemaProps{
-							Description: "Represents the observations of an identity provider's current state.",
-							Type:        []string{"array"},
-							Items: &spec.SchemaOrArray{
-								Schema: &spec.Schema{
-									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.Condition"),
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.Condition"},
-	}
-}
-
 func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
diff --git a/deploy/concierge/idp.pinniped.dev_webhookidentityproviders.yaml b/generated/1.18/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
similarity index 98%
rename from deploy/concierge/idp.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.18/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
index 213b7ad20..af2416426 100644
--- a/deploy/concierge/idp.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.18/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.idp.pinniped.dev
+  name: webhookidentityproviders.idp.concierge.pinniped.dev
 spec:
-  group: idp.pinniped.dev
+  group: idp.concierge.pinniped.dev
   names:
     categories:
     - all
diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc
index b43b2eb5f..1c8018cc2 100644
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@@ -6,7 +6,7 @@
 
 .Packages
 - xref:{anchor_prefix}-config-pinniped-dev-v1alpha1[$$config.pinniped.dev/v1alpha1$$]
-- xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1[$$idp.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 
 
@@ -161,21 +161,21 @@ OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC
 
 
 
-[id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"]
-=== idp.pinniped.dev/v1alpha1
+[id="{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1"]
+=== idp.concierge.pinniped.dev/v1alpha1
 
 Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-condition"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-condition"]
 ==== Condition 
 
 Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -190,14 +190,14 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-tlsspec"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
 Configuration for configuring TLS on various identity providers.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -207,14 +207,14 @@ Configuration for configuring TLS on various identity providers.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-webhookidentityprovider"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityprovider"]
 ==== WebhookIdentityProvider 
 
 WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -222,45 +222,45 @@ WebhookIdentityProvider describes the configuration of a Pinniped webhook identi
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
 |===
 
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderspec"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderspec"]
 ==== WebhookIdentityProviderSpec 
 
 Spec for configuring a webhook identity provider.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
 ****
 
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
 | *`endpoint`* __string__ | Webhook server endpoint URL.
-| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus"]
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus"]
 ==== WebhookIdentityProviderStatus 
 
 Status of a webhook identity provider.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
 ****
 
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
 |===
 
 
diff --git a/generated/1.17/apis/idp/doc.go b/generated/1.19/apis/concierge/idp/doc.go
similarity index 84%
rename from generated/1.17/apis/idp/doc.go
rename to generated/1.19/apis/concierge/idp/doc.go
index 17d329436..22adc1b52 100644
--- a/generated/1.17/apis/idp/doc.go
+++ b/generated/1.19/apis/concierge/idp/doc.go
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 // +k8s:deepcopy-gen=package
-// +groupName=idp.pinniped.dev
+// +groupName=idp.concierge.pinniped.dev
 
 // Package idp is the internal version of the Pinniped identity provider API.
 package idp
diff --git a/generated/1.19/apis/idp/v1alpha1/conversion.go b/generated/1.19/apis/concierge/idp/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.19/apis/idp/v1alpha1/conversion.go
rename to generated/1.19/apis/concierge/idp/v1alpha1/conversion.go
diff --git a/generated/1.19/apis/idp/v1alpha1/defaults.go b/generated/1.19/apis/concierge/idp/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.19/apis/idp/v1alpha1/defaults.go
rename to generated/1.19/apis/concierge/idp/v1alpha1/defaults.go
diff --git a/generated/1.19/apis/idp/v1alpha1/doc.go b/generated/1.19/apis/concierge/idp/v1alpha1/doc.go
similarity index 73%
rename from generated/1.19/apis/idp/v1alpha1/doc.go
rename to generated/1.19/apis/concierge/idp/v1alpha1/doc.go
index acc44b96e..63c0d3c40 100644
--- a/generated/1.19/apis/idp/v1alpha1/doc.go
+++ b/generated/1.19/apis/concierge/idp/v1alpha1/doc.go
@@ -3,9 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.19/apis/idp
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.19/apis/concierge/idp
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=idp.pinniped.dev
+// +groupName=idp.concierge.pinniped.dev
 // +groupGoName=IDP
 
 // Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
diff --git a/generated/1.19/apis/idp/v1alpha1/register.go b/generated/1.19/apis/concierge/idp/v1alpha1/register.go
similarity index 96%
rename from generated/1.19/apis/idp/v1alpha1/register.go
rename to generated/1.19/apis/concierge/idp/v1alpha1/register.go
index 494aef367..021640359 100644
--- a/generated/1.19/apis/idp/v1alpha1/register.go
+++ b/generated/1.19/apis/concierge/idp/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "idp.pinniped.dev"
+const GroupName = "idp.concierge.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.19/apis/idp/v1alpha1/types_meta.go b/generated/1.19/apis/concierge/idp/v1alpha1/types_meta.go
similarity index 100%
rename from generated/1.19/apis/idp/v1alpha1/types_meta.go
rename to generated/1.19/apis/concierge/idp/v1alpha1/types_meta.go
diff --git a/generated/1.19/apis/idp/v1alpha1/types_tls.go b/generated/1.19/apis/concierge/idp/v1alpha1/types_tls.go
similarity index 100%
rename from generated/1.19/apis/idp/v1alpha1/types_tls.go
rename to generated/1.19/apis/concierge/idp/v1alpha1/types_tls.go
diff --git a/generated/1.19/apis/idp/v1alpha1/types_webhook.go b/generated/1.19/apis/concierge/idp/v1alpha1/types_webhook.go
similarity index 100%
rename from generated/1.19/apis/idp/v1alpha1/types_webhook.go
rename to generated/1.19/apis/concierge/idp/v1alpha1/types_webhook.go
diff --git a/generated/1.19/apis/idp/v1alpha1/zz_generated.conversion.go b/generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.conversion.go
similarity index 100%
rename from generated/1.19/apis/idp/v1alpha1/zz_generated.conversion.go
rename to generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.conversion.go
diff --git a/generated/1.19/apis/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.19/apis/idp/v1alpha1/zz_generated.deepcopy.go
rename to generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go
diff --git a/generated/1.19/apis/idp/v1alpha1/zz_generated.defaults.go b/generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.defaults.go
similarity index 100%
rename from generated/1.19/apis/idp/v1alpha1/zz_generated.defaults.go
rename to generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.defaults.go
diff --git a/generated/1.19/apis/idp/zz_generated.deepcopy.go b/generated/1.19/apis/concierge/idp/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.19/apis/idp/zz_generated.deepcopy.go
rename to generated/1.19/apis/concierge/idp/zz_generated.deepcopy.go
diff --git a/generated/1.19/client/clientset/versioned/fake/register.go b/generated/1.19/client/clientset/versioned/fake/register.go
index dc1268ce0..6ac8af66c 100644
--- a/generated/1.19/client/clientset/versioned/fake/register.go
+++ b/generated/1.19/client/clientset/versioned/fake/register.go
@@ -6,9 +6,9 @@
 package fake
 
 import (
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
diff --git a/generated/1.19/client/clientset/versioned/scheme/register.go b/generated/1.19/client/clientset/versioned/scheme/register.go
index 41bcc8933..bec738f4b 100644
--- a/generated/1.19/client/clientset/versioned/scheme/register.go
+++ b/generated/1.19/client/clientset/versioned/scheme/register.go
@@ -6,9 +6,9 @@
 package scheme
 
 import (
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
index 3e31b6eb5..1b64361cf 100644
--- a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
+++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
@@ -8,7 +8,7 @@ package fake
 import (
 	"context"
 
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -23,9 +23,9 @@ type FakeWebhookIdentityProviders struct {
 	ns   string
 }
 
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
+var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
 
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
+var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
 
 // Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
 func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
index 78af6a585..cf93cc9ab 100644
--- a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
+++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	"go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
 	rest "k8s.io/client-go/rest"
 )
@@ -16,7 +16,7 @@ type IDPV1alpha1Interface interface {
 	WebhookIdentityProvidersGetter
 }
 
-// IDPV1alpha1Client is used to interact with features provided by the idp.pinniped.dev group.
+// IDPV1alpha1Client is used to interact with features provided by the idp.concierge.pinniped.dev group.
 type IDPV1alpha1Client struct {
 	restClient rest.Interface
 }
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
index 05948c7f9..b17cc8f2d 100644
--- a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
@@ -9,7 +9,7 @@ import (
 	"context"
 	"time"
 
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
diff --git a/generated/1.19/client/informers/externalversions/generic.go b/generated/1.19/client/informers/externalversions/generic.go
index 46029aba2..424b73809 100644
--- a/generated/1.19/client/informers/externalversions/generic.go
+++ b/generated/1.19/client/informers/externalversions/generic.go
@@ -8,9 +8,9 @@ package externalversions
 import (
 	"fmt"
 
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
 	v1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -47,7 +47,7 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
-		// Group=idp.pinniped.dev, Version=v1alpha1
+		// Group=idp.concierge.pinniped.dev, Version=v1alpha1
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 
diff --git a/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
index 5d8814a07..0238ec1a2 100644
--- a/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
@@ -9,7 +9,7 @@ import (
 	"context"
 	time "time"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.19/client/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
 	v1alpha1 "go.pinniped.dev/generated/1.19/client/listers/idp/v1alpha1"
diff --git a/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go
index 93c7de14f..ec0af7e10 100644
--- a/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
diff --git a/generated/1.19/client/openapi/zz_generated.openapi.go b/generated/1.19/client/openapi/zz_generated.openapi.go
index 900e7b71b..ee18adb8e 100644
--- a/generated/1.19/client/openapi/zz_generated.openapi.go
+++ b/generated/1.19/client/openapi/zz_generated.openapi.go
@@ -17,6 +17,12 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
+		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.Condition":                      schema_apis_concierge_idp_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.TLSSpec":                        schema_apis_concierge_idp_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProvider":        schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderList":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus":  schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
 		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.ClusterCredential":            schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
 		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequest":       schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
 		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestList":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
@@ -31,12 +37,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigList":                schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref),
 		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec":                schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
 		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigStatus":              schema_119_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.Condition":                                schema_119_apis_idp_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.TLSSpec":                                  schema_119_apis_idp_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProvider":                  schema_119_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderList":              schema_119_apis_idp_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderSpec":              schema_119_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderStatus":            schema_119_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
 		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                             schema_pkg_apis_meta_v1_APIGroup(ref),
 		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                         schema_pkg_apis_meta_v1_APIGroupList(ref),
 		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                          schema_pkg_apis_meta_v1_APIResource(ref),
@@ -92,6 +92,244 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 	}
 }
 
+func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"type": {
+						SchemaProps: spec.SchemaProps{
+							Description: "type of condition in CamelCase or in foo.example.com/CamelCase.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "status of the condition, one of True, False, Unknown.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"observedGeneration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
+					"lastTransitionTime": {
+						SchemaProps: spec.SchemaProps{
+							Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+						},
+					},
+					"reason": {
+						SchemaProps: spec.SchemaProps{
+							Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"message": {
+						SchemaProps: spec.SchemaProps{
+							Description: "message is a human readable message indicating details about the transition. This may be an empty string.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"type", "status", "lastTransitionTime", "reason", "message"},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Configuration for configuring TLS on various identity providers.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"certificateAuthorityData": {
+						SchemaProps: spec.SchemaProps{
+							Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec for configuring the identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status of the identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus"),
+						},
+					},
+				},
+				Required: []string{"spec"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "List of WebhookIdentityProvider objects.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProvider"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Spec for configuring a webhook identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"endpoint": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Webhook server endpoint URL.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"tls": {
+						SchemaProps: spec.SchemaProps{
+							Description: "TLS configuration.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.TLSSpec"),
+						},
+					},
+				},
+				Required: []string{"endpoint"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.TLSSpec"},
+	}
+}
+
+func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Status of a webhook identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"conditions": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-map-keys": []interface{}{
+									"type",
+								},
+								"x-kubernetes-list-type":       "map",
+								"x-kubernetes-patch-merge-key": "type",
+								"x-kubernetes-patch-strategy":  "merge",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "Represents the observations of an identity provider's current state.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.Condition"),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.Condition"},
+	}
+}
+
 func schema_apis_concierge_login_v1alpha1_ClusterCredential(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -643,244 +881,6 @@ func schema_119_apis_config_v1alpha1_OIDCProviderConfigStatus(ref common.Referen
 	}
 }
 
-func schema_119_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"type": {
-						SchemaProps: spec.SchemaProps{
-							Description: "type of condition in CamelCase or in foo.example.com/CamelCase.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"status": {
-						SchemaProps: spec.SchemaProps{
-							Description: "status of the condition, one of True, False, Unknown.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"observedGeneration": {
-						SchemaProps: spec.SchemaProps{
-							Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
-							Type:        []string{"integer"},
-							Format:      "int64",
-						},
-					},
-					"lastTransitionTime": {
-						SchemaProps: spec.SchemaProps{
-							Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
-						},
-					},
-					"reason": {
-						SchemaProps: spec.SchemaProps{
-							Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"message": {
-						SchemaProps: spec.SchemaProps{
-							Description: "message is a human readable message indicating details about the transition. This may be an empty string.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-				},
-				Required: []string{"type", "status", "lastTransitionTime", "reason", "message"},
-			},
-		},
-		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
-	}
-}
-
-func schema_119_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Configuration for configuring TLS on various identity providers.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"certificateAuthorityData": {
-						SchemaProps: spec.SchemaProps{
-							Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
-func schema_119_apis_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"kind": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"apiVersion": {
-						SchemaProps: spec.SchemaProps{
-							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"metadata": {
-						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
-						},
-					},
-					"spec": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderSpec"),
-						},
-					},
-					"status": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderStatus"),
-						},
-					},
-				},
-				Required: []string{"spec"},
-			},
-		},
-		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
-	}
-}
-
-func schema_119_apis_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "List of WebhookIdentityProvider objects.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"kind": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"apiVersion": {
-						SchemaProps: spec.SchemaProps{
-							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"metadata": {
-						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
-						},
-					},
-					"items": {
-						SchemaProps: spec.SchemaProps{
-							Type: []string{"array"},
-							Items: &spec.SchemaOrArray{
-								Schema: &spec.Schema{
-									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProvider"),
-									},
-								},
-							},
-						},
-					},
-				},
-				Required: []string{"items"},
-			},
-		},
-		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
-	}
-}
-
-func schema_119_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Spec for configuring a webhook identity provider.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"endpoint": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Webhook server endpoint URL.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"tls": {
-						SchemaProps: spec.SchemaProps{
-							Description: "TLS configuration.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.TLSSpec"),
-						},
-					},
-				},
-				Required: []string{"endpoint"},
-			},
-		},
-		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.TLSSpec"},
-	}
-}
-
-func schema_119_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Status of a webhook identity provider.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"conditions": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-map-keys": []interface{}{
-									"type",
-								},
-								"x-kubernetes-list-type":       "map",
-								"x-kubernetes-patch-merge-key": "type",
-								"x-kubernetes-patch-strategy":  "merge",
-							},
-						},
-						SchemaProps: spec.SchemaProps{
-							Description: "Represents the observations of an identity provider's current state.",
-							Type:        []string{"array"},
-							Items: &spec.SchemaOrArray{
-								Schema: &spec.Schema{
-									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.Condition"),
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.Condition"},
-	}
-}
-
 func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
diff --git a/generated/1.19/crds/idp.pinniped.dev_webhookidentityproviders.yaml b/generated/1.19/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
similarity index 98%
rename from generated/1.19/crds/idp.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.19/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
index 213b7ad20..af2416426 100644
--- a/generated/1.19/crds/idp.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.19/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.idp.pinniped.dev
+  name: webhookidentityproviders.idp.concierge.pinniped.dev
 spec:
-  group: idp.pinniped.dev
+  group: idp.concierge.pinniped.dev
   names:
     categories:
     - all
diff --git a/hack/lib/docs/config.yaml b/hack/lib/docs/config.yaml
index 6efb47114..078c13cdf 100644
--- a/hack/lib/docs/config.yaml
+++ b/hack/lib/docs/config.yaml
@@ -4,7 +4,7 @@ processor:
   #  Ignore internal API versions
   ignoreGroupVersions:
     - "config.pinniped.dev/config"
-    - "idp.pinniped.dev/idp"
+    - "idp.concierge.pinniped.dev/idp"
     - "login.concierge.pinniped.dev/login"
   ignoreFields:
     - "TypeMeta$"
diff --git a/hack/lib/tilt/Tiltfile b/hack/lib/tilt/Tiltfile
index 67509cc44..653668545 100644
--- a/hack/lib/tilt/Tiltfile
+++ b/hack/lib/tilt/Tiltfile
@@ -170,7 +170,7 @@ k8s_resource(
         'pinniped-concierge:clusterrolebinding',
         'pinniped-concierge:serviceaccount',
         'credentialissuerconfigs.config.pinniped.dev:customresourcedefinition',
-        'webhookidentityproviders.idp.pinniped.dev:customresourcedefinition',
+        'webhookidentityproviders.idp.concierge.pinniped.dev:customresourcedefinition',
         'v1alpha1.login.concierge.pinniped.dev:apiservice',
     ],
 )
diff --git a/hack/lib/update-codegen.sh b/hack/lib/update-codegen.sh
index 001c8d55c..bef6aec01 100755
--- a/hack/lib/update-codegen.sh
+++ b/hack/lib/update-codegen.sh
@@ -110,7 +110,7 @@ echo "generating API-related code for our public API groups..."
         deepcopy \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
-        "config:v1alpha1 idp:v1alpha1 concierge/login:v1alpha1" \
+        "config:v1alpha1 concierge/idp:v1alpha1 concierge/login:v1alpha1" \
         --go-header-file "${ROOT}/hack/boilerplate.go.txt" 2>&1 | sed "s|^|gen-api > |"
 )
 
@@ -122,7 +122,7 @@ echo "generating API-related code for our internal API groups..."
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client" \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
-        "config:v1alpha1 idp:v1alpha1 concierge/login:v1alpha1" \
+        "config:v1alpha1 concierge/idp:v1alpha1 concierge/login:v1alpha1" \
         --go-header-file "${ROOT}/hack/boilerplate.go.txt"  2>&1 | sed "s|^|gen-int-api > |"
 )
 
@@ -137,7 +137,7 @@ echo "generating client code for our public API groups..."
         client,lister,informer \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client" \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
-        "config:v1alpha1 idp:v1alpha1 concierge/login:v1alpha1" \
+        "config:v1alpha1 concierge/idp:v1alpha1 concierge/login:v1alpha1" \
         --go-header-file "${ROOT}/hack/boilerplate.go.txt"  2>&1 | sed "s|^|gen-client > |"
 )
 
@@ -157,5 +157,5 @@ crd-ref-docs \
 # Generate CRD YAML
 (cd apis &&
     controller-gen paths=./config/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds &&
-    controller-gen paths=./idp/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds
+    controller-gen paths=./concierge/idp/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds
 )
diff --git a/internal/client/client_test.go b/internal/client/client_test.go
index 42a4c4028..bcb1e2e6c 100644
--- a/internal/client/client_test.go
+++ b/internal/client/client_test.go
@@ -16,8 +16,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
 	"go.pinniped.dev/internal/testutil"
 )
 
@@ -106,7 +106,7 @@ func TestExchangeToken(t *testing.T) {
 				  "spec": {
 					"token": "test-token",
 					"identityProvider": {
-						"apiGroup": "idp.pinniped.dev",
+						"apiGroup": "idp.concierge.pinniped.dev",
 						"kind": "WebhookIdentityProvider",
 						"name": "test-webhook"
 					}
diff --git a/internal/controller/identityprovider/idpcache/cache_test.go b/internal/controller/identityprovider/idpcache/cache_test.go
index c00396791..1cc0c292a 100644
--- a/internal/controller/identityprovider/idpcache/cache_test.go
+++ b/internal/controller/identityprovider/idpcache/cache_test.go
@@ -17,8 +17,8 @@ import (
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 
+	idpv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	loginapi "go.pinniped.dev/generated/1.19/apis/concierge/login"
-	idpv1alpha "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
 	"go.pinniped.dev/internal/mocks/mocktokenauthenticator"
 )
 
diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
index ba8944ab6..9ab9e1691 100644
--- a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
+++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
@@ -11,7 +11,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/klog/v2"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	idpinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/idp/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
index 70ea0197b..e2450916c 100644
--- a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
+++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
@@ -12,7 +12,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	idpv1alpha "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	idpv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
 	pinnipedinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
@@ -24,19 +24,19 @@ func TestController(t *testing.T) {
 	t.Parallel()
 
 	testKey1 := idpcache.Key{
-		APIGroup:  "idp.pinniped.dev",
+		APIGroup:  "idp.concierge.pinniped.dev",
 		Kind:      "WebhookIdentityProvider",
 		Namespace: "test-namespace",
 		Name:      "test-name-one",
 	}
 	testKey2 := idpcache.Key{
-		APIGroup:  "idp.pinniped.dev",
+		APIGroup:  "idp.concierge.pinniped.dev",
 		Kind:      "WebhookIdentityProvider",
 		Namespace: "test-namespace",
 		Name:      "test-name-two",
 	}
 	testKeyNonwebhook := idpcache.Key{
-		APIGroup:  "idp.pinniped.dev",
+		APIGroup:  "idp.concierge.pinniped.dev",
 		Kind:      "SomeOtherIdentityProvider",
 		Namespace: "test-namespace",
 		Name:      "test-name-one",
diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
index c2c642a51..0f6b5539b 100644
--- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
+++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
@@ -20,7 +20,7 @@ import (
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/klog/v2"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	idpinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/idp/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
index cde852162..b46b3281f 100644
--- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
+++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
@@ -19,7 +19,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
 	pinnipedinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index 87adb34c0..b4504cd88 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -16,8 +16,8 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
 	"go.pinniped.dev/test/library"
 )
 
diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go
index d030a0c29..473cc682b 100644
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@@ -91,20 +91,20 @@ func TestGetAPIResourceList(t *testing.T) {
 		},
 		{
 			group: metav1.APIGroup{
-				Name: "idp.pinniped.dev",
+				Name: "idp.concierge.pinniped.dev",
 				Versions: []metav1.GroupVersionForDiscovery{
 					{
-						GroupVersion: "idp.pinniped.dev/v1alpha1",
+						GroupVersion: "idp.concierge.pinniped.dev/v1alpha1",
 						Version:      "v1alpha1",
 					},
 				},
 				PreferredVersion: metav1.GroupVersionForDiscovery{
-					GroupVersion: "idp.pinniped.dev/v1alpha1",
+					GroupVersion: "idp.concierge.pinniped.dev/v1alpha1",
 					Version:      "v1alpha1",
 				},
 			},
 			resourceByVersion: map[string][]metav1.APIResource{
-				"idp.pinniped.dev/v1alpha1": {
+				"idp.concierge.pinniped.dev/v1alpha1": {
 					{
 						Name:         "webhookidentityproviders",
 						SingularName: "webhookidentityprovider",
diff --git a/test/library/client.go b/test/library/client.go
index 95f798b45..50aa9057a 100644
--- a/test/library/client.go
+++ b/test/library/client.go
@@ -23,8 +23,8 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
 	pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
 
 	// Import to initialize client auth plugins - the kubeconfig that we use for
diff --git a/test/library/env.go b/test/library/env.go
index 22b8d6665..1ed59e1ae 100644
--- a/test/library/env.go
+++ b/test/library/env.go
@@ -13,7 +13,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"sigs.k8s.io/yaml"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
 )
 
 type Capability string

From e69183aa8a1ff8f6df1b730b771f656c1f698919 Mon Sep 17 00:00:00 2001
From: Matt Moyer <moyerm@vmware.com>
Date: Fri, 30 Oct 2020 11:03:25 -0500
Subject: [PATCH 2/5] Rename `idp.concierge.pinniped.dev` to
 `authentication.concierge.pinniped.dev`.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
---
 apis/concierge/authentication/doc.go.tmpl     |   8 +
 .../v1alpha1/conversion.go.tmpl               |   0
 .../v1alpha1/defaults.go.tmpl                 |   0
 .../v1alpha1/doc.go.tmpl                      |   5 +-
 .../v1alpha1/register.go.tmpl                 |   2 +-
 .../v1alpha1/types_meta.go.tmpl               |   0
 .../v1alpha1/types_tls.go.tmpl                |   0
 .../v1alpha1/types_webhook.go.tmpl            |   0
 apis/concierge/idp/doc.go.tmpl                |   8 -
 cmd/pinniped/cmd/exchange_credential.go       |   4 +-
 cmd/pinniped/cmd/get_kubeconfig.go            |   2 +-
 cmd/pinniped/cmd/get_kubeconfig_test.go       |   8 +-
 ...pinniped.dev_webhookidentityproviders.yaml |   4 +-
 ...pinniped.dev_webhookidentityproviders.yaml |   4 +-
 deploy/concierge/rbac.yaml                    |   2 +-
 deploy/concierge/z0_crd_overlay.yaml          |   2 +-
 doc/demo.md                                   |   2 +-
 generated/1.17/README.adoc                    | 210 +++++++++---------
 .../1.17/apis/concierge/authentication/doc.go |   8 +
 .../v1alpha1/conversion.go                    |   0
 .../v1alpha1/defaults.go                      |   0
 .../{idp => authentication}/v1alpha1/doc.go   |   5 +-
 .../v1alpha1/register.go                      |   2 +-
 .../v1alpha1/types_meta.go                    |   0
 .../v1alpha1/types_tls.go                     |   0
 .../v1alpha1/types_webhook.go                 |   0
 .../v1alpha1/zz_generated.conversion.go       |   0
 .../v1alpha1/zz_generated.deepcopy.go         |   0
 .../v1alpha1/zz_generated.defaults.go         |   0
 .../authentication}/zz_generated.deepcopy.go  |   2 +-
 generated/1.17/apis/concierge/idp/doc.go      |   8 -
 .../client/clientset/versioned/clientset.go   |  28 +--
 .../versioned/fake/clientset_generated.go     |  14 +-
 .../clientset/versioned/fake/register.go      |   4 +-
 .../clientset/versioned/scheme/register.go    |   4 +-
 .../v1alpha1/authentication_client.go}        |  28 +--
 .../{idp => authentication}/v1alpha1/doc.go   |   0
 .../v1alpha1/fake/doc.go                      |   0
 .../fake/fake_authentication_client.go}       |   8 +-
 .../fake/fake_webhookidentityprovider.go      |   8 +-
 .../v1alpha1/generated_expansion.go           |   0
 .../v1alpha1/webhookidentityprovider.go       |   4 +-
 .../{idp => authentication}/interface.go      |   4 +-
 .../v1alpha1/interface.go                     |   0
 .../v1alpha1/webhookidentityprovider.go       |  12 +-
 .../informers/externalversions/factory.go     |  12 +-
 .../informers/externalversions/generic.go     |  20 +-
 .../v1alpha1/expansion_generated.go           |   0
 .../v1alpha1/webhookidentityprovider.go       |   2 +-
 .../client/openapi/zz_generated.openapi.go    | 172 +++++++-------
 ...inniped.dev_webhookidentityproviders.yaml} |   4 +-
 generated/1.18/README.adoc                    | 210 +++++++++---------
 .../1.18/apis/concierge/authentication/doc.go |   8 +
 .../v1alpha1/conversion.go                    |   0
 .../v1alpha1/defaults.go                      |   0
 .../{idp => authentication}/v1alpha1/doc.go   |   5 +-
 .../authentication}/v1alpha1/register.go      |   2 +-
 .../v1alpha1/types_meta.go                    |   0
 .../v1alpha1/types_tls.go                     |   0
 .../v1alpha1/types_webhook.go                 |   0
 .../v1alpha1/zz_generated.conversion.go       |   0
 .../v1alpha1/zz_generated.deepcopy.go         |   0
 .../v1alpha1/zz_generated.defaults.go         |   0
 .../authentication}/zz_generated.deepcopy.go  |   2 +-
 generated/1.18/apis/concierge/idp/doc.go      |   8 -
 .../client/clientset/versioned/clientset.go   |  28 +--
 .../versioned/fake/clientset_generated.go     |  14 +-
 .../clientset/versioned/fake/register.go      |   4 +-
 .../clientset/versioned/scheme/register.go    |   4 +-
 .../v1alpha1/authentication_client.go}        |  28 +--
 .../{idp => authentication}/v1alpha1/doc.go   |   0
 .../v1alpha1/fake/doc.go                      |   0
 .../fake/fake_authentication_client.go}       |   8 +-
 .../fake/fake_webhookidentityprovider.go      |   8 +-
 .../v1alpha1/generated_expansion.go           |   0
 .../v1alpha1/webhookidentityprovider.go       |   4 +-
 .../{idp => authentication}/interface.go      |   4 +-
 .../v1alpha1/interface.go                     |   0
 .../v1alpha1/webhookidentityprovider.go       |  12 +-
 .../informers/externalversions/factory.go     |  12 +-
 .../informers/externalversions/generic.go     |  20 +-
 .../v1alpha1/expansion_generated.go           |   0
 .../v1alpha1/webhookidentityprovider.go       |   2 +-
 .../client/openapi/zz_generated.openapi.go    | 172 +++++++-------
 ...inniped.dev_webhookidentityproviders.yaml} |   4 +-
 generated/1.19/README.adoc                    | 210 +++++++++---------
 .../1.19/apis/concierge/authentication/doc.go |   8 +
 .../v1alpha1/conversion.go                    |   0
 .../v1alpha1/defaults.go                      |   0
 .../{idp => authentication}/v1alpha1/doc.go   |   5 +-
 .../authentication}/v1alpha1/register.go      |   2 +-
 .../v1alpha1/types_meta.go                    |   0
 .../v1alpha1/types_tls.go                     |   0
 .../v1alpha1/types_webhook.go                 |   0
 .../v1alpha1/zz_generated.conversion.go       |   0
 .../v1alpha1/zz_generated.deepcopy.go         |   0
 .../v1alpha1/zz_generated.defaults.go         |   0
 .../zz_generated.deepcopy.go                  |   2 +-
 generated/1.19/apis/concierge/idp/doc.go      |   8 -
 .../client/clientset/versioned/clientset.go   |  28 +--
 .../versioned/fake/clientset_generated.go     |  14 +-
 .../clientset/versioned/fake/register.go      |   4 +-
 .../clientset/versioned/scheme/register.go    |   4 +-
 .../v1alpha1/authentication_client.go}        |  28 +--
 .../{idp => authentication}/v1alpha1/doc.go   |   0
 .../v1alpha1/fake/doc.go                      |   0
 .../fake/fake_authentication_client.go}       |   8 +-
 .../fake/fake_webhookidentityprovider.go      |   8 +-
 .../v1alpha1/generated_expansion.go           |   0
 .../v1alpha1/webhookidentityprovider.go       |   4 +-
 .../{idp => authentication}/interface.go      |   4 +-
 .../v1alpha1/interface.go                     |   0
 .../v1alpha1/webhookidentityprovider.go       |  12 +-
 .../informers/externalversions/factory.go     |  12 +-
 .../informers/externalversions/generic.go     |  20 +-
 .../v1alpha1/expansion_generated.go           |   0
 .../v1alpha1/webhookidentityprovider.go       |   2 +-
 .../client/openapi/zz_generated.openapi.go    | 174 +++++++--------
 ...pinniped.dev_webhookidentityproviders.yaml | 149 +++++++++++++
 hack/lib/docs/config.yaml                     |   2 +-
 hack/lib/tilt/Tiltfile                        |   2 +-
 hack/lib/update-codegen.sh                    |   8 +-
 internal/client/client_test.go                |   6 +-
 .../identityprovider/idpcache/cache_test.go   |   4 +-
 .../webhookcachecleaner.go                    |   8 +-
 .../webhookcachecleaner_test.go               |  18 +-
 .../webhookcachefiller/webhookcachefiller.go  |  10 +-
 .../webhookcachefiller_test.go                |  26 +--
 .../controllermanager/prepare_controllers.go  |   4 +-
 .../concierge_credentialrequest_test.go       |   4 +-
 test/integration/kube_api_discovery_test.go   |   8 +-
 test/library/client.go                        |   8 +-
 test/library/env.go                           |   6 +-
 133 files changed, 1067 insertions(+), 922 deletions(-)
 create mode 100644 apis/concierge/authentication/doc.go.tmpl
 rename apis/concierge/{idp => authentication}/v1alpha1/conversion.go.tmpl (100%)
 rename apis/concierge/{idp => authentication}/v1alpha1/defaults.go.tmpl (100%)
 rename apis/concierge/{idp => authentication}/v1alpha1/doc.go.tmpl (83%)
 rename apis/concierge/{idp => authentication}/v1alpha1/register.go.tmpl (95%)
 rename apis/concierge/{idp => authentication}/v1alpha1/types_meta.go.tmpl (100%)
 rename apis/concierge/{idp => authentication}/v1alpha1/types_tls.go.tmpl (100%)
 rename apis/concierge/{idp => authentication}/v1alpha1/types_webhook.go.tmpl (100%)
 delete mode 100644 apis/concierge/idp/doc.go.tmpl
 rename generated/1.17/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml => deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml (98%)
 create mode 100644 generated/1.17/apis/concierge/authentication/doc.go
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/conversion.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/defaults.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/doc.go (83%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/register.go (95%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/types_meta.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/types_tls.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/types_webhook.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.conversion.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.deepcopy.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.defaults.go (100%)
 rename generated/{1.18/apis/concierge/idp => 1.17/apis/concierge/authentication}/zz_generated.deepcopy.go (89%)
 delete mode 100644 generated/1.17/apis/concierge/idp/doc.go
 rename generated/1.17/client/clientset/versioned/typed/{idp/v1alpha1/idp_client.go => authentication/v1alpha1/authentication_client.go} (53%)
 rename generated/1.17/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/doc.go (100%)
 rename generated/1.17/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/fake/doc.go (100%)
 rename generated/1.17/client/clientset/versioned/typed/{idp/v1alpha1/fake/fake_idp_client.go => authentication/v1alpha1/fake/fake_authentication_client.go} (66%)
 rename generated/1.17/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/fake/fake_webhookidentityprovider.go (94%)
 rename generated/1.17/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/generated_expansion.go (100%)
 rename generated/1.17/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/webhookidentityprovider.go (97%)
 rename generated/1.17/client/informers/externalversions/{idp => authentication}/interface.go (94%)
 rename generated/1.17/client/informers/externalversions/{idp => authentication}/v1alpha1/interface.go (100%)
 rename generated/1.17/client/informers/externalversions/{idp => authentication}/v1alpha1/webhookidentityprovider.go (85%)
 rename generated/1.17/client/listers/{idp => authentication}/v1alpha1/expansion_generated.go (100%)
 rename generated/1.17/client/listers/{idp => authentication}/v1alpha1/webhookidentityprovider.go (97%)
 rename generated/{1.18/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml => 1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml} (98%)
 create mode 100644 generated/1.18/apis/concierge/authentication/doc.go
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/conversion.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/defaults.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/doc.go (83%)
 rename generated/{1.19/apis/concierge/idp => 1.18/apis/concierge/authentication}/v1alpha1/register.go (95%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/types_meta.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/types_tls.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/types_webhook.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.conversion.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.deepcopy.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.defaults.go (100%)
 rename generated/{1.17/apis/concierge/idp => 1.18/apis/concierge/authentication}/zz_generated.deepcopy.go (89%)
 delete mode 100644 generated/1.18/apis/concierge/idp/doc.go
 rename generated/1.18/client/clientset/versioned/typed/{idp/v1alpha1/idp_client.go => authentication/v1alpha1/authentication_client.go} (53%)
 rename generated/1.18/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/doc.go (100%)
 rename generated/1.18/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/fake/doc.go (100%)
 rename generated/1.18/client/clientset/versioned/typed/{idp/v1alpha1/fake/fake_idp_client.go => authentication/v1alpha1/fake/fake_authentication_client.go} (66%)
 rename generated/{1.19/client/clientset/versioned/typed/idp => 1.18/client/clientset/versioned/typed/authentication}/v1alpha1/fake/fake_webhookidentityprovider.go (94%)
 rename generated/1.18/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/generated_expansion.go (100%)
 rename generated/1.18/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/webhookidentityprovider.go (97%)
 rename generated/1.18/client/informers/externalversions/{idp => authentication}/interface.go (94%)
 rename generated/1.18/client/informers/externalversions/{idp => authentication}/v1alpha1/interface.go (100%)
 rename generated/1.18/client/informers/externalversions/{idp => authentication}/v1alpha1/webhookidentityprovider.go (84%)
 rename generated/1.18/client/listers/{idp => authentication}/v1alpha1/expansion_generated.go (100%)
 rename generated/1.18/client/listers/{idp => authentication}/v1alpha1/webhookidentityprovider.go (97%)
 rename generated/{1.19/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml => 1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml} (98%)
 create mode 100644 generated/1.19/apis/concierge/authentication/doc.go
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/conversion.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/defaults.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/doc.go (83%)
 rename generated/{1.18/apis/concierge/idp => 1.19/apis/concierge/authentication}/v1alpha1/register.go (95%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/types_meta.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/types_tls.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/types_webhook.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.conversion.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.deepcopy.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.defaults.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/zz_generated.deepcopy.go (89%)
 delete mode 100644 generated/1.19/apis/concierge/idp/doc.go
 rename generated/1.19/client/clientset/versioned/typed/{idp/v1alpha1/idp_client.go => authentication/v1alpha1/authentication_client.go} (53%)
 rename generated/1.19/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/doc.go (100%)
 rename generated/1.19/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/fake/doc.go (100%)
 rename generated/1.19/client/clientset/versioned/typed/{idp/v1alpha1/fake/fake_idp_client.go => authentication/v1alpha1/fake/fake_authentication_client.go} (66%)
 rename generated/{1.18/client/clientset/versioned/typed/idp => 1.19/client/clientset/versioned/typed/authentication}/v1alpha1/fake/fake_webhookidentityprovider.go (94%)
 rename generated/1.19/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/generated_expansion.go (100%)
 rename generated/1.19/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/webhookidentityprovider.go (97%)
 rename generated/1.19/client/informers/externalversions/{idp => authentication}/interface.go (94%)
 rename generated/1.19/client/informers/externalversions/{idp => authentication}/v1alpha1/interface.go (100%)
 rename generated/1.19/client/informers/externalversions/{idp => authentication}/v1alpha1/webhookidentityprovider.go (84%)
 rename generated/1.19/client/listers/{idp => authentication}/v1alpha1/expansion_generated.go (100%)
 rename generated/1.19/client/listers/{idp => authentication}/v1alpha1/webhookidentityprovider.go (97%)
 create mode 100644 generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml

diff --git a/apis/concierge/authentication/doc.go.tmpl b/apis/concierge/authentication/doc.go.tmpl
new file mode 100644
index 000000000..c85584632
--- /dev/null
+++ b/apis/concierge/authentication/doc.go.tmpl
@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=authentication.concierge.pinniped.dev
+
+// Package authentication is the internal version of the Pinniped identity provider API.
+package authentication
diff --git a/apis/concierge/idp/v1alpha1/conversion.go.tmpl b/apis/concierge/authentication/v1alpha1/conversion.go.tmpl
similarity index 100%
rename from apis/concierge/idp/v1alpha1/conversion.go.tmpl
rename to apis/concierge/authentication/v1alpha1/conversion.go.tmpl
diff --git a/apis/concierge/idp/v1alpha1/defaults.go.tmpl b/apis/concierge/authentication/v1alpha1/defaults.go.tmpl
similarity index 100%
rename from apis/concierge/idp/v1alpha1/defaults.go.tmpl
rename to apis/concierge/authentication/v1alpha1/defaults.go.tmpl
diff --git a/apis/concierge/idp/v1alpha1/doc.go.tmpl b/apis/concierge/authentication/v1alpha1/doc.go.tmpl
similarity index 83%
rename from apis/concierge/idp/v1alpha1/doc.go.tmpl
rename to apis/concierge/authentication/v1alpha1/doc.go.tmpl
index 86223a810..4bd09774a 100644
--- a/apis/concierge/idp/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/doc.go.tmpl
@@ -3,10 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/concierge/idp
+// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/concierge/authentication
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=idp.concierge.pinniped.dev
-// +groupGoName=IDP
+// +groupName=authentication.concierge.pinniped.dev
 
 // Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
 package v1alpha1
diff --git a/apis/concierge/idp/v1alpha1/register.go.tmpl b/apis/concierge/authentication/v1alpha1/register.go.tmpl
similarity index 95%
rename from apis/concierge/idp/v1alpha1/register.go.tmpl
rename to apis/concierge/authentication/v1alpha1/register.go.tmpl
index 021640359..b372270dc 100644
--- a/apis/concierge/idp/v1alpha1/register.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/register.go.tmpl
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "idp.concierge.pinniped.dev"
+const GroupName = "authentication.concierge.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/apis/concierge/idp/v1alpha1/types_meta.go.tmpl b/apis/concierge/authentication/v1alpha1/types_meta.go.tmpl
similarity index 100%
rename from apis/concierge/idp/v1alpha1/types_meta.go.tmpl
rename to apis/concierge/authentication/v1alpha1/types_meta.go.tmpl
diff --git a/apis/concierge/idp/v1alpha1/types_tls.go.tmpl b/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
similarity index 100%
rename from apis/concierge/idp/v1alpha1/types_tls.go.tmpl
rename to apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
diff --git a/apis/concierge/idp/v1alpha1/types_webhook.go.tmpl b/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
similarity index 100%
rename from apis/concierge/idp/v1alpha1/types_webhook.go.tmpl
rename to apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
diff --git a/apis/concierge/idp/doc.go.tmpl b/apis/concierge/idp/doc.go.tmpl
deleted file mode 100644
index 22adc1b52..000000000
--- a/apis/concierge/idp/doc.go.tmpl
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=idp.concierge.pinniped.dev
-
-// Package idp is the internal version of the Pinniped identity provider API.
-package idp
diff --git a/cmd/pinniped/cmd/exchange_credential.go b/cmd/pinniped/cmd/exchange_credential.go
index 919411005..0e8d99d76 100644
--- a/cmd/pinniped/cmd/exchange_credential.go
+++ b/cmd/pinniped/cmd/exchange_credential.go
@@ -16,7 +16,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/internal/client"
 	"go.pinniped.dev/internal/constable"
 	"go.pinniped.dev/internal/here"
@@ -143,7 +143,7 @@ func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outp
 	idp := corev1.TypedLocalObjectReference{Name: idpName}
 	switch strings.ToLower(idpType) {
 	case "webhook":
-		idp.APIGroup = &idpv1alpha1.SchemeGroupVersion.Group
+		idp.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
 		idp.Kind = "WebhookIdentityProvider"
 	default:
 		return fmt.Errorf(`%w: %q, supported values are "webhook"`, ErrInvalidIDPType, idpType)
diff --git a/cmd/pinniped/cmd/get_kubeconfig.go b/cmd/pinniped/cmd/get_kubeconfig.go
index 8ed99b0d3..fa6935af4 100644
--- a/cmd/pinniped/cmd/get_kubeconfig.go
+++ b/cmd/pinniped/cmd/get_kubeconfig.go
@@ -187,7 +187,7 @@ func getDefaultIDP(clientset pinnipedclientset.Interface, namespace string) (str
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancelFunc()
 
-	webhooks, err := clientset.IDPV1alpha1().WebhookIdentityProviders(namespace).List(ctx, metav1.ListOptions{})
+	webhooks, err := clientset.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(ctx, metav1.ListOptions{})
 	if err != nil {
 		return "", "", err
 	}
diff --git a/cmd/pinniped/cmd/get_kubeconfig_test.go b/cmd/pinniped/cmd/get_kubeconfig_test.go
index 231425912..23d920c5c 100644
--- a/cmd/pinniped/cmd/get_kubeconfig_test.go
+++ b/cmd/pinniped/cmd/get_kubeconfig_test.go
@@ -17,7 +17,7 @@ import (
 	"k8s.io/client-go/rest"
 	coretesting "k8s.io/client-go/testing"
 
-	idpv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	authv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
 	pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
 	pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
@@ -256,8 +256,8 @@ func TestRun(t *testing.T) {
 				cmd.flags.idpType = ""
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						&idpv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-one"}},
-						&idpv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-two"}},
+						&authv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-one"}},
+						&authv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-two"}},
 					), nil
 				}
 			},
@@ -349,7 +349,7 @@ func TestRun(t *testing.T) {
 
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						&idpv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-idp"}},
+						&authv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-idp"}},
 						newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://example.com", "test-ca"),
 					), nil
 				}
diff --git a/generated/1.17/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
similarity index 98%
rename from generated/1.17/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
index af2416426..5e7aba722 100644
--- a/generated/1.17/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.idp.concierge.pinniped.dev
+  name: webhookidentityproviders.authentication.concierge.pinniped.dev
 spec:
-  group: idp.concierge.pinniped.dev
+  group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
diff --git a/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml b/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
index af2416426..5e7aba722 100644
--- a/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.idp.concierge.pinniped.dev
+  name: webhookidentityproviders.authentication.concierge.pinniped.dev
 spec:
-  group: idp.concierge.pinniped.dev
+  group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
diff --git a/deploy/concierge/rbac.yaml b/deploy/concierge/rbac.yaml
index 1571d56dd..714944be6 100644
--- a/deploy/concierge/rbac.yaml
+++ b/deploy/concierge/rbac.yaml
@@ -59,7 +59,7 @@ rules:
   - apiGroups: [ "" ]
     resources: [ pods/exec ]
     verbs: [ create ]
-  - apiGroups: [ config.pinniped.dev, idp.concierge.pinniped.dev ]
+  - apiGroups: [ config.pinniped.dev, authentication.concierge.pinniped.dev ]
     resources: [ "*" ]
     verbs: [ create, get, list, update, watch ]
 ---
diff --git a/deploy/concierge/z0_crd_overlay.yaml b/deploy/concierge/z0_crd_overlay.yaml
index 7f637f7e8..61f4c93e5 100644
--- a/deploy/concierge/z0_crd_overlay.yaml
+++ b/deploy/concierge/z0_crd_overlay.yaml
@@ -10,7 +10,7 @@ metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
 
-#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookidentityproviders.idp.concierge.pinniped.dev"}}), expects=1
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookidentityproviders.authentication.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
diff --git a/doc/demo.md b/doc/demo.md
index 8cc1a3688..8b6cef40a 100644
--- a/doc/demo.md
+++ b/doc/demo.md
@@ -122,7 +122,7 @@ as the identity provider.
 
     ```bash
     cat <<EOF | kubectl create --namespace pinniped -f -
-    apiVersion: idp.concierge.pinniped.dev/v1alpha1
+    apiVersion: authentication.concierge.pinniped.dev/v1alpha1
     kind: WebhookIdentityProvider
     metadata:
       name: local-user-authenticator
diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc
index 9cf1ecfda..081abb12a 100644
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -5,11 +5,115 @@
 == API Reference
 
 .Packages
+- xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-config-pinniped-dev-v1alpha1[$$config.pinniped.dev/v1alpha1$$]
-- xref:{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1[$$idp.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 
 
+[id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
+=== authentication.concierge.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-condition"]
+==== Condition 
+
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec"]
+==== TLSSpec 
+
+Configuration for configuring TLS on various identity providers.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityprovider"]
+==== WebhookIdentityProvider 
+
+WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec"]
+==== WebhookIdentityProviderSpec 
+
+Spec for configuring a webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`endpoint`* __string__ | Webhook server endpoint URL.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus"]
+==== WebhookIdentityProviderStatus 
+
+Status of a webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+|===
+
+
+
 [id="{anchor_prefix}-config-pinniped-dev-v1alpha1"]
 === config.pinniped.dev/v1alpha1
 
@@ -161,110 +265,6 @@ OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC
 
 
 
-[id="{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1"]
-=== idp.concierge.pinniped.dev/v1alpha1
-
-Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-condition"]
-==== Condition 
-
-Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
-| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
-| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-tlsspec"]
-==== TLSSpec 
-
-Configuration for configuring TLS on various identity providers.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityprovider"]
-==== WebhookIdentityProvider 
-
-WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
-|===
-
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderspec"]
-==== WebhookIdentityProviderSpec 
-
-Spec for configuring a webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`endpoint`* __string__ | Webhook server endpoint URL.
-| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus"]
-==== WebhookIdentityProviderStatus 
-
-Status of a webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
-|===
-
-
-
 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
 
diff --git a/generated/1.17/apis/concierge/authentication/doc.go b/generated/1.17/apis/concierge/authentication/doc.go
new file mode 100644
index 000000000..c85584632
--- /dev/null
+++ b/generated/1.17/apis/concierge/authentication/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=authentication.concierge.pinniped.dev
+
+// Package authentication is the internal version of the Pinniped identity provider API.
+package authentication
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/conversion.go b/generated/1.17/apis/concierge/authentication/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/conversion.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/conversion.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/defaults.go b/generated/1.17/apis/concierge/authentication/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/defaults.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/defaults.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/doc.go b/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
similarity index 83%
rename from generated/1.17/apis/concierge/idp/v1alpha1/doc.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
index e756111be..8cd69dfaf 100644
--- a/generated/1.17/apis/concierge/idp/v1alpha1/doc.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
@@ -3,10 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.17/apis/concierge/idp
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.17/apis/concierge/authentication
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=idp.concierge.pinniped.dev
-// +groupGoName=IDP
+// +groupName=authentication.concierge.pinniped.dev
 
 // Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
 package v1alpha1
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/register.go b/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
similarity index 95%
rename from generated/1.17/apis/concierge/idp/v1alpha1/register.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/register.go
index 021640359..b372270dc 100644
--- a/generated/1.17/apis/concierge/idp/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "idp.concierge.pinniped.dev"
+const GroupName = "authentication.concierge.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/types_meta.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_meta.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/types_meta.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/types_meta.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/types_tls.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/types_tls.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/types_webhook.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/types_webhook.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.conversion.go b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.conversion.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.conversion.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.conversion.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.defaults.go b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.defaults.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.defaults.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.defaults.go
diff --git a/generated/1.18/apis/concierge/idp/zz_generated.deepcopy.go b/generated/1.17/apis/concierge/authentication/zz_generated.deepcopy.go
similarity index 89%
rename from generated/1.18/apis/concierge/idp/zz_generated.deepcopy.go
rename to generated/1.17/apis/concierge/authentication/zz_generated.deepcopy.go
index 0b9642eaf..3a7a0f4b4 100644
--- a/generated/1.18/apis/concierge/idp/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/authentication/zz_generated.deepcopy.go
@@ -5,4 +5,4 @@
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
 
-package idp
+package authentication
diff --git a/generated/1.17/apis/concierge/idp/doc.go b/generated/1.17/apis/concierge/idp/doc.go
deleted file mode 100644
index 22adc1b52..000000000
--- a/generated/1.17/apis/concierge/idp/doc.go
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=idp.concierge.pinniped.dev
-
-// Package idp is the internal version of the Pinniped identity provider API.
-package idp
diff --git a/generated/1.17/client/clientset/versioned/clientset.go b/generated/1.17/client/clientset/versioned/clientset.go
index 9fdf9233b..99230a877 100644
--- a/generated/1.17/client/clientset/versioned/clientset.go
+++ b/generated/1.17/client/clientset/versioned/clientset.go
@@ -8,8 +8,8 @@ package versioned
 import (
 	"fmt"
 
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/login/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
@@ -18,8 +18,8 @@ import (
 
 type Interface interface {
 	Discovery() discovery.DiscoveryInterface
+	AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface
 	ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
-	IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
 	LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface
 }
 
@@ -27,9 +27,14 @@ type Interface interface {
 // version included in a Clientset.
 type Clientset struct {
 	*discovery.DiscoveryClient
-	configV1alpha1 *configv1alpha1.ConfigV1alpha1Client
-	iDPV1alpha1    *idpv1alpha1.IDPV1alpha1Client
-	loginV1alpha1  *loginv1alpha1.LoginV1alpha1Client
+	authenticationV1alpha1 *authenticationv1alpha1.AuthenticationV1alpha1Client
+	configV1alpha1         *configv1alpha1.ConfigV1alpha1Client
+	loginV1alpha1          *loginv1alpha1.LoginV1alpha1Client
+}
+
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return c.authenticationV1alpha1
 }
 
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
@@ -37,11 +42,6 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return c.configV1alpha1
 }
 
-// IDPV1alpha1 retrieves the IDPV1alpha1Client
-func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
-	return c.iDPV1alpha1
-}
-
 // LoginV1alpha1 retrieves the LoginV1alpha1Client
 func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
 	return c.loginV1alpha1
@@ -68,11 +68,11 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 	}
 	var cs Clientset
 	var err error
-	cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy)
+	cs.authenticationV1alpha1, err = authenticationv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
 	}
-	cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy)
+	cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
 	}
@@ -92,8 +92,8 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 // panics if there is an error in the config.
 func NewForConfigOrDie(c *rest.Config) *Clientset {
 	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.NewForConfigOrDie(c)
 	cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c)
-	cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
 	cs.loginV1alpha1 = loginv1alpha1.NewForConfigOrDie(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
@@ -103,8 +103,8 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 // New creates a new Clientset for the given RESTClient.
 func New(c rest.Interface) *Clientset {
 	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.New(c)
 	cs.configV1alpha1 = configv1alpha1.New(c)
-	cs.iDPV1alpha1 = idpv1alpha1.New(c)
 	cs.loginV1alpha1 = loginv1alpha1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
diff --git a/generated/1.17/client/clientset/versioned/fake/clientset_generated.go b/generated/1.17/client/clientset/versioned/fake/clientset_generated.go
index 5ce3436b8..b8c4ba162 100644
--- a/generated/1.17/client/clientset/versioned/fake/clientset_generated.go
+++ b/generated/1.17/client/clientset/versioned/fake/clientset_generated.go
@@ -7,10 +7,10 @@ package fake
 
 import (
 	clientset "go.pinniped.dev/generated/1.17/client/clientset/versioned"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1"
+	fakeauthenticationv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/config/v1alpha1"
 	fakeconfigv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/config/v1alpha1/fake"
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1"
-	fakeidpv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/login/v1alpha1"
 	fakeloginv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/login/v1alpha1/fake"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -67,16 +67,16 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 
 var _ clientset.Interface = &Clientset{}
 
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return &fakeauthenticationv1alpha1.FakeAuthenticationV1alpha1{Fake: &c.Fake}
+}
+
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
 func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake}
 }
 
-// IDPV1alpha1 retrieves the IDPV1alpha1Client
-func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
-	return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
-}
-
 // LoginV1alpha1 retrieves the LoginV1alpha1Client
 func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
 	return &fakeloginv1alpha1.FakeLoginV1alpha1{Fake: &c.Fake}
diff --git a/generated/1.17/client/clientset/versioned/fake/register.go b/generated/1.17/client/clientset/versioned/fake/register.go
index 2866783b8..da71772ed 100644
--- a/generated/1.17/client/clientset/versioned/fake/register.go
+++ b/generated/1.17/client/clientset/versioned/fake/register.go
@@ -6,7 +6,7 @@
 package fake
 
 import (
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,8 +20,8 @@ var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)
 var parameterCodec = runtime.NewParameterCodec(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
 	configv1alpha1.AddToScheme,
-	idpv1alpha1.AddToScheme,
 	loginv1alpha1.AddToScheme,
 }
 
diff --git a/generated/1.17/client/clientset/versioned/scheme/register.go b/generated/1.17/client/clientset/versioned/scheme/register.go
index 9d4e26ea0..f257102f8 100644
--- a/generated/1.17/client/clientset/versioned/scheme/register.go
+++ b/generated/1.17/client/clientset/versioned/scheme/register.go
@@ -6,7 +6,7 @@
 package scheme
 
 import (
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,8 +20,8 @@ var Scheme = runtime.NewScheme()
 var Codecs = serializer.NewCodecFactory(Scheme)
 var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
 	configv1alpha1.AddToScheme,
-	idpv1alpha1.AddToScheme,
 	loginv1alpha1.AddToScheme,
 }
 
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
similarity index 53%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
index 4b5cb0c41..360fce0f1 100644
--- a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -6,27 +6,27 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
 	rest "k8s.io/client-go/rest"
 )
 
-type IDPV1alpha1Interface interface {
+type AuthenticationV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	WebhookIdentityProvidersGetter
 }
 
-// IDPV1alpha1Client is used to interact with features provided by the idp.concierge.pinniped.dev group.
-type IDPV1alpha1Client struct {
+// AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
+type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
+func (c *AuthenticationV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
 	return newWebhookIdentityProviders(c, namespace)
 }
 
-// NewForConfig creates a new IDPV1alpha1Client for the given config.
-func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
+// NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*AuthenticationV1alpha1Client, error) {
 	config := *c
 	if err := setConfigDefaults(&config); err != nil {
 		return nil, err
@@ -35,12 +35,12 @@ func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
 	if err != nil {
 		return nil, err
 	}
-	return &IDPV1alpha1Client{client}, nil
+	return &AuthenticationV1alpha1Client{client}, nil
 }
 
-// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and
+// NewForConfigOrDie creates a new AuthenticationV1alpha1Client for the given config and
 // panics if there is an error in the config.
-func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
+func NewForConfigOrDie(c *rest.Config) *AuthenticationV1alpha1Client {
 	client, err := NewForConfig(c)
 	if err != nil {
 		panic(err)
@@ -48,9 +48,9 @@ func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
 	return client
 }
 
-// New creates a new IDPV1alpha1Client for the given RESTClient.
-func New(c rest.Interface) *IDPV1alpha1Client {
-	return &IDPV1alpha1Client{c}
+// New creates a new AuthenticationV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *AuthenticationV1alpha1Client {
+	return &AuthenticationV1alpha1Client{c}
 }
 
 func setConfigDefaults(config *rest.Config) error {
@@ -68,7 +68,7 @@ func setConfigDefaults(config *rest.Config) error {
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *IDPV1alpha1Client) RESTClient() rest.Interface {
+func (c *AuthenticationV1alpha1Client) RESTClient() rest.Interface {
 	if c == nil {
 		return nil
 	}
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/doc.go
similarity index 100%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/doc.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/doc.go
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
similarity index 100%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
similarity index 66%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
index 3d093d102..331981fa1 100644
--- a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -6,22 +6,22 @@
 package fake
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1"
 	rest "k8s.io/client-go/rest"
 	testing "k8s.io/client-go/testing"
 )
 
-type FakeIDPV1alpha1 struct {
+type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
+func (c *FakeAuthenticationV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
 	return &FakeWebhookIdentityProviders{c, namespace}
 }
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *FakeIDPV1alpha1) RESTClient() rest.Interface {
+func (c *FakeAuthenticationV1alpha1) RESTClient() rest.Interface {
 	var ret *rest.RESTClient
 	return ret
 }
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
similarity index 94%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
index 1d87624bd..30681a89f 100644
--- a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
@@ -6,7 +6,7 @@
 package fake
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -17,13 +17,13 @@ import (
 
 // FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
 type FakeWebhookIdentityProviders struct {
-	Fake *FakeIDPV1alpha1
+	Fake *FakeAuthenticationV1alpha1
 	ns   string
 }
 
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
+var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
 
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
+var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
 
 // Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
 func (c *FakeWebhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
similarity index 100%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
similarity index 97%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
index afd49019a..101145177 100644
--- a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
@@ -8,7 +8,7 @@ package v1alpha1
 import (
 	"time"
 
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
@@ -43,7 +43,7 @@ type webhookIdentityProviders struct {
 }
 
 // newWebhookIdentityProviders returns a WebhookIdentityProviders
-func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders {
+func newWebhookIdentityProviders(c *AuthenticationV1alpha1Client, namespace string) *webhookIdentityProviders {
 	return &webhookIdentityProviders{
 		client: c.RESTClient(),
 		ns:     namespace,
diff --git a/generated/1.17/client/informers/externalversions/idp/interface.go b/generated/1.17/client/informers/externalversions/authentication/interface.go
similarity index 94%
rename from generated/1.17/client/informers/externalversions/idp/interface.go
rename to generated/1.17/client/informers/externalversions/authentication/interface.go
index deb662017..2dfbf1ade 100644
--- a/generated/1.17/client/informers/externalversions/idp/interface.go
+++ b/generated/1.17/client/informers/externalversions/authentication/interface.go
@@ -3,10 +3,10 @@
 
 // Code generated by informer-gen. DO NOT EDIT.
 
-package idp
+package authentication
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/client/informers/externalversions/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/informers/externalversions/authentication/v1alpha1"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
 )
 
diff --git a/generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/interface.go
similarity index 100%
rename from generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go
rename to generated/1.17/client/informers/externalversions/authentication/v1alpha1/interface.go
diff --git a/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
similarity index 85%
rename from generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
index 246ac27bd..86d3336a2 100644
--- a/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
@@ -8,10 +8,10 @@ package v1alpha1
 import (
 	time "time"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.17/client/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
-	v1alpha1 "go.pinniped.dev/generated/1.17/client/listers/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/listers/authentication/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
@@ -48,16 +48,16 @@ func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, name
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(options)
+				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(options)
+				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).Watch(options)
 			},
 		},
-		&idpv1alpha1.WebhookIdentityProvider{},
+		&authenticationv1alpha1.WebhookIdentityProvider{},
 		resyncPeriod,
 		indexers,
 	)
@@ -68,7 +68,7 @@ func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Inter
 }
 
 func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
 }
 
 func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
diff --git a/generated/1.17/client/informers/externalversions/factory.go b/generated/1.17/client/informers/externalversions/factory.go
index 414a8b20d..2c63113e8 100644
--- a/generated/1.17/client/informers/externalversions/factory.go
+++ b/generated/1.17/client/informers/externalversions/factory.go
@@ -11,8 +11,8 @@ import (
 	time "time"
 
 	versioned "go.pinniped.dev/generated/1.17/client/clientset/versioned"
+	authentication "go.pinniped.dev/generated/1.17/client/informers/externalversions/authentication"
 	config "go.pinniped.dev/generated/1.17/client/informers/externalversions/config"
-	idp "go.pinniped.dev/generated/1.17/client/informers/externalversions/idp"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
 	login "go.pinniped.dev/generated/1.17/client/informers/externalversions/login"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -161,19 +161,19 @@ type SharedInformerFactory interface {
 	ForResource(resource schema.GroupVersionResource) (GenericInformer, error)
 	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
 
+	Authentication() authentication.Interface
 	Config() config.Interface
-	IDP() idp.Interface
 	Login() login.Interface
 }
 
+func (f *sharedInformerFactory) Authentication() authentication.Interface {
+	return authentication.New(f, f.namespace, f.tweakListOptions)
+}
+
 func (f *sharedInformerFactory) Config() config.Interface {
 	return config.New(f, f.namespace, f.tweakListOptions)
 }
 
-func (f *sharedInformerFactory) IDP() idp.Interface {
-	return idp.New(f, f.namespace, f.tweakListOptions)
-}
-
 func (f *sharedInformerFactory) Login() login.Interface {
 	return login.New(f, f.namespace, f.tweakListOptions)
 }
diff --git a/generated/1.17/client/informers/externalversions/generic.go b/generated/1.17/client/informers/externalversions/generic.go
index 6e1501702..e6f3f43eb 100644
--- a/generated/1.17/client/informers/externalversions/generic.go
+++ b/generated/1.17/client/informers/externalversions/generic.go
@@ -8,9 +8,9 @@ package externalversions
 import (
 	"fmt"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1"
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
+	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -41,15 +41,15 @@ func (f *genericInformer) Lister() cache.GenericLister {
 // TODO extend this to unknown resources with a client pool
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
-	// Group=config.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
-	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
+	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 
-		// Group=idp.concierge.pinniped.dev, Version=v1alpha1
-	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
+		// Group=config.pinniped.dev, Version=v1alpha1
+	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+	case configv1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
 		// Group=login.concierge.pinniped.dev, Version=v1alpha1
 	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
diff --git a/generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go b/generated/1.17/client/listers/authentication/v1alpha1/expansion_generated.go
similarity index 100%
rename from generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go
rename to generated/1.17/client/listers/authentication/v1alpha1/expansion_generated.go
diff --git a/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go
similarity index 97%
rename from generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go
index afe205731..933b303da 100644
--- a/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
diff --git a/generated/1.17/client/openapi/zz_generated.openapi.go b/generated/1.17/client/openapi/zz_generated.openapi.go
index 9350e05af..b8d43ca3a 100644
--- a/generated/1.17/client/openapi/zz_generated.openapi.go
+++ b/generated/1.17/client/openapi/zz_generated.openapi.go
@@ -17,81 +17,81 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.Condition":                      schema_apis_concierge_idp_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.TLSSpec":                        schema_apis_concierge_idp_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProvider":        schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderList":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus":  schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":            schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":       schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus": schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfig":                schema_117_apis_config_v1alpha1_CredentialIssuerConfig(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":  schema_117_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigList":            schema_117_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStatus":          schema_117_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStrategy":        schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig":                    schema_117_apis_config_v1alpha1_OIDCProviderConfig(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigList":                schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec":                schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigStatus":              schema_117_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                             schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                         schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                          schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                      schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                          schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                        schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                        schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                             schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                        schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                             schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                           schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                            schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                        schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                         schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                             schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                     schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                 schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                        schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                        schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                             schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                 schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                             schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                          schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                   schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                            schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                           schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                       schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                            schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                         schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                        schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                            schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                            schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                               schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                          schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                        schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                         schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                             schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                    schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                 schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                            schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                             schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                        schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                           schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                              schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                  schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                   schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                      schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition":                     schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec":                       schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider":       schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderList":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus": schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":                      schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":                 schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":           schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfig":                          schema_117_apis_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":            schema_117_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigList":                      schema_117_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStatus":                    schema_117_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStrategy":                  schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig":                              schema_117_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigList":                          schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec":                          schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigStatus":                        schema_117_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                       schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                   schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                    schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                    schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                  schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                  schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                       schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                  schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                       schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                     schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                      schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                  schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                   schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                       schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                               schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                           schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                  schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                  schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                       schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                           schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                       schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                    schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                             schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                      schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                     schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                 schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                          schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                      schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                          schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                   schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                  schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                      schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                      schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                         schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                    schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                  schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                          schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                          schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                   schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                       schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                              schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                           schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                      schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                       schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                  schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                     schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                        schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                            schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                             schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                                schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -148,7 +148,7 @@ func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback)
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -168,7 +168,7 @@ func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) co
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -197,13 +197,13 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.Refer
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus"),
 						},
 					},
 				},
@@ -211,11 +211,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -247,7 +247,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.R
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProvider"),
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider"),
 									},
 								},
 							},
@@ -258,11 +258,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -279,7 +279,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.R
 					"tls": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TLS configuration.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.TLSSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec"),
 						},
 					},
 				},
@@ -287,11 +287,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.TLSSpec"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -315,7 +315,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.Condition"),
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition"),
 									},
 								},
 							},
@@ -325,7 +325,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.Condition"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition"},
 	}
 }
 
diff --git a/generated/1.18/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
similarity index 98%
rename from generated/1.18/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
index af2416426..5e7aba722 100644
--- a/generated/1.18/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.idp.concierge.pinniped.dev
+  name: webhookidentityproviders.authentication.concierge.pinniped.dev
 spec:
-  group: idp.concierge.pinniped.dev
+  group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc
index 42bbd525b..ca7a442f3 100644
--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@@ -5,11 +5,115 @@
 == API Reference
 
 .Packages
+- xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-config-pinniped-dev-v1alpha1[$$config.pinniped.dev/v1alpha1$$]
-- xref:{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1[$$idp.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 
 
+[id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
+=== authentication.concierge.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-condition"]
+==== Condition 
+
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec"]
+==== TLSSpec 
+
+Configuration for configuring TLS on various identity providers.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityprovider"]
+==== WebhookIdentityProvider 
+
+WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec"]
+==== WebhookIdentityProviderSpec 
+
+Spec for configuring a webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`endpoint`* __string__ | Webhook server endpoint URL.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus"]
+==== WebhookIdentityProviderStatus 
+
+Status of a webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+|===
+
+
+
 [id="{anchor_prefix}-config-pinniped-dev-v1alpha1"]
 === config.pinniped.dev/v1alpha1
 
@@ -161,110 +265,6 @@ OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC
 
 
 
-[id="{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1"]
-=== idp.concierge.pinniped.dev/v1alpha1
-
-Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-condition"]
-==== Condition 
-
-Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
-| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
-| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-tlsspec"]
-==== TLSSpec 
-
-Configuration for configuring TLS on various identity providers.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityprovider"]
-==== WebhookIdentityProvider 
-
-WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
-|===
-
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderspec"]
-==== WebhookIdentityProviderSpec 
-
-Spec for configuring a webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`endpoint`* __string__ | Webhook server endpoint URL.
-| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus"]
-==== WebhookIdentityProviderStatus 
-
-Status of a webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
-|===
-
-
-
 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
 
diff --git a/generated/1.18/apis/concierge/authentication/doc.go b/generated/1.18/apis/concierge/authentication/doc.go
new file mode 100644
index 000000000..c85584632
--- /dev/null
+++ b/generated/1.18/apis/concierge/authentication/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=authentication.concierge.pinniped.dev
+
+// Package authentication is the internal version of the Pinniped identity provider API.
+package authentication
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/conversion.go b/generated/1.18/apis/concierge/authentication/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/conversion.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/conversion.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/defaults.go b/generated/1.18/apis/concierge/authentication/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/defaults.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/defaults.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/doc.go b/generated/1.18/apis/concierge/authentication/v1alpha1/doc.go
similarity index 83%
rename from generated/1.18/apis/concierge/idp/v1alpha1/doc.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/doc.go
index 8053d0a2f..49cd74309 100644
--- a/generated/1.18/apis/concierge/idp/v1alpha1/doc.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/doc.go
@@ -3,10 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.18/apis/concierge/idp
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.18/apis/concierge/authentication
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=idp.concierge.pinniped.dev
-// +groupGoName=IDP
+// +groupName=authentication.concierge.pinniped.dev
 
 // Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
 package v1alpha1
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/register.go b/generated/1.18/apis/concierge/authentication/v1alpha1/register.go
similarity index 95%
rename from generated/1.19/apis/concierge/idp/v1alpha1/register.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/register.go
index 021640359..b372270dc 100644
--- a/generated/1.19/apis/concierge/idp/v1alpha1/register.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "idp.concierge.pinniped.dev"
+const GroupName = "authentication.concierge.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/types_meta.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_meta.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/types_meta.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/types_meta.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/types_tls.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_tls.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/types_tls.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/types_tls.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/types_webhook.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/types_webhook.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.conversion.go b/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.conversion.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.conversion.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.conversion.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.defaults.go b/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.defaults.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.defaults.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.defaults.go
diff --git a/generated/1.17/apis/concierge/idp/zz_generated.deepcopy.go b/generated/1.18/apis/concierge/authentication/zz_generated.deepcopy.go
similarity index 89%
rename from generated/1.17/apis/concierge/idp/zz_generated.deepcopy.go
rename to generated/1.18/apis/concierge/authentication/zz_generated.deepcopy.go
index 0b9642eaf..3a7a0f4b4 100644
--- a/generated/1.17/apis/concierge/idp/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/concierge/authentication/zz_generated.deepcopy.go
@@ -5,4 +5,4 @@
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
 
-package idp
+package authentication
diff --git a/generated/1.18/apis/concierge/idp/doc.go b/generated/1.18/apis/concierge/idp/doc.go
deleted file mode 100644
index 22adc1b52..000000000
--- a/generated/1.18/apis/concierge/idp/doc.go
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=idp.concierge.pinniped.dev
-
-// Package idp is the internal version of the Pinniped identity provider API.
-package idp
diff --git a/generated/1.18/client/clientset/versioned/clientset.go b/generated/1.18/client/clientset/versioned/clientset.go
index fcd663cda..5201e527b 100644
--- a/generated/1.18/client/clientset/versioned/clientset.go
+++ b/generated/1.18/client/clientset/versioned/clientset.go
@@ -8,8 +8,8 @@ package versioned
 import (
 	"fmt"
 
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/login/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
@@ -18,8 +18,8 @@ import (
 
 type Interface interface {
 	Discovery() discovery.DiscoveryInterface
+	AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface
 	ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
-	IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
 	LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface
 }
 
@@ -27,9 +27,14 @@ type Interface interface {
 // version included in a Clientset.
 type Clientset struct {
 	*discovery.DiscoveryClient
-	configV1alpha1 *configv1alpha1.ConfigV1alpha1Client
-	iDPV1alpha1    *idpv1alpha1.IDPV1alpha1Client
-	loginV1alpha1  *loginv1alpha1.LoginV1alpha1Client
+	authenticationV1alpha1 *authenticationv1alpha1.AuthenticationV1alpha1Client
+	configV1alpha1         *configv1alpha1.ConfigV1alpha1Client
+	loginV1alpha1          *loginv1alpha1.LoginV1alpha1Client
+}
+
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return c.authenticationV1alpha1
 }
 
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
@@ -37,11 +42,6 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return c.configV1alpha1
 }
 
-// IDPV1alpha1 retrieves the IDPV1alpha1Client
-func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
-	return c.iDPV1alpha1
-}
-
 // LoginV1alpha1 retrieves the LoginV1alpha1Client
 func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
 	return c.loginV1alpha1
@@ -68,11 +68,11 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 	}
 	var cs Clientset
 	var err error
-	cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy)
+	cs.authenticationV1alpha1, err = authenticationv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
 	}
-	cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy)
+	cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
 	}
@@ -92,8 +92,8 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 // panics if there is an error in the config.
 func NewForConfigOrDie(c *rest.Config) *Clientset {
 	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.NewForConfigOrDie(c)
 	cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c)
-	cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
 	cs.loginV1alpha1 = loginv1alpha1.NewForConfigOrDie(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
@@ -103,8 +103,8 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 // New creates a new Clientset for the given RESTClient.
 func New(c rest.Interface) *Clientset {
 	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.New(c)
 	cs.configV1alpha1 = configv1alpha1.New(c)
-	cs.iDPV1alpha1 = idpv1alpha1.New(c)
 	cs.loginV1alpha1 = loginv1alpha1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
diff --git a/generated/1.18/client/clientset/versioned/fake/clientset_generated.go b/generated/1.18/client/clientset/versioned/fake/clientset_generated.go
index 00b7ab1c6..b8b6aceac 100644
--- a/generated/1.18/client/clientset/versioned/fake/clientset_generated.go
+++ b/generated/1.18/client/clientset/versioned/fake/clientset_generated.go
@@ -7,10 +7,10 @@ package fake
 
 import (
 	clientset "go.pinniped.dev/generated/1.18/client/clientset/versioned"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1"
+	fakeauthenticationv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/config/v1alpha1"
 	fakeconfigv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/config/v1alpha1/fake"
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1"
-	fakeidpv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/login/v1alpha1"
 	fakeloginv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/login/v1alpha1/fake"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -67,16 +67,16 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 
 var _ clientset.Interface = &Clientset{}
 
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return &fakeauthenticationv1alpha1.FakeAuthenticationV1alpha1{Fake: &c.Fake}
+}
+
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
 func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake}
 }
 
-// IDPV1alpha1 retrieves the IDPV1alpha1Client
-func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
-	return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
-}
-
 // LoginV1alpha1 retrieves the LoginV1alpha1Client
 func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
 	return &fakeloginv1alpha1.FakeLoginV1alpha1{Fake: &c.Fake}
diff --git a/generated/1.18/client/clientset/versioned/fake/register.go b/generated/1.18/client/clientset/versioned/fake/register.go
index 92d661cea..bdb2ee642 100644
--- a/generated/1.18/client/clientset/versioned/fake/register.go
+++ b/generated/1.18/client/clientset/versioned/fake/register.go
@@ -6,7 +6,7 @@
 package fake
 
 import (
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,8 +20,8 @@ var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)
 var parameterCodec = runtime.NewParameterCodec(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
 	configv1alpha1.AddToScheme,
-	idpv1alpha1.AddToScheme,
 	loginv1alpha1.AddToScheme,
 }
 
diff --git a/generated/1.18/client/clientset/versioned/scheme/register.go b/generated/1.18/client/clientset/versioned/scheme/register.go
index 47b008a88..e41b4bf92 100644
--- a/generated/1.18/client/clientset/versioned/scheme/register.go
+++ b/generated/1.18/client/clientset/versioned/scheme/register.go
@@ -6,7 +6,7 @@
 package scheme
 
 import (
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,8 +20,8 @@ var Scheme = runtime.NewScheme()
 var Codecs = serializer.NewCodecFactory(Scheme)
 var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
 	configv1alpha1.AddToScheme,
-	idpv1alpha1.AddToScheme,
 	loginv1alpha1.AddToScheme,
 }
 
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
similarity index 53%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
index 45705e9a6..4073c3c6c 100644
--- a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -6,27 +6,27 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
 	rest "k8s.io/client-go/rest"
 )
 
-type IDPV1alpha1Interface interface {
+type AuthenticationV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	WebhookIdentityProvidersGetter
 }
 
-// IDPV1alpha1Client is used to interact with features provided by the idp.concierge.pinniped.dev group.
-type IDPV1alpha1Client struct {
+// AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
+type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
+func (c *AuthenticationV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
 	return newWebhookIdentityProviders(c, namespace)
 }
 
-// NewForConfig creates a new IDPV1alpha1Client for the given config.
-func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
+// NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*AuthenticationV1alpha1Client, error) {
 	config := *c
 	if err := setConfigDefaults(&config); err != nil {
 		return nil, err
@@ -35,12 +35,12 @@ func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
 	if err != nil {
 		return nil, err
 	}
-	return &IDPV1alpha1Client{client}, nil
+	return &AuthenticationV1alpha1Client{client}, nil
 }
 
-// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and
+// NewForConfigOrDie creates a new AuthenticationV1alpha1Client for the given config and
 // panics if there is an error in the config.
-func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
+func NewForConfigOrDie(c *rest.Config) *AuthenticationV1alpha1Client {
 	client, err := NewForConfig(c)
 	if err != nil {
 		panic(err)
@@ -48,9 +48,9 @@ func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
 	return client
 }
 
-// New creates a new IDPV1alpha1Client for the given RESTClient.
-func New(c rest.Interface) *IDPV1alpha1Client {
-	return &IDPV1alpha1Client{c}
+// New creates a new AuthenticationV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *AuthenticationV1alpha1Client {
+	return &AuthenticationV1alpha1Client{c}
 }
 
 func setConfigDefaults(config *rest.Config) error {
@@ -68,7 +68,7 @@ func setConfigDefaults(config *rest.Config) error {
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *IDPV1alpha1Client) RESTClient() rest.Interface {
+func (c *AuthenticationV1alpha1Client) RESTClient() rest.Interface {
 	if c == nil {
 		return nil
 	}
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/doc.go
similarity index 100%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/doc.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/doc.go
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
similarity index 100%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
similarity index 66%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
index ba62b2183..73de150f4 100644
--- a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -6,22 +6,22 @@
 package fake
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1"
 	rest "k8s.io/client-go/rest"
 	testing "k8s.io/client-go/testing"
 )
 
-type FakeIDPV1alpha1 struct {
+type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
+func (c *FakeAuthenticationV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
 	return &FakeWebhookIdentityProviders{c, namespace}
 }
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *FakeIDPV1alpha1) RESTClient() rest.Interface {
+func (c *FakeAuthenticationV1alpha1) RESTClient() rest.Interface {
 	var ret *rest.RESTClient
 	return ret
 }
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
similarity index 94%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
index 1b64361cf..05757ab00 100644
--- a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
@@ -8,7 +8,7 @@ package fake
 import (
 	"context"
 
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,13 +19,13 @@ import (
 
 // FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
 type FakeWebhookIdentityProviders struct {
-	Fake *FakeIDPV1alpha1
+	Fake *FakeAuthenticationV1alpha1
 	ns   string
 }
 
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
+var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
 
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
+var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
 
 // Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
 func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
similarity index 100%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
similarity index 97%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
index 389aff71b..157cb606d 100644
--- a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
@@ -9,7 +9,7 @@ import (
 	"context"
 	"time"
 
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
@@ -44,7 +44,7 @@ type webhookIdentityProviders struct {
 }
 
 // newWebhookIdentityProviders returns a WebhookIdentityProviders
-func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders {
+func newWebhookIdentityProviders(c *AuthenticationV1alpha1Client, namespace string) *webhookIdentityProviders {
 	return &webhookIdentityProviders{
 		client: c.RESTClient(),
 		ns:     namespace,
diff --git a/generated/1.18/client/informers/externalversions/idp/interface.go b/generated/1.18/client/informers/externalversions/authentication/interface.go
similarity index 94%
rename from generated/1.18/client/informers/externalversions/idp/interface.go
rename to generated/1.18/client/informers/externalversions/authentication/interface.go
index b6c033f9b..6770ff80c 100644
--- a/generated/1.18/client/informers/externalversions/idp/interface.go
+++ b/generated/1.18/client/informers/externalversions/authentication/interface.go
@@ -3,10 +3,10 @@
 
 // Code generated by informer-gen. DO NOT EDIT.
 
-package idp
+package authentication
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.18/client/informers/externalversions/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/informers/externalversions/authentication/v1alpha1"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
 )
 
diff --git a/generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/interface.go
similarity index 100%
rename from generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go
rename to generated/1.18/client/informers/externalversions/authentication/v1alpha1/interface.go
diff --git a/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
similarity index 84%
rename from generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
index 30c79d4db..3225aa737 100644
--- a/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
@@ -9,10 +9,10 @@ import (
 	"context"
 	time "time"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.18/client/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
-	v1alpha1 "go.pinniped.dev/generated/1.18/client/listers/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/listers/authentication/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
@@ -49,16 +49,16 @@ func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, name
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
+				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
+				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
 			},
 		},
-		&idpv1alpha1.WebhookIdentityProvider{},
+		&authenticationv1alpha1.WebhookIdentityProvider{},
 		resyncPeriod,
 		indexers,
 	)
@@ -69,7 +69,7 @@ func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Inter
 }
 
 func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
 }
 
 func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
diff --git a/generated/1.18/client/informers/externalversions/factory.go b/generated/1.18/client/informers/externalversions/factory.go
index f3793b090..a2b67de75 100644
--- a/generated/1.18/client/informers/externalversions/factory.go
+++ b/generated/1.18/client/informers/externalversions/factory.go
@@ -11,8 +11,8 @@ import (
 	time "time"
 
 	versioned "go.pinniped.dev/generated/1.18/client/clientset/versioned"
+	authentication "go.pinniped.dev/generated/1.18/client/informers/externalversions/authentication"
 	config "go.pinniped.dev/generated/1.18/client/informers/externalversions/config"
-	idp "go.pinniped.dev/generated/1.18/client/informers/externalversions/idp"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
 	login "go.pinniped.dev/generated/1.18/client/informers/externalversions/login"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -161,19 +161,19 @@ type SharedInformerFactory interface {
 	ForResource(resource schema.GroupVersionResource) (GenericInformer, error)
 	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
 
+	Authentication() authentication.Interface
 	Config() config.Interface
-	IDP() idp.Interface
 	Login() login.Interface
 }
 
+func (f *sharedInformerFactory) Authentication() authentication.Interface {
+	return authentication.New(f, f.namespace, f.tweakListOptions)
+}
+
 func (f *sharedInformerFactory) Config() config.Interface {
 	return config.New(f, f.namespace, f.tweakListOptions)
 }
 
-func (f *sharedInformerFactory) IDP() idp.Interface {
-	return idp.New(f, f.namespace, f.tweakListOptions)
-}
-
 func (f *sharedInformerFactory) Login() login.Interface {
 	return login.New(f, f.namespace, f.tweakListOptions)
 }
diff --git a/generated/1.18/client/informers/externalversions/generic.go b/generated/1.18/client/informers/externalversions/generic.go
index 1c522d115..0509c7d3f 100644
--- a/generated/1.18/client/informers/externalversions/generic.go
+++ b/generated/1.18/client/informers/externalversions/generic.go
@@ -8,9 +8,9 @@ package externalversions
 import (
 	"fmt"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1"
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
+	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -41,15 +41,15 @@ func (f *genericInformer) Lister() cache.GenericLister {
 // TODO extend this to unknown resources with a client pool
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
-	// Group=config.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
-	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
+	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 
-		// Group=idp.concierge.pinniped.dev, Version=v1alpha1
-	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
+		// Group=config.pinniped.dev, Version=v1alpha1
+	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+	case configv1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
 		// Group=login.concierge.pinniped.dev, Version=v1alpha1
 	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
diff --git a/generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go b/generated/1.18/client/listers/authentication/v1alpha1/expansion_generated.go
similarity index 100%
rename from generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go
rename to generated/1.18/client/listers/authentication/v1alpha1/expansion_generated.go
diff --git a/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go
similarity index 97%
rename from generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go
index 6a9940c83..218cf682c 100644
--- a/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
diff --git a/generated/1.18/client/openapi/zz_generated.openapi.go b/generated/1.18/client/openapi/zz_generated.openapi.go
index bf054a3ec..44332c47e 100644
--- a/generated/1.18/client/openapi/zz_generated.openapi.go
+++ b/generated/1.18/client/openapi/zz_generated.openapi.go
@@ -17,81 +17,81 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.Condition":                      schema_apis_concierge_idp_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.TLSSpec":                        schema_apis_concierge_idp_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProvider":        schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderList":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus":  schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":            schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":       schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus": schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfig":                schema_118_apis_config_v1alpha1_CredentialIssuerConfig(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":  schema_118_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigList":            schema_118_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStatus":          schema_118_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStrategy":        schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig":                    schema_118_apis_config_v1alpha1_OIDCProviderConfig(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigList":                schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec":                schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigStatus":              schema_118_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                             schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                         schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                          schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                      schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                          schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                        schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                        schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                             schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                        schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                             schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                           schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                            schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                        schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                         schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                             schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                     schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                 schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                        schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                        schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                             schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                 schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                             schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                          schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                   schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                            schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                           schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                       schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                            schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                         schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                        schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                            schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                            schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                               schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                          schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                        schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                         schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                             schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                    schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                 schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                            schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                             schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                        schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                           schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                              schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                  schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                   schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                      schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition":                     schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec":                       schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider":       schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderList":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus": schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":                      schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":                 schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":           schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfig":                          schema_118_apis_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":            schema_118_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigList":                      schema_118_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStatus":                    schema_118_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStrategy":                  schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig":                              schema_118_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigList":                          schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec":                          schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigStatus":                        schema_118_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                       schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                   schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                    schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                    schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                  schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                  schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                       schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                  schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                       schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                     schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                      schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                  schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                   schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                       schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                               schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                           schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                  schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                  schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                       schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                           schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                       schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                    schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                             schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                      schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                     schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                 schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                          schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                      schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                          schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                   schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                  schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                      schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                      schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                         schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                    schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                  schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                          schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                          schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                   schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                       schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                              schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                           schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                      schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                       schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                  schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                     schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                        schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                            schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                             schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                                schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -148,7 +148,7 @@ func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback)
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -168,7 +168,7 @@ func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) co
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -197,13 +197,13 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.Refer
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus"),
 						},
 					},
 				},
@@ -211,11 +211,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -247,7 +247,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.R
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProvider"),
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider"),
 									},
 								},
 							},
@@ -258,11 +258,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -279,7 +279,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.R
 					"tls": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TLS configuration.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.TLSSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec"),
 						},
 					},
 				},
@@ -287,11 +287,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.TLSSpec"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -315,7 +315,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.Condition"),
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition"),
 									},
 								},
 							},
@@ -325,7 +325,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.Condition"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition"},
 	}
 }
 
diff --git a/generated/1.19/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
similarity index 98%
rename from generated/1.19/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
index af2416426..5e7aba722 100644
--- a/generated/1.19/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.idp.concierge.pinniped.dev
+  name: webhookidentityproviders.authentication.concierge.pinniped.dev
 spec:
-  group: idp.concierge.pinniped.dev
+  group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc
index 1c8018cc2..00984654e 100644
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@@ -5,11 +5,115 @@
 == API Reference
 
 .Packages
+- xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-config-pinniped-dev-v1alpha1[$$config.pinniped.dev/v1alpha1$$]
-- xref:{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1[$$idp.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 
 
+[id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
+=== authentication.concierge.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-condition"]
+==== Condition 
+
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec"]
+==== TLSSpec 
+
+Configuration for configuring TLS on various identity providers.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityprovider"]
+==== WebhookIdentityProvider 
+
+WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec"]
+==== WebhookIdentityProviderSpec 
+
+Spec for configuring a webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`endpoint`* __string__ | Webhook server endpoint URL.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus"]
+==== WebhookIdentityProviderStatus 
+
+Status of a webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+|===
+
+
+
 [id="{anchor_prefix}-config-pinniped-dev-v1alpha1"]
 === config.pinniped.dev/v1alpha1
 
@@ -161,110 +265,6 @@ OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC
 
 
 
-[id="{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1"]
-=== idp.concierge.pinniped.dev/v1alpha1
-
-Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-condition"]
-==== Condition 
-
-Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
-| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
-| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-tlsspec"]
-==== TLSSpec 
-
-Configuration for configuring TLS on various identity providers.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityprovider"]
-==== WebhookIdentityProvider 
-
-WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
-|===
-
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderspec"]
-==== WebhookIdentityProviderSpec 
-
-Spec for configuring a webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`endpoint`* __string__ | Webhook server endpoint URL.
-| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus"]
-==== WebhookIdentityProviderStatus 
-
-Status of a webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
-|===
-
-
-
 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
 
diff --git a/generated/1.19/apis/concierge/authentication/doc.go b/generated/1.19/apis/concierge/authentication/doc.go
new file mode 100644
index 000000000..c85584632
--- /dev/null
+++ b/generated/1.19/apis/concierge/authentication/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=authentication.concierge.pinniped.dev
+
+// Package authentication is the internal version of the Pinniped identity provider API.
+package authentication
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/conversion.go b/generated/1.19/apis/concierge/authentication/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/conversion.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/conversion.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/defaults.go b/generated/1.19/apis/concierge/authentication/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/defaults.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/defaults.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/doc.go b/generated/1.19/apis/concierge/authentication/v1alpha1/doc.go
similarity index 83%
rename from generated/1.19/apis/concierge/idp/v1alpha1/doc.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/doc.go
index 63c0d3c40..981b832f4 100644
--- a/generated/1.19/apis/concierge/idp/v1alpha1/doc.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/doc.go
@@ -3,10 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.19/apis/concierge/idp
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.19/apis/concierge/authentication
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=idp.concierge.pinniped.dev
-// +groupGoName=IDP
+// +groupName=authentication.concierge.pinniped.dev
 
 // Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
 package v1alpha1
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/register.go b/generated/1.19/apis/concierge/authentication/v1alpha1/register.go
similarity index 95%
rename from generated/1.18/apis/concierge/idp/v1alpha1/register.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/register.go
index 021640359..b372270dc 100644
--- a/generated/1.18/apis/concierge/idp/v1alpha1/register.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "idp.concierge.pinniped.dev"
+const GroupName = "authentication.concierge.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/types_meta.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_meta.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/types_meta.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/types_meta.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/types_tls.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_tls.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/types_tls.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/types_tls.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/types_webhook.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_webhook.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/types_webhook.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/types_webhook.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.conversion.go b/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.conversion.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.conversion.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.conversion.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.defaults.go b/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.defaults.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.defaults.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.defaults.go
diff --git a/generated/1.19/apis/concierge/idp/zz_generated.deepcopy.go b/generated/1.19/apis/concierge/authentication/zz_generated.deepcopy.go
similarity index 89%
rename from generated/1.19/apis/concierge/idp/zz_generated.deepcopy.go
rename to generated/1.19/apis/concierge/authentication/zz_generated.deepcopy.go
index 0b9642eaf..3a7a0f4b4 100644
--- a/generated/1.19/apis/concierge/idp/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/concierge/authentication/zz_generated.deepcopy.go
@@ -5,4 +5,4 @@
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
 
-package idp
+package authentication
diff --git a/generated/1.19/apis/concierge/idp/doc.go b/generated/1.19/apis/concierge/idp/doc.go
deleted file mode 100644
index 22adc1b52..000000000
--- a/generated/1.19/apis/concierge/idp/doc.go
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=idp.concierge.pinniped.dev
-
-// Package idp is the internal version of the Pinniped identity provider API.
-package idp
diff --git a/generated/1.19/client/clientset/versioned/clientset.go b/generated/1.19/client/clientset/versioned/clientset.go
index 297310750..13bdbea24 100644
--- a/generated/1.19/client/clientset/versioned/clientset.go
+++ b/generated/1.19/client/clientset/versioned/clientset.go
@@ -8,8 +8,8 @@ package versioned
 import (
 	"fmt"
 
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/login/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
@@ -18,8 +18,8 @@ import (
 
 type Interface interface {
 	Discovery() discovery.DiscoveryInterface
+	AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface
 	ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
-	IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
 	LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface
 }
 
@@ -27,9 +27,14 @@ type Interface interface {
 // version included in a Clientset.
 type Clientset struct {
 	*discovery.DiscoveryClient
-	configV1alpha1 *configv1alpha1.ConfigV1alpha1Client
-	iDPV1alpha1    *idpv1alpha1.IDPV1alpha1Client
-	loginV1alpha1  *loginv1alpha1.LoginV1alpha1Client
+	authenticationV1alpha1 *authenticationv1alpha1.AuthenticationV1alpha1Client
+	configV1alpha1         *configv1alpha1.ConfigV1alpha1Client
+	loginV1alpha1          *loginv1alpha1.LoginV1alpha1Client
+}
+
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return c.authenticationV1alpha1
 }
 
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
@@ -37,11 +42,6 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return c.configV1alpha1
 }
 
-// IDPV1alpha1 retrieves the IDPV1alpha1Client
-func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
-	return c.iDPV1alpha1
-}
-
 // LoginV1alpha1 retrieves the LoginV1alpha1Client
 func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
 	return c.loginV1alpha1
@@ -68,11 +68,11 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 	}
 	var cs Clientset
 	var err error
-	cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy)
+	cs.authenticationV1alpha1, err = authenticationv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
 	}
-	cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy)
+	cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
 	}
@@ -92,8 +92,8 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 // panics if there is an error in the config.
 func NewForConfigOrDie(c *rest.Config) *Clientset {
 	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.NewForConfigOrDie(c)
 	cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c)
-	cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
 	cs.loginV1alpha1 = loginv1alpha1.NewForConfigOrDie(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
@@ -103,8 +103,8 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 // New creates a new Clientset for the given RESTClient.
 func New(c rest.Interface) *Clientset {
 	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.New(c)
 	cs.configV1alpha1 = configv1alpha1.New(c)
-	cs.iDPV1alpha1 = idpv1alpha1.New(c)
 	cs.loginV1alpha1 = loginv1alpha1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
diff --git a/generated/1.19/client/clientset/versioned/fake/clientset_generated.go b/generated/1.19/client/clientset/versioned/fake/clientset_generated.go
index 627c93884..b87c4e8ff 100644
--- a/generated/1.19/client/clientset/versioned/fake/clientset_generated.go
+++ b/generated/1.19/client/clientset/versioned/fake/clientset_generated.go
@@ -7,10 +7,10 @@ package fake
 
 import (
 	clientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1"
+	fakeauthenticationv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/config/v1alpha1"
 	fakeconfigv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/config/v1alpha1/fake"
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1"
-	fakeidpv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/login/v1alpha1"
 	fakeloginv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/login/v1alpha1/fake"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -67,16 +67,16 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 
 var _ clientset.Interface = &Clientset{}
 
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return &fakeauthenticationv1alpha1.FakeAuthenticationV1alpha1{Fake: &c.Fake}
+}
+
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
 func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake}
 }
 
-// IDPV1alpha1 retrieves the IDPV1alpha1Client
-func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
-	return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
-}
-
 // LoginV1alpha1 retrieves the LoginV1alpha1Client
 func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
 	return &fakeloginv1alpha1.FakeLoginV1alpha1{Fake: &c.Fake}
diff --git a/generated/1.19/client/clientset/versioned/fake/register.go b/generated/1.19/client/clientset/versioned/fake/register.go
index 6ac8af66c..c2e584bd2 100644
--- a/generated/1.19/client/clientset/versioned/fake/register.go
+++ b/generated/1.19/client/clientset/versioned/fake/register.go
@@ -6,7 +6,7 @@
 package fake
 
 import (
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,8 +20,8 @@ var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)
 
 var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
 	configv1alpha1.AddToScheme,
-	idpv1alpha1.AddToScheme,
 	loginv1alpha1.AddToScheme,
 }
 
diff --git a/generated/1.19/client/clientset/versioned/scheme/register.go b/generated/1.19/client/clientset/versioned/scheme/register.go
index bec738f4b..9f3025803 100644
--- a/generated/1.19/client/clientset/versioned/scheme/register.go
+++ b/generated/1.19/client/clientset/versioned/scheme/register.go
@@ -6,7 +6,7 @@
 package scheme
 
 import (
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,8 +20,8 @@ var Scheme = runtime.NewScheme()
 var Codecs = serializer.NewCodecFactory(Scheme)
 var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
 	configv1alpha1.AddToScheme,
-	idpv1alpha1.AddToScheme,
 	loginv1alpha1.AddToScheme,
 }
 
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
similarity index 53%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
index cf93cc9ab..cdfa725e7 100644
--- a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -6,27 +6,27 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
 	rest "k8s.io/client-go/rest"
 )
 
-type IDPV1alpha1Interface interface {
+type AuthenticationV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	WebhookIdentityProvidersGetter
 }
 
-// IDPV1alpha1Client is used to interact with features provided by the idp.concierge.pinniped.dev group.
-type IDPV1alpha1Client struct {
+// AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
+type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
+func (c *AuthenticationV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
 	return newWebhookIdentityProviders(c, namespace)
 }
 
-// NewForConfig creates a new IDPV1alpha1Client for the given config.
-func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
+// NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*AuthenticationV1alpha1Client, error) {
 	config := *c
 	if err := setConfigDefaults(&config); err != nil {
 		return nil, err
@@ -35,12 +35,12 @@ func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
 	if err != nil {
 		return nil, err
 	}
-	return &IDPV1alpha1Client{client}, nil
+	return &AuthenticationV1alpha1Client{client}, nil
 }
 
-// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and
+// NewForConfigOrDie creates a new AuthenticationV1alpha1Client for the given config and
 // panics if there is an error in the config.
-func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
+func NewForConfigOrDie(c *rest.Config) *AuthenticationV1alpha1Client {
 	client, err := NewForConfig(c)
 	if err != nil {
 		panic(err)
@@ -48,9 +48,9 @@ func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
 	return client
 }
 
-// New creates a new IDPV1alpha1Client for the given RESTClient.
-func New(c rest.Interface) *IDPV1alpha1Client {
-	return &IDPV1alpha1Client{c}
+// New creates a new AuthenticationV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *AuthenticationV1alpha1Client {
+	return &AuthenticationV1alpha1Client{c}
 }
 
 func setConfigDefaults(config *rest.Config) error {
@@ -68,7 +68,7 @@ func setConfigDefaults(config *rest.Config) error {
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *IDPV1alpha1Client) RESTClient() rest.Interface {
+func (c *AuthenticationV1alpha1Client) RESTClient() rest.Interface {
 	if c == nil {
 		return nil
 	}
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/doc.go
similarity index 100%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/doc.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/doc.go
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
similarity index 100%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
similarity index 66%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
index 3181fd18c..f75f4480c 100644
--- a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -6,22 +6,22 @@
 package fake
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1"
 	rest "k8s.io/client-go/rest"
 	testing "k8s.io/client-go/testing"
 )
 
-type FakeIDPV1alpha1 struct {
+type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
+func (c *FakeAuthenticationV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
 	return &FakeWebhookIdentityProviders{c, namespace}
 }
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *FakeIDPV1alpha1) RESTClient() rest.Interface {
+func (c *FakeAuthenticationV1alpha1) RESTClient() rest.Interface {
 	var ret *rest.RESTClient
 	return ret
 }
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
similarity index 94%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
index 00071eee3..62fe34a86 100644
--- a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
@@ -8,7 +8,7 @@ package fake
 import (
 	"context"
 
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,13 +19,13 @@ import (
 
 // FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
 type FakeWebhookIdentityProviders struct {
-	Fake *FakeIDPV1alpha1
+	Fake *FakeAuthenticationV1alpha1
 	ns   string
 }
 
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
+var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
 
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
+var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
 
 // Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
 func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
similarity index 100%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
similarity index 97%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
index b17cc8f2d..1b7c24052 100644
--- a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
@@ -9,7 +9,7 @@ import (
 	"context"
 	"time"
 
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
@@ -44,7 +44,7 @@ type webhookIdentityProviders struct {
 }
 
 // newWebhookIdentityProviders returns a WebhookIdentityProviders
-func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders {
+func newWebhookIdentityProviders(c *AuthenticationV1alpha1Client, namespace string) *webhookIdentityProviders {
 	return &webhookIdentityProviders{
 		client: c.RESTClient(),
 		ns:     namespace,
diff --git a/generated/1.19/client/informers/externalversions/idp/interface.go b/generated/1.19/client/informers/externalversions/authentication/interface.go
similarity index 94%
rename from generated/1.19/client/informers/externalversions/idp/interface.go
rename to generated/1.19/client/informers/externalversions/authentication/interface.go
index 8094d853d..a8e51d7f4 100644
--- a/generated/1.19/client/informers/externalversions/idp/interface.go
+++ b/generated/1.19/client/informers/externalversions/authentication/interface.go
@@ -3,10 +3,10 @@
 
 // Code generated by informer-gen. DO NOT EDIT.
 
-package idp
+package authentication
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.19/client/informers/externalversions/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/informers/externalversions/authentication/v1alpha1"
 	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
 )
 
diff --git a/generated/1.19/client/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/interface.go
similarity index 100%
rename from generated/1.19/client/informers/externalversions/idp/v1alpha1/interface.go
rename to generated/1.19/client/informers/externalversions/authentication/v1alpha1/interface.go
diff --git a/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
similarity index 84%
rename from generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
index 0238ec1a2..938349b54 100644
--- a/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
@@ -9,10 +9,10 @@ import (
 	"context"
 	time "time"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.19/client/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
-	v1alpha1 "go.pinniped.dev/generated/1.19/client/listers/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/listers/authentication/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
@@ -49,16 +49,16 @@ func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, name
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
+				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
+				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
 			},
 		},
-		&idpv1alpha1.WebhookIdentityProvider{},
+		&authenticationv1alpha1.WebhookIdentityProvider{},
 		resyncPeriod,
 		indexers,
 	)
@@ -69,7 +69,7 @@ func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Inter
 }
 
 func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
 }
 
 func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
diff --git a/generated/1.19/client/informers/externalversions/factory.go b/generated/1.19/client/informers/externalversions/factory.go
index 5f503b85b..58dcf259a 100644
--- a/generated/1.19/client/informers/externalversions/factory.go
+++ b/generated/1.19/client/informers/externalversions/factory.go
@@ -11,8 +11,8 @@ import (
 	time "time"
 
 	versioned "go.pinniped.dev/generated/1.19/client/clientset/versioned"
+	authentication "go.pinniped.dev/generated/1.19/client/informers/externalversions/authentication"
 	config "go.pinniped.dev/generated/1.19/client/informers/externalversions/config"
-	idp "go.pinniped.dev/generated/1.19/client/informers/externalversions/idp"
 	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
 	login "go.pinniped.dev/generated/1.19/client/informers/externalversions/login"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -161,19 +161,19 @@ type SharedInformerFactory interface {
 	ForResource(resource schema.GroupVersionResource) (GenericInformer, error)
 	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
 
+	Authentication() authentication.Interface
 	Config() config.Interface
-	IDP() idp.Interface
 	Login() login.Interface
 }
 
+func (f *sharedInformerFactory) Authentication() authentication.Interface {
+	return authentication.New(f, f.namespace, f.tweakListOptions)
+}
+
 func (f *sharedInformerFactory) Config() config.Interface {
 	return config.New(f, f.namespace, f.tweakListOptions)
 }
 
-func (f *sharedInformerFactory) IDP() idp.Interface {
-	return idp.New(f, f.namespace, f.tweakListOptions)
-}
-
 func (f *sharedInformerFactory) Login() login.Interface {
 	return login.New(f, f.namespace, f.tweakListOptions)
 }
diff --git a/generated/1.19/client/informers/externalversions/generic.go b/generated/1.19/client/informers/externalversions/generic.go
index 424b73809..6568bab8b 100644
--- a/generated/1.19/client/informers/externalversions/generic.go
+++ b/generated/1.19/client/informers/externalversions/generic.go
@@ -8,9 +8,9 @@ package externalversions
 import (
 	"fmt"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
+	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -41,15 +41,15 @@ func (f *genericInformer) Lister() cache.GenericLister {
 // TODO extend this to unknown resources with a client pool
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
-	// Group=config.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
-	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
+	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 
-		// Group=idp.concierge.pinniped.dev, Version=v1alpha1
-	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
+		// Group=config.pinniped.dev, Version=v1alpha1
+	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+	case configv1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
 		// Group=login.concierge.pinniped.dev, Version=v1alpha1
 	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
diff --git a/generated/1.19/client/listers/idp/v1alpha1/expansion_generated.go b/generated/1.19/client/listers/authentication/v1alpha1/expansion_generated.go
similarity index 100%
rename from generated/1.19/client/listers/idp/v1alpha1/expansion_generated.go
rename to generated/1.19/client/listers/authentication/v1alpha1/expansion_generated.go
diff --git a/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go
similarity index 97%
rename from generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go
index ec0af7e10..ea0780056 100644
--- a/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
diff --git a/generated/1.19/client/openapi/zz_generated.openapi.go b/generated/1.19/client/openapi/zz_generated.openapi.go
index ee18adb8e..24f3440ba 100644
--- a/generated/1.19/client/openapi/zz_generated.openapi.go
+++ b/generated/1.19/client/openapi/zz_generated.openapi.go
@@ -17,82 +17,82 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.Condition":                      schema_apis_concierge_idp_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.TLSSpec":                        schema_apis_concierge_idp_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProvider":        schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderList":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus":  schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.ClusterCredential":            schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequest":       schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestList":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus": schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfig":                schema_119_apis_config_v1alpha1_CredentialIssuerConfig(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":  schema_119_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigList":            schema_119_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStatus":          schema_119_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStrategy":        schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig":                    schema_119_apis_config_v1alpha1_OIDCProviderConfig(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigList":                schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec":                schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigStatus":              schema_119_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                             schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                         schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                          schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                      schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                          schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                            schema_pkg_apis_meta_v1_Condition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                        schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                        schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                             schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                        schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                             schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                           schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                            schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                        schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                         schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                             schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                     schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                 schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                        schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                        schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                             schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                 schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                             schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                          schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                   schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                            schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                           schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                       schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                            schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                         schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                        schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                            schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                            schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                               schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                          schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                        schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                         schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                             schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                    schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                 schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                            schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                             schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                        schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                           schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                              schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                  schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                   schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                      schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.Condition":                     schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.TLSSpec":                       schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider":       schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderList":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus": schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.ClusterCredential":                      schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequest":                 schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestList":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":           schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfig":                          schema_119_apis_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":            schema_119_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigList":                      schema_119_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStatus":                    schema_119_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStrategy":                  schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig":                              schema_119_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigList":                          schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec":                          schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigStatus":                        schema_119_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                       schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                   schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                    schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                    schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                                      schema_pkg_apis_meta_v1_Condition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                  schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                  schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                       schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                  schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                       schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                     schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                      schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                  schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                   schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                       schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                               schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                           schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                  schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                  schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                       schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                           schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                       schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                    schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                             schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                      schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                     schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                 schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                          schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                      schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                          schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                   schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                  schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                      schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                      schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                         schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                    schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                  schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                          schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                          schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                   schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                       schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                              schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                           schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                      schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                       schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                  schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                     schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                        schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                            schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                             schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                                schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -149,7 +149,7 @@ func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback)
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -169,7 +169,7 @@ func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) co
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -198,13 +198,13 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.Refer
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus"),
 						},
 					},
 				},
@@ -212,11 +212,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -248,7 +248,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.R
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProvider"),
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider"),
 									},
 								},
 							},
@@ -259,11 +259,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -280,7 +280,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.R
 					"tls": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TLS configuration.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.TLSSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.TLSSpec"),
 						},
 					},
 				},
@@ -288,11 +288,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.TLSSpec"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.TLSSpec"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -316,7 +316,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.Condition"),
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.Condition"),
 									},
 								},
 							},
@@ -326,7 +326,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.Condition"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.Condition"},
 	}
 }
 
diff --git a/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
new file mode 100644
index 000000000..5e7aba722
--- /dev/null
+++ b/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -0,0 +1,149 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: webhookidentityproviders.authentication.concierge.pinniped.dev
+spec:
+  group: authentication.concierge.pinniped.dev
+  names:
+    categories:
+    - all
+    - idp
+    - idps
+    kind: WebhookIdentityProvider
+    listKind: WebhookIdentityProviderList
+    plural: webhookidentityproviders
+    shortNames:
+    - webhookidp
+    - webhookidps
+    singular: webhookidentityprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.endpoint
+      name: Endpoint
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: WebhookIdentityProvider describes the configuration of a Pinniped
+          webhook identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              endpoint:
+                description: Webhook server endpoint URL.
+                minLength: 1
+                pattern: ^https://
+                type: string
+              tls:
+                description: TLS configuration.
+                properties:
+                  certificateAuthorityData:
+                    description: X.509 Certificate Authority (base64-encoded PEM bundle).
+                      If omitted, a default set of system roots will be trusted.
+                    type: string
+                type: object
+            required:
+            - endpoint
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/hack/lib/docs/config.yaml b/hack/lib/docs/config.yaml
index 078c13cdf..999585972 100644
--- a/hack/lib/docs/config.yaml
+++ b/hack/lib/docs/config.yaml
@@ -4,7 +4,7 @@ processor:
   #  Ignore internal API versions
   ignoreGroupVersions:
     - "config.pinniped.dev/config"
-    - "idp.concierge.pinniped.dev/idp"
+    - "authentication.concierge.pinniped.dev/authentication"
     - "login.concierge.pinniped.dev/login"
   ignoreFields:
     - "TypeMeta$"
diff --git a/hack/lib/tilt/Tiltfile b/hack/lib/tilt/Tiltfile
index 653668545..8891632f3 100644
--- a/hack/lib/tilt/Tiltfile
+++ b/hack/lib/tilt/Tiltfile
@@ -170,7 +170,7 @@ k8s_resource(
         'pinniped-concierge:clusterrolebinding',
         'pinniped-concierge:serviceaccount',
         'credentialissuerconfigs.config.pinniped.dev:customresourcedefinition',
-        'webhookidentityproviders.idp.concierge.pinniped.dev:customresourcedefinition',
+        'webhookidentityproviders.authentication.concierge.pinniped.dev:customresourcedefinition',
         'v1alpha1.login.concierge.pinniped.dev:apiservice',
     ],
 )
diff --git a/hack/lib/update-codegen.sh b/hack/lib/update-codegen.sh
index bef6aec01..293ccae17 100755
--- a/hack/lib/update-codegen.sh
+++ b/hack/lib/update-codegen.sh
@@ -110,7 +110,7 @@ echo "generating API-related code for our public API groups..."
         deepcopy \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
-        "config:v1alpha1 concierge/idp:v1alpha1 concierge/login:v1alpha1" \
+        "config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1" \
         --go-header-file "${ROOT}/hack/boilerplate.go.txt" 2>&1 | sed "s|^|gen-api > |"
 )
 
@@ -122,7 +122,7 @@ echo "generating API-related code for our internal API groups..."
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client" \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
-        "config:v1alpha1 concierge/idp:v1alpha1 concierge/login:v1alpha1" \
+        "config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1" \
         --go-header-file "${ROOT}/hack/boilerplate.go.txt"  2>&1 | sed "s|^|gen-int-api > |"
 )
 
@@ -137,7 +137,7 @@ echo "generating client code for our public API groups..."
         client,lister,informer \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client" \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
-        "config:v1alpha1 concierge/idp:v1alpha1 concierge/login:v1alpha1" \
+        "config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1" \
         --go-header-file "${ROOT}/hack/boilerplate.go.txt"  2>&1 | sed "s|^|gen-client > |"
 )
 
@@ -157,5 +157,5 @@ crd-ref-docs \
 # Generate CRD YAML
 (cd apis &&
     controller-gen paths=./config/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds &&
-    controller-gen paths=./concierge/idp/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds
+    controller-gen paths=./concierge/authentication/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds
 )
diff --git a/internal/client/client_test.go b/internal/client/client_test.go
index bcb1e2e6c..58ae7a1a2 100644
--- a/internal/client/client_test.go
+++ b/internal/client/client_test.go
@@ -16,7 +16,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
 	"go.pinniped.dev/internal/testutil"
 )
@@ -26,7 +26,7 @@ func TestExchangeToken(t *testing.T) {
 	ctx := context.Background()
 
 	testIDP := corev1.TypedLocalObjectReference{
-		APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
+		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
 		Kind:     "WebhookIdentityProvider",
 		Name:     "test-webhook",
 	}
@@ -106,7 +106,7 @@ func TestExchangeToken(t *testing.T) {
 				  "spec": {
 					"token": "test-token",
 					"identityProvider": {
-						"apiGroup": "idp.concierge.pinniped.dev",
+						"apiGroup": "authentication.concierge.pinniped.dev",
 						"kind": "WebhookIdentityProvider",
 						"name": "test-webhook"
 					}
diff --git a/internal/controller/identityprovider/idpcache/cache_test.go b/internal/controller/identityprovider/idpcache/cache_test.go
index 1cc0c292a..24043bc89 100644
--- a/internal/controller/identityprovider/idpcache/cache_test.go
+++ b/internal/controller/identityprovider/idpcache/cache_test.go
@@ -17,7 +17,7 @@ import (
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 
-	idpv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	authv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	loginapi "go.pinniped.dev/generated/1.19/apis/concierge/login"
 	"go.pinniped.dev/internal/mocks/mocktokenauthenticator"
 )
@@ -76,7 +76,7 @@ func TestAuthenticateTokenCredentialRequest(t *testing.T) {
 		},
 		Spec: loginapi.TokenCredentialRequestSpec{
 			IdentityProvider: corev1.TypedLocalObjectReference{
-				APIGroup: &idpv1alpha.SchemeGroupVersion.Group,
+				APIGroup: &authv1alpha.SchemeGroupVersion.Group,
 				Kind:     "WebhookIdentityProvider",
 				Name:     "test-name",
 			},
diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
index 9ab9e1691..48b663514 100644
--- a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
+++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
@@ -11,8 +11,8 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/klog/v2"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
-	idpinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
+	idpinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/authentication/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
 	"go.pinniped.dev/internal/controllerlib"
@@ -51,7 +51,7 @@ func (c *controller) Sync(_ controllerlib.Context) error {
 	}
 
 	// Index the current webhooks by key.
-	webhooksByKey := map[controllerlib.Key]*idpv1alpha1.WebhookIdentityProvider{}
+	webhooksByKey := map[controllerlib.Key]*auth1alpha1.WebhookIdentityProvider{}
 	for _, webhook := range webhooks {
 		key := controllerlib.Key{Namespace: webhook.Namespace, Name: webhook.Name}
 		webhooksByKey[key] = webhook
@@ -59,7 +59,7 @@ func (c *controller) Sync(_ controllerlib.Context) error {
 
 	// Delete any entries from the cache which are no longer in the cluster.
 	for _, key := range c.cache.Keys() {
-		if key.APIGroup != idpv1alpha1.SchemeGroupVersion.Group || key.Kind != "WebhookIdentityProvider" {
+		if key.APIGroup != auth1alpha1.SchemeGroupVersion.Group || key.Kind != "WebhookIdentityProvider" {
 			continue
 		}
 		if _, exists := webhooksByKey[controllerlib.Key{Namespace: key.Namespace, Name: key.Name}]; !exists {
diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
index e2450916c..28f8effac 100644
--- a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
+++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
@@ -12,7 +12,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	idpv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	authv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
 	pinnipedinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
@@ -24,19 +24,19 @@ func TestController(t *testing.T) {
 	t.Parallel()
 
 	testKey1 := idpcache.Key{
-		APIGroup:  "idp.concierge.pinniped.dev",
+		APIGroup:  "authentication.concierge.pinniped.dev",
 		Kind:      "WebhookIdentityProvider",
 		Namespace: "test-namespace",
 		Name:      "test-name-one",
 	}
 	testKey2 := idpcache.Key{
-		APIGroup:  "idp.concierge.pinniped.dev",
+		APIGroup:  "authentication.concierge.pinniped.dev",
 		Kind:      "WebhookIdentityProvider",
 		Namespace: "test-namespace",
 		Name:      "test-name-two",
 	}
 	testKeyNonwebhook := idpcache.Key{
-		APIGroup:  "idp.concierge.pinniped.dev",
+		APIGroup:  "authentication.concierge.pinniped.dev",
 		Kind:      "SomeOtherIdentityProvider",
 		Namespace: "test-namespace",
 		Name:      "test-name-one",
@@ -54,7 +54,7 @@ func TestController(t *testing.T) {
 			name:         "no change",
 			initialCache: map[idpcache.Key]idpcache.Value{testKey1: nil},
 			webhookIDPs: []runtime.Object{
-				&idpv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookIdentityProvider{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
 						Name:      testKey1.Name,
@@ -67,13 +67,13 @@ func TestController(t *testing.T) {
 			name:         "IDPs not yet added",
 			initialCache: nil,
 			webhookIDPs: []runtime.Object{
-				&idpv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookIdentityProvider{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
 						Name:      testKey1.Name,
 					},
 				},
-				&idpv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookIdentityProvider{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey2.Namespace,
 						Name:      testKey2.Name,
@@ -90,7 +90,7 @@ func TestController(t *testing.T) {
 				testKeyNonwebhook: nil,
 			},
 			webhookIDPs: []runtime.Object{
-				&idpv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookIdentityProvider{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
 						Name:      testKey1.Name,
@@ -116,7 +116,7 @@ func TestController(t *testing.T) {
 			}
 			testLog := testlogger.New(t)
 
-			controller := New(cache, informers.IDP().V1alpha1().WebhookIdentityProviders(), testLog)
+			controller := New(cache, informers.Authentication().V1alpha1().WebhookIdentityProviders(), testLog)
 
 			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 			defer cancel()
diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
index 0f6b5539b..cf664bc40 100644
--- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
+++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
@@ -20,8 +20,8 @@ import (
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/klog/v2"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
-	idpinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
+	idpinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/authentication/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
 	"go.pinniped.dev/internal/controllerlib"
@@ -69,7 +69,7 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
 	}
 
 	c.cache.Store(idpcache.Key{
-		APIGroup:  idpv1alpha1.GroupName,
+		APIGroup:  auth1alpha1.GroupName,
 		Kind:      "WebhookIdentityProvider",
 		Namespace: ctx.Key.Namespace,
 		Name:      ctx.Key.Name,
@@ -81,7 +81,7 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
 // newWebhookAuthenticator creates a webhook from the provided API server url and caBundle
 // used to validate TLS connections.
 func newWebhookAuthenticator(
-	spec *idpv1alpha1.WebhookIdentityProviderSpec,
+	spec *auth1alpha1.WebhookIdentityProviderSpec,
 	tempfileFunc func(string, string) (*os.File, error),
 	marshalFunc func(clientcmdapi.Config, string) error,
 ) (*webhook.WebhookTokenAuthenticator, error) {
@@ -122,7 +122,7 @@ func newWebhookAuthenticator(
 	return webhook.New(temp.Name(), version, implicitAuds, customDial)
 }
 
-func getCABundle(spec *idpv1alpha1.TLSSpec) ([]byte, error) {
+func getCABundle(spec *auth1alpha1.TLSSpec) ([]byte, error) {
 	if spec == nil {
 		return nil, nil
 	}
diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
index b46b3281f..8172e7f48 100644
--- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
+++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
@@ -19,7 +19,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
 	pinnipedinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
@@ -50,12 +50,12 @@ func TestController(t *testing.T) {
 			name:    "invalid webhook",
 			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
 			webhookIDPs: []runtime.Object{
-				&idpv1alpha1.WebhookIdentityProvider{
+				&auth1alpha1.WebhookIdentityProvider{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: "test-namespace",
 						Name:      "test-name",
 					},
-					Spec: idpv1alpha1.WebhookIdentityProviderSpec{
+					Spec: auth1alpha1.WebhookIdentityProviderSpec{
 						Endpoint: "invalid url",
 					},
 				},
@@ -66,14 +66,14 @@ func TestController(t *testing.T) {
 			name:    "valid webhook",
 			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
 			webhookIDPs: []runtime.Object{
-				&idpv1alpha1.WebhookIdentityProvider{
+				&auth1alpha1.WebhookIdentityProvider{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: "test-namespace",
 						Name:      "test-name",
 					},
-					Spec: idpv1alpha1.WebhookIdentityProviderSpec{
+					Spec: auth1alpha1.WebhookIdentityProviderSpec{
 						Endpoint: "https://example.com",
-						TLS:      &idpv1alpha1.TLSSpec{CertificateAuthorityData: ""},
+						TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: ""},
 					},
 				},
 			},
@@ -93,7 +93,7 @@ func TestController(t *testing.T) {
 			cache := idpcache.New()
 			testLog := testlogger.New(t)
 
-			controller := New(cache, informers.IDP().V1alpha1().WebhookIdentityProviders(), testLog)
+			controller := New(cache, informers.Authentication().V1alpha1().WebhookIdentityProviders(), testLog)
 
 			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 			defer cancel()
@@ -124,22 +124,22 @@ func TestNewWebhookAuthenticator(t *testing.T) {
 
 	t.Run("marshal failure", func(t *testing.T) {
 		marshalError := func(_ clientcmdapi.Config, _ string) error { return fmt.Errorf("some marshal error") }
-		res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{}, ioutil.TempFile, marshalError)
+		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookIdentityProviderSpec{}, ioutil.TempFile, marshalError)
 		require.Nil(t, res)
 		require.EqualError(t, err, "unable to marshal kubeconfig: some marshal error")
 	})
 
 	t.Run("invalid base64", func(t *testing.T) {
-		res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{
+		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookIdentityProviderSpec{
 			Endpoint: "https://example.com",
-			TLS:      &idpv1alpha1.TLSSpec{CertificateAuthorityData: "invalid-base64"},
+			TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: "invalid-base64"},
 		}, ioutil.TempFile, clientcmd.WriteToFile)
 		require.Nil(t, res)
 		require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7")
 	})
 
 	t.Run("valid config with no TLS spec", func(t *testing.T) {
-		res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{
+		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookIdentityProviderSpec{
 			Endpoint: "https://example.com",
 		}, ioutil.TempFile, clientcmd.WriteToFile)
 		require.NotNil(t, res)
@@ -154,9 +154,9 @@ func TestNewWebhookAuthenticator(t *testing.T) {
 			_, err = w.Write([]byte(`{}`))
 			require.NoError(t, err)
 		})
-		spec := &idpv1alpha1.WebhookIdentityProviderSpec{
+		spec := &auth1alpha1.WebhookIdentityProviderSpec{
 			Endpoint: url,
-			TLS: &idpv1alpha1.TLSSpec{
+			TLS: &auth1alpha1.TLSSpec{
 				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(caBundle)),
 			},
 		}
diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go
index e4bb8b320..228551e10 100644
--- a/internal/controllermanager/prepare_controllers.go
+++ b/internal/controllermanager/prepare_controllers.go
@@ -232,7 +232,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			webhookcachefiller.New(
 				c.IDPCache,
-				informers.installationNamespacePinniped.IDP().V1alpha1().WebhookIdentityProviders(),
+				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookIdentityProviders(),
 				klogr.New(),
 			),
 			singletonWorker,
@@ -240,7 +240,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			webhookcachecleaner.New(
 				c.IDPCache,
-				informers.installationNamespacePinniped.IDP().V1alpha1().WebhookIdentityProviders(),
+				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookIdentityProviders(),
 				klogr.New(),
 			),
 			singletonWorker,
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index b4504cd88..fdf240ce2 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -16,7 +16,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
 	"go.pinniped.dev/test/library"
 )
@@ -28,7 +28,7 @@ func TestUnsuccessfulCredentialRequest(t *testing.T) {
 	defer cancel()
 
 	response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, corev1.TypedLocalObjectReference{
-		APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
+		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
 		Kind:     "WebhookIdentityProvider",
 		Name:     "some-webhook-that-does-not-exist",
 	}))
diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go
index 473cc682b..6facc8291 100644
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@@ -91,20 +91,20 @@ func TestGetAPIResourceList(t *testing.T) {
 		},
 		{
 			group: metav1.APIGroup{
-				Name: "idp.concierge.pinniped.dev",
+				Name: "authentication.concierge.pinniped.dev",
 				Versions: []metav1.GroupVersionForDiscovery{
 					{
-						GroupVersion: "idp.concierge.pinniped.dev/v1alpha1",
+						GroupVersion: "authentication.concierge.pinniped.dev/v1alpha1",
 						Version:      "v1alpha1",
 					},
 				},
 				PreferredVersion: metav1.GroupVersionForDiscovery{
-					GroupVersion: "idp.concierge.pinniped.dev/v1alpha1",
+					GroupVersion: "authentication.concierge.pinniped.dev/v1alpha1",
 					Version:      "v1alpha1",
 				},
 			},
 			resourceByVersion: map[string][]metav1.APIResource{
-				"idp.concierge.pinniped.dev/v1alpha1": {
+				"authentication.concierge.pinniped.dev/v1alpha1": {
 					{
 						Name:         "webhookidentityproviders",
 						SingularName: "webhookidentityprovider",
diff --git a/test/library/client.go b/test/library/client.go
index 50aa9057a..285968f9b 100644
--- a/test/library/client.go
+++ b/test/library/client.go
@@ -23,7 +23,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
 	pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
 
@@ -127,12 +127,12 @@ func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalOb
 	testEnv := IntegrationEnv(t)
 
 	client := NewPinnipedClientset(t)
-	webhooks := client.IDPV1alpha1().WebhookIdentityProviders(testEnv.ConciergeNamespace)
+	webhooks := client.AuthenticationV1alpha1().WebhookIdentityProviders(testEnv.ConciergeNamespace)
 
 	createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
 
-	idp, err := webhooks.Create(createContext, &idpv1alpha1.WebhookIdentityProvider{
+	idp, err := webhooks.Create(createContext, &auth1alpha1.WebhookIdentityProvider{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "test-webhook-",
 			Labels:       map[string]string{"pinniped.dev/test": ""},
@@ -153,7 +153,7 @@ func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalOb
 	})
 
 	return corev1.TypedLocalObjectReference{
-		APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
+		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
 		Kind:     "WebhookIdentityProvider",
 		Name:     idp.Name,
 	}
diff --git a/test/library/env.go b/test/library/env.go
index 1ed59e1ae..da5afb340 100644
--- a/test/library/env.go
+++ b/test/library/env.go
@@ -13,7 +13,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"sigs.k8s.io/yaml"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 )
 
 type Capability string
@@ -33,7 +33,7 @@ type TestEnv struct {
 	SupervisorCustomLabels         map[string]string                       `json:"supervisorCustomLabels"`
 	ConciergeCustomLabels          map[string]string                       `json:"conciergeCustomLabels"`
 	Capabilities                   map[Capability]bool                     `json:"capabilities"`
-	TestWebhook                    idpv1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"`
+	TestWebhook                    auth1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"`
 	SupervisorHTTPAddress          string                                  `json:"supervisorHttpAddress"`
 	SupervisorHTTPSAddress         string                                  `json:"supervisorHttpsAddress"`
 	SupervisorHTTPSIngressAddress  string                                  `json:"supervisorHttpsIngressAddress"`
@@ -100,7 +100,7 @@ func loadEnvVars(t *testing.T, result *TestEnv) {
 	result.TestWebhook.Endpoint = needEnv(t, "PINNIPED_TEST_WEBHOOK_ENDPOINT")
 	result.SupervisorNamespace = needEnv(t, "PINNIPED_TEST_SUPERVISOR_NAMESPACE")
 	result.SupervisorAppName = needEnv(t, "PINNIPED_TEST_SUPERVISOR_APP_NAME")
-	result.TestWebhook.TLS = &idpv1alpha1.TLSSpec{CertificateAuthorityData: needEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")}
+	result.TestWebhook.TLS = &auth1alpha1.TLSSpec{CertificateAuthorityData: needEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")}
 
 	result.SupervisorHTTPAddress = os.Getenv("PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS")
 	result.SupervisorHTTPSIngressAddress = os.Getenv("PINNIPED_TEST_SUPERVISOR_HTTPS_INGRESS_ADDRESS")

From 0f25657a35bf01b917f83e537795e08c12c62e64 Mon Sep 17 00:00:00 2001
From: Matt Moyer <moyerm@vmware.com>
Date: Fri, 30 Oct 2020 11:39:26 -0500
Subject: [PATCH 3/5] Rename WebhookIdentityProvider to WebhookAuthenticator.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
---
 apis/concierge/authentication/doc.go.tmpl     |   2 +-
 .../authentication/v1alpha1/doc.go.tmpl       |   2 +-
 .../authentication/v1alpha1/register.go.tmpl  |   4 +-
 .../authentication/v1alpha1/types_tls.go.tmpl |   2 +-
 .../v1alpha1/types_webhook.go.tmpl            |  30 +--
 cmd/pinniped/cmd/exchange_credential.go       |   2 +-
 cmd/pinniped/cmd/get_kubeconfig.go            |   2 +-
 cmd/pinniped/cmd/get_kubeconfig_test.go       |   6 +-
 ...e.pinniped.dev_webhookauthenticators.yaml} |  29 ++-
 deploy/concierge/z0_crd_overlay.yaml          |   2 +-
 doc/demo.md                                   |   4 +-
 generated/1.17/README.adoc                    |  38 ++--
 .../1.17/apis/concierge/authentication/doc.go |   2 +-
 .../concierge/authentication/v1alpha1/doc.go  |   2 +-
 .../authentication/v1alpha1/register.go       |   4 +-
 .../authentication/v1alpha1/types_tls.go      |   2 +-
 .../authentication/v1alpha1/types_webhook.go  |  30 +--
 .../v1alpha1/zz_generated.deepcopy.go         |  38 ++--
 .../v1alpha1/authentication_client.go         |   6 +-
 .../fake/fake_authentication_client.go        |   4 +-
 .../fake/fake_webhookauthenticator.go         | 127 ++++++++++++
 .../fake/fake_webhookidentityprovider.go      | 127 ------------
 .../v1alpha1/generated_expansion.go           |   2 +-
 .../v1alpha1/webhookauthenticator.go          | 178 +++++++++++++++++
 .../v1alpha1/webhookidentityprovider.go       | 178 -----------------
 .../authentication/v1alpha1/interface.go      |  10 +-
 .../v1alpha1/webhookauthenticator.go          |  76 ++++++++
 .../v1alpha1/webhookidentityprovider.go       |  76 --------
 .../informers/externalversions/generic.go     |   4 +-
 .../v1alpha1/expansion_generated.go           |  12 +-
 .../v1alpha1/webhookauthenticator.go          |  81 ++++++++
 .../v1alpha1/webhookidentityprovider.go       |  81 --------
 .../client/openapi/zz_generated.openapi.go    | 176 ++++++++---------
 ...ge.pinniped.dev_webhookauthenticators.yaml |  29 ++-
 generated/1.18/README.adoc                    |  38 ++--
 .../1.18/apis/concierge/authentication/doc.go |   2 +-
 .../concierge/authentication/v1alpha1/doc.go  |   2 +-
 .../authentication/v1alpha1/register.go       |   4 +-
 .../authentication/v1alpha1/types_tls.go      |   2 +-
 .../authentication/v1alpha1/types_webhook.go  |  30 +--
 .../v1alpha1/zz_generated.deepcopy.go         |  38 ++--
 .../v1alpha1/authentication_client.go         |   6 +-
 .../fake/fake_authentication_client.go        |   4 +-
 .../fake/fake_webhookauthenticator.go         | 129 +++++++++++++
 .../fake/fake_webhookidentityprovider.go      | 129 -------------
 .../v1alpha1/generated_expansion.go           |   2 +-
 .../v1alpha1/webhookauthenticator.go          | 182 ++++++++++++++++++
 .../v1alpha1/webhookidentityprovider.go       | 182 ------------------
 .../authentication/v1alpha1/interface.go      |  10 +-
 .../v1alpha1/webhookauthenticator.go          |  77 ++++++++
 .../v1alpha1/webhookidentityprovider.go       |  77 --------
 .../informers/externalversions/generic.go     |   4 +-
 .../v1alpha1/expansion_generated.go           |  12 +-
 .../v1alpha1/webhookauthenticator.go          |  81 ++++++++
 .../v1alpha1/webhookidentityprovider.go       |  81 --------
 .../client/openapi/zz_generated.openapi.go    | 176 ++++++++---------
 ...e.pinniped.dev_webhookauthenticators.yaml} |  29 ++-
 generated/1.19/README.adoc                    |  38 ++--
 .../1.19/apis/concierge/authentication/doc.go |   2 +-
 .../concierge/authentication/v1alpha1/doc.go  |   2 +-
 .../authentication/v1alpha1/register.go       |   4 +-
 .../authentication/v1alpha1/types_tls.go      |   2 +-
 .../authentication/v1alpha1/types_webhook.go  |  30 +--
 .../v1alpha1/zz_generated.deepcopy.go         |  38 ++--
 .../v1alpha1/authentication_client.go         |   6 +-
 .../fake/fake_authentication_client.go        |   4 +-
 .../fake/fake_webhookauthenticator.go         | 129 +++++++++++++
 .../fake/fake_webhookidentityprovider.go      | 129 -------------
 .../v1alpha1/generated_expansion.go           |   2 +-
 .../v1alpha1/webhookauthenticator.go          | 182 ++++++++++++++++++
 .../v1alpha1/webhookidentityprovider.go       | 182 ------------------
 .../authentication/v1alpha1/interface.go      |  10 +-
 .../v1alpha1/webhookauthenticator.go          |  77 ++++++++
 .../v1alpha1/webhookidentityprovider.go       |  77 --------
 .../informers/externalversions/generic.go     |   4 +-
 .../v1alpha1/expansion_generated.go           |  12 +-
 .../v1alpha1/webhookauthenticator.go          |  86 +++++++++
 .../v1alpha1/webhookidentityprovider.go       |  86 ---------
 .../client/openapi/zz_generated.openapi.go    | 178 ++++++++---------
 ...e.pinniped.dev_webhookauthenticators.yaml} |  29 ++-
 ...pinniped.dev_webhookidentityproviders.yaml | 149 --------------
 hack/lib/tilt/Tiltfile                        |   2 +-
 hack/update.sh                                |   2 +-
 internal/client/client_test.go                |   4 +-
 .../identityprovider/idpcache/cache_test.go   |   2 +-
 .../webhookcachecleaner.go                    |  10 +-
 .../webhookcachecleaner_test.go               |  14 +-
 .../webhookcachefiller/webhookcachefiller.go  |  16 +-
 .../webhookcachefiller_test.go                |  20 +-
 .../controllermanager/prepare_controllers.go  |   4 +-
 .../concierge_credentialrequest_test.go       |   2 +-
 test/integration/kube_api_discovery_test.go   |   9 +-
 test/library/client.go                        |  16 +-
 test/library/env.go                           |  24 +--
 94 files changed, 2043 insertions(+), 2205 deletions(-)
 rename deploy/concierge/{authentication.concierge.pinniped.dev_webhookidentityproviders.yaml => authentication.concierge.pinniped.dev_webhookauthenticators.yaml} (89%)
 create mode 100644 generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
 delete mode 100644 generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
 create mode 100644 generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
 create mode 100644 generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
 create mode 100644 generated/1.17/client/listers/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go
 rename deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml => generated/1.17/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml (89%)
 create mode 100644 generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
 delete mode 100644 generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
 create mode 100644 generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
 create mode 100644 generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
 create mode 100644 generated/1.18/client/listers/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go
 rename generated/{1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml => 1.18/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml} (89%)
 create mode 100644 generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
 delete mode 100644 generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
 create mode 100644 generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
 create mode 100644 generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
 create mode 100644 generated/1.19/client/listers/authentication/v1alpha1/webhookauthenticator.go
 delete mode 100644 generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go
 rename generated/{1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml => 1.19/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml} (89%)
 delete mode 100644 generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml

diff --git a/apis/concierge/authentication/doc.go.tmpl b/apis/concierge/authentication/doc.go.tmpl
index c85584632..78e81bd63 100644
--- a/apis/concierge/authentication/doc.go.tmpl
+++ b/apis/concierge/authentication/doc.go.tmpl
@@ -4,5 +4,5 @@
 // +k8s:deepcopy-gen=package
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package authentication is the internal version of the Pinniped identity provider API.
+// Package authentication is the internal version of the Pinniped concierge authentication API.
 package authentication
diff --git a/apis/concierge/authentication/v1alpha1/doc.go.tmpl b/apis/concierge/authentication/v1alpha1/doc.go.tmpl
index 4bd09774a..f1ad1a869 100644
--- a/apis/concierge/authentication/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/doc.go.tmpl
@@ -7,5 +7,5 @@
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 package v1alpha1
diff --git a/apis/concierge/authentication/v1alpha1/register.go.tmpl b/apis/concierge/authentication/v1alpha1/register.go.tmpl
index b372270dc..1a5163daa 100644
--- a/apis/concierge/authentication/v1alpha1/register.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/register.go.tmpl
@@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&WebhookIdentityProvider{},
-		&WebhookIdentityProviderList{},
+		&WebhookAuthenticator{},
+		&WebhookAuthenticatorList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl b/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
index 2f2098c91..f882f2d6c 100644
--- a/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
@@ -3,7 +3,7 @@
 
 package v1alpha1
 
-// Configuration for configuring TLS on various identity providers.
+// Configuration for configuring TLS on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
diff --git a/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl b/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
index 6e4763378..8124597ab 100644
--- a/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
@@ -5,9 +5,9 @@ package v1alpha1
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-// Status of a webhook identity provider.
-type WebhookIdentityProviderStatus struct {
-	// Represents the observations of an identity provider's current state.
+// Status of a webhook authenticator.
+type WebhookAuthenticatorStatus struct {
+	// Represents the observations of the authenticator's current state.
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	// +listType=map
@@ -15,8 +15,8 @@ type WebhookIdentityProviderStatus struct {
 	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }
 
-// Spec for configuring a webhook identity provider.
-type WebhookIdentityProviderSpec struct {
+// Spec for configuring a webhook authenticator.
+type WebhookAuthenticatorSpec struct {
 	// Webhook server endpoint URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://`
@@ -27,27 +27,27 @@ type WebhookIdentityProviderSpec struct {
 	TLS *TLSSpec `json:"tls,omitempty"`
 }
 
-// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+// WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps
+// +kubebuilder:resource:categories=all;authenticator;authenticators
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
-type WebhookIdentityProvider struct {
+type WebhookAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Spec for configuring the identity provider.
-	Spec WebhookIdentityProviderSpec `json:"spec"`
+	// Spec for configuring the authenticator.
+	Spec WebhookAuthenticatorSpec `json:"spec"`
 
-	// Status of the identity provider.
-	Status WebhookIdentityProviderStatus `json:"status,omitempty"`
+	// Status of the authenticator.
+	Status WebhookAuthenticatorStatus `json:"status,omitempty"`
 }
 
-// List of WebhookIdentityProvider objects.
+// List of WebhookAuthenticator objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type WebhookIdentityProviderList struct {
+type WebhookAuthenticatorList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
 
-	Items []WebhookIdentityProvider `json:"items"`
+	Items []WebhookAuthenticator `json:"items"`
 }
diff --git a/cmd/pinniped/cmd/exchange_credential.go b/cmd/pinniped/cmd/exchange_credential.go
index 0e8d99d76..481165fb0 100644
--- a/cmd/pinniped/cmd/exchange_credential.go
+++ b/cmd/pinniped/cmd/exchange_credential.go
@@ -144,7 +144,7 @@ func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outp
 	switch strings.ToLower(idpType) {
 	case "webhook":
 		idp.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
-		idp.Kind = "WebhookIdentityProvider"
+		idp.Kind = "WebhookAuthenticator"
 	default:
 		return fmt.Errorf(`%w: %q, supported values are "webhook"`, ErrInvalidIDPType, idpType)
 	}
diff --git a/cmd/pinniped/cmd/get_kubeconfig.go b/cmd/pinniped/cmd/get_kubeconfig.go
index fa6935af4..a0349eed8 100644
--- a/cmd/pinniped/cmd/get_kubeconfig.go
+++ b/cmd/pinniped/cmd/get_kubeconfig.go
@@ -187,7 +187,7 @@ func getDefaultIDP(clientset pinnipedclientset.Interface, namespace string) (str
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancelFunc()
 
-	webhooks, err := clientset.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(ctx, metav1.ListOptions{})
+	webhooks, err := clientset.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(ctx, metav1.ListOptions{})
 	if err != nil {
 		return "", "", err
 	}
diff --git a/cmd/pinniped/cmd/get_kubeconfig_test.go b/cmd/pinniped/cmd/get_kubeconfig_test.go
index 23d920c5c..430791730 100644
--- a/cmd/pinniped/cmd/get_kubeconfig_test.go
+++ b/cmd/pinniped/cmd/get_kubeconfig_test.go
@@ -256,8 +256,8 @@ func TestRun(t *testing.T) {
 				cmd.flags.idpType = ""
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						&authv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-one"}},
-						&authv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-two"}},
+						&authv1alpha.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-one"}},
+						&authv1alpha.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-two"}},
 					), nil
 				}
 			},
@@ -349,7 +349,7 @@ func TestRun(t *testing.T) {
 
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						&authv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-idp"}},
+						&authv1alpha.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-idp"}},
 						newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://example.com", "test-ca"),
 					), nil
 				}
diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
similarity index 89%
rename from deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
index 5e7aba722..9ae6152e1 100644
--- a/deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -6,21 +6,18 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.authentication.concierge.pinniped.dev
+  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
   group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
-    - idp
-    - idps
-    kind: WebhookIdentityProvider
-    listKind: WebhookIdentityProviderList
-    plural: webhookidentityproviders
-    shortNames:
-    - webhookidp
-    - webhookidps
-    singular: webhookidentityprovider
+    - authenticator
+    - authenticators
+    kind: WebhookAuthenticator
+    listKind: WebhookAuthenticatorList
+    plural: webhookauthenticators
+    singular: webhookauthenticator
   scope: Namespaced
   versions:
   - additionalPrinterColumns:
@@ -30,8 +27,8 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: WebhookIdentityProvider describes the configuration of a Pinniped
-          webhook identity provider.
+        description: WebhookAuthenticator describes the configuration of a webhook
+          authenticator.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -46,7 +43,7 @@ spec:
           metadata:
             type: object
           spec:
-            description: Spec for configuring the identity provider.
+            description: Spec for configuring the authenticator.
             properties:
               endpoint:
                 description: Webhook server endpoint URL.
@@ -65,11 +62,11 @@ spec:
             - endpoint
             type: object
           status:
-            description: Status of the identity provider.
+            description: Status of the authenticator.
             properties:
               conditions:
-                description: Represents the observations of an identity provider's
-                  current state.
+                description: Represents the observations of the authenticator's current
+                  state.
                 items:
                   description: Condition status of a resource (mirrored from the metav1.Condition
                     type added in Kubernetes 1.19). In a future API version we can
diff --git a/deploy/concierge/z0_crd_overlay.yaml b/deploy/concierge/z0_crd_overlay.yaml
index 61f4c93e5..c5050f04d 100644
--- a/deploy/concierge/z0_crd_overlay.yaml
+++ b/deploy/concierge/z0_crd_overlay.yaml
@@ -10,7 +10,7 @@ metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
 
-#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookidentityproviders.authentication.concierge.pinniped.dev"}}), expects=1
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookauthenticators.authentication.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
diff --git a/doc/demo.md b/doc/demo.md
index 8b6cef40a..4d6fcafed 100644
--- a/doc/demo.md
+++ b/doc/demo.md
@@ -118,12 +118,12 @@ as the identity provider.
    If you would prefer to customize the available options, please see [deploy/concierge/README.md](../deploy/concierge/README.md)
    for instructions on how to deploy using `ytt`.
 
-1. Create a `WebhookIdentityProvider` object to configure Pinniped to authenticate using local-user-authenticator.
+1. Create a `WebhookAuthenticator` object to configure Pinniped to authenticate using local-user-authenticator.
 
     ```bash
     cat <<EOF | kubectl create --namespace pinniped -f -
     apiVersion: authentication.concierge.pinniped.dev/v1alpha1
-    kind: WebhookIdentityProvider
+    kind: WebhookAuthenticator
     metadata:
       name: local-user-authenticator
     spec:
diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc
index 081abb12a..e004e05ee 100644
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -13,7 +13,7 @@
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
 === authentication.concierge.pinniped.dev/v1alpha1
 
-Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 
 
 
@@ -24,7 +24,7 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus[$$WebhookAuthenticatorStatus$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -42,11 +42,11 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various identity providers.
+Configuration for configuring TLS on various authenticators.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec[$$WebhookAuthenticatorSpec$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -56,14 +56,14 @@ Configuration for configuring TLS on various identity providers.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityprovider"]
-==== WebhookIdentityProvider 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticator"]
+==== WebhookAuthenticator 
 
-WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+WebhookAuthenticator describes the configuration of a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorlist[$$WebhookAuthenticatorList$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -71,21 +71,21 @@ WebhookIdentityProvider describes the configuration of a Pinniped webhook identi
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec[$$WebhookAuthenticatorSpec$$]__ | Spec for configuring the authenticator.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus[$$WebhookAuthenticatorStatus$$]__ | Status of the authenticator.
 |===
 
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec"]
-==== WebhookIdentityProviderSpec 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec"]
+==== WebhookAuthenticatorSpec 
 
-Spec for configuring a webhook identity provider.
+Spec for configuring a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticator[$$WebhookAuthenticator$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -96,20 +96,20 @@ Spec for configuring a webhook identity provider.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus"]
-==== WebhookIdentityProviderStatus 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus"]
+==== WebhookAuthenticatorStatus 
 
-Status of a webhook identity provider.
+Status of a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookauthenticator[$$WebhookAuthenticator$$]
 ****
 
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of the authenticator's current state.
 |===
 
 
diff --git a/generated/1.17/apis/concierge/authentication/doc.go b/generated/1.17/apis/concierge/authentication/doc.go
index c85584632..78e81bd63 100644
--- a/generated/1.17/apis/concierge/authentication/doc.go
+++ b/generated/1.17/apis/concierge/authentication/doc.go
@@ -4,5 +4,5 @@
 // +k8s:deepcopy-gen=package
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package authentication is the internal version of the Pinniped identity provider API.
+// Package authentication is the internal version of the Pinniped concierge authentication API.
 package authentication
diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go b/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
index 8cd69dfaf..52b71edd0 100644
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
@@ -7,5 +7,5 @@
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 package v1alpha1
diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/register.go b/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
index b372270dc..1a5163daa 100644
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
@@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&WebhookIdentityProvider{},
-		&WebhookIdentityProviderList{},
+		&WebhookAuthenticator{},
+		&WebhookAuthenticatorList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
index 2f2098c91..f882f2d6c 100644
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
@@ -3,7 +3,7 @@
 
 package v1alpha1
 
-// Configuration for configuring TLS on various identity providers.
+// Configuration for configuring TLS on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go
index 6e4763378..8124597ab 100644
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go
@@ -5,9 +5,9 @@ package v1alpha1
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-// Status of a webhook identity provider.
-type WebhookIdentityProviderStatus struct {
-	// Represents the observations of an identity provider's current state.
+// Status of a webhook authenticator.
+type WebhookAuthenticatorStatus struct {
+	// Represents the observations of the authenticator's current state.
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	// +listType=map
@@ -15,8 +15,8 @@ type WebhookIdentityProviderStatus struct {
 	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }
 
-// Spec for configuring a webhook identity provider.
-type WebhookIdentityProviderSpec struct {
+// Spec for configuring a webhook authenticator.
+type WebhookAuthenticatorSpec struct {
 	// Webhook server endpoint URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://`
@@ -27,27 +27,27 @@ type WebhookIdentityProviderSpec struct {
 	TLS *TLSSpec `json:"tls,omitempty"`
 }
 
-// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+// WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps
+// +kubebuilder:resource:categories=all;authenticator;authenticators
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
-type WebhookIdentityProvider struct {
+type WebhookAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Spec for configuring the identity provider.
-	Spec WebhookIdentityProviderSpec `json:"spec"`
+	// Spec for configuring the authenticator.
+	Spec WebhookAuthenticatorSpec `json:"spec"`
 
-	// Status of the identity provider.
-	Status WebhookIdentityProviderStatus `json:"status,omitempty"`
+	// Status of the authenticator.
+	Status WebhookAuthenticatorStatus `json:"status,omitempty"`
 }
 
-// List of WebhookIdentityProvider objects.
+// List of WebhookAuthenticator objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type WebhookIdentityProviderList struct {
+type WebhookAuthenticatorList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
 
-	Items []WebhookIdentityProvider `json:"items"`
+	Items []WebhookAuthenticator `json:"items"`
 }
diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
index cb0f46c85..a4e27af74 100644
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -45,7 +45,7 @@ func (in *TLSSpec) DeepCopy() *TLSSpec {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
+func (in *WebhookAuthenticator) DeepCopyInto(out *WebhookAuthenticator) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@@ -54,18 +54,18 @@ func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider.
-func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticator.
+func (in *WebhookAuthenticator) DeepCopy() *WebhookAuthenticator {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProvider)
+	out := new(WebhookAuthenticator)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
+func (in *WebhookAuthenticator) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -73,13 +73,13 @@ func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) {
+func (in *WebhookAuthenticatorList) DeepCopyInto(out *WebhookAuthenticatorList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]WebhookIdentityProvider, len(*in))
+		*out = make([]WebhookAuthenticator, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -87,18 +87,18 @@ func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProvider
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList.
-func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorList.
+func (in *WebhookAuthenticatorList) DeepCopy() *WebhookAuthenticatorList {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderList)
+	out := new(WebhookAuthenticatorList)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
+func (in *WebhookAuthenticatorList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -106,7 +106,7 @@ func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) {
+func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) {
 	*out = *in
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
@@ -116,18 +116,18 @@ func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProvider
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec.
-func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorSpec.
+func (in *WebhookAuthenticatorSpec) DeepCopy() *WebhookAuthenticatorSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderSpec)
+	out := new(WebhookAuthenticatorSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) {
+func (in *WebhookAuthenticatorStatus) DeepCopyInto(out *WebhookAuthenticatorStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
@@ -139,12 +139,12 @@ func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProvid
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus.
-func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorStatus.
+func (in *WebhookAuthenticatorStatus) DeepCopy() *WebhookAuthenticatorStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderStatus)
+	out := new(WebhookAuthenticatorStatus)
 	in.DeepCopyInto(out)
 	return out
 }
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
index 360fce0f1..7455289a0 100644
--- a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -13,7 +13,7 @@ import (
 
 type AuthenticationV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	WebhookIdentityProvidersGetter
+	WebhookAuthenticatorsGetter
 }
 
 // AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
@@ -21,8 +21,8 @@ type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *AuthenticationV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
-	return newWebhookIdentityProviders(c, namespace)
+func (c *AuthenticationV1alpha1Client) WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface {
+	return newWebhookAuthenticators(c, namespace)
 }
 
 // NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
index 331981fa1..09e7a1a84 100644
--- a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -15,8 +15,8 @@ type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeAuthenticationV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
-	return &FakeWebhookIdentityProviders{c, namespace}
+func (c *FakeAuthenticationV1alpha1) WebhookAuthenticators(namespace string) v1alpha1.WebhookAuthenticatorInterface {
+	return &FakeWebhookAuthenticators{c, namespace}
 }
 
 // RESTClient returns a RESTClient that is used to communicate
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
new file mode 100644
index 000000000..e79d48c24
--- /dev/null
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
@@ -0,0 +1,127 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeWebhookAuthenticators implements WebhookAuthenticatorInterface
+type FakeWebhookAuthenticators struct {
+	Fake *FakeAuthenticationV1alpha1
+	ns   string
+}
+
+var webhookauthenticatorsResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookauthenticators"}
+
+var webhookauthenticatorsKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookAuthenticator"}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *FakeWebhookAuthenticators) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *FakeWebhookAuthenticators) List(opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(webhookauthenticatorsResource, webhookauthenticatorsKind, c.ns, opts), &v1alpha1.WebhookAuthenticatorList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.WebhookAuthenticatorList{ListMeta: obj.(*v1alpha1.WebhookAuthenticatorList).ListMeta}
+	for _, item := range obj.(*v1alpha1.WebhookAuthenticatorList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *FakeWebhookAuthenticators) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(webhookauthenticatorsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Create(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Update(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeWebhookAuthenticators) UpdateStatus(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(webhookauthenticatorsResource, "status", c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *FakeWebhookAuthenticators) Delete(name string, options *v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeWebhookAuthenticators) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(webhookauthenticatorsResource, c.ns, listOptions)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookAuthenticatorList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *FakeWebhookAuthenticators) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(webhookauthenticatorsResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
deleted file mode 100644
index 30681a89f..000000000
--- a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
+++ /dev/null
@@ -1,127 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	labels "k8s.io/apimachinery/pkg/labels"
-	schema "k8s.io/apimachinery/pkg/runtime/schema"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	testing "k8s.io/client-go/testing"
-)
-
-// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
-type FakeWebhookIdentityProviders struct {
-	Fake *FakeAuthenticationV1alpha1
-	ns   string
-}
-
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
-
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
-
-// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
-func (c *FakeWebhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
-func (c *FakeWebhookIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{})
-
-	if obj == nil {
-		return nil, err
-	}
-
-	label, _, _ := testing.ExtractFromListOptions(opts)
-	if label == nil {
-		label = labels.Everything()
-	}
-	list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta}
-	for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items {
-		if label.Matches(labels.Set(item.Labels)) {
-			list.Items = append(list.Items, item)
-		}
-	}
-	return list, err
-}
-
-// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
-func (c *FakeWebhookIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
-	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts))
-
-}
-
-// Create takes the representation of a webhookIdentityProvider and creates it.  Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *FakeWebhookIdentityProviders) Create(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *FakeWebhookIdentityProviders) Update(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// UpdateStatus was generated because the type contains a Status member.
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-func (c *FakeWebhookIdentityProviders) UpdateStatus(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
-func (c *FakeWebhookIdentityProviders) Delete(name string, options *v1.DeleteOptions) error {
-	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
-
-	return err
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *FakeWebhookIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOptions)
-
-	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{})
-	return err
-}
-
-// Patch applies the patch and returns the patched webhookIdentityProvider.
-func (c *FakeWebhookIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
index 69ebc739d..e1b1f2b40 100644
--- a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
@@ -5,4 +5,4 @@
 
 package v1alpha1
 
-type WebhookIdentityProviderExpansion interface{}
+type WebhookAuthenticatorExpansion interface{}
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 000000000..584599c0a
--- /dev/null
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,178 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// WebhookAuthenticatorsGetter has a method to return a WebhookAuthenticatorInterface.
+// A group's client should implement this interface.
+type WebhookAuthenticatorsGetter interface {
+	WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface
+}
+
+// WebhookAuthenticatorInterface has methods to work with WebhookAuthenticator resources.
+type WebhookAuthenticatorInterface interface {
+	Create(*v1alpha1.WebhookAuthenticator) (*v1alpha1.WebhookAuthenticator, error)
+	Update(*v1alpha1.WebhookAuthenticator) (*v1alpha1.WebhookAuthenticator, error)
+	UpdateStatus(*v1alpha1.WebhookAuthenticator) (*v1alpha1.WebhookAuthenticator, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.WebhookAuthenticator, error)
+	List(opts v1.ListOptions) (*v1alpha1.WebhookAuthenticatorList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error)
+	WebhookAuthenticatorExpansion
+}
+
+// webhookAuthenticators implements WebhookAuthenticatorInterface
+type webhookAuthenticators struct {
+	client rest.Interface
+	ns     string
+}
+
+// newWebhookAuthenticators returns a WebhookAuthenticators
+func newWebhookAuthenticators(c *AuthenticationV1alpha1Client, namespace string) *webhookAuthenticators {
+	return &webhookAuthenticators{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *webhookAuthenticators) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *webhookAuthenticators) List(opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.WebhookAuthenticatorList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *webhookAuthenticators) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch()
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Create(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Body(webhookAuthenticator).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Update(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		Body(webhookAuthenticator).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *webhookAuthenticators) UpdateStatus(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		SubResource("status").
+		Body(webhookAuthenticator).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *webhookAuthenticators) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *webhookAuthenticators) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	var timeout time.Duration
+	if listOptions.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *webhookAuthenticators) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 101145177..000000000
--- a/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,178 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	"time"
-
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
-	scheme "go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	rest "k8s.io/client-go/rest"
-)
-
-// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface.
-// A group's client should implement this interface.
-type WebhookIdentityProvidersGetter interface {
-	WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface
-}
-
-// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources.
-type WebhookIdentityProviderInterface interface {
-	Create(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error)
-	Update(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error)
-	UpdateStatus(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error)
-	Delete(name string, options *v1.DeleteOptions) error
-	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
-	Get(name string, options v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	List(opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error)
-	Watch(opts v1.ListOptions) (watch.Interface, error)
-	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error)
-	WebhookIdentityProviderExpansion
-}
-
-// webhookIdentityProviders implements WebhookIdentityProviderInterface
-type webhookIdentityProviders struct {
-	client rest.Interface
-	ns     string
-}
-
-// newWebhookIdentityProviders returns a WebhookIdentityProviders
-func newWebhookIdentityProviders(c *AuthenticationV1alpha1Client, namespace string) *webhookIdentityProviders {
-	return &webhookIdentityProviders{
-		client: c.RESTClient(),
-		ns:     namespace,
-	}
-}
-
-// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
-func (c *webhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		VersionedParams(&options, scheme.ParameterCodec).
-		Do().
-		Into(result)
-	return
-}
-
-// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
-func (c *webhookIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
-	var timeout time.Duration
-	if opts.TimeoutSeconds != nil {
-		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
-	}
-	result = &v1alpha1.WebhookIdentityProviderList{}
-	err = c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Do().
-		Into(result)
-	return
-}
-
-// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
-func (c *webhookIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
-	var timeout time.Duration
-	if opts.TimeoutSeconds != nil {
-		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
-	}
-	opts.Watch = true
-	return c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Watch()
-}
-
-// Create takes the representation of a webhookIdentityProvider and creates it.  Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *webhookIdentityProviders) Create(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Post().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Body(webhookIdentityProvider).
-		Do().
-		Into(result)
-	return
-}
-
-// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *webhookIdentityProviders) Update(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Put().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(webhookIdentityProvider.Name).
-		Body(webhookIdentityProvider).
-		Do().
-		Into(result)
-	return
-}
-
-// UpdateStatus was generated because the type contains a Status member.
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-
-func (c *webhookIdentityProviders) UpdateStatus(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Put().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(webhookIdentityProvider.Name).
-		SubResource("status").
-		Body(webhookIdentityProvider).
-		Do().
-		Into(result)
-	return
-}
-
-// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
-func (c *webhookIdentityProviders) Delete(name string, options *v1.DeleteOptions) error {
-	return c.client.Delete().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		Body(options).
-		Do().
-		Error()
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *webhookIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
-	var timeout time.Duration
-	if listOptions.TimeoutSeconds != nil {
-		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
-	}
-	return c.client.Delete().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&listOptions, scheme.ParameterCodec).
-		Timeout(timeout).
-		Body(options).
-		Do().
-		Error()
-}
-
-// Patch applies the patch and returns the patched webhookIdentityProvider.
-func (c *webhookIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Patch(pt).
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		SubResource(subresources...).
-		Name(name).
-		Body(data).
-		Do().
-		Into(result)
-	return
-}
diff --git a/generated/1.17/client/informers/externalversions/authentication/v1alpha1/interface.go b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/interface.go
index 03455e4ab..a42951288 100644
--- a/generated/1.17/client/informers/externalversions/authentication/v1alpha1/interface.go
+++ b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/interface.go
@@ -11,8 +11,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
-	WebhookIdentityProviders() WebhookIdentityProviderInformer
+	// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+	WebhookAuthenticators() WebhookAuthenticatorInformer
 }
 
 type version struct {
@@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
-// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
-func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer {
-	return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+func (v *version) WebhookAuthenticators() WebhookAuthenticatorInformer {
+	return &webhookAuthenticatorInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
diff --git a/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 000000000..549b47d15
--- /dev/null
+++ b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,76 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	time "time"
+
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.17/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/listers/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorInformer provides access to a shared informer and lister for
+// WebhookAuthenticators.
+type WebhookAuthenticatorInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.WebhookAuthenticatorLister
+}
+
+type webhookAuthenticatorInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).Watch(options)
+			},
+		},
+		&authenticationv1alpha1.WebhookAuthenticator{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *webhookAuthenticatorInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *webhookAuthenticatorInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookAuthenticator{}, f.defaultInformer)
+}
+
+func (f *webhookAuthenticatorInformer) Lister() v1alpha1.WebhookAuthenticatorLister {
+	return v1alpha1.NewWebhookAuthenticatorLister(f.Informer().GetIndexer())
+}
diff --git a/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 86d3336a2..000000000
--- a/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by informer-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	time "time"
-
-	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
-	versioned "go.pinniped.dev/generated/1.17/client/clientset/versioned"
-	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
-	v1alpha1 "go.pinniped.dev/generated/1.17/client/listers/authentication/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	runtime "k8s.io/apimachinery/pkg/runtime"
-	watch "k8s.io/apimachinery/pkg/watch"
-	cache "k8s.io/client-go/tools/cache"
-)
-
-// WebhookIdentityProviderInformer provides access to a shared informer and lister for
-// WebhookIdentityProviders.
-type WebhookIdentityProviderInformer interface {
-	Informer() cache.SharedIndexInformer
-	Lister() v1alpha1.WebhookIdentityProviderLister
-}
-
-type webhookIdentityProviderInformer struct {
-	factory          internalinterfaces.SharedInformerFactory
-	tweakListOptions internalinterfaces.TweakListOptionsFunc
-	namespace        string
-}
-
-// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
-	return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
-}
-
-// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
-	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
-			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(options)
-			},
-			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).Watch(options)
-			},
-		},
-		&authenticationv1alpha1.WebhookIdentityProvider{},
-		resyncPeriod,
-		indexers,
-	)
-}
-
-func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
-}
-
-func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&authenticationv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
-}
-
-func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
-	return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer())
-}
diff --git a/generated/1.17/client/informers/externalversions/generic.go b/generated/1.17/client/informers/externalversions/generic.go
index e6f3f43eb..287c34939 100644
--- a/generated/1.17/client/informers/externalversions/generic.go
+++ b/generated/1.17/client/informers/externalversions/generic.go
@@ -42,8 +42,8 @@ func (f *genericInformer) Lister() cache.GenericLister {
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
 	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookIdentityProviders().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookauthenticators"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookAuthenticators().Informer()}, nil
 
 		// Group=config.pinniped.dev, Version=v1alpha1
 	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
diff --git a/generated/1.17/client/listers/authentication/v1alpha1/expansion_generated.go b/generated/1.17/client/listers/authentication/v1alpha1/expansion_generated.go
index f0b280e1b..25e1ad662 100644
--- a/generated/1.17/client/listers/authentication/v1alpha1/expansion_generated.go
+++ b/generated/1.17/client/listers/authentication/v1alpha1/expansion_generated.go
@@ -5,10 +5,10 @@
 
 package v1alpha1
 
-// WebhookIdentityProviderListerExpansion allows custom methods to be added to
-// WebhookIdentityProviderLister.
-type WebhookIdentityProviderListerExpansion interface{}
+// WebhookAuthenticatorListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorLister.
+type WebhookAuthenticatorListerExpansion interface{}
 
-// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to
-// WebhookIdentityProviderNamespaceLister.
-type WebhookIdentityProviderNamespaceListerExpansion interface{}
+// WebhookAuthenticatorNamespaceListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorNamespaceLister.
+type WebhookAuthenticatorNamespaceListerExpansion interface{}
diff --git a/generated/1.17/client/listers/authentication/v1alpha1/webhookauthenticator.go b/generated/1.17/client/listers/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 000000000..dcf18bee4
--- /dev/null
+++ b/generated/1.17/client/listers/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorLister helps list WebhookAuthenticators.
+type WebhookAuthenticatorLister interface {
+	// List lists all WebhookAuthenticators in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
+	// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
+	WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister
+	WebhookAuthenticatorListerExpansion
+}
+
+// webhookAuthenticatorLister implements the WebhookAuthenticatorLister interface.
+type webhookAuthenticatorLister struct {
+	indexer cache.Indexer
+}
+
+// NewWebhookAuthenticatorLister returns a new WebhookAuthenticatorLister.
+func NewWebhookAuthenticatorLister(indexer cache.Indexer) WebhookAuthenticatorLister {
+	return &webhookAuthenticatorLister{indexer: indexer}
+}
+
+// List lists all WebhookAuthenticators in the indexer.
+func (s *webhookAuthenticatorLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
+	})
+	return ret, err
+}
+
+// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
+func (s *webhookAuthenticatorLister) WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister {
+	return webhookAuthenticatorNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// WebhookAuthenticatorNamespaceLister helps list and get WebhookAuthenticators.
+type WebhookAuthenticatorNamespaceLister interface {
+	// List lists all WebhookAuthenticators in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
+	// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.WebhookAuthenticator, error)
+	WebhookAuthenticatorNamespaceListerExpansion
+}
+
+// webhookAuthenticatorNamespaceLister implements the WebhookAuthenticatorNamespaceLister
+// interface.
+type webhookAuthenticatorNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all WebhookAuthenticators in the indexer for a given namespace.
+func (s webhookAuthenticatorNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
+	})
+	return ret, err
+}
+
+// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
+func (s webhookAuthenticatorNamespaceLister) Get(name string) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("webhookauthenticator"), name)
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), nil
+}
diff --git a/generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 933b303da..000000000
--- a/generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,81 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by lister-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/client-go/tools/cache"
-)
-
-// WebhookIdentityProviderLister helps list WebhookIdentityProviders.
-type WebhookIdentityProviderLister interface {
-	// List lists all WebhookIdentityProviders in the indexer.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
-	// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
-	WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister
-	WebhookIdentityProviderListerExpansion
-}
-
-// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface.
-type webhookIdentityProviderLister struct {
-	indexer cache.Indexer
-}
-
-// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister.
-func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister {
-	return &webhookIdentityProviderLister{indexer: indexer}
-}
-
-// List lists all WebhookIdentityProviders in the indexer.
-func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
-	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
-	})
-	return ret, err
-}
-
-// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
-func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister {
-	return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
-}
-
-// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders.
-type WebhookIdentityProviderNamespaceLister interface {
-	// List lists all WebhookIdentityProviders in the indexer for a given namespace.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
-	// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
-	Get(name string) (*v1alpha1.WebhookIdentityProvider, error)
-	WebhookIdentityProviderNamespaceListerExpansion
-}
-
-// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister
-// interface.
-type webhookIdentityProviderNamespaceLister struct {
-	indexer   cache.Indexer
-	namespace string
-}
-
-// List lists all WebhookIdentityProviders in the indexer for a given namespace.
-func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
-	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
-	})
-	return ret, err
-}
-
-// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
-func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) {
-	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
-	if err != nil {
-		return nil, err
-	}
-	if !exists {
-		return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name)
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), nil
-}
diff --git a/generated/1.17/client/openapi/zz_generated.openapi.go b/generated/1.17/client/openapi/zz_generated.openapi.go
index b8d43ca3a..821f0ba8f 100644
--- a/generated/1.17/client/openapi/zz_generated.openapi.go
+++ b/generated/1.17/client/openapi/zz_generated.openapi.go
@@ -17,77 +17,77 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition":                     schema_apis_concierge_authentication_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec":                       schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider":       schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderList":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus": schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":                      schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":                 schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":           schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfig":                          schema_117_apis_config_v1alpha1_CredentialIssuerConfig(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":            schema_117_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigList":                      schema_117_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStatus":                    schema_117_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStrategy":                  schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig":                              schema_117_apis_config_v1alpha1_OIDCProviderConfig(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigList":                          schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec":                          schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigStatus":                        schema_117_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                       schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                   schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                    schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                    schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                  schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                  schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                       schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                  schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                       schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                     schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                      schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                  schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                   schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                       schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                               schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                           schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                  schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                  schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                       schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                           schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                       schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                    schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                             schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                      schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                     schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                 schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                          schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                      schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                          schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                   schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                  schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                      schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                      schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                         schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                    schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                  schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                          schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                          schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                   schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                       schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                              schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                           schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                      schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                       schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                  schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                     schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                        schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                            schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                             schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                                schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition":                  schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec":                    schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":       schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus": schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":                   schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":              schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":        schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfig":                       schema_117_apis_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":         schema_117_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigList":                   schema_117_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStatus":                 schema_117_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStrategy":               schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig":                           schema_117_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigList":                       schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec":                       schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigStatus":                     schema_117_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                    schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                 schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                             schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                 schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                               schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                               schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                    schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                               schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                    schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                  schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                   schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                               schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                    schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                            schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                        schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                               schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                               schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                    schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                        schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                    schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                 schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                          schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                   schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                  schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                              schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                       schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                   schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                       schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                               schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                   schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                   schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                      schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                 schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                               schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                       schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                       schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                    schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                           schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                        schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                   schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                    schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                               schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                  schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                     schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                         schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                          schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                             schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
@@ -152,7 +152,7 @@ func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceC
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Configuration for configuring TLS on various identity providers.",
+				Description: "Configuration for configuring TLS on various authenticators.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"certificateAuthorityData": {
@@ -168,11 +168,11 @@ func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceC
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
+				Description: "WebhookAuthenticator describes the configuration of a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -196,14 +196,14 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref c
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec"),
+							Description: "Spec for configuring the authenticator.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus"),
+							Description: "Status of the authenticator.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus"),
 						},
 					},
 				},
@@ -211,15 +211,15 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref c
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec", "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "List of WebhookIdentityProvider objects.",
+				Description: "List of WebhookAuthenticator objects.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -247,7 +247,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(r
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider"),
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticator"),
 									},
 								},
 							},
@@ -258,15 +258,15 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(r
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookAuthenticator", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Spec for configuring a webhook identity provider.",
+				Description: "Spec for configuring a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"endpoint": {
@@ -291,11 +291,11 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(r
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Status of a webhook identity provider.",
+				Description: "Status of a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"conditions": {
@@ -310,7 +310,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "Represents the observations of an identity provider's current state.",
+							Description: "Represents the observations of the authenticator's current state.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
diff --git a/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.17/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
similarity index 89%
rename from deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.17/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
index 5e7aba722..9ae6152e1 100644
--- a/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.17/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -6,21 +6,18 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.authentication.concierge.pinniped.dev
+  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
   group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
-    - idp
-    - idps
-    kind: WebhookIdentityProvider
-    listKind: WebhookIdentityProviderList
-    plural: webhookidentityproviders
-    shortNames:
-    - webhookidp
-    - webhookidps
-    singular: webhookidentityprovider
+    - authenticator
+    - authenticators
+    kind: WebhookAuthenticator
+    listKind: WebhookAuthenticatorList
+    plural: webhookauthenticators
+    singular: webhookauthenticator
   scope: Namespaced
   versions:
   - additionalPrinterColumns:
@@ -30,8 +27,8 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: WebhookIdentityProvider describes the configuration of a Pinniped
-          webhook identity provider.
+        description: WebhookAuthenticator describes the configuration of a webhook
+          authenticator.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -46,7 +43,7 @@ spec:
           metadata:
             type: object
           spec:
-            description: Spec for configuring the identity provider.
+            description: Spec for configuring the authenticator.
             properties:
               endpoint:
                 description: Webhook server endpoint URL.
@@ -65,11 +62,11 @@ spec:
             - endpoint
             type: object
           status:
-            description: Status of the identity provider.
+            description: Status of the authenticator.
             properties:
               conditions:
-                description: Represents the observations of an identity provider's
-                  current state.
+                description: Represents the observations of the authenticator's current
+                  state.
                 items:
                   description: Condition status of a resource (mirrored from the metav1.Condition
                     type added in Kubernetes 1.19). In a future API version we can
diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc
index ca7a442f3..3dc20e722 100644
--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@@ -13,7 +13,7 @@
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
 === authentication.concierge.pinniped.dev/v1alpha1
 
-Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 
 
 
@@ -24,7 +24,7 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus[$$WebhookAuthenticatorStatus$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -42,11 +42,11 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various identity providers.
+Configuration for configuring TLS on various authenticators.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec[$$WebhookAuthenticatorSpec$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -56,14 +56,14 @@ Configuration for configuring TLS on various identity providers.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityprovider"]
-==== WebhookIdentityProvider 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticator"]
+==== WebhookAuthenticator 
 
-WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+WebhookAuthenticator describes the configuration of a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorlist[$$WebhookAuthenticatorList$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -71,21 +71,21 @@ WebhookIdentityProvider describes the configuration of a Pinniped webhook identi
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec[$$WebhookAuthenticatorSpec$$]__ | Spec for configuring the authenticator.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus[$$WebhookAuthenticatorStatus$$]__ | Status of the authenticator.
 |===
 
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec"]
-==== WebhookIdentityProviderSpec 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec"]
+==== WebhookAuthenticatorSpec 
 
-Spec for configuring a webhook identity provider.
+Spec for configuring a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticator[$$WebhookAuthenticator$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -96,20 +96,20 @@ Spec for configuring a webhook identity provider.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus"]
-==== WebhookIdentityProviderStatus 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus"]
+==== WebhookAuthenticatorStatus 
 
-Status of a webhook identity provider.
+Status of a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookauthenticator[$$WebhookAuthenticator$$]
 ****
 
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of the authenticator's current state.
 |===
 
 
diff --git a/generated/1.18/apis/concierge/authentication/doc.go b/generated/1.18/apis/concierge/authentication/doc.go
index c85584632..78e81bd63 100644
--- a/generated/1.18/apis/concierge/authentication/doc.go
+++ b/generated/1.18/apis/concierge/authentication/doc.go
@@ -4,5 +4,5 @@
 // +k8s:deepcopy-gen=package
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package authentication is the internal version of the Pinniped identity provider API.
+// Package authentication is the internal version of the Pinniped concierge authentication API.
 package authentication
diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/doc.go b/generated/1.18/apis/concierge/authentication/v1alpha1/doc.go
index 49cd74309..00a19514a 100644
--- a/generated/1.18/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/doc.go
@@ -7,5 +7,5 @@
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 package v1alpha1
diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/register.go b/generated/1.18/apis/concierge/authentication/v1alpha1/register.go
index b372270dc..1a5163daa 100644
--- a/generated/1.18/apis/concierge/authentication/v1alpha1/register.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/register.go
@@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&WebhookIdentityProvider{},
-		&WebhookIdentityProviderList{},
+		&WebhookAuthenticator{},
+		&WebhookAuthenticatorList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_tls.go
index 2f2098c91..f882f2d6c 100644
--- a/generated/1.18/apis/concierge/authentication/v1alpha1/types_tls.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/types_tls.go
@@ -3,7 +3,7 @@
 
 package v1alpha1
 
-// Configuration for configuring TLS on various identity providers.
+// Configuration for configuring TLS on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go
index 6e4763378..8124597ab 100644
--- a/generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go
@@ -5,9 +5,9 @@ package v1alpha1
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-// Status of a webhook identity provider.
-type WebhookIdentityProviderStatus struct {
-	// Represents the observations of an identity provider's current state.
+// Status of a webhook authenticator.
+type WebhookAuthenticatorStatus struct {
+	// Represents the observations of the authenticator's current state.
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	// +listType=map
@@ -15,8 +15,8 @@ type WebhookIdentityProviderStatus struct {
 	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }
 
-// Spec for configuring a webhook identity provider.
-type WebhookIdentityProviderSpec struct {
+// Spec for configuring a webhook authenticator.
+type WebhookAuthenticatorSpec struct {
 	// Webhook server endpoint URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://`
@@ -27,27 +27,27 @@ type WebhookIdentityProviderSpec struct {
 	TLS *TLSSpec `json:"tls,omitempty"`
 }
 
-// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+// WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps
+// +kubebuilder:resource:categories=all;authenticator;authenticators
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
-type WebhookIdentityProvider struct {
+type WebhookAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Spec for configuring the identity provider.
-	Spec WebhookIdentityProviderSpec `json:"spec"`
+	// Spec for configuring the authenticator.
+	Spec WebhookAuthenticatorSpec `json:"spec"`
 
-	// Status of the identity provider.
-	Status WebhookIdentityProviderStatus `json:"status,omitempty"`
+	// Status of the authenticator.
+	Status WebhookAuthenticatorStatus `json:"status,omitempty"`
 }
 
-// List of WebhookIdentityProvider objects.
+// List of WebhookAuthenticator objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type WebhookIdentityProviderList struct {
+type WebhookAuthenticatorList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
 
-	Items []WebhookIdentityProvider `json:"items"`
+	Items []WebhookAuthenticator `json:"items"`
 }
diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
index cb0f46c85..a4e27af74 100644
--- a/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -45,7 +45,7 @@ func (in *TLSSpec) DeepCopy() *TLSSpec {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
+func (in *WebhookAuthenticator) DeepCopyInto(out *WebhookAuthenticator) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@@ -54,18 +54,18 @@ func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider.
-func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticator.
+func (in *WebhookAuthenticator) DeepCopy() *WebhookAuthenticator {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProvider)
+	out := new(WebhookAuthenticator)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
+func (in *WebhookAuthenticator) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -73,13 +73,13 @@ func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) {
+func (in *WebhookAuthenticatorList) DeepCopyInto(out *WebhookAuthenticatorList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]WebhookIdentityProvider, len(*in))
+		*out = make([]WebhookAuthenticator, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -87,18 +87,18 @@ func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProvider
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList.
-func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorList.
+func (in *WebhookAuthenticatorList) DeepCopy() *WebhookAuthenticatorList {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderList)
+	out := new(WebhookAuthenticatorList)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
+func (in *WebhookAuthenticatorList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -106,7 +106,7 @@ func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) {
+func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) {
 	*out = *in
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
@@ -116,18 +116,18 @@ func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProvider
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec.
-func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorSpec.
+func (in *WebhookAuthenticatorSpec) DeepCopy() *WebhookAuthenticatorSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderSpec)
+	out := new(WebhookAuthenticatorSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) {
+func (in *WebhookAuthenticatorStatus) DeepCopyInto(out *WebhookAuthenticatorStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
@@ -139,12 +139,12 @@ func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProvid
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus.
-func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorStatus.
+func (in *WebhookAuthenticatorStatus) DeepCopy() *WebhookAuthenticatorStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderStatus)
+	out := new(WebhookAuthenticatorStatus)
 	in.DeepCopyInto(out)
 	return out
 }
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
index 4073c3c6c..4b4ff7dbc 100644
--- a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -13,7 +13,7 @@ import (
 
 type AuthenticationV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	WebhookIdentityProvidersGetter
+	WebhookAuthenticatorsGetter
 }
 
 // AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
@@ -21,8 +21,8 @@ type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *AuthenticationV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
-	return newWebhookIdentityProviders(c, namespace)
+func (c *AuthenticationV1alpha1Client) WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface {
+	return newWebhookAuthenticators(c, namespace)
 }
 
 // NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
index 73de150f4..dfad16751 100644
--- a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -15,8 +15,8 @@ type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeAuthenticationV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
-	return &FakeWebhookIdentityProviders{c, namespace}
+func (c *FakeAuthenticationV1alpha1) WebhookAuthenticators(namespace string) v1alpha1.WebhookAuthenticatorInterface {
+	return &FakeWebhookAuthenticators{c, namespace}
 }
 
 // RESTClient returns a RESTClient that is used to communicate
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
new file mode 100644
index 000000000..83adeb87c
--- /dev/null
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
@@ -0,0 +1,129 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeWebhookAuthenticators implements WebhookAuthenticatorInterface
+type FakeWebhookAuthenticators struct {
+	Fake *FakeAuthenticationV1alpha1
+	ns   string
+}
+
+var webhookauthenticatorsResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookauthenticators"}
+
+var webhookauthenticatorsKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookAuthenticator"}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *FakeWebhookAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *FakeWebhookAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(webhookauthenticatorsResource, webhookauthenticatorsKind, c.ns, opts), &v1alpha1.WebhookAuthenticatorList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.WebhookAuthenticatorList{ListMeta: obj.(*v1alpha1.WebhookAuthenticatorList).ListMeta}
+	for _, item := range obj.(*v1alpha1.WebhookAuthenticatorList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *FakeWebhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(webhookauthenticatorsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeWebhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(webhookauthenticatorsResource, "status", c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *FakeWebhookAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeWebhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(webhookauthenticatorsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookAuthenticatorList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *FakeWebhookAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(webhookauthenticatorsResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
deleted file mode 100644
index 05757ab00..000000000
--- a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
+++ /dev/null
@@ -1,129 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
-	"context"
-
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	labels "k8s.io/apimachinery/pkg/labels"
-	schema "k8s.io/apimachinery/pkg/runtime/schema"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	testing "k8s.io/client-go/testing"
-)
-
-// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
-type FakeWebhookIdentityProviders struct {
-	Fake *FakeAuthenticationV1alpha1
-	ns   string
-}
-
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
-
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
-
-// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
-func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
-func (c *FakeWebhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{})
-
-	if obj == nil {
-		return nil, err
-	}
-
-	label, _, _ := testing.ExtractFromListOptions(opts)
-	if label == nil {
-		label = labels.Everything()
-	}
-	list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta}
-	for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items {
-		if label.Matches(labels.Set(item.Labels)) {
-			list.Items = append(list.Items, item)
-		}
-	}
-	return list, err
-}
-
-// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
-func (c *FakeWebhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
-	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts))
-
-}
-
-// Create takes the representation of a webhookIdentityProvider and creates it.  Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *FakeWebhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *FakeWebhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// UpdateStatus was generated because the type contains a Status member.
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-func (c *FakeWebhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
-func (c *FakeWebhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
-	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
-
-	return err
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *FakeWebhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOpts)
-
-	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{})
-	return err
-}
-
-// Patch applies the patch and returns the patched webhookIdentityProvider.
-func (c *FakeWebhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
index 69ebc739d..e1b1f2b40 100644
--- a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
@@ -5,4 +5,4 @@
 
 package v1alpha1
 
-type WebhookIdentityProviderExpansion interface{}
+type WebhookAuthenticatorExpansion interface{}
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 000000000..2e5b78db5
--- /dev/null
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,182 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// WebhookAuthenticatorsGetter has a method to return a WebhookAuthenticatorInterface.
+// A group's client should implement this interface.
+type WebhookAuthenticatorsGetter interface {
+	WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface
+}
+
+// WebhookAuthenticatorInterface has methods to work with WebhookAuthenticator resources.
+type WebhookAuthenticatorInterface interface {
+	Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookAuthenticator, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookAuthenticatorList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error)
+	WebhookAuthenticatorExpansion
+}
+
+// webhookAuthenticators implements WebhookAuthenticatorInterface
+type webhookAuthenticators struct {
+	client rest.Interface
+	ns     string
+}
+
+// newWebhookAuthenticators returns a WebhookAuthenticators
+func newWebhookAuthenticators(c *AuthenticationV1alpha1Client, namespace string) *webhookAuthenticators {
+	return &webhookAuthenticators{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *webhookAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *webhookAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.WebhookAuthenticatorList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *webhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *webhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *webhookAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *webhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *webhookAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
diff --git a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 157cb606d..000000000
--- a/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,182 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	"context"
-	"time"
-
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
-	scheme "go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	rest "k8s.io/client-go/rest"
-)
-
-// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface.
-// A group's client should implement this interface.
-type WebhookIdentityProvidersGetter interface {
-	WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface
-}
-
-// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources.
-type WebhookIdentityProviderInterface interface {
-	Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
-	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
-	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error)
-	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
-	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error)
-	WebhookIdentityProviderExpansion
-}
-
-// webhookIdentityProviders implements WebhookIdentityProviderInterface
-type webhookIdentityProviders struct {
-	client rest.Interface
-	ns     string
-}
-
-// newWebhookIdentityProviders returns a WebhookIdentityProviders
-func newWebhookIdentityProviders(c *AuthenticationV1alpha1Client, namespace string) *webhookIdentityProviders {
-	return &webhookIdentityProviders{
-		client: c.RESTClient(),
-		ns:     namespace,
-	}
-}
-
-// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
-func (c *webhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		VersionedParams(&options, scheme.ParameterCodec).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
-func (c *webhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
-	var timeout time.Duration
-	if opts.TimeoutSeconds != nil {
-		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
-	}
-	result = &v1alpha1.WebhookIdentityProviderList{}
-	err = c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
-func (c *webhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
-	var timeout time.Duration
-	if opts.TimeoutSeconds != nil {
-		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
-	}
-	opts.Watch = true
-	return c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Watch(ctx)
-}
-
-// Create takes the representation of a webhookIdentityProvider and creates it.  Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *webhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Post().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(webhookIdentityProvider).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *webhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Put().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(webhookIdentityProvider.Name).
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(webhookIdentityProvider).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// UpdateStatus was generated because the type contains a Status member.
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-func (c *webhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Put().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(webhookIdentityProvider.Name).
-		SubResource("status").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(webhookIdentityProvider).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
-func (c *webhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
-	return c.client.Delete().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		Body(&opts).
-		Do(ctx).
-		Error()
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *webhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
-	var timeout time.Duration
-	if listOpts.TimeoutSeconds != nil {
-		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
-	}
-	return c.client.Delete().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&listOpts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Body(&opts).
-		Do(ctx).
-		Error()
-}
-
-// Patch applies the patch and returns the patched webhookIdentityProvider.
-func (c *webhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Patch(pt).
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		SubResource(subresources...).
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(data).
-		Do(ctx).
-		Into(result)
-	return
-}
diff --git a/generated/1.18/client/informers/externalversions/authentication/v1alpha1/interface.go b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/interface.go
index 4445a99aa..14832425f 100644
--- a/generated/1.18/client/informers/externalversions/authentication/v1alpha1/interface.go
+++ b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/interface.go
@@ -11,8 +11,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
-	WebhookIdentityProviders() WebhookIdentityProviderInformer
+	// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+	WebhookAuthenticators() WebhookAuthenticatorInformer
 }
 
 type version struct {
@@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
-// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
-func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer {
-	return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+func (v *version) WebhookAuthenticators() WebhookAuthenticatorInformer {
+	return &webhookAuthenticatorInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
diff --git a/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 000000000..47c511c66
--- /dev/null
+++ b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.18/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/listers/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorInformer provides access to a shared informer and lister for
+// WebhookAuthenticators.
+type WebhookAuthenticatorInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.WebhookAuthenticatorLister
+}
+
+type webhookAuthenticatorInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&authenticationv1alpha1.WebhookAuthenticator{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *webhookAuthenticatorInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *webhookAuthenticatorInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookAuthenticator{}, f.defaultInformer)
+}
+
+func (f *webhookAuthenticatorInformer) Lister() v1alpha1.WebhookAuthenticatorLister {
+	return v1alpha1.NewWebhookAuthenticatorLister(f.Informer().GetIndexer())
+}
diff --git a/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 3225aa737..000000000
--- a/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,77 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by informer-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	"context"
-	time "time"
-
-	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
-	versioned "go.pinniped.dev/generated/1.18/client/clientset/versioned"
-	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
-	v1alpha1 "go.pinniped.dev/generated/1.18/client/listers/authentication/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	runtime "k8s.io/apimachinery/pkg/runtime"
-	watch "k8s.io/apimachinery/pkg/watch"
-	cache "k8s.io/client-go/tools/cache"
-)
-
-// WebhookIdentityProviderInformer provides access to a shared informer and lister for
-// WebhookIdentityProviders.
-type WebhookIdentityProviderInformer interface {
-	Informer() cache.SharedIndexInformer
-	Lister() v1alpha1.WebhookIdentityProviderLister
-}
-
-type webhookIdentityProviderInformer struct {
-	factory          internalinterfaces.SharedInformerFactory
-	tweakListOptions internalinterfaces.TweakListOptionsFunc
-	namespace        string
-}
-
-// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
-	return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
-}
-
-// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
-	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
-			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
-			},
-			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
-			},
-		},
-		&authenticationv1alpha1.WebhookIdentityProvider{},
-		resyncPeriod,
-		indexers,
-	)
-}
-
-func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
-}
-
-func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&authenticationv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
-}
-
-func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
-	return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer())
-}
diff --git a/generated/1.18/client/informers/externalversions/generic.go b/generated/1.18/client/informers/externalversions/generic.go
index 0509c7d3f..441b1947e 100644
--- a/generated/1.18/client/informers/externalversions/generic.go
+++ b/generated/1.18/client/informers/externalversions/generic.go
@@ -42,8 +42,8 @@ func (f *genericInformer) Lister() cache.GenericLister {
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
 	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookIdentityProviders().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookauthenticators"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookAuthenticators().Informer()}, nil
 
 		// Group=config.pinniped.dev, Version=v1alpha1
 	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
diff --git a/generated/1.18/client/listers/authentication/v1alpha1/expansion_generated.go b/generated/1.18/client/listers/authentication/v1alpha1/expansion_generated.go
index f0b280e1b..25e1ad662 100644
--- a/generated/1.18/client/listers/authentication/v1alpha1/expansion_generated.go
+++ b/generated/1.18/client/listers/authentication/v1alpha1/expansion_generated.go
@@ -5,10 +5,10 @@
 
 package v1alpha1
 
-// WebhookIdentityProviderListerExpansion allows custom methods to be added to
-// WebhookIdentityProviderLister.
-type WebhookIdentityProviderListerExpansion interface{}
+// WebhookAuthenticatorListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorLister.
+type WebhookAuthenticatorListerExpansion interface{}
 
-// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to
-// WebhookIdentityProviderNamespaceLister.
-type WebhookIdentityProviderNamespaceListerExpansion interface{}
+// WebhookAuthenticatorNamespaceListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorNamespaceLister.
+type WebhookAuthenticatorNamespaceListerExpansion interface{}
diff --git a/generated/1.18/client/listers/authentication/v1alpha1/webhookauthenticator.go b/generated/1.18/client/listers/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 000000000..f6a60ff29
--- /dev/null
+++ b/generated/1.18/client/listers/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorLister helps list WebhookAuthenticators.
+type WebhookAuthenticatorLister interface {
+	// List lists all WebhookAuthenticators in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
+	// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
+	WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister
+	WebhookAuthenticatorListerExpansion
+}
+
+// webhookAuthenticatorLister implements the WebhookAuthenticatorLister interface.
+type webhookAuthenticatorLister struct {
+	indexer cache.Indexer
+}
+
+// NewWebhookAuthenticatorLister returns a new WebhookAuthenticatorLister.
+func NewWebhookAuthenticatorLister(indexer cache.Indexer) WebhookAuthenticatorLister {
+	return &webhookAuthenticatorLister{indexer: indexer}
+}
+
+// List lists all WebhookAuthenticators in the indexer.
+func (s *webhookAuthenticatorLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
+	})
+	return ret, err
+}
+
+// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
+func (s *webhookAuthenticatorLister) WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister {
+	return webhookAuthenticatorNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// WebhookAuthenticatorNamespaceLister helps list and get WebhookAuthenticators.
+type WebhookAuthenticatorNamespaceLister interface {
+	// List lists all WebhookAuthenticators in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
+	// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.WebhookAuthenticator, error)
+	WebhookAuthenticatorNamespaceListerExpansion
+}
+
+// webhookAuthenticatorNamespaceLister implements the WebhookAuthenticatorNamespaceLister
+// interface.
+type webhookAuthenticatorNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all WebhookAuthenticators in the indexer for a given namespace.
+func (s webhookAuthenticatorNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
+	})
+	return ret, err
+}
+
+// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
+func (s webhookAuthenticatorNamespaceLister) Get(name string) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("webhookauthenticator"), name)
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), nil
+}
diff --git a/generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 218cf682c..000000000
--- a/generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,81 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by lister-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/client-go/tools/cache"
-)
-
-// WebhookIdentityProviderLister helps list WebhookIdentityProviders.
-type WebhookIdentityProviderLister interface {
-	// List lists all WebhookIdentityProviders in the indexer.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
-	// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
-	WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister
-	WebhookIdentityProviderListerExpansion
-}
-
-// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface.
-type webhookIdentityProviderLister struct {
-	indexer cache.Indexer
-}
-
-// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister.
-func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister {
-	return &webhookIdentityProviderLister{indexer: indexer}
-}
-
-// List lists all WebhookIdentityProviders in the indexer.
-func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
-	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
-	})
-	return ret, err
-}
-
-// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
-func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister {
-	return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
-}
-
-// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders.
-type WebhookIdentityProviderNamespaceLister interface {
-	// List lists all WebhookIdentityProviders in the indexer for a given namespace.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
-	// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
-	Get(name string) (*v1alpha1.WebhookIdentityProvider, error)
-	WebhookIdentityProviderNamespaceListerExpansion
-}
-
-// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister
-// interface.
-type webhookIdentityProviderNamespaceLister struct {
-	indexer   cache.Indexer
-	namespace string
-}
-
-// List lists all WebhookIdentityProviders in the indexer for a given namespace.
-func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
-	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
-	})
-	return ret, err
-}
-
-// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
-func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) {
-	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
-	if err != nil {
-		return nil, err
-	}
-	if !exists {
-		return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name)
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), nil
-}
diff --git a/generated/1.18/client/openapi/zz_generated.openapi.go b/generated/1.18/client/openapi/zz_generated.openapi.go
index 44332c47e..d020267ec 100644
--- a/generated/1.18/client/openapi/zz_generated.openapi.go
+++ b/generated/1.18/client/openapi/zz_generated.openapi.go
@@ -17,77 +17,77 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition":                     schema_apis_concierge_authentication_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec":                       schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider":       schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderList":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus": schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":                      schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":                 schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":           schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfig":                          schema_118_apis_config_v1alpha1_CredentialIssuerConfig(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":            schema_118_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigList":                      schema_118_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStatus":                    schema_118_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStrategy":                  schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig":                              schema_118_apis_config_v1alpha1_OIDCProviderConfig(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigList":                          schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec":                          schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigStatus":                        schema_118_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                       schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                   schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                    schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                    schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                  schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                  schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                       schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                  schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                       schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                     schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                      schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                  schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                   schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                       schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                               schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                           schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                  schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                  schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                       schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                           schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                       schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                    schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                             schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                      schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                     schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                 schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                          schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                      schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                          schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                   schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                  schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                      schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                      schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                         schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                    schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                  schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                          schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                          schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                   schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                       schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                              schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                           schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                      schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                       schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                  schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                     schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                        schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                            schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                             schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                                schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition":                  schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec":                    schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":       schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus": schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":                   schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":              schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":        schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfig":                       schema_118_apis_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":         schema_118_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigList":                   schema_118_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStatus":                 schema_118_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStrategy":               schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig":                           schema_118_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigList":                       schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec":                       schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigStatus":                     schema_118_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                    schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                 schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                             schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                 schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                               schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                               schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                    schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                               schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                    schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                  schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                   schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                               schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                    schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                            schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                        schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                               schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                               schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                    schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                        schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                    schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                 schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                          schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                   schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                  schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                              schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                       schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                   schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                       schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                               schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                   schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                   schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                      schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                 schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                               schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                       schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                       schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                    schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                           schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                        schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                   schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                    schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                               schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                  schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                     schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                         schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                          schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                             schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
@@ -152,7 +152,7 @@ func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceC
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Configuration for configuring TLS on various identity providers.",
+				Description: "Configuration for configuring TLS on various authenticators.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"certificateAuthorityData": {
@@ -168,11 +168,11 @@ func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceC
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
+				Description: "WebhookAuthenticator describes the configuration of a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -196,14 +196,14 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref c
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec"),
+							Description: "Spec for configuring the authenticator.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus"),
+							Description: "Status of the authenticator.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus"),
 						},
 					},
 				},
@@ -211,15 +211,15 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref c
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec", "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "List of WebhookIdentityProvider objects.",
+				Description: "List of WebhookAuthenticator objects.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -247,7 +247,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(r
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider"),
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticator"),
 									},
 								},
 							},
@@ -258,15 +258,15 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(r
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookAuthenticator", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Spec for configuring a webhook identity provider.",
+				Description: "Spec for configuring a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"endpoint": {
@@ -291,11 +291,11 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(r
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Status of a webhook identity provider.",
+				Description: "Status of a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"conditions": {
@@ -310,7 +310,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "Represents the observations of an identity provider's current state.",
+							Description: "Represents the observations of the authenticator's current state.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
diff --git a/generated/1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.18/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
similarity index 89%
rename from generated/1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.18/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
index 5e7aba722..9ae6152e1 100644
--- a/generated/1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.18/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -6,21 +6,18 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.authentication.concierge.pinniped.dev
+  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
   group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
-    - idp
-    - idps
-    kind: WebhookIdentityProvider
-    listKind: WebhookIdentityProviderList
-    plural: webhookidentityproviders
-    shortNames:
-    - webhookidp
-    - webhookidps
-    singular: webhookidentityprovider
+    - authenticator
+    - authenticators
+    kind: WebhookAuthenticator
+    listKind: WebhookAuthenticatorList
+    plural: webhookauthenticators
+    singular: webhookauthenticator
   scope: Namespaced
   versions:
   - additionalPrinterColumns:
@@ -30,8 +27,8 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: WebhookIdentityProvider describes the configuration of a Pinniped
-          webhook identity provider.
+        description: WebhookAuthenticator describes the configuration of a webhook
+          authenticator.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -46,7 +43,7 @@ spec:
           metadata:
             type: object
           spec:
-            description: Spec for configuring the identity provider.
+            description: Spec for configuring the authenticator.
             properties:
               endpoint:
                 description: Webhook server endpoint URL.
@@ -65,11 +62,11 @@ spec:
             - endpoint
             type: object
           status:
-            description: Status of the identity provider.
+            description: Status of the authenticator.
             properties:
               conditions:
-                description: Represents the observations of an identity provider's
-                  current state.
+                description: Represents the observations of the authenticator's current
+                  state.
                 items:
                   description: Condition status of a resource (mirrored from the metav1.Condition
                     type added in Kubernetes 1.19). In a future API version we can
diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc
index 00984654e..25625544a 100644
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@@ -13,7 +13,7 @@
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
 === authentication.concierge.pinniped.dev/v1alpha1
 
-Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 
 
 
@@ -24,7 +24,7 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus[$$WebhookAuthenticatorStatus$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -42,11 +42,11 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various identity providers.
+Configuration for configuring TLS on various authenticators.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec[$$WebhookAuthenticatorSpec$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -56,14 +56,14 @@ Configuration for configuring TLS on various identity providers.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityprovider"]
-==== WebhookIdentityProvider 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticator"]
+==== WebhookAuthenticator 
 
-WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+WebhookAuthenticator describes the configuration of a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorlist[$$WebhookAuthenticatorList$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -71,21 +71,21 @@ WebhookIdentityProvider describes the configuration of a Pinniped webhook identi
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec[$$WebhookAuthenticatorSpec$$]__ | Spec for configuring the authenticator.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus[$$WebhookAuthenticatorStatus$$]__ | Status of the authenticator.
 |===
 
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec"]
-==== WebhookIdentityProviderSpec 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorspec"]
+==== WebhookAuthenticatorSpec 
 
-Spec for configuring a webhook identity provider.
+Spec for configuring a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticator[$$WebhookAuthenticator$$]
 ****
 
 [cols="25a,75a", options="header"]
@@ -96,20 +96,20 @@ Spec for configuring a webhook identity provider.
 |===
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus"]
-==== WebhookIdentityProviderStatus 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticatorstatus"]
+==== WebhookAuthenticatorStatus 
 
-Status of a webhook identity provider.
+Status of a webhook authenticator.
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookauthenticator[$$WebhookAuthenticator$$]
 ****
 
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of the authenticator's current state.
 |===
 
 
diff --git a/generated/1.19/apis/concierge/authentication/doc.go b/generated/1.19/apis/concierge/authentication/doc.go
index c85584632..78e81bd63 100644
--- a/generated/1.19/apis/concierge/authentication/doc.go
+++ b/generated/1.19/apis/concierge/authentication/doc.go
@@ -4,5 +4,5 @@
 // +k8s:deepcopy-gen=package
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package authentication is the internal version of the Pinniped identity provider API.
+// Package authentication is the internal version of the Pinniped concierge authentication API.
 package authentication
diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/doc.go b/generated/1.19/apis/concierge/authentication/v1alpha1/doc.go
index 981b832f4..57c00e2b9 100644
--- a/generated/1.19/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/doc.go
@@ -7,5 +7,5 @@
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
 package v1alpha1
diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/register.go b/generated/1.19/apis/concierge/authentication/v1alpha1/register.go
index b372270dc..1a5163daa 100644
--- a/generated/1.19/apis/concierge/authentication/v1alpha1/register.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/register.go
@@ -30,8 +30,8 @@ func init() {
 // Adds the list of known types to the given scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&WebhookIdentityProvider{},
-		&WebhookIdentityProviderList{},
+		&WebhookAuthenticator{},
+		&WebhookAuthenticatorList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_tls.go
index 2f2098c91..f882f2d6c 100644
--- a/generated/1.19/apis/concierge/authentication/v1alpha1/types_tls.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/types_tls.go
@@ -3,7 +3,7 @@
 
 package v1alpha1
 
-// Configuration for configuring TLS on various identity providers.
+// Configuration for configuring TLS on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/types_webhook.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_webhook.go
index 6e4763378..8124597ab 100644
--- a/generated/1.19/apis/concierge/authentication/v1alpha1/types_webhook.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/types_webhook.go
@@ -5,9 +5,9 @@ package v1alpha1
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-// Status of a webhook identity provider.
-type WebhookIdentityProviderStatus struct {
-	// Represents the observations of an identity provider's current state.
+// Status of a webhook authenticator.
+type WebhookAuthenticatorStatus struct {
+	// Represents the observations of the authenticator's current state.
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	// +listType=map
@@ -15,8 +15,8 @@ type WebhookIdentityProviderStatus struct {
 	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }
 
-// Spec for configuring a webhook identity provider.
-type WebhookIdentityProviderSpec struct {
+// Spec for configuring a webhook authenticator.
+type WebhookAuthenticatorSpec struct {
 	// Webhook server endpoint URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://`
@@ -27,27 +27,27 @@ type WebhookIdentityProviderSpec struct {
 	TLS *TLSSpec `json:"tls,omitempty"`
 }
 
-// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+// WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps
+// +kubebuilder:resource:categories=all;authenticator;authenticators
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
-type WebhookIdentityProvider struct {
+type WebhookAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Spec for configuring the identity provider.
-	Spec WebhookIdentityProviderSpec `json:"spec"`
+	// Spec for configuring the authenticator.
+	Spec WebhookAuthenticatorSpec `json:"spec"`
 
-	// Status of the identity provider.
-	Status WebhookIdentityProviderStatus `json:"status,omitempty"`
+	// Status of the authenticator.
+	Status WebhookAuthenticatorStatus `json:"status,omitempty"`
 }
 
-// List of WebhookIdentityProvider objects.
+// List of WebhookAuthenticator objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type WebhookIdentityProviderList struct {
+type WebhookAuthenticatorList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
 
-	Items []WebhookIdentityProvider `json:"items"`
+	Items []WebhookAuthenticator `json:"items"`
 }
diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
index cb0f46c85..a4e27af74 100644
--- a/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -45,7 +45,7 @@ func (in *TLSSpec) DeepCopy() *TLSSpec {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
+func (in *WebhookAuthenticator) DeepCopyInto(out *WebhookAuthenticator) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@@ -54,18 +54,18 @@ func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider.
-func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticator.
+func (in *WebhookAuthenticator) DeepCopy() *WebhookAuthenticator {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProvider)
+	out := new(WebhookAuthenticator)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
+func (in *WebhookAuthenticator) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -73,13 +73,13 @@ func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) {
+func (in *WebhookAuthenticatorList) DeepCopyInto(out *WebhookAuthenticatorList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]WebhookIdentityProvider, len(*in))
+		*out = make([]WebhookAuthenticator, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -87,18 +87,18 @@ func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProvider
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList.
-func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorList.
+func (in *WebhookAuthenticatorList) DeepCopy() *WebhookAuthenticatorList {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderList)
+	out := new(WebhookAuthenticatorList)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
+func (in *WebhookAuthenticatorList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -106,7 +106,7 @@ func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) {
+func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) {
 	*out = *in
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
@@ -116,18 +116,18 @@ func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProvider
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec.
-func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorSpec.
+func (in *WebhookAuthenticatorSpec) DeepCopy() *WebhookAuthenticatorSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderSpec)
+	out := new(WebhookAuthenticatorSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) {
+func (in *WebhookAuthenticatorStatus) DeepCopyInto(out *WebhookAuthenticatorStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
@@ -139,12 +139,12 @@ func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProvid
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus.
-func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorStatus.
+func (in *WebhookAuthenticatorStatus) DeepCopy() *WebhookAuthenticatorStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookIdentityProviderStatus)
+	out := new(WebhookAuthenticatorStatus)
 	in.DeepCopyInto(out)
 	return out
 }
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
index cdfa725e7..e37211272 100644
--- a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -13,7 +13,7 @@ import (
 
 type AuthenticationV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	WebhookIdentityProvidersGetter
+	WebhookAuthenticatorsGetter
 }
 
 // AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
@@ -21,8 +21,8 @@ type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *AuthenticationV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
-	return newWebhookIdentityProviders(c, namespace)
+func (c *AuthenticationV1alpha1Client) WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface {
+	return newWebhookAuthenticators(c, namespace)
 }
 
 // NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
index f75f4480c..f1663bfe9 100644
--- a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -15,8 +15,8 @@ type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeAuthenticationV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
-	return &FakeWebhookIdentityProviders{c, namespace}
+func (c *FakeAuthenticationV1alpha1) WebhookAuthenticators(namespace string) v1alpha1.WebhookAuthenticatorInterface {
+	return &FakeWebhookAuthenticators{c, namespace}
 }
 
 // RESTClient returns a RESTClient that is used to communicate
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
new file mode 100644
index 000000000..0bc22bc84
--- /dev/null
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
@@ -0,0 +1,129 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeWebhookAuthenticators implements WebhookAuthenticatorInterface
+type FakeWebhookAuthenticators struct {
+	Fake *FakeAuthenticationV1alpha1
+	ns   string
+}
+
+var webhookauthenticatorsResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookauthenticators"}
+
+var webhookauthenticatorsKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookAuthenticator"}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *FakeWebhookAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *FakeWebhookAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(webhookauthenticatorsResource, webhookauthenticatorsKind, c.ns, opts), &v1alpha1.WebhookAuthenticatorList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.WebhookAuthenticatorList{ListMeta: obj.(*v1alpha1.WebhookAuthenticatorList).ListMeta}
+	for _, item := range obj.(*v1alpha1.WebhookAuthenticatorList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *FakeWebhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(webhookauthenticatorsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeWebhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(webhookauthenticatorsResource, "status", c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *FakeWebhookAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeWebhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(webhookauthenticatorsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookAuthenticatorList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *FakeWebhookAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(webhookauthenticatorsResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookAuthenticator{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
deleted file mode 100644
index 62fe34a86..000000000
--- a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
+++ /dev/null
@@ -1,129 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
-	"context"
-
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	labels "k8s.io/apimachinery/pkg/labels"
-	schema "k8s.io/apimachinery/pkg/runtime/schema"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	testing "k8s.io/client-go/testing"
-)
-
-// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
-type FakeWebhookIdentityProviders struct {
-	Fake *FakeAuthenticationV1alpha1
-	ns   string
-}
-
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
-
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
-
-// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
-func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
-func (c *FakeWebhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{})
-
-	if obj == nil {
-		return nil, err
-	}
-
-	label, _, _ := testing.ExtractFromListOptions(opts)
-	if label == nil {
-		label = labels.Everything()
-	}
-	list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta}
-	for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items {
-		if label.Matches(labels.Set(item.Labels)) {
-			list.Items = append(list.Items, item)
-		}
-	}
-	return list, err
-}
-
-// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
-func (c *FakeWebhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
-	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts))
-
-}
-
-// Create takes the representation of a webhookIdentityProvider and creates it.  Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *FakeWebhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *FakeWebhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// UpdateStatus was generated because the type contains a Status member.
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-func (c *FakeWebhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
-
-// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
-func (c *FakeWebhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
-	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
-
-	return err
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *FakeWebhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOpts)
-
-	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{})
-	return err
-}
-
-// Patch applies the patch and returns the patched webhookIdentityProvider.
-func (c *FakeWebhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{})
-
-	if obj == nil {
-		return nil, err
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), err
-}
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
index 69ebc739d..e1b1f2b40 100644
--- a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
@@ -5,4 +5,4 @@
 
 package v1alpha1
 
-type WebhookIdentityProviderExpansion interface{}
+type WebhookAuthenticatorExpansion interface{}
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 000000000..22289160a
--- /dev/null
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,182 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// WebhookAuthenticatorsGetter has a method to return a WebhookAuthenticatorInterface.
+// A group's client should implement this interface.
+type WebhookAuthenticatorsGetter interface {
+	WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface
+}
+
+// WebhookAuthenticatorInterface has methods to work with WebhookAuthenticator resources.
+type WebhookAuthenticatorInterface interface {
+	Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookAuthenticator, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookAuthenticatorList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error)
+	WebhookAuthenticatorExpansion
+}
+
+// webhookAuthenticators implements WebhookAuthenticatorInterface
+type webhookAuthenticators struct {
+	client rest.Interface
+	ns     string
+}
+
+// newWebhookAuthenticators returns a WebhookAuthenticators
+func newWebhookAuthenticators(c *AuthenticationV1alpha1Client, namespace string) *webhookAuthenticators {
+	return &webhookAuthenticators{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *webhookAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *webhookAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.WebhookAuthenticatorList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *webhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *webhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *webhookAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *webhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *webhookAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("webhookauthenticators").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
diff --git a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 1b7c24052..000000000
--- a/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,182 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	"context"
-	"time"
-
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
-	scheme "go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	rest "k8s.io/client-go/rest"
-)
-
-// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface.
-// A group's client should implement this interface.
-type WebhookIdentityProvidersGetter interface {
-	WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface
-}
-
-// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources.
-type WebhookIdentityProviderInterface interface {
-	Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
-	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
-	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error)
-	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error)
-	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
-	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error)
-	WebhookIdentityProviderExpansion
-}
-
-// webhookIdentityProviders implements WebhookIdentityProviderInterface
-type webhookIdentityProviders struct {
-	client rest.Interface
-	ns     string
-}
-
-// newWebhookIdentityProviders returns a WebhookIdentityProviders
-func newWebhookIdentityProviders(c *AuthenticationV1alpha1Client, namespace string) *webhookIdentityProviders {
-	return &webhookIdentityProviders{
-		client: c.RESTClient(),
-		ns:     namespace,
-	}
-}
-
-// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
-func (c *webhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		VersionedParams(&options, scheme.ParameterCodec).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
-func (c *webhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
-	var timeout time.Duration
-	if opts.TimeoutSeconds != nil {
-		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
-	}
-	result = &v1alpha1.WebhookIdentityProviderList{}
-	err = c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
-func (c *webhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
-	var timeout time.Duration
-	if opts.TimeoutSeconds != nil {
-		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
-	}
-	opts.Watch = true
-	return c.client.Get().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Watch(ctx)
-}
-
-// Create takes the representation of a webhookIdentityProvider and creates it.  Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *webhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Post().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(webhookIdentityProvider).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
-func (c *webhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Put().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(webhookIdentityProvider.Name).
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(webhookIdentityProvider).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// UpdateStatus was generated because the type contains a Status member.
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-func (c *webhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Put().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(webhookIdentityProvider.Name).
-		SubResource("status").
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(webhookIdentityProvider).
-		Do(ctx).
-		Into(result)
-	return
-}
-
-// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
-func (c *webhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
-	return c.client.Delete().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		Body(&opts).
-		Do(ctx).
-		Error()
-}
-
-// DeleteCollection deletes a collection of objects.
-func (c *webhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
-	var timeout time.Duration
-	if listOpts.TimeoutSeconds != nil {
-		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
-	}
-	return c.client.Delete().
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		VersionedParams(&listOpts, scheme.ParameterCodec).
-		Timeout(timeout).
-		Body(&opts).
-		Do(ctx).
-		Error()
-}
-
-// Patch applies the patch and returns the patched webhookIdentityProvider.
-func (c *webhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
-	result = &v1alpha1.WebhookIdentityProvider{}
-	err = c.client.Patch(pt).
-		Namespace(c.ns).
-		Resource("webhookidentityproviders").
-		Name(name).
-		SubResource(subresources...).
-		VersionedParams(&opts, scheme.ParameterCodec).
-		Body(data).
-		Do(ctx).
-		Into(result)
-	return
-}
diff --git a/generated/1.19/client/informers/externalversions/authentication/v1alpha1/interface.go b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/interface.go
index bc3981a3d..aa6561886 100644
--- a/generated/1.19/client/informers/externalversions/authentication/v1alpha1/interface.go
+++ b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/interface.go
@@ -11,8 +11,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
-	WebhookIdentityProviders() WebhookIdentityProviderInformer
+	// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+	WebhookAuthenticators() WebhookAuthenticatorInformer
 }
 
 type version struct {
@@ -26,7 +26,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
-// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
-func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer {
-	return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+func (v *version) WebhookAuthenticators() WebhookAuthenticatorInformer {
+	return &webhookAuthenticatorInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
diff --git a/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 000000000..1a1e0b514
--- /dev/null
+++ b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.19/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/listers/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorInformer provides access to a shared informer and lister for
+// WebhookAuthenticators.
+type WebhookAuthenticatorInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.WebhookAuthenticatorLister
+}
+
+type webhookAuthenticatorInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&authenticationv1alpha1.WebhookAuthenticator{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *webhookAuthenticatorInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *webhookAuthenticatorInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookAuthenticator{}, f.defaultInformer)
+}
+
+func (f *webhookAuthenticatorInformer) Lister() v1alpha1.WebhookAuthenticatorLister {
+	return v1alpha1.NewWebhookAuthenticatorLister(f.Informer().GetIndexer())
+}
diff --git a/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index 938349b54..000000000
--- a/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,77 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by informer-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	"context"
-	time "time"
-
-	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
-	versioned "go.pinniped.dev/generated/1.19/client/clientset/versioned"
-	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
-	v1alpha1 "go.pinniped.dev/generated/1.19/client/listers/authentication/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	runtime "k8s.io/apimachinery/pkg/runtime"
-	watch "k8s.io/apimachinery/pkg/watch"
-	cache "k8s.io/client-go/tools/cache"
-)
-
-// WebhookIdentityProviderInformer provides access to a shared informer and lister for
-// WebhookIdentityProviders.
-type WebhookIdentityProviderInformer interface {
-	Informer() cache.SharedIndexInformer
-	Lister() v1alpha1.WebhookIdentityProviderLister
-}
-
-type webhookIdentityProviderInformer struct {
-	factory          internalinterfaces.SharedInformerFactory
-	tweakListOptions internalinterfaces.TweakListOptionsFunc
-	namespace        string
-}
-
-// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
-	return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
-}
-
-// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
-	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
-			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
-			},
-			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
-			},
-		},
-		&authenticationv1alpha1.WebhookIdentityProvider{},
-		resyncPeriod,
-		indexers,
-	)
-}
-
-func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
-}
-
-func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&authenticationv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
-}
-
-func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
-	return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer())
-}
diff --git a/generated/1.19/client/informers/externalversions/generic.go b/generated/1.19/client/informers/externalversions/generic.go
index 6568bab8b..16bc4b108 100644
--- a/generated/1.19/client/informers/externalversions/generic.go
+++ b/generated/1.19/client/informers/externalversions/generic.go
@@ -42,8 +42,8 @@ func (f *genericInformer) Lister() cache.GenericLister {
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
 	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookIdentityProviders().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookauthenticators"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookAuthenticators().Informer()}, nil
 
 		// Group=config.pinniped.dev, Version=v1alpha1
 	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
diff --git a/generated/1.19/client/listers/authentication/v1alpha1/expansion_generated.go b/generated/1.19/client/listers/authentication/v1alpha1/expansion_generated.go
index f0b280e1b..25e1ad662 100644
--- a/generated/1.19/client/listers/authentication/v1alpha1/expansion_generated.go
+++ b/generated/1.19/client/listers/authentication/v1alpha1/expansion_generated.go
@@ -5,10 +5,10 @@
 
 package v1alpha1
 
-// WebhookIdentityProviderListerExpansion allows custom methods to be added to
-// WebhookIdentityProviderLister.
-type WebhookIdentityProviderListerExpansion interface{}
+// WebhookAuthenticatorListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorLister.
+type WebhookAuthenticatorListerExpansion interface{}
 
-// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to
-// WebhookIdentityProviderNamespaceLister.
-type WebhookIdentityProviderNamespaceListerExpansion interface{}
+// WebhookAuthenticatorNamespaceListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorNamespaceLister.
+type WebhookAuthenticatorNamespaceListerExpansion interface{}
diff --git a/generated/1.19/client/listers/authentication/v1alpha1/webhookauthenticator.go b/generated/1.19/client/listers/authentication/v1alpha1/webhookauthenticator.go
new file mode 100644
index 000000000..23bbb71d5
--- /dev/null
+++ b/generated/1.19/client/listers/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,86 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorLister helps list WebhookAuthenticators.
+// All objects returned here must be treated as read-only.
+type WebhookAuthenticatorLister interface {
+	// List lists all WebhookAuthenticators in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
+	// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
+	WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister
+	WebhookAuthenticatorListerExpansion
+}
+
+// webhookAuthenticatorLister implements the WebhookAuthenticatorLister interface.
+type webhookAuthenticatorLister struct {
+	indexer cache.Indexer
+}
+
+// NewWebhookAuthenticatorLister returns a new WebhookAuthenticatorLister.
+func NewWebhookAuthenticatorLister(indexer cache.Indexer) WebhookAuthenticatorLister {
+	return &webhookAuthenticatorLister{indexer: indexer}
+}
+
+// List lists all WebhookAuthenticators in the indexer.
+func (s *webhookAuthenticatorLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
+	})
+	return ret, err
+}
+
+// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
+func (s *webhookAuthenticatorLister) WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister {
+	return webhookAuthenticatorNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// WebhookAuthenticatorNamespaceLister helps list and get WebhookAuthenticators.
+// All objects returned here must be treated as read-only.
+type WebhookAuthenticatorNamespaceLister interface {
+	// List lists all WebhookAuthenticators in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
+	// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.WebhookAuthenticator, error)
+	WebhookAuthenticatorNamespaceListerExpansion
+}
+
+// webhookAuthenticatorNamespaceLister implements the WebhookAuthenticatorNamespaceLister
+// interface.
+type webhookAuthenticatorNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all WebhookAuthenticators in the indexer for a given namespace.
+func (s webhookAuthenticatorNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
+	})
+	return ret, err
+}
+
+// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
+func (s webhookAuthenticatorNamespaceLister) Get(name string) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("webhookauthenticator"), name)
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), nil
+}
diff --git a/generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go
deleted file mode 100644
index ea0780056..000000000
--- a/generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go
+++ /dev/null
@@ -1,86 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by lister-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/client-go/tools/cache"
-)
-
-// WebhookIdentityProviderLister helps list WebhookIdentityProviders.
-// All objects returned here must be treated as read-only.
-type WebhookIdentityProviderLister interface {
-	// List lists all WebhookIdentityProviders in the indexer.
-	// Objects returned here must be treated as read-only.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
-	// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
-	WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister
-	WebhookIdentityProviderListerExpansion
-}
-
-// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface.
-type webhookIdentityProviderLister struct {
-	indexer cache.Indexer
-}
-
-// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister.
-func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister {
-	return &webhookIdentityProviderLister{indexer: indexer}
-}
-
-// List lists all WebhookIdentityProviders in the indexer.
-func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
-	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
-	})
-	return ret, err
-}
-
-// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
-func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister {
-	return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
-}
-
-// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders.
-// All objects returned here must be treated as read-only.
-type WebhookIdentityProviderNamespaceLister interface {
-	// List lists all WebhookIdentityProviders in the indexer for a given namespace.
-	// Objects returned here must be treated as read-only.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
-	// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
-	// Objects returned here must be treated as read-only.
-	Get(name string) (*v1alpha1.WebhookIdentityProvider, error)
-	WebhookIdentityProviderNamespaceListerExpansion
-}
-
-// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister
-// interface.
-type webhookIdentityProviderNamespaceLister struct {
-	indexer   cache.Indexer
-	namespace string
-}
-
-// List lists all WebhookIdentityProviders in the indexer for a given namespace.
-func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
-	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
-	})
-	return ret, err
-}
-
-// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
-func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) {
-	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
-	if err != nil {
-		return nil, err
-	}
-	if !exists {
-		return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name)
-	}
-	return obj.(*v1alpha1.WebhookIdentityProvider), nil
-}
diff --git a/generated/1.19/client/openapi/zz_generated.openapi.go b/generated/1.19/client/openapi/zz_generated.openapi.go
index 24f3440ba..7411987de 100644
--- a/generated/1.19/client/openapi/zz_generated.openapi.go
+++ b/generated/1.19/client/openapi/zz_generated.openapi.go
@@ -17,78 +17,78 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.Condition":                     schema_apis_concierge_authentication_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.TLSSpec":                       schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider":       schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderList":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus": schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.ClusterCredential":                      schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequest":                 schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestList":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":           schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfig":                          schema_119_apis_config_v1alpha1_CredentialIssuerConfig(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":            schema_119_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigList":                      schema_119_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStatus":                    schema_119_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStrategy":                  schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig":                              schema_119_apis_config_v1alpha1_OIDCProviderConfig(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigList":                          schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec":                          schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigStatus":                        schema_119_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                       schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                   schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                    schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                    schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                                      schema_pkg_apis_meta_v1_Condition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                  schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                  schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                       schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                  schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                       schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                     schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                      schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                  schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                   schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                       schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                               schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                           schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                  schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                  schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                       schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                           schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                       schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                    schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                             schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                      schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                     schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                 schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                          schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                      schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                          schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                   schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                  schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                      schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                      schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                         schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                    schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                  schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                          schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                          schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                   schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                       schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                              schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                           schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                      schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                       schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                  schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                     schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                        schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                            schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                             schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                                schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.Condition":                  schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.TLSSpec":                    schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticator":       schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorList":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus": schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.ClusterCredential":                   schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequest":              schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestList":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":          schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":        schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfig":                       schema_119_apis_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":         schema_119_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigList":                   schema_119_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStatus":                 schema_119_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStrategy":               schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig":                           schema_119_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigList":                       schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec":                       schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigStatus":                     schema_119_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                    schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                 schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                             schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                 schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                                   schema_pkg_apis_meta_v1_Condition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                               schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                               schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                    schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                               schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                    schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                  schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                   schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                               schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                    schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                            schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                        schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                               schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                               schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                    schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                        schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                    schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                 schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                          schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                   schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                  schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                              schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                       schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                   schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                       schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                               schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                   schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                   schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                      schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                 schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                               schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                       schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                       schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                    schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                           schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                        schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                   schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                    schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                               schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                  schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                     schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                         schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                          schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                             schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
@@ -153,7 +153,7 @@ func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceC
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Configuration for configuring TLS on various identity providers.",
+				Description: "Configuration for configuring TLS on various authenticators.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"certificateAuthorityData": {
@@ -169,11 +169,11 @@ func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceC
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
+				Description: "WebhookAuthenticator describes the configuration of a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -197,14 +197,14 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref c
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec"),
+							Description: "Spec for configuring the authenticator.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus"),
+							Description: "Status of the authenticator.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus"),
 						},
 					},
 				},
@@ -212,15 +212,15 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref c
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorSpec", "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticatorStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "List of WebhookIdentityProvider objects.",
+				Description: "List of WebhookAuthenticator objects.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -248,7 +248,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(r
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider"),
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticator"),
 									},
 								},
 							},
@@ -259,15 +259,15 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(r
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookAuthenticator", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Spec for configuring a webhook identity provider.",
+				Description: "Spec for configuring a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"endpoint": {
@@ -292,11 +292,11 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(r
 	}
 }
 
-func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookAuthenticatorStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Status of a webhook identity provider.",
+				Description: "Status of a webhook authenticator.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"conditions": {
@@ -311,7 +311,7 @@ func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "Represents the observations of an identity provider's current state.",
+							Description: "Represents the observations of the authenticator's current state.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
diff --git a/generated/1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
similarity index 89%
rename from generated/1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.19/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
index 5e7aba722..9ae6152e1 100644
--- a/generated/1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -6,21 +6,18 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.authentication.concierge.pinniped.dev
+  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
   group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
-    - idp
-    - idps
-    kind: WebhookIdentityProvider
-    listKind: WebhookIdentityProviderList
-    plural: webhookidentityproviders
-    shortNames:
-    - webhookidp
-    - webhookidps
-    singular: webhookidentityprovider
+    - authenticator
+    - authenticators
+    kind: WebhookAuthenticator
+    listKind: WebhookAuthenticatorList
+    plural: webhookauthenticators
+    singular: webhookauthenticator
   scope: Namespaced
   versions:
   - additionalPrinterColumns:
@@ -30,8 +27,8 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: WebhookIdentityProvider describes the configuration of a Pinniped
-          webhook identity provider.
+        description: WebhookAuthenticator describes the configuration of a webhook
+          authenticator.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -46,7 +43,7 @@ spec:
           metadata:
             type: object
           spec:
-            description: Spec for configuring the identity provider.
+            description: Spec for configuring the authenticator.
             properties:
               endpoint:
                 description: Webhook server endpoint URL.
@@ -65,11 +62,11 @@ spec:
             - endpoint
             type: object
           status:
-            description: Status of the identity provider.
+            description: Status of the authenticator.
             properties:
               conditions:
-                description: Represents the observations of an identity provider's
-                  current state.
+                description: Represents the observations of the authenticator's current
+                  state.
                 items:
                   description: Condition status of a resource (mirrored from the metav1.Condition
                     type added in Kubernetes 1.19). In a future API version we can
diff --git a/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
deleted file mode 100644
index 5e7aba722..000000000
--- a/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ /dev/null
@@ -1,149 +0,0 @@
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.0
-  creationTimestamp: null
-  name: webhookidentityproviders.authentication.concierge.pinniped.dev
-spec:
-  group: authentication.concierge.pinniped.dev
-  names:
-    categories:
-    - all
-    - idp
-    - idps
-    kind: WebhookIdentityProvider
-    listKind: WebhookIdentityProviderList
-    plural: webhookidentityproviders
-    shortNames:
-    - webhookidp
-    - webhookidps
-    singular: webhookidentityprovider
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.endpoint
-      name: Endpoint
-      type: string
-    name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: WebhookIdentityProvider describes the configuration of a Pinniped
-          webhook identity provider.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: Spec for configuring the identity provider.
-            properties:
-              endpoint:
-                description: Webhook server endpoint URL.
-                minLength: 1
-                pattern: ^https://
-                type: string
-              tls:
-                description: TLS configuration.
-                properties:
-                  certificateAuthorityData:
-                    description: X.509 Certificate Authority (base64-encoded PEM bundle).
-                      If omitted, a default set of system roots will be trusted.
-                    type: string
-                type: object
-            required:
-            - endpoint
-            type: object
-          status:
-            description: Status of the identity provider.
-            properties:
-              conditions:
-                description: Represents the observations of an identity provider's
-                  current state.
-                items:
-                  description: Condition status of a resource (mirrored from the metav1.Condition
-                    type added in Kubernetes 1.19). In a future API version we can
-                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
-                  properties:
-                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-                x-kubernetes-list-map-keys:
-                - type
-                x-kubernetes-list-type: map
-            type: object
-        required:
-        - spec
-        type: object
-    served: true
-    storage: true
-    subresources: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
diff --git a/hack/lib/tilt/Tiltfile b/hack/lib/tilt/Tiltfile
index 8891632f3..7552f7436 100644
--- a/hack/lib/tilt/Tiltfile
+++ b/hack/lib/tilt/Tiltfile
@@ -170,7 +170,7 @@ k8s_resource(
         'pinniped-concierge:clusterrolebinding',
         'pinniped-concierge:serviceaccount',
         'credentialissuerconfigs.config.pinniped.dev:customresourcedefinition',
-        'webhookidentityproviders.authentication.concierge.pinniped.dev:customresourcedefinition',
+        'webhookauthenticators.authentication.concierge.pinniped.dev:customresourcedefinition',
         'v1alpha1.login.concierge.pinniped.dev:apiservice',
     ],
 )
diff --git a/hack/update.sh b/hack/update.sh
index 6a3cb3833..027ed3546 100755
--- a/hack/update.sh
+++ b/hack/update.sh
@@ -13,7 +13,7 @@ xargs -n 1 -P 8 "$ROOT/hack/lib/update-codegen.sh" < "${ROOT}/hack/lib/kube-vers
 # Copy each CRD yaml to the app which should cause it to be installed.
 cp "$ROOT"/generated/1.19/crds/*oidcproviderconfigs.yaml "$ROOT/deploy/supervisor"
 cp "$ROOT"/generated/1.19/crds/*credentialissuerconfigs.yaml "$ROOT/deploy/concierge"
-cp "$ROOT"/generated/1.19/crds/*webhookidentityproviders.yaml "$ROOT/deploy/concierge"
+cp "$ROOT"/generated/1.19/crds/*webhookauthenticators.yaml "$ROOT/deploy/concierge"
 
 # Make sure we didn't miss any new CRDs.
 crdCount=$(find "$ROOT"/generated/1.19/crds/ -maxdepth 1 -type f -name '*.yaml' | wc -l | tr -d ' ')
diff --git a/internal/client/client_test.go b/internal/client/client_test.go
index 58ae7a1a2..57cbf0d39 100644
--- a/internal/client/client_test.go
+++ b/internal/client/client_test.go
@@ -27,7 +27,7 @@ func TestExchangeToken(t *testing.T) {
 
 	testIDP := corev1.TypedLocalObjectReference{
 		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
-		Kind:     "WebhookIdentityProvider",
+		Kind:     "WebhookAuthenticator",
 		Name:     "test-webhook",
 	}
 
@@ -107,7 +107,7 @@ func TestExchangeToken(t *testing.T) {
 					"token": "test-token",
 					"identityProvider": {
 						"apiGroup": "authentication.concierge.pinniped.dev",
-						"kind": "WebhookIdentityProvider",
+						"kind": "WebhookAuthenticator",
 						"name": "test-webhook"
 					}
 				  },
diff --git a/internal/controller/identityprovider/idpcache/cache_test.go b/internal/controller/identityprovider/idpcache/cache_test.go
index 24043bc89..8e2631d3b 100644
--- a/internal/controller/identityprovider/idpcache/cache_test.go
+++ b/internal/controller/identityprovider/idpcache/cache_test.go
@@ -77,7 +77,7 @@ func TestAuthenticateTokenCredentialRequest(t *testing.T) {
 		Spec: loginapi.TokenCredentialRequestSpec{
 			IdentityProvider: corev1.TypedLocalObjectReference{
 				APIGroup: &authv1alpha.SchemeGroupVersion.Group,
-				Kind:     "WebhookIdentityProvider",
+				Kind:     "WebhookAuthenticator",
 				Name:     "test-name",
 			},
 			Token: "test-token",
diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
index 48b663514..fcb69416e 100644
--- a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
+++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
@@ -19,7 +19,7 @@ import (
 )
 
 // New instantiates a new controllerlib.Controller which will garbage collect webhooks from the provided Cache.
-func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProviderInformer, log logr.Logger) controllerlib.Controller {
+func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookAuthenticatorInformer, log logr.Logger) controllerlib.Controller {
 	return controllerlib.New(
 		controllerlib.Config{
 			Name: "webhookcachecleaner-controller",
@@ -39,7 +39,7 @@ func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProvider
 
 type controller struct {
 	cache       *idpcache.Cache
-	webhookIDPs idpinformers.WebhookIdentityProviderInformer
+	webhookIDPs idpinformers.WebhookAuthenticatorInformer
 	log         logr.Logger
 }
 
@@ -47,11 +47,11 @@ type controller struct {
 func (c *controller) Sync(_ controllerlib.Context) error {
 	webhooks, err := c.webhookIDPs.Lister().List(labels.Everything())
 	if err != nil {
-		return fmt.Errorf("failed to list WebhookIdentityProviders: %w", err)
+		return fmt.Errorf("failed to list WebhookAuthenticators: %w", err)
 	}
 
 	// Index the current webhooks by key.
-	webhooksByKey := map[controllerlib.Key]*auth1alpha1.WebhookIdentityProvider{}
+	webhooksByKey := map[controllerlib.Key]*auth1alpha1.WebhookAuthenticator{}
 	for _, webhook := range webhooks {
 		key := controllerlib.Key{Namespace: webhook.Namespace, Name: webhook.Name}
 		webhooksByKey[key] = webhook
@@ -59,7 +59,7 @@ func (c *controller) Sync(_ controllerlib.Context) error {
 
 	// Delete any entries from the cache which are no longer in the cluster.
 	for _, key := range c.cache.Keys() {
-		if key.APIGroup != auth1alpha1.SchemeGroupVersion.Group || key.Kind != "WebhookIdentityProvider" {
+		if key.APIGroup != auth1alpha1.SchemeGroupVersion.Group || key.Kind != "WebhookAuthenticator" {
 			continue
 		}
 		if _, exists := webhooksByKey[controllerlib.Key{Namespace: key.Namespace, Name: key.Name}]; !exists {
diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
index 28f8effac..d6c826354 100644
--- a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
+++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
@@ -25,13 +25,13 @@ func TestController(t *testing.T) {
 
 	testKey1 := idpcache.Key{
 		APIGroup:  "authentication.concierge.pinniped.dev",
-		Kind:      "WebhookIdentityProvider",
+		Kind:      "WebhookAuthenticator",
 		Namespace: "test-namespace",
 		Name:      "test-name-one",
 	}
 	testKey2 := idpcache.Key{
 		APIGroup:  "authentication.concierge.pinniped.dev",
-		Kind:      "WebhookIdentityProvider",
+		Kind:      "WebhookAuthenticator",
 		Namespace: "test-namespace",
 		Name:      "test-name-two",
 	}
@@ -54,7 +54,7 @@ func TestController(t *testing.T) {
 			name:         "no change",
 			initialCache: map[idpcache.Key]idpcache.Value{testKey1: nil},
 			webhookIDPs: []runtime.Object{
-				&authv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
 						Name:      testKey1.Name,
@@ -67,13 +67,13 @@ func TestController(t *testing.T) {
 			name:         "IDPs not yet added",
 			initialCache: nil,
 			webhookIDPs: []runtime.Object{
-				&authv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
 						Name:      testKey1.Name,
 					},
 				},
-				&authv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey2.Namespace,
 						Name:      testKey2.Name,
@@ -90,7 +90,7 @@ func TestController(t *testing.T) {
 				testKeyNonwebhook: nil,
 			},
 			webhookIDPs: []runtime.Object{
-				&authv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
 						Name:      testKey1.Name,
@@ -116,7 +116,7 @@ func TestController(t *testing.T) {
 			}
 			testLog := testlogger.New(t)
 
-			controller := New(cache, informers.Authentication().V1alpha1().WebhookIdentityProviders(), testLog)
+			controller := New(cache, informers.Authentication().V1alpha1().WebhookAuthenticators(), testLog)
 
 			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 			defer cancel()
diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
index cf664bc40..55ba0c773 100644
--- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
+++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
@@ -1,7 +1,7 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-// Package webhookcachefiller implements a controller for filling an idpcache.Cache with each added/updated WebhookIdentityProvider.
+// Package webhookcachefiller implements a controller for filling an idpcache.Cache with each added/updated WebhookAuthenticator.
 package webhookcachefiller
 
 import (
@@ -28,7 +28,7 @@ import (
 )
 
 // New instantiates a new controllerlib.Controller which will populate the provided idpcache.Cache.
-func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProviderInformer, log logr.Logger) controllerlib.Controller {
+func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookAuthenticatorInformer, log logr.Logger) controllerlib.Controller {
 	return controllerlib.New(
 		controllerlib.Config{
 			Name: "webhookcachefiller-controller",
@@ -48,19 +48,19 @@ func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProvider
 
 type controller struct {
 	cache       *idpcache.Cache
-	webhookIDPs idpinformers.WebhookIdentityProviderInformer
+	webhookIDPs idpinformers.WebhookAuthenticatorInformer
 	log         logr.Logger
 }
 
 // Sync implements controllerlib.Syncer.
 func (c *controller) Sync(ctx controllerlib.Context) error {
-	obj, err := c.webhookIDPs.Lister().WebhookIdentityProviders(ctx.Key.Namespace).Get(ctx.Key.Name)
+	obj, err := c.webhookIDPs.Lister().WebhookAuthenticators(ctx.Key.Namespace).Get(ctx.Key.Name)
 	if err != nil && errors.IsNotFound(err) {
-		c.log.Info("Sync() found that the WebhookIdentityProvider does not exist yet or was deleted")
+		c.log.Info("Sync() found that the WebhookAuthenticator does not exist yet or was deleted")
 		return nil
 	}
 	if err != nil {
-		return fmt.Errorf("failed to get WebhookIdentityProvider %s/%s: %w", ctx.Key.Namespace, ctx.Key.Name, err)
+		return fmt.Errorf("failed to get WebhookAuthenticator %s/%s: %w", ctx.Key.Namespace, ctx.Key.Name, err)
 	}
 
 	webhookAuthenticator, err := newWebhookAuthenticator(&obj.Spec, ioutil.TempFile, clientcmd.WriteToFile)
@@ -70,7 +70,7 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
 
 	c.cache.Store(idpcache.Key{
 		APIGroup:  auth1alpha1.GroupName,
-		Kind:      "WebhookIdentityProvider",
+		Kind:      "WebhookAuthenticator",
 		Namespace: ctx.Key.Namespace,
 		Name:      ctx.Key.Name,
 	}, webhookAuthenticator)
@@ -81,7 +81,7 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
 // newWebhookAuthenticator creates a webhook from the provided API server url and caBundle
 // used to validate TLS connections.
 func newWebhookAuthenticator(
-	spec *auth1alpha1.WebhookIdentityProviderSpec,
+	spec *auth1alpha1.WebhookAuthenticatorSpec,
 	tempfileFunc func(string, string) (*os.File, error),
 	marshalFunc func(clientcmdapi.Config, string) error,
 ) (*webhook.WebhookTokenAuthenticator, error) {
diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
index 8172e7f48..79244c3f8 100644
--- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
+++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
@@ -43,19 +43,19 @@ func TestController(t *testing.T) {
 			name:    "not found",
 			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
 			wantLogs: []string{
-				`webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookIdentityProvider does not exist yet or was deleted"`,
+				`webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookAuthenticator does not exist yet or was deleted"`,
 			},
 		},
 		{
 			name:    "invalid webhook",
 			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
 			webhookIDPs: []runtime.Object{
-				&auth1alpha1.WebhookIdentityProvider{
+				&auth1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: "test-namespace",
 						Name:      "test-name",
 					},
-					Spec: auth1alpha1.WebhookIdentityProviderSpec{
+					Spec: auth1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "invalid url",
 					},
 				},
@@ -66,12 +66,12 @@ func TestController(t *testing.T) {
 			name:    "valid webhook",
 			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
 			webhookIDPs: []runtime.Object{
-				&auth1alpha1.WebhookIdentityProvider{
+				&auth1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: "test-namespace",
 						Name:      "test-name",
 					},
-					Spec: auth1alpha1.WebhookIdentityProviderSpec{
+					Spec: auth1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "https://example.com",
 						TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: ""},
 					},
@@ -93,7 +93,7 @@ func TestController(t *testing.T) {
 			cache := idpcache.New()
 			testLog := testlogger.New(t)
 
-			controller := New(cache, informers.Authentication().V1alpha1().WebhookIdentityProviders(), testLog)
+			controller := New(cache, informers.Authentication().V1alpha1().WebhookAuthenticators(), testLog)
 
 			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 			defer cancel()
@@ -124,13 +124,13 @@ func TestNewWebhookAuthenticator(t *testing.T) {
 
 	t.Run("marshal failure", func(t *testing.T) {
 		marshalError := func(_ clientcmdapi.Config, _ string) error { return fmt.Errorf("some marshal error") }
-		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookIdentityProviderSpec{}, ioutil.TempFile, marshalError)
+		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{}, ioutil.TempFile, marshalError)
 		require.Nil(t, res)
 		require.EqualError(t, err, "unable to marshal kubeconfig: some marshal error")
 	})
 
 	t.Run("invalid base64", func(t *testing.T) {
-		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookIdentityProviderSpec{
+		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
 			Endpoint: "https://example.com",
 			TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: "invalid-base64"},
 		}, ioutil.TempFile, clientcmd.WriteToFile)
@@ -139,7 +139,7 @@ func TestNewWebhookAuthenticator(t *testing.T) {
 	})
 
 	t.Run("valid config with no TLS spec", func(t *testing.T) {
-		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookIdentityProviderSpec{
+		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
 			Endpoint: "https://example.com",
 		}, ioutil.TempFile, clientcmd.WriteToFile)
 		require.NotNil(t, res)
@@ -154,7 +154,7 @@ func TestNewWebhookAuthenticator(t *testing.T) {
 			_, err = w.Write([]byte(`{}`))
 			require.NoError(t, err)
 		})
-		spec := &auth1alpha1.WebhookIdentityProviderSpec{
+		spec := &auth1alpha1.WebhookAuthenticatorSpec{
 			Endpoint: url,
 			TLS: &auth1alpha1.TLSSpec{
 				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(caBundle)),
diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go
index 228551e10..8a3d2acd6 100644
--- a/internal/controllermanager/prepare_controllers.go
+++ b/internal/controllermanager/prepare_controllers.go
@@ -232,7 +232,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			webhookcachefiller.New(
 				c.IDPCache,
-				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookIdentityProviders(),
+				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookAuthenticators(),
 				klogr.New(),
 			),
 			singletonWorker,
@@ -240,7 +240,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			webhookcachecleaner.New(
 				c.IDPCache,
-				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookIdentityProviders(),
+				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookAuthenticators(),
 				klogr.New(),
 			),
 			singletonWorker,
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index fdf240ce2..b71969145 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -29,7 +29,7 @@ func TestUnsuccessfulCredentialRequest(t *testing.T) {
 
 	response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, corev1.TypedLocalObjectReference{
 		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
-		Kind:     "WebhookIdentityProvider",
+		Kind:     "WebhookAuthenticator",
 		Name:     "some-webhook-that-does-not-exist",
 	}))
 	require.NoError(t, err)
diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go
index 6facc8291..68ba3c26e 100644
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@@ -106,13 +106,12 @@ func TestGetAPIResourceList(t *testing.T) {
 			resourceByVersion: map[string][]metav1.APIResource{
 				"authentication.concierge.pinniped.dev/v1alpha1": {
 					{
-						Name:         "webhookidentityproviders",
-						SingularName: "webhookidentityprovider",
+						Name:         "webhookauthenticators",
+						SingularName: "webhookauthenticator",
 						Namespaced:   true,
-						Kind:         "WebhookIdentityProvider",
+						Kind:         "WebhookAuthenticator",
 						Verbs:        []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
-						ShortNames:   []string{"webhookidp", "webhookidps"},
-						Categories:   []string{"all", "idp", "idps"},
+						Categories:   []string{"all", "authenticator", "authenticators"},
 					},
 				},
 			},
diff --git a/test/library/client.go b/test/library/client.go
index 285968f9b..17485e17e 100644
--- a/test/library/client.go
+++ b/test/library/client.go
@@ -119,7 +119,7 @@ func newAnonymousClientRestConfigWithCertAndKeyAdded(t *testing.T, clientCertifi
 	return config
 }
 
-// CreateTestWebhookIDP creates and returns a test WebhookIdentityProvider in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be
+// CreateTestWebhookIDP creates and returns a test WebhookAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be
 // automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which
 // descibes the test IDP within the test namespace.
 func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
@@ -127,12 +127,12 @@ func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalOb
 	testEnv := IntegrationEnv(t)
 
 	client := NewPinnipedClientset(t)
-	webhooks := client.AuthenticationV1alpha1().WebhookIdentityProviders(testEnv.ConciergeNamespace)
+	webhooks := client.AuthenticationV1alpha1().WebhookAuthenticators(testEnv.ConciergeNamespace)
 
 	createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
 
-	idp, err := webhooks.Create(createContext, &auth1alpha1.WebhookIdentityProvider{
+	idp, err := webhooks.Create(createContext, &auth1alpha1.WebhookAuthenticator{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "test-webhook-",
 			Labels:       map[string]string{"pinniped.dev/test": ""},
@@ -140,21 +140,21 @@ func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalOb
 		},
 		Spec: testEnv.TestWebhook,
 	}, metav1.CreateOptions{})
-	require.NoError(t, err, "could not create test WebhookIdentityProvider")
-	t.Logf("created test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
+	require.NoError(t, err, "could not create test WebhookAuthenticator")
+	t.Logf("created test WebhookAuthenticator %s/%s", idp.Namespace, idp.Name)
 
 	t.Cleanup(func() {
 		t.Helper()
-		t.Logf("cleaning up test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
+		t.Logf("cleaning up test WebhookAuthenticator %s/%s", idp.Namespace, idp.Name)
 		deleteCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
 		err := webhooks.Delete(deleteCtx, idp.Name, metav1.DeleteOptions{})
-		require.NoErrorf(t, err, "could not cleanup test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
+		require.NoErrorf(t, err, "could not cleanup test WebhookAuthenticator %s/%s", idp.Namespace, idp.Name)
 	})
 
 	return corev1.TypedLocalObjectReference{
 		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
-		Kind:     "WebhookIdentityProvider",
+		Kind:     "WebhookAuthenticator",
 		Name:     idp.Name,
 	}
 }
diff --git a/test/library/env.go b/test/library/env.go
index da5afb340..8cba1c112 100644
--- a/test/library/env.go
+++ b/test/library/env.go
@@ -26,18 +26,18 @@ const (
 type TestEnv struct {
 	t *testing.T
 
-	ConciergeNamespace             string                                  `json:"conciergeNamespace"`
-	SupervisorNamespace            string                                  `json:"supervisorNamespace"`
-	ConciergeAppName               string                                  `json:"conciergeAppName"`
-	SupervisorAppName              string                                  `json:"supervisorAppName"`
-	SupervisorCustomLabels         map[string]string                       `json:"supervisorCustomLabels"`
-	ConciergeCustomLabels          map[string]string                       `json:"conciergeCustomLabels"`
-	Capabilities                   map[Capability]bool                     `json:"capabilities"`
-	TestWebhook                    auth1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"`
-	SupervisorHTTPAddress          string                                  `json:"supervisorHttpAddress"`
-	SupervisorHTTPSAddress         string                                  `json:"supervisorHttpsAddress"`
-	SupervisorHTTPSIngressAddress  string                                  `json:"supervisorHttpsIngressAddress"`
-	SupervisorHTTPSIngressCABundle string                                  `json:"supervisorHttpsIngressCABundle"`
+	ConciergeNamespace             string                               `json:"conciergeNamespace"`
+	SupervisorNamespace            string                               `json:"supervisorNamespace"`
+	ConciergeAppName               string                               `json:"conciergeAppName"`
+	SupervisorAppName              string                               `json:"supervisorAppName"`
+	SupervisorCustomLabels         map[string]string                    `json:"supervisorCustomLabels"`
+	ConciergeCustomLabels          map[string]string                    `json:"conciergeCustomLabels"`
+	Capabilities                   map[Capability]bool                  `json:"capabilities"`
+	TestWebhook                    auth1alpha1.WebhookAuthenticatorSpec `json:"testWebhook"`
+	SupervisorHTTPAddress          string                               `json:"supervisorHttpAddress"`
+	SupervisorHTTPSAddress         string                               `json:"supervisorHttpsAddress"`
+	SupervisorHTTPSIngressAddress  string                               `json:"supervisorHttpsIngressAddress"`
+	SupervisorHTTPSIngressCABundle string                               `json:"supervisorHttpsIngressCABundle"`
 
 	TestUser struct {
 		Token            string   `json:"token"`

From f3a83882a4277b544046c1eae871822fc7a706f6 Mon Sep 17 00:00:00 2001
From: Matt Moyer <moyerm@vmware.com>
Date: Fri, 30 Oct 2020 12:41:21 -0500
Subject: [PATCH 4/5] Rename the IdentityProvider field to Authenticator in
 TokenCredentialRequest.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
---
 apis/concierge/login/types_token.go.tmpl                  | 4 ++--
 apis/concierge/login/v1alpha1/types_token.go.tmpl         | 4 ++--
 generated/1.17/README.adoc                                | 2 +-
 generated/1.17/apis/concierge/login/types_token.go        | 4 ++--
 .../1.17/apis/concierge/login/v1alpha1/types_token.go     | 4 ++--
 .../concierge/login/v1alpha1/zz_generated.conversion.go   | 4 ++--
 .../concierge/login/v1alpha1/zz_generated.deepcopy.go     | 2 +-
 .../1.17/apis/concierge/login/zz_generated.deepcopy.go    | 2 +-
 generated/1.17/client/openapi/zz_generated.openapi.go     | 6 +++---
 generated/1.18/README.adoc                                | 2 +-
 generated/1.18/apis/concierge/login/types_token.go        | 4 ++--
 .../1.18/apis/concierge/login/v1alpha1/types_token.go     | 4 ++--
 .../concierge/login/v1alpha1/zz_generated.conversion.go   | 4 ++--
 .../concierge/login/v1alpha1/zz_generated.deepcopy.go     | 2 +-
 .../1.18/apis/concierge/login/zz_generated.deepcopy.go    | 2 +-
 generated/1.18/client/openapi/zz_generated.openapi.go     | 6 +++---
 generated/1.19/README.adoc                                | 2 +-
 generated/1.19/apis/concierge/login/types_token.go        | 4 ++--
 .../1.19/apis/concierge/login/v1alpha1/types_token.go     | 4 ++--
 .../concierge/login/v1alpha1/zz_generated.conversion.go   | 4 ++--
 .../concierge/login/v1alpha1/zz_generated.deepcopy.go     | 2 +-
 .../1.19/apis/concierge/login/zz_generated.deepcopy.go    | 2 +-
 generated/1.19/client/openapi/zz_generated.openapi.go     | 6 +++---
 internal/client/client.go                                 | 4 ++--
 internal/client/client_test.go                            | 2 +-
 internal/controller/identityprovider/idpcache/cache.go    | 8 ++++----
 .../controller/identityprovider/idpcache/cache_test.go    | 8 ++++----
 test/integration/concierge_credentialrequest_test.go      | 4 ++--
 28 files changed, 53 insertions(+), 53 deletions(-)

diff --git a/apis/concierge/login/types_token.go.tmpl b/apis/concierge/login/types_token.go.tmpl
index 91d36cfbf..a0555f85d 100644
--- a/apis/concierge/login/types_token.go.tmpl
+++ b/apis/concierge/login/types_token.go.tmpl
@@ -12,8 +12,8 @@ type TokenCredentialRequestSpec struct {
 	// Bearer token supplied with the credential request.
 	Token string
 
-	// Reference to an identity provider which can fulfill this credential request.
-	IdentityProvider corev1.TypedLocalObjectReference
+	// Reference to an authenticator which can validate this credential request.
+	Authenticator corev1.TypedLocalObjectReference
 }
 
 type TokenCredentialRequestStatus struct {
diff --git a/apis/concierge/login/v1alpha1/types_token.go.tmpl b/apis/concierge/login/v1alpha1/types_token.go.tmpl
index 9fba33694..cb5965a23 100644
--- a/apis/concierge/login/v1alpha1/types_token.go.tmpl
+++ b/apis/concierge/login/v1alpha1/types_token.go.tmpl
@@ -13,8 +13,8 @@ type TokenCredentialRequestSpec struct {
 	// Bearer token supplied with the credential request.
 	Token string `json:"token,omitempty"`
 
-	// Reference to an identity provider which can fulfill this credential request.
-	IdentityProvider corev1.TypedLocalObjectReference `json:"identityProvider"`
+	// Reference to an authenticator which can validate this credential request.
+	Authenticator corev1.TypedLocalObjectReference `json:"authenticator"`
 }
 
 // TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc
index e004e05ee..23b14014b 100644
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -328,7 +328,7 @@ TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, exp
 |===
 | Field | Description
 | *`token`* __string__ | Bearer token supplied with the credential request.
-| *`identityProvider`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | Reference to an identity provider which can fulfill this credential request.
+| *`authenticator`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | Reference to an authenticator which can validate this credential request.
 |===
 
 
diff --git a/generated/1.17/apis/concierge/login/types_token.go b/generated/1.17/apis/concierge/login/types_token.go
index 91d36cfbf..a0555f85d 100644
--- a/generated/1.17/apis/concierge/login/types_token.go
+++ b/generated/1.17/apis/concierge/login/types_token.go
@@ -12,8 +12,8 @@ type TokenCredentialRequestSpec struct {
 	// Bearer token supplied with the credential request.
 	Token string
 
-	// Reference to an identity provider which can fulfill this credential request.
-	IdentityProvider corev1.TypedLocalObjectReference
+	// Reference to an authenticator which can validate this credential request.
+	Authenticator corev1.TypedLocalObjectReference
 }
 
 type TokenCredentialRequestStatus struct {
diff --git a/generated/1.17/apis/concierge/login/v1alpha1/types_token.go b/generated/1.17/apis/concierge/login/v1alpha1/types_token.go
index 9fba33694..cb5965a23 100644
--- a/generated/1.17/apis/concierge/login/v1alpha1/types_token.go
+++ b/generated/1.17/apis/concierge/login/v1alpha1/types_token.go
@@ -13,8 +13,8 @@ type TokenCredentialRequestSpec struct {
 	// Bearer token supplied with the credential request.
 	Token string `json:"token,omitempty"`
 
-	// Reference to an identity provider which can fulfill this credential request.
-	IdentityProvider corev1.TypedLocalObjectReference `json:"identityProvider"`
+	// Reference to an authenticator which can validate this credential request.
+	Authenticator corev1.TypedLocalObjectReference `json:"authenticator"`
 }
 
 // TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
diff --git a/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.conversion.go b/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.conversion.go
index 93defe45d..999cd6d3a 100644
--- a/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.conversion.go
@@ -157,7 +157,7 @@ func Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequest
 
 func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
 	out.Token = in.Token
-	out.IdentityProvider = in.IdentityProvider
+	out.Authenticator = in.Authenticator
 	return nil
 }
 
@@ -168,7 +168,7 @@ func Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequest
 
 func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
 	out.Token = in.Token
-	out.IdentityProvider = in.IdentityProvider
+	out.Authenticator = in.Authenticator
 	return nil
 }
 
diff --git a/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
index 2001aa609..4160d6692 100644
--- a/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
@@ -92,7 +92,7 @@ func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
 	*out = *in
-	in.IdentityProvider.DeepCopyInto(&out.IdentityProvider)
+	in.Authenticator.DeepCopyInto(&out.Authenticator)
 	return
 }
 
diff --git a/generated/1.17/apis/concierge/login/zz_generated.deepcopy.go b/generated/1.17/apis/concierge/login/zz_generated.deepcopy.go
index d92ad253c..f43661bc6 100644
--- a/generated/1.17/apis/concierge/login/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/login/zz_generated.deepcopy.go
@@ -92,7 +92,7 @@ func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
 	*out = *in
-	in.IdentityProvider.DeepCopyInto(&out.IdentityProvider)
+	in.Authenticator.DeepCopyInto(&out.Authenticator)
 	return
 }
 
diff --git a/generated/1.17/client/openapi/zz_generated.openapi.go b/generated/1.17/client/openapi/zz_generated.openapi.go
index 821f0ba8f..2aea64774 100644
--- a/generated/1.17/client/openapi/zz_generated.openapi.go
+++ b/generated/1.17/client/openapi/zz_generated.openapi.go
@@ -476,14 +476,14 @@ func schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref common.
 							Format:      "",
 						},
 					},
-					"identityProvider": {
+					"authenticator": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Reference to an identity provider which can fulfill this credential request.",
+							Description: "Reference to an authenticator which can validate this credential request.",
 							Ref:         ref("k8s.io/api/core/v1.TypedLocalObjectReference"),
 						},
 					},
 				},
-				Required: []string{"identityProvider"},
+				Required: []string{"authenticator"},
 			},
 		},
 		Dependencies: []string{
diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc
index 3dc20e722..0361d2162 100644
--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@@ -328,7 +328,7 @@ TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, exp
 |===
 | Field | Description
 | *`token`* __string__ | Bearer token supplied with the credential request.
-| *`identityProvider`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | Reference to an identity provider which can fulfill this credential request.
+| *`authenticator`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | Reference to an authenticator which can validate this credential request.
 |===
 
 
diff --git a/generated/1.18/apis/concierge/login/types_token.go b/generated/1.18/apis/concierge/login/types_token.go
index 91d36cfbf..a0555f85d 100644
--- a/generated/1.18/apis/concierge/login/types_token.go
+++ b/generated/1.18/apis/concierge/login/types_token.go
@@ -12,8 +12,8 @@ type TokenCredentialRequestSpec struct {
 	// Bearer token supplied with the credential request.
 	Token string
 
-	// Reference to an identity provider which can fulfill this credential request.
-	IdentityProvider corev1.TypedLocalObjectReference
+	// Reference to an authenticator which can validate this credential request.
+	Authenticator corev1.TypedLocalObjectReference
 }
 
 type TokenCredentialRequestStatus struct {
diff --git a/generated/1.18/apis/concierge/login/v1alpha1/types_token.go b/generated/1.18/apis/concierge/login/v1alpha1/types_token.go
index 9fba33694..cb5965a23 100644
--- a/generated/1.18/apis/concierge/login/v1alpha1/types_token.go
+++ b/generated/1.18/apis/concierge/login/v1alpha1/types_token.go
@@ -13,8 +13,8 @@ type TokenCredentialRequestSpec struct {
 	// Bearer token supplied with the credential request.
 	Token string `json:"token,omitempty"`
 
-	// Reference to an identity provider which can fulfill this credential request.
-	IdentityProvider corev1.TypedLocalObjectReference `json:"identityProvider"`
+	// Reference to an authenticator which can validate this credential request.
+	Authenticator corev1.TypedLocalObjectReference `json:"authenticator"`
 }
 
 // TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
diff --git a/generated/1.18/apis/concierge/login/v1alpha1/zz_generated.conversion.go b/generated/1.18/apis/concierge/login/v1alpha1/zz_generated.conversion.go
index bdb74e19f..c25c575d8 100644
--- a/generated/1.18/apis/concierge/login/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.18/apis/concierge/login/v1alpha1/zz_generated.conversion.go
@@ -157,7 +157,7 @@ func Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequest
 
 func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
 	out.Token = in.Token
-	out.IdentityProvider = in.IdentityProvider
+	out.Authenticator = in.Authenticator
 	return nil
 }
 
@@ -168,7 +168,7 @@ func Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequest
 
 func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
 	out.Token = in.Token
-	out.IdentityProvider = in.IdentityProvider
+	out.Authenticator = in.Authenticator
 	return nil
 }
 
diff --git a/generated/1.18/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
index 2001aa609..4160d6692 100644
--- a/generated/1.18/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
@@ -92,7 +92,7 @@ func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
 	*out = *in
-	in.IdentityProvider.DeepCopyInto(&out.IdentityProvider)
+	in.Authenticator.DeepCopyInto(&out.Authenticator)
 	return
 }
 
diff --git a/generated/1.18/apis/concierge/login/zz_generated.deepcopy.go b/generated/1.18/apis/concierge/login/zz_generated.deepcopy.go
index d92ad253c..f43661bc6 100644
--- a/generated/1.18/apis/concierge/login/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/concierge/login/zz_generated.deepcopy.go
@@ -92,7 +92,7 @@ func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
 	*out = *in
-	in.IdentityProvider.DeepCopyInto(&out.IdentityProvider)
+	in.Authenticator.DeepCopyInto(&out.Authenticator)
 	return
 }
 
diff --git a/generated/1.18/client/openapi/zz_generated.openapi.go b/generated/1.18/client/openapi/zz_generated.openapi.go
index d020267ec..5dc7862aa 100644
--- a/generated/1.18/client/openapi/zz_generated.openapi.go
+++ b/generated/1.18/client/openapi/zz_generated.openapi.go
@@ -476,14 +476,14 @@ func schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref common.
 							Format:      "",
 						},
 					},
-					"identityProvider": {
+					"authenticator": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Reference to an identity provider which can fulfill this credential request.",
+							Description: "Reference to an authenticator which can validate this credential request.",
 							Ref:         ref("k8s.io/api/core/v1.TypedLocalObjectReference"),
 						},
 					},
 				},
-				Required: []string{"identityProvider"},
+				Required: []string{"authenticator"},
 			},
 		},
 		Dependencies: []string{
diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc
index 25625544a..c33732fa5 100644
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@@ -328,7 +328,7 @@ TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, exp
 |===
 | Field | Description
 | *`token`* __string__ | Bearer token supplied with the credential request.
-| *`identityProvider`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | Reference to an identity provider which can fulfill this credential request.
+| *`authenticator`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#typedlocalobjectreference-v1-core[$$TypedLocalObjectReference$$]__ | Reference to an authenticator which can validate this credential request.
 |===
 
 
diff --git a/generated/1.19/apis/concierge/login/types_token.go b/generated/1.19/apis/concierge/login/types_token.go
index 91d36cfbf..a0555f85d 100644
--- a/generated/1.19/apis/concierge/login/types_token.go
+++ b/generated/1.19/apis/concierge/login/types_token.go
@@ -12,8 +12,8 @@ type TokenCredentialRequestSpec struct {
 	// Bearer token supplied with the credential request.
 	Token string
 
-	// Reference to an identity provider which can fulfill this credential request.
-	IdentityProvider corev1.TypedLocalObjectReference
+	// Reference to an authenticator which can validate this credential request.
+	Authenticator corev1.TypedLocalObjectReference
 }
 
 type TokenCredentialRequestStatus struct {
diff --git a/generated/1.19/apis/concierge/login/v1alpha1/types_token.go b/generated/1.19/apis/concierge/login/v1alpha1/types_token.go
index 9fba33694..cb5965a23 100644
--- a/generated/1.19/apis/concierge/login/v1alpha1/types_token.go
+++ b/generated/1.19/apis/concierge/login/v1alpha1/types_token.go
@@ -13,8 +13,8 @@ type TokenCredentialRequestSpec struct {
 	// Bearer token supplied with the credential request.
 	Token string `json:"token,omitempty"`
 
-	// Reference to an identity provider which can fulfill this credential request.
-	IdentityProvider corev1.TypedLocalObjectReference `json:"identityProvider"`
+	// Reference to an authenticator which can validate this credential request.
+	Authenticator corev1.TypedLocalObjectReference `json:"authenticator"`
 }
 
 // TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
diff --git a/generated/1.19/apis/concierge/login/v1alpha1/zz_generated.conversion.go b/generated/1.19/apis/concierge/login/v1alpha1/zz_generated.conversion.go
index 6d295f18c..50a88d8ea 100644
--- a/generated/1.19/apis/concierge/login/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.19/apis/concierge/login/v1alpha1/zz_generated.conversion.go
@@ -157,7 +157,7 @@ func Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequest
 
 func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
 	out.Token = in.Token
-	out.IdentityProvider = in.IdentityProvider
+	out.Authenticator = in.Authenticator
 	return nil
 }
 
@@ -168,7 +168,7 @@ func Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequest
 
 func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
 	out.Token = in.Token
-	out.IdentityProvider = in.IdentityProvider
+	out.Authenticator = in.Authenticator
 	return nil
 }
 
diff --git a/generated/1.19/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
index 2001aa609..4160d6692 100644
--- a/generated/1.19/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
@@ -92,7 +92,7 @@ func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
 	*out = *in
-	in.IdentityProvider.DeepCopyInto(&out.IdentityProvider)
+	in.Authenticator.DeepCopyInto(&out.Authenticator)
 	return
 }
 
diff --git a/generated/1.19/apis/concierge/login/zz_generated.deepcopy.go b/generated/1.19/apis/concierge/login/zz_generated.deepcopy.go
index d92ad253c..f43661bc6 100644
--- a/generated/1.19/apis/concierge/login/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/concierge/login/zz_generated.deepcopy.go
@@ -92,7 +92,7 @@ func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
 	*out = *in
-	in.IdentityProvider.DeepCopyInto(&out.IdentityProvider)
+	in.Authenticator.DeepCopyInto(&out.Authenticator)
 	return
 }
 
diff --git a/generated/1.19/client/openapi/zz_generated.openapi.go b/generated/1.19/client/openapi/zz_generated.openapi.go
index 7411987de..ef20e195d 100644
--- a/generated/1.19/client/openapi/zz_generated.openapi.go
+++ b/generated/1.19/client/openapi/zz_generated.openapi.go
@@ -477,14 +477,14 @@ func schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref common.
 							Format:      "",
 						},
 					},
-					"identityProvider": {
+					"authenticator": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Reference to an identity provider which can fulfill this credential request.",
+							Description: "Reference to an authenticator which can validate this credential request.",
 							Ref:         ref("k8s.io/api/core/v1.TypedLocalObjectReference"),
 						},
 					},
 				},
-				Required: []string{"identityProvider"},
+				Required: []string{"authenticator"},
 			},
 		},
 		Dependencies: []string{
diff --git a/internal/client/client.go b/internal/client/client.go
index 28e4c188d..b29849e88 100644
--- a/internal/client/client.go
+++ b/internal/client/client.go
@@ -34,8 +34,8 @@ func ExchangeToken(ctx context.Context, namespace string, idp corev1.TypedLocalO
 			Namespace: namespace,
 		},
 		Spec: v1alpha1.TokenCredentialRequestSpec{
-			Token:            token,
-			IdentityProvider: idp,
+			Token:         token,
+			Authenticator: idp,
 		},
 	}, metav1.CreateOptions{})
 	if err != nil {
diff --git a/internal/client/client_test.go b/internal/client/client_test.go
index 57cbf0d39..e30d4dd24 100644
--- a/internal/client/client_test.go
+++ b/internal/client/client_test.go
@@ -105,7 +105,7 @@ func TestExchangeToken(t *testing.T) {
 				  },
 				  "spec": {
 					"token": "test-token",
-					"identityProvider": {
+					"authenticator": {
 						"apiGroup": "authentication.concierge.pinniped.dev",
 						"kind": "WebhookAuthenticator",
 						"name": "test-webhook"
diff --git a/internal/controller/identityprovider/idpcache/cache.go b/internal/controller/identityprovider/idpcache/cache.go
index ee51ca6c0..dbf6954e8 100644
--- a/internal/controller/identityprovider/idpcache/cache.go
+++ b/internal/controller/identityprovider/idpcache/cache.go
@@ -84,11 +84,11 @@ func (c *Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req *log
 	// Map the incoming request to a cache key.
 	key := Key{
 		Namespace: req.Namespace,
-		Name:      req.Spec.IdentityProvider.Name,
-		Kind:      req.Spec.IdentityProvider.Kind,
+		Name:      req.Spec.Authenticator.Name,
+		Kind:      req.Spec.Authenticator.Kind,
 	}
-	if req.Spec.IdentityProvider.APIGroup != nil {
-		key.APIGroup = *req.Spec.IdentityProvider.APIGroup
+	if req.Spec.Authenticator.APIGroup != nil {
+		key.APIGroup = *req.Spec.Authenticator.APIGroup
 	}
 
 	val := c.Get(key)
diff --git a/internal/controller/identityprovider/idpcache/cache_test.go b/internal/controller/identityprovider/idpcache/cache_test.go
index 8e2631d3b..4b15b57b9 100644
--- a/internal/controller/identityprovider/idpcache/cache_test.go
+++ b/internal/controller/identityprovider/idpcache/cache_test.go
@@ -75,7 +75,7 @@ func TestAuthenticateTokenCredentialRequest(t *testing.T) {
 			Namespace: "test-namespace",
 		},
 		Spec: loginapi.TokenCredentialRequestSpec{
-			IdentityProvider: corev1.TypedLocalObjectReference{
+			Authenticator: corev1.TypedLocalObjectReference{
 				APIGroup: &authv1alpha.SchemeGroupVersion.Group,
 				Kind:     "WebhookAuthenticator",
 				Name:     "test-name",
@@ -85,10 +85,10 @@ func TestAuthenticateTokenCredentialRequest(t *testing.T) {
 		Status: loginapi.TokenCredentialRequestStatus{},
 	}
 	validRequestKey := Key{
-		APIGroup:  *validRequest.Spec.IdentityProvider.APIGroup,
-		Kind:      validRequest.Spec.IdentityProvider.Kind,
+		APIGroup:  *validRequest.Spec.Authenticator.APIGroup,
+		Kind:      validRequest.Spec.Authenticator.Kind,
 		Namespace: validRequest.Namespace,
-		Name:      validRequest.Spec.IdentityProvider.Name,
+		Name:      validRequest.Spec.Authenticator.Name,
 	}
 
 	mockCache := func(t *testing.T, res *authenticator.Response, authenticated bool, err error) *Cache {
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index b71969145..3467340a6 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -154,8 +154,8 @@ func makeRequest(ctx context.Context, t *testing.T, spec loginv1alpha1.TokenCred
 
 func validCredentialRequestSpecWithRealToken(t *testing.T, idp corev1.TypedLocalObjectReference) loginv1alpha1.TokenCredentialRequestSpec {
 	return loginv1alpha1.TokenCredentialRequestSpec{
-		Token:            library.IntegrationEnv(t).TestUser.Token,
-		IdentityProvider: idp,
+		Token:         library.IntegrationEnv(t).TestUser.Token,
+		Authenticator: idp,
 	}
 }
 

From 34da8c78777c7c21bc6312c8d673b766b5a28a04 Mon Sep 17 00:00:00 2001
From: Matt Moyer <moyerm@vmware.com>
Date: Fri, 30 Oct 2020 14:02:21 -0500
Subject: [PATCH 5/5] Rename existing references to "IDP" and "Identity
 Provider".

Signed-off-by: Matt Moyer <moyerm@vmware.com>
---
 cmd/pinniped/cmd/exchange_credential.go       |  32 +++---
 cmd/pinniped/cmd/exchange_credential_test.go  |  44 ++++----
 cmd/pinniped/cmd/get_kubeconfig.go            |  64 +++++------
 cmd/pinniped/cmd/get_kubeconfig_test.go       | 106 +++++++++---------
 doc/demo.md                                   |   2 +-
 internal/client/client.go                     |   4 +-
 internal/client/client_test.go                |  12 +-
 internal/concierge/server/server.go           |  10 +-
 .../authncache}/cache.go                      |  22 ++--
 .../authncache}/cache_test.go                 |  10 +-
 .../webhookcachecleaner.go                    |  26 ++---
 .../webhookcachecleaner_test.go               |  40 +++----
 .../webhookcachefiller/webhookcachefiller.go  |  30 ++---
 .../webhookcachefiller_test.go                |  14 +--
 .../controllermanager/prepare_controllers.go  |  18 +--
 test/integration/cli_test.go                  |  10 +-
 test/integration/client_test.go               |   4 +-
 .../concierge_credentialrequest_test.go       |   8 +-
 test/library/client.go                        |  18 +--
 19 files changed, 237 insertions(+), 237 deletions(-)
 rename internal/controller/{identityprovider/idpcache => authenticator/authncache}/cache.go (81%)
 rename internal/controller/{identityprovider/idpcache => authenticator/authncache}/cache_test.go (96%)
 rename internal/controller/{identityprovider => authenticator}/webhookcachecleaner/webhookcachecleaner.go (71%)
 rename internal/controller/{identityprovider => authenticator}/webhookcachecleaner/webhookcachecleaner_test.go (77%)
 rename internal/controller/{identityprovider => authenticator}/webhookcachefiller/webhookcachefiller.go (82%)
 rename internal/controller/{identityprovider => authenticator}/webhookcachefiller/webhookcachefiller_test.go (93%)

diff --git a/cmd/pinniped/cmd/exchange_credential.go b/cmd/pinniped/cmd/exchange_credential.go
index 481165fb0..20c1d5e03 100644
--- a/cmd/pinniped/cmd/exchange_credential.go
+++ b/cmd/pinniped/cmd/exchange_credential.go
@@ -60,11 +60,11 @@ func newExchangeCredentialCmd(args []string, stdout, stderr io.Writer) *exchange
 			Requires all of the following environment variables, which are
 			typically set in the kubeconfig:
 			  - PINNIPED_TOKEN: the token to send to Pinniped for exchange
-			  - PINNIPED_NAMESPACE: the namespace of the identity provider to authenticate
+			  - PINNIPED_NAMESPACE: the namespace of the authenticator to authenticate
 			    against
-			  - PINNIPED_IDP_TYPE: the type of identity provider to authenticate
+			  - PINNIPED_AUTHENTICATOR_TYPE: the type of authenticator to authenticate
 			    against (e.g., "webhook")
-			  - PINNIPED_IDP_NAME: the name of the identity provider to authenticate
+			  - PINNIPED_AUTHENTICATOR_NAME: the name of the authenticator to authenticate
 			    against
 			  - PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
 				Pinniped's HTTPS endpoint
@@ -87,15 +87,15 @@ type envGetter func(string) (string, bool)
 type tokenExchanger func(
 	ctx context.Context,
 	namespace string,
-	idp corev1.TypedLocalObjectReference,
+	authenticator corev1.TypedLocalObjectReference,
 	token string,
 	caBundle string,
 	apiEndpoint string,
 ) (*clientauthenticationv1beta1.ExecCredential, error)
 
 const (
-	ErrMissingEnvVar  = constable.Error("failed to get credential: environment variable not set")
-	ErrInvalidIDPType = constable.Error("invalid IDP type")
+	ErrMissingEnvVar            = constable.Error("failed to get credential: environment variable not set")
+	ErrInvalidAuthenticatorType = constable.Error("invalid authenticator type")
 )
 
 func runExchangeCredential(stdout, _ io.Writer) {
@@ -115,14 +115,14 @@ func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outp
 		return envVarNotSetError("PINNIPED_NAMESPACE")
 	}
 
-	idpType, varExists := envGetter("PINNIPED_IDP_TYPE")
+	authenticatorType, varExists := envGetter("PINNIPED_AUTHENTICATOR_TYPE")
 	if !varExists {
-		return envVarNotSetError("PINNIPED_IDP_TYPE")
+		return envVarNotSetError("PINNIPED_AUTHENTICATOR_TYPE")
 	}
 
-	idpName, varExists := envGetter("PINNIPED_IDP_NAME")
+	authenticatorName, varExists := envGetter("PINNIPED_AUTHENTICATOR_NAME")
 	if !varExists {
-		return envVarNotSetError("PINNIPED_IDP_NAME")
+		return envVarNotSetError("PINNIPED_AUTHENTICATOR_NAME")
 	}
 
 	token, varExists := envGetter("PINNIPED_TOKEN")
@@ -140,16 +140,16 @@ func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outp
 		return envVarNotSetError("PINNIPED_K8S_API_ENDPOINT")
 	}
 
-	idp := corev1.TypedLocalObjectReference{Name: idpName}
-	switch strings.ToLower(idpType) {
+	authenticator := corev1.TypedLocalObjectReference{Name: authenticatorName}
+	switch strings.ToLower(authenticatorType) {
 	case "webhook":
-		idp.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
-		idp.Kind = "WebhookAuthenticator"
+		authenticator.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
+		authenticator.Kind = "WebhookAuthenticator"
 	default:
-		return fmt.Errorf(`%w: %q, supported values are "webhook"`, ErrInvalidIDPType, idpType)
+		return fmt.Errorf(`%w: %q, supported values are "webhook"`, ErrInvalidAuthenticatorType, authenticatorType)
 	}
 
-	cred, err := tokenExchanger(ctx, namespace, idp, token, caBundle, apiEndpoint)
+	cred, err := tokenExchanger(ctx, namespace, authenticator, token, caBundle, apiEndpoint)
 	if err != nil {
 		return fmt.Errorf("failed to get credential: %w", err)
 	}
diff --git a/cmd/pinniped/cmd/exchange_credential_test.go b/cmd/pinniped/cmd/exchange_credential_test.go
index b074cfc07..9c9e1c3f6 100644
--- a/cmd/pinniped/cmd/exchange_credential_test.go
+++ b/cmd/pinniped/cmd/exchange_credential_test.go
@@ -43,11 +43,11 @@ var (
 		Requires all of the following environment variables, which are
 		typically set in the kubeconfig:
 		  - PINNIPED_TOKEN: the token to send to Pinniped for exchange
-		  - PINNIPED_NAMESPACE: the namespace of the identity provider to authenticate
+		  - PINNIPED_NAMESPACE: the namespace of the authenticator to authenticate
 		    against
-		  - PINNIPED_IDP_TYPE: the type of identity provider to authenticate
+		  - PINNIPED_AUTHENTICATOR_TYPE: the type of authenticator to authenticate
 		    against (e.g., "webhook")
-		  - PINNIPED_IDP_NAME: the name of the identity provider to authenticate
+		  - PINNIPED_AUTHENTICATOR_NAME: the name of the authenticator to authenticate
 		    against
 		  - PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
 			Pinniped's HTTPS endpoint
@@ -142,12 +142,12 @@ func TestExchangeCredential(t *testing.T) {
 			r = require.New(t)
 			buffer = new(bytes.Buffer)
 			fakeEnv = map[string]string{
-				"PINNIPED_NAMESPACE":        "namespace from env",
-				"PINNIPED_IDP_TYPE":         "Webhook",
-				"PINNIPED_IDP_NAME":         "webhook name from env",
-				"PINNIPED_TOKEN":            "token from env",
-				"PINNIPED_CA_BUNDLE":        "ca bundle from env",
-				"PINNIPED_K8S_API_ENDPOINT": "k8s api from env",
+				"PINNIPED_NAMESPACE":          "namespace from env",
+				"PINNIPED_AUTHENTICATOR_TYPE": "Webhook",
+				"PINNIPED_AUTHENTICATOR_NAME": "webhook name from env",
+				"PINNIPED_TOKEN":              "token from env",
+				"PINNIPED_CA_BUNDLE":          "ca bundle from env",
+				"PINNIPED_K8S_API_ENDPOINT":   "k8s api from env",
 			}
 		})
 
@@ -158,16 +158,16 @@ func TestExchangeCredential(t *testing.T) {
 				r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_NAMESPACE")
 			})
 
-			it("returns an error when PINNIPED_IDP_TYPE is missing", func() {
-				delete(fakeEnv, "PINNIPED_IDP_TYPE")
+			it("returns an error when PINNIPED_AUTHENTICATOR_TYPE is missing", func() {
+				delete(fakeEnv, "PINNIPED_AUTHENTICATOR_TYPE")
 				err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
-				r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_IDP_TYPE")
+				r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_AUTHENTICATOR_TYPE")
 			})
 
-			it("returns an error when PINNIPED_IDP_NAME is missing", func() {
-				delete(fakeEnv, "PINNIPED_IDP_NAME")
+			it("returns an error when PINNIPED_AUTHENTICATOR_NAME is missing", func() {
+				delete(fakeEnv, "PINNIPED_AUTHENTICATOR_NAME")
 				err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
-				r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_IDP_NAME")
+				r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_AUTHENTICATOR_NAME")
 			})
 
 			it("returns an error when PINNIPED_TOKEN is missing", func() {
@@ -190,16 +190,16 @@ func TestExchangeCredential(t *testing.T) {
 		})
 
 		when("env vars are invalid", func() {
-			it("returns an error when PINNIPED_IDP_TYPE is missing", func() {
-				fakeEnv["PINNIPED_IDP_TYPE"] = "invalid"
+			it("returns an error when PINNIPED_AUTHENTICATOR_TYPE is missing", func() {
+				fakeEnv["PINNIPED_AUTHENTICATOR_TYPE"] = "invalid"
 				err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
-				r.EqualError(err, `invalid IDP type: "invalid", supported values are "webhook"`)
+				r.EqualError(err, `invalid authenticator type: "invalid", supported values are "webhook"`)
 			})
 		})
 
 		when("the token exchange fails", func() {
 			it.Before(func() {
-				tokenExchanger = func(ctx context.Context, namespace string, idp corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
+				tokenExchanger = func(ctx context.Context, namespace string, authenticator corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
 					return nil, fmt.Errorf("some error")
 				}
 			})
@@ -212,7 +212,7 @@ func TestExchangeCredential(t *testing.T) {
 
 		when("the JSON encoder fails", func() {
 			it.Before(func() {
-				tokenExchanger = func(ctx context.Context, namespace string, idp corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
+				tokenExchanger = func(ctx context.Context, namespace string, authenticator corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
 					return &clientauthenticationv1beta1.ExecCredential{
 						Status: &clientauthenticationv1beta1.ExecCredentialStatus{
 							Token: "some token",
@@ -229,7 +229,7 @@ func TestExchangeCredential(t *testing.T) {
 
 		when("the token exchange times out", func() {
 			it.Before(func() {
-				tokenExchanger = func(ctx context.Context, namespace string, idp corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
+				tokenExchanger = func(ctx context.Context, namespace string, authenticator corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
 					select {
 					case <-time.After(100 * time.Millisecond):
 						return &clientauthenticationv1beta1.ExecCredential{
@@ -253,7 +253,7 @@ func TestExchangeCredential(t *testing.T) {
 			var actualNamespace, actualToken, actualCaBundle, actualAPIEndpoint string
 
 			it.Before(func() {
-				tokenExchanger = func(ctx context.Context, namespace string, idp corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
+				tokenExchanger = func(ctx context.Context, namespace string, authenticator corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
 					actualNamespace, actualToken, actualCaBundle, actualAPIEndpoint = namespace, token, caBundle, apiEndpoint
 					now := metav1.NewTime(time.Date(2020, 7, 29, 1, 2, 3, 0, time.UTC))
 					return &clientauthenticationv1beta1.ExecCredential{
diff --git a/cmd/pinniped/cmd/get_kubeconfig.go b/cmd/pinniped/cmd/get_kubeconfig.go
index a0349eed8..ad5f9f131 100644
--- a/cmd/pinniped/cmd/get_kubeconfig.go
+++ b/cmd/pinniped/cmd/get_kubeconfig.go
@@ -33,12 +33,12 @@ func init() {
 }
 
 type getKubeConfigFlags struct {
-	token           string
-	kubeconfig      string
-	contextOverride string
-	namespace       string
-	idpName         string
-	idpType         string
+	token             string
+	kubeconfig        string
+	contextOverride   string
+	namespace         string
+	authenticatorName string
+	authenticatorType string
 }
 
 type getKubeConfigCommand struct {
@@ -88,8 +88,8 @@ func (c *getKubeConfigCommand) Command() *cobra.Command {
 	cmd.Flags().StringVar(&c.flags.kubeconfig, "kubeconfig", c.flags.kubeconfig, "Path to the kubeconfig file")
 	cmd.Flags().StringVar(&c.flags.contextOverride, "kubeconfig-context", c.flags.contextOverride, "Kubeconfig context override")
 	cmd.Flags().StringVar(&c.flags.namespace, "pinniped-namespace", c.flags.namespace, "Namespace in which Pinniped was installed")
-	cmd.Flags().StringVar(&c.flags.idpType, "idp-type", c.flags.idpType, "Identity provider type (e.g., 'webhook')")
-	cmd.Flags().StringVar(&c.flags.idpName, "idp-name", c.flags.idpType, "Identity provider name")
+	cmd.Flags().StringVar(&c.flags.authenticatorType, "authenticator-type", c.flags.authenticatorType, "Authenticator type (e.g., 'webhook')")
+	cmd.Flags().StringVar(&c.flags.authenticatorName, "authenticator-name", c.flags.authenticatorType, "Authenticator name")
 	mustMarkRequired(cmd, "token")
 	return cmd
 }
@@ -116,9 +116,9 @@ func (c *getKubeConfigCommand) run(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	idpType, idpName := c.flags.idpType, c.flags.idpName
-	if idpType == "" || idpName == "" {
-		idpType, idpName, err = getDefaultIDP(clientset, c.flags.namespace)
+	authenticatorType, authenticatorName := c.flags.authenticatorType, c.flags.authenticatorName
+	if authenticatorType == "" || authenticatorName == "" {
+		authenticatorType, authenticatorName, err = getDefaultAuthenticator(clientset, c.flags.namespace)
 		if err != nil {
 			return err
 		}
@@ -143,7 +143,7 @@ func (c *getKubeConfigCommand) run(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	config := newPinnipedKubeconfig(v1Cluster, fullPathToSelf, c.flags.token, c.flags.namespace, idpType, idpName)
+	config := newPinnipedKubeconfig(v1Cluster, fullPathToSelf, c.flags.token, c.flags.namespace, authenticatorType, authenticatorName)
 
 	err = writeConfigAsYAML(cmd.OutOrStdout(), config)
 	if err != nil {
@@ -168,22 +168,22 @@ func issueWarningForNonMatchingServerOrCA(v1Cluster v1.Cluster, credentialIssuer
 	return nil
 }
 
-type noIDPError struct{ Namespace string }
+type noAuthenticatorError struct{ Namespace string }
 
-func (e noIDPError) Error() string {
-	return fmt.Sprintf(`no identity providers were found in namespace %q`, e.Namespace)
+func (e noAuthenticatorError) Error() string {
+	return fmt.Sprintf(`no authenticators were found in namespace %q`, e.Namespace)
 }
 
-type indeterminateIDPError struct{ Namespace string }
+type indeterminateAuthenticatorError struct{ Namespace string }
 
-func (e indeterminateIDPError) Error() string {
+func (e indeterminateAuthenticatorError) Error() string {
 	return fmt.Sprintf(
-		`multiple identity providers were found in namespace %q, so --pinniped-idp-name/--pinniped-idp-type must be specified`,
+		`multiple authenticators were found in namespace %q, so --authenticator-name/--authenticator-type must be specified`,
 		e.Namespace,
 	)
 }
 
-func getDefaultIDP(clientset pinnipedclientset.Interface, namespace string) (string, string, error) {
+func getDefaultAuthenticator(clientset pinnipedclientset.Interface, namespace string) (string, string, error) {
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancelFunc()
 
@@ -192,19 +192,19 @@ func getDefaultIDP(clientset pinnipedclientset.Interface, namespace string) (str
 		return "", "", err
 	}
 
-	type ref struct{ idpType, idpName string }
-	idps := make([]ref, 0, len(webhooks.Items))
+	type ref struct{ authenticatorType, authenticatorName string }
+	authenticators := make([]ref, 0, len(webhooks.Items))
 	for _, webhook := range webhooks.Items {
-		idps = append(idps, ref{idpType: "webhook", idpName: webhook.Name})
+		authenticators = append(authenticators, ref{authenticatorType: "webhook", authenticatorName: webhook.Name})
 	}
 
-	if len(idps) == 0 {
-		return "", "", noIDPError{namespace}
+	if len(authenticators) == 0 {
+		return "", "", noAuthenticatorError{namespace}
 	}
-	if len(idps) > 1 {
-		return "", "", indeterminateIDPError{namespace}
+	if len(authenticators) > 1 {
+		return "", "", indeterminateAuthenticatorError{namespace}
 	}
-	return idps[0].idpType, idps[0].idpName, nil
+	return authenticators[0].authenticatorType, authenticators[0].authenticatorName, nil
 }
 
 func fetchPinnipedCredentialIssuerConfig(clientset pinnipedclientset.Interface, pinnipedInstallationNamespace string) (*configv1alpha1.CredentialIssuerConfig, error) {
@@ -277,7 +277,7 @@ func copyCurrentClusterFromExistingKubeConfig(currentKubeConfig clientcmdapi.Con
 	return v1Cluster, nil
 }
 
-func newPinnipedKubeconfig(v1Cluster v1.Cluster, fullPathToSelf string, token string, namespace string, idpType string, idpName string) v1.Config {
+func newPinnipedKubeconfig(v1Cluster v1.Cluster, fullPathToSelf string, token string, namespace string, authenticatorType string, authenticatorName string) v1.Config {
 	clusterName := "pinniped-cluster"
 	userName := "pinniped-user"
 
@@ -324,12 +324,12 @@ func newPinnipedKubeconfig(v1Cluster v1.Cluster, fullPathToSelf string, token st
 								Value: token,
 							},
 							{
-								Name:  "PINNIPED_IDP_TYPE",
-								Value: idpType,
+								Name:  "PINNIPED_AUTHENTICATOR_TYPE",
+								Value: authenticatorType,
 							},
 							{
-								Name:  "PINNIPED_IDP_NAME",
-								Value: idpName,
+								Name:  "PINNIPED_AUTHENTICATOR_NAME",
+								Value: authenticatorName,
 							},
 						},
 						APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(),
diff --git a/cmd/pinniped/cmd/get_kubeconfig_test.go b/cmd/pinniped/cmd/get_kubeconfig_test.go
index 430791730..6bdd262f6 100644
--- a/cmd/pinniped/cmd/get_kubeconfig_test.go
+++ b/cmd/pinniped/cmd/get_kubeconfig_test.go
@@ -30,9 +30,9 @@ var (
 		  get-kubeconfig [flags]
 
 		Flags:
+			  --authenticator-name string   Authenticator name
+			  --authenticator-type string   Authenticator type (e.g., 'webhook')
 		  -h, --help                        help for get-kubeconfig
-			  --idp-name string             Identity provider name
-			  --idp-type string             Identity provider type (e.g., 'webhook')
 			  --kubeconfig string           Path to the kubeconfig file
 			  --kubeconfig-context string   Kubeconfig context override
 			  --pinniped-namespace string   Namespace in which Pinniped was installed (default "pinniped")
@@ -61,9 +61,9 @@ var (
 		  get-kubeconfig [flags]
 
 		Flags:
+			  --authenticator-name string   Authenticator name
+			  --authenticator-type string   Authenticator type (e.g., 'webhook')
 		  -h, --help                        help for get-kubeconfig
-			  --idp-name string             Identity provider name
-			  --idp-type string             Identity provider type (e.g., 'webhook')
 			  --kubeconfig string           Path to the kubeconfig file
 			  --kubeconfig-context string   Kubeconfig context override
 			  --pinniped-namespace string   Namespace in which Pinniped was installed (default "pinniped")
@@ -116,15 +116,15 @@ func TestNewGetKubeConfigCmd(t *testing.T) {
 }
 
 type expectedKubeconfigYAML struct {
-	clusterCAData    string
-	clusterServer    string
-	command          string
-	token            string
-	pinnipedEndpoint string
-	pinnipedCABundle string
-	namespace        string
-	idpType          string
-	idpName          string
+	clusterCAData     string
+	clusterServer     string
+	command           string
+	token             string
+	pinnipedEndpoint  string
+	pinnipedCABundle  string
+	namespace         string
+	authenticatorType string
+	authenticatorName string
 }
 
 func (e expectedKubeconfigYAML) String() string {
@@ -160,14 +160,14 @@ func (e expectedKubeconfigYAML) String() string {
 			    value: %s
 			  - name: PINNIPED_TOKEN
 				value: %s
-			  - name: PINNIPED_IDP_TYPE
+			  - name: PINNIPED_AUTHENTICATOR_TYPE
 				value: %s
-			  - name: PINNIPED_IDP_NAME
+			  - name: PINNIPED_AUTHENTICATOR_NAME
 				value: %s
 			  installHint: |-
 				The Pinniped CLI is required to authenticate to the current cluster.
 				For more information, please visit https://pinniped.dev
-		`, e.clusterCAData, e.clusterServer, e.command, e.pinnipedEndpoint, e.pinnipedCABundle, e.namespace, e.token, e.idpType, e.idpName)
+		`, e.clusterCAData, e.clusterServer, e.command, e.pinnipedEndpoint, e.pinnipedCABundle, e.namespace, e.token, e.authenticatorType, e.authenticatorName)
 }
 
 func newCredentialIssuerConfig(name, namespace, server, certificateAuthorityData string) *configv1alpha1.CredentialIssuerConfig {
@@ -224,36 +224,36 @@ func TestRun(t *testing.T) {
 			wantError: "some error configuring clientset",
 		},
 		{
-			name: "fail to get IDPs",
+			name: "fail to get authenticators",
 			mocks: func(cmd *getKubeConfigCommand) {
-				cmd.flags.idpName = ""
-				cmd.flags.idpType = ""
+				cmd.flags.authenticatorName = ""
+				cmd.flags.authenticatorType = ""
 				clientset := pinnipedfake.NewSimpleClientset()
 				clientset.PrependReactor("*", "*", func(_ coretesting.Action) (bool, runtime.Object, error) {
-					return true, nil, fmt.Errorf("some error getting IDPs")
+					return true, nil, fmt.Errorf("some error getting authenticators")
 				})
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return clientset, nil
 				}
 			},
-			wantError: "some error getting IDPs",
+			wantError: "some error getting authenticators",
 		},
 		{
-			name: "zero IDPs",
+			name: "zero authenticators",
 			mocks: func(cmd *getKubeConfigCommand) {
-				cmd.flags.idpName = ""
-				cmd.flags.idpType = ""
+				cmd.flags.authenticatorName = ""
+				cmd.flags.authenticatorType = ""
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(), nil
 				}
 			},
-			wantError: `no identity providers were found in namespace "test-namespace"`,
+			wantError: `no authenticators were found in namespace "test-namespace"`,
 		},
 		{
-			name: "multiple IDPs",
+			name: "multiple authenticators",
 			mocks: func(cmd *getKubeConfigCommand) {
-				cmd.flags.idpName = ""
-				cmd.flags.idpType = ""
+				cmd.flags.authenticatorName = ""
+				cmd.flags.authenticatorType = ""
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
 						&authv1alpha.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-one"}},
@@ -261,7 +261,7 @@ func TestRun(t *testing.T) {
 					), nil
 				}
 			},
-			wantError: `multiple identity providers were found in namespace "test-namespace", so --pinniped-idp-name/--pinniped-idp-type must be specified`,
+			wantError: `multiple authenticators were found in namespace "test-namespace", so --authenticator-name/--authenticator-type must be specified`,
 		},
 		{
 			name: "fail to get CredentialIssuerConfigs",
@@ -330,41 +330,41 @@ func TestRun(t *testing.T) {
 				}
 			},
 			wantStdout: expectedKubeconfigYAML{
-				clusterCAData:    "ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==",
-				clusterServer:    "https://fake-server-url-value",
-				command:          "/path/to/pinniped",
-				token:            "test-token",
-				pinnipedEndpoint: "https://fake-server-url-value",
-				pinnipedCABundle: "fake-certificate-authority-data-value",
-				namespace:        "test-namespace",
-				idpType:          "test-idp-type",
-				idpName:          "test-idp-name",
+				clusterCAData:     "ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==",
+				clusterServer:     "https://fake-server-url-value",
+				command:           "/path/to/pinniped",
+				token:             "test-token",
+				pinnipedEndpoint:  "https://fake-server-url-value",
+				pinnipedCABundle:  "fake-certificate-authority-data-value",
+				namespace:         "test-namespace",
+				authenticatorType: "test-authenticator-type",
+				authenticatorName: "test-authenticator-name",
 			}.String(),
 		},
 		{
-			name: "success using local CA data and discovered IDP",
+			name: "success using local CA data and discovered authenticator",
 			mocks: func(cmd *getKubeConfigCommand) {
-				cmd.flags.idpName = ""
-				cmd.flags.idpType = ""
+				cmd.flags.authenticatorName = ""
+				cmd.flags.authenticatorType = ""
 
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						&authv1alpha.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-idp"}},
+						&authv1alpha.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-authenticator"}},
 						newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://example.com", "test-ca"),
 					), nil
 				}
 			},
 			wantStderr: `WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.`,
 			wantStdout: expectedKubeconfigYAML{
-				clusterCAData:    "ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==",
-				clusterServer:    "https://fake-server-url-value",
-				command:          "/path/to/pinniped",
-				token:            "test-token",
-				pinnipedEndpoint: "https://fake-server-url-value",
-				pinnipedCABundle: "fake-certificate-authority-data-value",
-				namespace:        "test-namespace",
-				idpType:          "webhook",
-				idpName:          "discovered-idp",
+				clusterCAData:     "ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==",
+				clusterServer:     "https://fake-server-url-value",
+				command:           "/path/to/pinniped",
+				token:             "test-token",
+				pinnipedEndpoint:  "https://fake-server-url-value",
+				pinnipedCABundle:  "fake-certificate-authority-data-value",
+				namespace:         "test-namespace",
+				authenticatorType: "webhook",
+				authenticatorName: "discovered-authenticator",
 			}.String(),
 		},
 	}
@@ -377,8 +377,8 @@ func TestRun(t *testing.T) {
 			c := newGetKubeConfigCommand()
 			c.flags.token = "test-token"
 			c.flags.namespace = "test-namespace"
-			c.flags.idpName = "test-idp-name"
-			c.flags.idpType = "test-idp-type"
+			c.flags.authenticatorName = "test-authenticator-name"
+			c.flags.authenticatorType = "test-authenticator-type"
 			c.getPathToSelf = func() (string, error) { return "/path/to/pinniped", nil }
 			c.flags.kubeconfig = "./testdata/kubeconfig.yaml"
 			tt.mocks(c)
diff --git a/doc/demo.md b/doc/demo.md
index 4d6fcafed..1da8e392b 100644
--- a/doc/demo.md
+++ b/doc/demo.md
@@ -143,7 +143,7 @@ as the identity provider.
    allow you to authenticate as the user that you created above.
 
    ```bash
-   pinniped get-kubeconfig --token "pinny-the-seal:password123" --idp-type webhook --idp-name local-user-authenticator > /tmp/pinniped-kubeconfig
+   pinniped get-kubeconfig --token "pinny-the-seal:password123" --authenticator-type webhook --authenticator-name local-user-authenticator > /tmp/pinniped-kubeconfig
    ```
 
    If you are using MacOS, you may get an error dialog that says
diff --git a/internal/client/client.go b/internal/client/client.go
index b29849e88..435b59271 100644
--- a/internal/client/client.go
+++ b/internal/client/client.go
@@ -23,7 +23,7 @@ import (
 var ErrLoginFailed = errors.New("login failed")
 
 // ExchangeToken exchanges an opaque token using the Pinniped TokenCredentialRequest API, returning a client-go ExecCredential valid on the target cluster.
-func ExchangeToken(ctx context.Context, namespace string, idp corev1.TypedLocalObjectReference, token string, caBundle string, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
+func ExchangeToken(ctx context.Context, namespace string, authenticator corev1.TypedLocalObjectReference, token string, caBundle string, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
 	client, err := getClient(apiEndpoint, caBundle)
 	if err != nil {
 		return nil, fmt.Errorf("could not get API client: %w", err)
@@ -35,7 +35,7 @@ func ExchangeToken(ctx context.Context, namespace string, idp corev1.TypedLocalO
 		},
 		Spec: v1alpha1.TokenCredentialRequestSpec{
 			Token:         token,
-			Authenticator: idp,
+			Authenticator: authenticator,
 		},
 	}, metav1.CreateOptions{})
 	if err != nil {
diff --git a/internal/client/client_test.go b/internal/client/client_test.go
index e30d4dd24..7a0e47cfa 100644
--- a/internal/client/client_test.go
+++ b/internal/client/client_test.go
@@ -25,7 +25,7 @@ func TestExchangeToken(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
-	testIDP := corev1.TypedLocalObjectReference{
+	testAuthenticator := corev1.TypedLocalObjectReference{
 		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
 		Kind:     "WebhookAuthenticator",
 		Name:     "test-webhook",
@@ -33,7 +33,7 @@ func TestExchangeToken(t *testing.T) {
 
 	t.Run("invalid configuration", func(t *testing.T) {
 		t.Parallel()
-		got, err := ExchangeToken(ctx, "test-namespace", testIDP, "", "", "")
+		got, err := ExchangeToken(ctx, "test-namespace", testAuthenticator, "", "", "")
 		require.EqualError(t, err, "could not get API client: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable")
 		require.Nil(t, got)
 	})
@@ -46,7 +46,7 @@ func TestExchangeToken(t *testing.T) {
 			_, _ = w.Write([]byte("some server error"))
 		})
 
-		got, err := ExchangeToken(ctx, "test-namespace", testIDP, "", caBundle, endpoint)
+		got, err := ExchangeToken(ctx, "test-namespace", testAuthenticator, "", caBundle, endpoint)
 		require.EqualError(t, err, `could not login: an error on the server ("some server error") has prevented the request from succeeding (post tokencredentialrequests.login.concierge.pinniped.dev)`)
 		require.Nil(t, got)
 	})
@@ -63,7 +63,7 @@ func TestExchangeToken(t *testing.T) {
 			})
 		})
 
-		got, err := ExchangeToken(ctx, "test-namespace", testIDP, "", caBundle, endpoint)
+		got, err := ExchangeToken(ctx, "test-namespace", testAuthenticator, "", caBundle, endpoint)
 		require.EqualError(t, err, `login failed: some login failure`)
 		require.Nil(t, got)
 	})
@@ -78,7 +78,7 @@ func TestExchangeToken(t *testing.T) {
 			})
 		})
 
-		got, err := ExchangeToken(ctx, "test-namespace", testIDP, "", caBundle, endpoint)
+		got, err := ExchangeToken(ctx, "test-namespace", testAuthenticator, "", caBundle, endpoint)
 		require.EqualError(t, err, `login failed: unknown`)
 		require.Nil(t, got)
 	})
@@ -129,7 +129,7 @@ func TestExchangeToken(t *testing.T) {
 			})
 		})
 
-		got, err := ExchangeToken(ctx, "test-namespace", testIDP, "test-token", caBundle, endpoint)
+		got, err := ExchangeToken(ctx, "test-namespace", testAuthenticator, "test-token", caBundle, endpoint)
 		require.NoError(t, err)
 		require.Equal(t, &clientauthenticationv1beta1.ExecCredential{
 			TypeMeta: metav1.TypeMeta{
diff --git a/internal/concierge/server/server.go b/internal/concierge/server/server.go
index d474dcf8d..b3667b4df 100644
--- a/internal/concierge/server/server.go
+++ b/internal/concierge/server/server.go
@@ -18,7 +18,7 @@ import (
 	"go.pinniped.dev/internal/certauthority/dynamiccertauthority"
 	"go.pinniped.dev/internal/concierge/apiserver"
 	"go.pinniped.dev/internal/config/concierge"
-	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
+	"go.pinniped.dev/internal/controller/authenticator/authncache"
 	"go.pinniped.dev/internal/controllermanager"
 	"go.pinniped.dev/internal/downward"
 	"go.pinniped.dev/internal/dynamiccert"
@@ -104,8 +104,8 @@ func (a *App) runServer(ctx context.Context) error {
 	}
 	serverInstallationNamespace := podInfo.Namespace
 
-	// Initialize the cache of active identity providers.
-	idpCache := idpcache.New()
+	// Initialize the cache of active authenticators.
+	authenticators := authncache.New()
 
 	// This cert provider will provide certs to the API server and will
 	// be mutated by a controller to keep the certs up to date with what
@@ -131,7 +131,7 @@ func (a *App) runServer(ctx context.Context) error {
 			DynamicSigningCertProvider:  dynamicSigningCertProvider,
 			ServingCertDuration:         time.Duration(*cfg.APIConfig.ServingCertificateConfig.DurationSeconds) * time.Second,
 			ServingCertRenewBefore:      time.Duration(*cfg.APIConfig.ServingCertificateConfig.RenewBeforeSeconds) * time.Second,
-			IDPCache:                    idpCache,
+			AuthenticatorCache:          authenticators,
 		},
 	)
 	if err != nil {
@@ -141,7 +141,7 @@ func (a *App) runServer(ctx context.Context) error {
 	// Get the aggregated API server config.
 	aggregatedAPIServerConfig, err := getAggregatedAPIServerConfig(
 		dynamicServingCertProvider,
-		idpCache,
+		authenticators,
 		dynamiccertauthority.New(dynamicSigningCertProvider),
 		startControllersFunc,
 	)
diff --git a/internal/controller/identityprovider/idpcache/cache.go b/internal/controller/authenticator/authncache/cache.go
similarity index 81%
rename from internal/controller/identityprovider/idpcache/cache.go
rename to internal/controller/authenticator/authncache/cache.go
index dbf6954e8..00de2e1ef 100644
--- a/internal/controller/identityprovider/idpcache/cache.go
+++ b/internal/controller/authenticator/authncache/cache.go
@@ -1,8 +1,8 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-// Package idpcache implements a cache of active identity providers.
-package idpcache
+// Package authncache implements a cache of active authenticators.
+package authncache
 
 import (
 	"context"
@@ -17,12 +17,12 @@ import (
 )
 
 var (
-	// ErrNoSuchIDP is returned by Cache.AuthenticateTokenCredentialRequest() when the requested IDP is not configured.
-	ErrNoSuchIDP = fmt.Errorf("no such identity provider")
+	// ErrNoSuchAuthenticator is returned by Cache.AuthenticateTokenCredentialRequest() when the requested authenticator is not configured.
+	ErrNoSuchAuthenticator = fmt.Errorf("no such authenticator")
 )
 
-// Cache implements the authenticator.Token interface by multiplexing across a dynamic set of identity providers
-// loaded from IDP resources.
+// Cache implements the authenticator.Token interface by multiplexing across a dynamic set of authenticators
+// loaded from authenticator resources.
 type Cache struct {
 	cache sync.Map
 }
@@ -43,7 +43,7 @@ func New() *Cache {
 	return &Cache{}
 }
 
-// Get an identity provider by key.
+// Get an authenticator by key.
 func (c *Cache) Get(key Key) Value {
 	res, _ := c.cache.Load(key)
 	if res == nil {
@@ -52,12 +52,12 @@ func (c *Cache) Get(key Key) Value {
 	return res.(Value)
 }
 
-// Store an identity provider into the cache.
+// Store an authenticator into the cache.
 func (c *Cache) Store(key Key, value Value) {
 	c.cache.Store(key, value)
 }
 
-// Delete an identity provider from the cache.
+// Delete an authenticator from the cache.
 func (c *Cache) Delete(key Key) {
 	c.cache.Delete(key)
 }
@@ -93,14 +93,14 @@ func (c *Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req *log
 
 	val := c.Get(key)
 	if val == nil {
-		return nil, ErrNoSuchIDP
+		return nil, ErrNoSuchAuthenticator
 	}
 
 	// The incoming context could have an audience. Since we do not want to handle audiences right now, do not pass it
 	// through directly to the authentication webhook.
 	ctx = valuelessContext{ctx}
 
-	// Call the selected IDP.
+	// Call the selected authenticator.
 	resp, authenticated, err := val.AuthenticateToken(ctx, req.Spec.Token)
 	if err != nil {
 		return nil, err
diff --git a/internal/controller/identityprovider/idpcache/cache_test.go b/internal/controller/authenticator/authncache/cache_test.go
similarity index 96%
rename from internal/controller/identityprovider/idpcache/cache_test.go
rename to internal/controller/authenticator/authncache/cache_test.go
index 4b15b57b9..bd38d5c34 100644
--- a/internal/controller/identityprovider/idpcache/cache_test.go
+++ b/internal/controller/authenticator/authncache/cache_test.go
@@ -1,7 +1,7 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package idpcache
+package authncache
 
 import (
 	"context"
@@ -31,13 +31,13 @@ func TestCache(t *testing.T) {
 	cache := New()
 	require.NotNil(t, cache)
 
-	key1 := Key{Namespace: "foo", Name: "idp-one"}
+	key1 := Key{Namespace: "foo", Name: "authenticator-one"}
 	mockToken1 := mocktokenauthenticator.NewMockToken(ctrl)
 	cache.Store(key1, mockToken1)
 	require.Equal(t, mockToken1, cache.Get(key1))
 	require.Equal(t, 1, len(cache.Keys()))
 
-	key2 := Key{Namespace: "foo", Name: "idp-two"}
+	key2 := Key{Namespace: "foo", Name: "authenticator-two"}
 	mockToken2 := mocktokenauthenticator.NewMockToken(ctrl)
 	cache.Store(key2, mockToken2)
 	require.Equal(t, mockToken2, cache.Get(key2))
@@ -101,10 +101,10 @@ func TestAuthenticateTokenCredentialRequest(t *testing.T) {
 		return c
 	}
 
-	t.Run("no such IDP", func(t *testing.T) {
+	t.Run("no such authenticator", func(t *testing.T) {
 		c := New()
 		res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())
-		require.EqualError(t, err, "no such identity provider")
+		require.EqualError(t, err, "no such authenticator")
 		require.Nil(t, res)
 	})
 
diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go b/internal/controller/authenticator/webhookcachecleaner/webhookcachecleaner.go
similarity index 71%
rename from internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
rename to internal/controller/authenticator/webhookcachecleaner/webhookcachecleaner.go
index fcb69416e..c867c1aa7 100644
--- a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
+++ b/internal/controller/authenticator/webhookcachecleaner/webhookcachecleaner.go
@@ -1,7 +1,7 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-// Package webhookcachecleaner implements a controller for garbage collectting webhook IDPs from an IDP cache.
+// Package webhookcachecleaner implements a controller for garbage collecting webhook authenticators from an authenticator cache.
 package webhookcachecleaner
 
 import (
@@ -12,25 +12,25 @@ import (
 	"k8s.io/klog/v2"
 
 	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
-	idpinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/authentication/v1alpha1"
+	authinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/authentication/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
-	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
+	"go.pinniped.dev/internal/controller/authenticator/authncache"
 	"go.pinniped.dev/internal/controllerlib"
 )
 
 // New instantiates a new controllerlib.Controller which will garbage collect webhooks from the provided Cache.
-func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookAuthenticatorInformer, log logr.Logger) controllerlib.Controller {
+func New(cache *authncache.Cache, webhooks authinformers.WebhookAuthenticatorInformer, log logr.Logger) controllerlib.Controller {
 	return controllerlib.New(
 		controllerlib.Config{
 			Name: "webhookcachecleaner-controller",
 			Syncer: &controller{
-				cache:       cache,
-				webhookIDPs: webhookIDPs,
-				log:         log.WithName("webhookcachecleaner-controller"),
+				cache:    cache,
+				webhooks: webhooks,
+				log:      log.WithName("webhookcachecleaner-controller"),
 			},
 		},
 		controllerlib.WithInformer(
-			webhookIDPs,
+			webhooks,
 			pinnipedcontroller.MatchAnythingFilter(),
 			controllerlib.InformerOption{},
 		),
@@ -38,14 +38,14 @@ func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookAuthenticatorInf
 }
 
 type controller struct {
-	cache       *idpcache.Cache
-	webhookIDPs idpinformers.WebhookAuthenticatorInformer
-	log         logr.Logger
+	cache    *authncache.Cache
+	webhooks authinformers.WebhookAuthenticatorInformer
+	log      logr.Logger
 }
 
 // Sync implements controllerlib.Syncer.
 func (c *controller) Sync(_ controllerlib.Context) error {
-	webhooks, err := c.webhookIDPs.Lister().List(labels.Everything())
+	webhooks, err := c.webhooks.Lister().List(labels.Everything())
 	if err != nil {
 		return fmt.Errorf("failed to list WebhookAuthenticators: %w", err)
 	}
@@ -63,7 +63,7 @@ func (c *controller) Sync(_ controllerlib.Context) error {
 			continue
 		}
 		if _, exists := webhooksByKey[controllerlib.Key{Namespace: key.Namespace, Name: key.Name}]; !exists {
-			c.log.WithValues("idp", klog.KRef(key.Namespace, key.Name)).Info("deleting webhook IDP from cache")
+			c.log.WithValues("webhook", klog.KRef(key.Namespace, key.Name)).Info("deleting webhook authenticator from cache")
 			c.cache.Delete(key)
 		}
 	}
diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go b/internal/controller/authenticator/webhookcachecleaner/webhookcachecleaner_test.go
similarity index 77%
rename from internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
rename to internal/controller/authenticator/webhookcachecleaner/webhookcachecleaner_test.go
index d6c826354..4301dd29b 100644
--- a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
+++ b/internal/controller/authenticator/webhookcachecleaner/webhookcachecleaner_test.go
@@ -15,7 +15,7 @@ import (
 	authv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
 	pinnipedinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions"
-	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
+	"go.pinniped.dev/internal/controller/authenticator/authncache"
 	"go.pinniped.dev/internal/controllerlib"
 	"go.pinniped.dev/internal/testutil/testlogger"
 )
@@ -23,37 +23,37 @@ import (
 func TestController(t *testing.T) {
 	t.Parallel()
 
-	testKey1 := idpcache.Key{
+	testKey1 := authncache.Key{
 		APIGroup:  "authentication.concierge.pinniped.dev",
 		Kind:      "WebhookAuthenticator",
 		Namespace: "test-namespace",
 		Name:      "test-name-one",
 	}
-	testKey2 := idpcache.Key{
+	testKey2 := authncache.Key{
 		APIGroup:  "authentication.concierge.pinniped.dev",
 		Kind:      "WebhookAuthenticator",
 		Namespace: "test-namespace",
 		Name:      "test-name-two",
 	}
-	testKeyNonwebhook := idpcache.Key{
+	testKeyNonwebhook := authncache.Key{
 		APIGroup:  "authentication.concierge.pinniped.dev",
-		Kind:      "SomeOtherIdentityProvider",
+		Kind:      "SomeOtherAuthenticator",
 		Namespace: "test-namespace",
 		Name:      "test-name-one",
 	}
 
 	tests := []struct {
 		name          string
-		webhookIDPs   []runtime.Object
-		initialCache  map[idpcache.Key]idpcache.Value
+		webhooks      []runtime.Object
+		initialCache  map[authncache.Key]authncache.Value
 		wantErr       string
 		wantLogs      []string
-		wantCacheKeys []idpcache.Key
+		wantCacheKeys []authncache.Key
 	}{
 		{
 			name:         "no change",
-			initialCache: map[idpcache.Key]idpcache.Value{testKey1: nil},
-			webhookIDPs: []runtime.Object{
+			initialCache: map[authncache.Key]authncache.Value{testKey1: nil},
+			webhooks: []runtime.Object{
 				&authv1alpha.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
@@ -61,12 +61,12 @@ func TestController(t *testing.T) {
 					},
 				},
 			},
-			wantCacheKeys: []idpcache.Key{testKey1},
+			wantCacheKeys: []authncache.Key{testKey1},
 		},
 		{
-			name:         "IDPs not yet added",
+			name:         "authenticators not yet added",
 			initialCache: nil,
-			webhookIDPs: []runtime.Object{
+			webhooks: []runtime.Object{
 				&authv1alpha.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
@@ -80,16 +80,16 @@ func TestController(t *testing.T) {
 					},
 				},
 			},
-			wantCacheKeys: []idpcache.Key{},
+			wantCacheKeys: []authncache.Key{},
 		},
 		{
 			name: "successful cleanup",
-			initialCache: map[idpcache.Key]idpcache.Value{
+			initialCache: map[authncache.Key]authncache.Value{
 				testKey1:          nil,
 				testKey2:          nil,
 				testKeyNonwebhook: nil,
 			},
-			webhookIDPs: []runtime.Object{
+			webhooks: []runtime.Object{
 				&authv1alpha.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
@@ -98,9 +98,9 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantLogs: []string{
-				`webhookcachecleaner-controller "level"=0 "msg"="deleting webhook IDP from cache" "idp"={"name":"test-name-two","namespace":"test-namespace"}`,
+				`webhookcachecleaner-controller "level"=0 "msg"="deleting webhook authenticator from cache" "webhook"={"name":"test-name-two","namespace":"test-namespace"}`,
 			},
-			wantCacheKeys: []idpcache.Key{testKey1, testKeyNonwebhook},
+			wantCacheKeys: []authncache.Key{testKey1, testKeyNonwebhook},
 		},
 	}
 	for _, tt := range tests {
@@ -108,9 +108,9 @@ func TestController(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 
-			fakeClient := pinnipedfake.NewSimpleClientset(tt.webhookIDPs...)
+			fakeClient := pinnipedfake.NewSimpleClientset(tt.webhooks...)
 			informers := pinnipedinformers.NewSharedInformerFactory(fakeClient, 0)
-			cache := idpcache.New()
+			cache := authncache.New()
 			for k, v := range tt.initialCache {
 				cache.Store(k, v)
 			}
diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
similarity index 82%
rename from internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
rename to internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
index 55ba0c773..863f3f8c7 100644
--- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
@@ -1,7 +1,7 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-// Package webhookcachefiller implements a controller for filling an idpcache.Cache with each added/updated WebhookAuthenticator.
+// Package webhookcachefiller implements a controller for filling an authncache.Cache with each added/updated WebhookAuthenticator.
 package webhookcachefiller
 
 import (
@@ -21,25 +21,25 @@ import (
 	"k8s.io/klog/v2"
 
 	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
-	idpinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/authentication/v1alpha1"
+	authinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/authentication/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
-	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
+	"go.pinniped.dev/internal/controller/authenticator/authncache"
 	"go.pinniped.dev/internal/controllerlib"
 )
 
-// New instantiates a new controllerlib.Controller which will populate the provided idpcache.Cache.
-func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookAuthenticatorInformer, log logr.Logger) controllerlib.Controller {
+// New instantiates a new controllerlib.Controller which will populate the provided authncache.Cache.
+func New(cache *authncache.Cache, webhooks authinformers.WebhookAuthenticatorInformer, log logr.Logger) controllerlib.Controller {
 	return controllerlib.New(
 		controllerlib.Config{
 			Name: "webhookcachefiller-controller",
 			Syncer: &controller{
-				cache:       cache,
-				webhookIDPs: webhookIDPs,
-				log:         log.WithName("webhookcachefiller-controller"),
+				cache:    cache,
+				webhooks: webhooks,
+				log:      log.WithName("webhookcachefiller-controller"),
 			},
 		},
 		controllerlib.WithInformer(
-			webhookIDPs,
+			webhooks,
 			pinnipedcontroller.MatchAnythingFilter(),
 			controllerlib.InformerOption{},
 		),
@@ -47,14 +47,14 @@ func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookAuthenticatorInf
 }
 
 type controller struct {
-	cache       *idpcache.Cache
-	webhookIDPs idpinformers.WebhookAuthenticatorInformer
-	log         logr.Logger
+	cache    *authncache.Cache
+	webhooks authinformers.WebhookAuthenticatorInformer
+	log      logr.Logger
 }
 
 // Sync implements controllerlib.Syncer.
 func (c *controller) Sync(ctx controllerlib.Context) error {
-	obj, err := c.webhookIDPs.Lister().WebhookAuthenticators(ctx.Key.Namespace).Get(ctx.Key.Name)
+	obj, err := c.webhooks.Lister().WebhookAuthenticators(ctx.Key.Namespace).Get(ctx.Key.Name)
 	if err != nil && errors.IsNotFound(err) {
 		c.log.Info("Sync() found that the WebhookAuthenticator does not exist yet or was deleted")
 		return nil
@@ -68,13 +68,13 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
 		return fmt.Errorf("failed to build webhook config: %w", err)
 	}
 
-	c.cache.Store(idpcache.Key{
+	c.cache.Store(authncache.Key{
 		APIGroup:  auth1alpha1.GroupName,
 		Kind:      "WebhookAuthenticator",
 		Namespace: ctx.Key.Namespace,
 		Name:      ctx.Key.Name,
 	}, webhookAuthenticator)
-	c.log.WithValues("idp", klog.KObj(obj), "endpoint", obj.Spec.Endpoint).Info("added new webhook IDP")
+	c.log.WithValues("webhook", klog.KObj(obj), "endpoint", obj.Spec.Endpoint).Info("added new webhook authenticator")
 	return nil
 }
 
diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
similarity index 93%
rename from internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
rename to internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
index 79244c3f8..d70a88fdd 100644
--- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
@@ -22,7 +22,7 @@ import (
 	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
 	pinnipedinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions"
-	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
+	"go.pinniped.dev/internal/controller/authenticator/authncache"
 	"go.pinniped.dev/internal/controllerlib"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/testutil/testlogger"
@@ -34,7 +34,7 @@ func TestController(t *testing.T) {
 	tests := []struct {
 		name             string
 		syncKey          controllerlib.Key
-		webhookIDPs      []runtime.Object
+		webhooks         []runtime.Object
 		wantErr          string
 		wantLogs         []string
 		wantCacheEntries int
@@ -49,7 +49,7 @@ func TestController(t *testing.T) {
 		{
 			name:    "invalid webhook",
 			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
-			webhookIDPs: []runtime.Object{
+			webhooks: []runtime.Object{
 				&auth1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: "test-namespace",
@@ -65,7 +65,7 @@ func TestController(t *testing.T) {
 		{
 			name:    "valid webhook",
 			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
-			webhookIDPs: []runtime.Object{
+			webhooks: []runtime.Object{
 				&auth1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: "test-namespace",
@@ -78,7 +78,7 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantLogs: []string{
-				`webhookcachefiller-controller "level"=0 "msg"="added new webhook IDP" "endpoint"="https://example.com" "idp"={"name":"test-name","namespace":"test-namespace"}`,
+				`webhookcachefiller-controller "level"=0 "msg"="added new webhook authenticator" "endpoint"="https://example.com" "webhook"={"name":"test-name","namespace":"test-namespace"}`,
 			},
 			wantCacheEntries: 1,
 		},
@@ -88,9 +88,9 @@ func TestController(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 
-			fakeClient := pinnipedfake.NewSimpleClientset(tt.webhookIDPs...)
+			fakeClient := pinnipedfake.NewSimpleClientset(tt.webhooks...)
 			informers := pinnipedinformers.NewSharedInformerFactory(fakeClient, 0)
-			cache := idpcache.New()
+			cache := authncache.New()
 			testLog := testlogger.New(t)
 
 			controller := New(cache, informers.Authentication().V1alpha1().WebhookAuthenticators(), testLog)
diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go
index 8a3d2acd6..8b3b85f5a 100644
--- a/internal/controllermanager/prepare_controllers.go
+++ b/internal/controllermanager/prepare_controllers.go
@@ -24,9 +24,9 @@ import (
 	pinnipedinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions"
 	"go.pinniped.dev/internal/config/concierge"
 	"go.pinniped.dev/internal/controller/apicerts"
-	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
-	"go.pinniped.dev/internal/controller/identityprovider/webhookcachecleaner"
-	"go.pinniped.dev/internal/controller/identityprovider/webhookcachefiller"
+	"go.pinniped.dev/internal/controller/authenticator/authncache"
+	"go.pinniped.dev/internal/controller/authenticator/webhookcachecleaner"
+	"go.pinniped.dev/internal/controller/authenticator/webhookcachefiller"
 	"go.pinniped.dev/internal/controller/issuerconfig"
 	"go.pinniped.dev/internal/controller/kubecertagent"
 	"go.pinniped.dev/internal/controllerlib"
@@ -70,8 +70,8 @@ type Config struct {
 	// certificate.
 	ServingCertRenewBefore time.Duration
 
-	// IDPCache is a cache of authenticators shared amongst various IDP-related controllers.
-	IDPCache *idpcache.Cache
+	// AuthenticatorCache is a cache of authenticators shared amongst various authenticated-related controllers.
+	AuthenticatorCache *authncache.Cache
 
 	// Labels are labels that should be added to any resources created by the controllers.
 	Labels map[string]string
@@ -227,11 +227,11 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 			singletonWorker,
 		).
 
-		// The cache filler controllers are responsible for keep an in-memory representation of active
-		// IDPs up to date.
+		// The cache filler/cleaner controllers are responsible for keep an in-memory representation of active
+		// authenticators up to date.
 		WithController(
 			webhookcachefiller.New(
-				c.IDPCache,
+				c.AuthenticatorCache,
 				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookAuthenticators(),
 				klogr.New(),
 			),
@@ -239,7 +239,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		).
 		WithController(
 			webhookcachecleaner.New(
-				c.IDPCache,
+				c.AuthenticatorCache,
 				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookAuthenticators(),
 				klogr.New(),
 			),
diff --git a/test/integration/cli_test.go b/test/integration/cli_test.go
index 35d2fd965..93d8fb198 100644
--- a/test/integration/cli_test.go
+++ b/test/integration/cli_test.go
@@ -38,13 +38,13 @@ func TestCLIGetKubeconfig(t *testing.T) {
 	ctx, cancelFunc := context.WithTimeout(context.Background(), 4*time.Minute)
 	defer cancelFunc()
 
-	idp := library.CreateTestWebhookIDP(ctx, t)
+	authenticator := library.CreateTestWebhookAuthenticator(ctx, t)
 
 	// Build pinniped CLI.
 	pinnipedExe := buildPinnipedCLI(t)
 
 	// Run pinniped CLI to get kubeconfig.
-	kubeConfigYAML := runPinnipedCLIGetKubeconfig(t, pinnipedExe, env.TestUser.Token, env.ConciergeNamespace, "webhook", idp.Name)
+	kubeConfigYAML := runPinnipedCLIGetKubeconfig(t, pinnipedExe, env.TestUser.Token, env.ConciergeNamespace, "webhook", authenticator.Name)
 
 	// In addition to the client-go based testing below, also try the kubeconfig
 	// with kubectl to validate that it works.
@@ -91,7 +91,7 @@ func buildPinnipedCLI(t *testing.T) string {
 	return pinnipedExe
 }
 
-func runPinnipedCLIGetKubeconfig(t *testing.T, pinnipedExe, token, namespaceName, idpType, idpName string) string {
+func runPinnipedCLIGetKubeconfig(t *testing.T, pinnipedExe, token, namespaceName, authenticatorType, authenticatorName string) string {
 	t.Helper()
 
 	output, err := exec.Command(
@@ -99,8 +99,8 @@ func runPinnipedCLIGetKubeconfig(t *testing.T, pinnipedExe, token, namespaceName
 		"get-kubeconfig",
 		"--token", token,
 		"--pinniped-namespace", namespaceName,
-		"--idp-type", idpType,
-		"--idp-name", idpName,
+		"--authenticator-type", authenticatorType,
+		"--authenticator-name", authenticatorName,
 	).CombinedOutput()
 	require.NoError(t, err, string(output))
 
diff --git a/test/integration/client_test.go b/test/integration/client_test.go
index a5dba407b..6e4701204 100644
--- a/test/integration/client_test.go
+++ b/test/integration/client_test.go
@@ -60,7 +60,7 @@ func TestClient(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 
-	idp := library.CreateTestWebhookIDP(ctx, t)
+	webhook := library.CreateTestWebhookAuthenticator(ctx, t)
 
 	// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
 	invalidClient := library.NewClientsetWithCertAndKey(t, testCert, testKey)
@@ -72,7 +72,7 @@ func TestClient(t *testing.T) {
 
 	var resp *clientauthenticationv1beta1.ExecCredential
 	assert.Eventually(t, func() bool {
-		resp, err = client.ExchangeToken(ctx, env.ConciergeNamespace, idp, env.TestUser.Token, string(clientConfig.CAData), clientConfig.Host)
+		resp, err = client.ExchangeToken(ctx, env.ConciergeNamespace, webhook, env.TestUser.Token, string(clientConfig.CAData), clientConfig.Host)
 		return err == nil
 	}, 10*time.Second, 500*time.Millisecond)
 	require.NoError(t, err)
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index 3467340a6..869f272c9 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -44,7 +44,7 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 6*time.Minute)
 	defer cancel()
 
-	testWebhook := library.CreateTestWebhookIDP(ctx, t)
+	testWebhook := library.CreateTestWebhookAuthenticator(ctx, t)
 
 	var response *loginv1alpha1.TokenCredentialRequest
 	successfulResponse := func() bool {
@@ -125,7 +125,7 @@ func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheCl
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
 	defer cancel()
 
-	testWebhook := library.CreateTestWebhookIDP(ctx, t)
+	testWebhook := library.CreateTestWebhookAuthenticator(ctx, t)
 
 	response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, testWebhook))
 
@@ -152,10 +152,10 @@ func makeRequest(ctx context.Context, t *testing.T, spec loginv1alpha1.TokenCred
 	}, metav1.CreateOptions{})
 }
 
-func validCredentialRequestSpecWithRealToken(t *testing.T, idp corev1.TypedLocalObjectReference) loginv1alpha1.TokenCredentialRequestSpec {
+func validCredentialRequestSpecWithRealToken(t *testing.T, authenticator corev1.TypedLocalObjectReference) loginv1alpha1.TokenCredentialRequestSpec {
 	return loginv1alpha1.TokenCredentialRequestSpec{
 		Token:         library.IntegrationEnv(t).TestUser.Token,
-		Authenticator: idp,
+		Authenticator: authenticator,
 	}
 }
 
diff --git a/test/library/client.go b/test/library/client.go
index 17485e17e..c7cb1356f 100644
--- a/test/library/client.go
+++ b/test/library/client.go
@@ -119,10 +119,10 @@ func newAnonymousClientRestConfigWithCertAndKeyAdded(t *testing.T, clientCertifi
 	return config
 }
 
-// CreateTestWebhookIDP creates and returns a test WebhookAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be
+// CreateTestWebhookAuthenticator creates and returns a test WebhookAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be
 // automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which
-// descibes the test IDP within the test namespace.
-func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
+// describes the test webhook authenticator within the test namespace.
+func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
 	t.Helper()
 	testEnv := IntegrationEnv(t)
 
@@ -132,7 +132,7 @@ func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalOb
 	createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
 
-	idp, err := webhooks.Create(createContext, &auth1alpha1.WebhookAuthenticator{
+	webhook, err := webhooks.Create(createContext, &auth1alpha1.WebhookAuthenticator{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "test-webhook-",
 			Labels:       map[string]string{"pinniped.dev/test": ""},
@@ -141,21 +141,21 @@ func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalOb
 		Spec: testEnv.TestWebhook,
 	}, metav1.CreateOptions{})
 	require.NoError(t, err, "could not create test WebhookAuthenticator")
-	t.Logf("created test WebhookAuthenticator %s/%s", idp.Namespace, idp.Name)
+	t.Logf("created test WebhookAuthenticator %s/%s", webhook.Namespace, webhook.Name)
 
 	t.Cleanup(func() {
 		t.Helper()
-		t.Logf("cleaning up test WebhookAuthenticator %s/%s", idp.Namespace, idp.Name)
+		t.Logf("cleaning up test WebhookAuthenticator %s/%s", webhook.Namespace, webhook.Name)
 		deleteCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
-		err := webhooks.Delete(deleteCtx, idp.Name, metav1.DeleteOptions{})
-		require.NoErrorf(t, err, "could not cleanup test WebhookAuthenticator %s/%s", idp.Namespace, idp.Name)
+		err := webhooks.Delete(deleteCtx, webhook.Name, metav1.DeleteOptions{})
+		require.NoErrorf(t, err, "could not cleanup test WebhookAuthenticator %s/%s", webhook.Namespace, webhook.Name)
 	})
 
 	return corev1.TypedLocalObjectReference{
 		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
 		Kind:     "WebhookAuthenticator",
-		Name:     idp.Name,
+		Name:     webhook.Name,
 	}
 }