Enforce more imports

- k8s.io/apimachinery/pkg/apis/meta/v1 - k8s.io/api/core/v1 - github.com/coreos/go-oidc/v3/oidc - github.com/ory/fosite/handler/oauth2 - go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1
2026-02-14 18:10:17 +00:00 · 2024-05-11 22:17:37 -05:00
parent 875b0739aa
commit e9252a9ee3
43 changed files with 496 additions and 481 deletions
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -100,3 +100,16 @@ linters-settings:
      alias: utilerrors
    - pkg: k8s.io/apimachinery/pkg/api/errors
      alias: apierrors
+    - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
+      alias: metav1
+    # k8s.io libs
+    - pkg: k8s.io/api/core/v1
+      alias: corev1
+    # OAuth2/OIDC/Fosite libs
+    - pkg: github.com/coreos/go-oidc/v3/oidc
+      alias: coreosoidc
+    - pkg: github.com/ory/fosite/handler/oauth2
+      alias: fositeoauth2
+    # Generated Pinniped libs
+    - pkg: go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1
+      alias: authenticationv1alpha1
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -25,7 +25,7 @@ import (
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/utils/strings/slices"

-	conciergev1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 	idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
@@ -477,7 +477,7 @@ func logStrategies(credentialIssuer *configv1alpha1.CredentialIssuer, log plog.M

 func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconfigParams, log plog.MinLogger) error {
 	switch auth := authenticator.(type) {
-	case *conciergev1alpha1.WebhookAuthenticator:
+	case *authenticationv1alpha1.WebhookAuthenticator:
 		// If the --concierge-authenticator-type/--concierge-authenticator-name flags were not set explicitly, set
 		// them to point at the discovered WebhookAuthenticator.
 		if flags.concierge.authenticatorType == "" && flags.concierge.authenticatorName == "" {
@@ -485,7 +485,7 @@ func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconf
 			flags.concierge.authenticatorType = "webhook"
 			flags.concierge.authenticatorName = auth.Name
 		}
-	case *conciergev1alpha1.JWTAuthenticator:
+	case *authenticationv1alpha1.JWTAuthenticator:
 		// If the --concierge-authenticator-type/--concierge-authenticator-name flags were not set explicitly, set
 		// them to point at the discovered JWTAuthenticator.
 		if flags.concierge.authenticatorType == "" && flags.concierge.authenticatorName == "" {
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@@ -20,7 +20,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/utils/ptr"

-	conciergev1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 	fakeconciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
@@ -64,12 +64,12 @@ func TestGetKubeconfig(t *testing.T) {
 	}

 	jwtAuthenticator := func(issuerCABundle string, issuerURL string) runtime.Object {
-		return &conciergev1alpha1.JWTAuthenticator{
+		return &authenticationv1alpha1.JWTAuthenticator{
 			ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
-			Spec: conciergev1alpha1.JWTAuthenticatorSpec{
+			Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 				Issuer:   issuerURL,
 				Audience: "test-audience",
-				TLS: &conciergev1alpha1.TLSSpec{
+				TLS: &authenticationv1alpha1.TLSSpec{
 					CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(issuerCABundle)),
 				},
 			},
@@ -445,10 +445,10 @@ func TestGetKubeconfig(t *testing.T) {
 			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 				return []runtime.Object{
 					&configv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
-					&conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1"}},
-					&conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2"}},
-					&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3"}},
-					&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4"}},
+					&authenticationv1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1"}},
+					&authenticationv1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2"}},
+					&authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3"}},
+					&authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4"}},
 				}
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -485,7 +485,7 @@ func TestGetKubeconfig(t *testing.T) {
 							}},
 						},
 					},
-					&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+					&authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 				}
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -546,7 +546,7 @@ func TestGetKubeconfig(t *testing.T) {
 							},
 						},
 					},
-					&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+					&authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 				}
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -571,7 +571,7 @@ func TestGetKubeconfig(t *testing.T) {
 			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 				return []runtime.Object{
 					credentialIssuer(),
-					&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+					&authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 				}
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -615,12 +615,12 @@ func TestGetKubeconfig(t *testing.T) {
 							}},
 						},
 					},
-					&conciergev1alpha1.JWTAuthenticator{
+					&authenticationv1alpha1.JWTAuthenticator{
 						ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
-						Spec: conciergev1alpha1.JWTAuthenticatorSpec{
+						Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 							Issuer:   issuerURL,
 							Audience: "some-test-audience",
-							TLS: &conciergev1alpha1.TLSSpec{
+							TLS: &authenticationv1alpha1.TLSSpec{
 								CertificateAuthorityData: "invalid-base64",
 							},
 						},
@@ -653,12 +653,12 @@ func TestGetKubeconfig(t *testing.T) {
 			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 				return []runtime.Object{
 					credentialIssuer(),
-					&conciergev1alpha1.JWTAuthenticator{
+					&authenticationv1alpha1.JWTAuthenticator{
 						ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
-						Spec: conciergev1alpha1.JWTAuthenticatorSpec{
+						Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 							Issuer:   issuerURL,
 							Audience: "some-test-audience.pinniped.dev-invalid-substring",
-							TLS: &conciergev1alpha1.TLSSpec{
+							TLS: &authenticationv1alpha1.TLSSpec{
 								CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(issuerCABundle)),
 							},
 						},
@@ -758,7 +758,7 @@ func TestGetKubeconfig(t *testing.T) {
 			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 				return []runtime.Object{
 					credentialIssuer(),
-					&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+					&authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 				}
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -1008,9 +1008,9 @@ func TestGetKubeconfig(t *testing.T) {
 			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 				return []runtime.Object{
 					credentialIssuer(),
-					&conciergev1alpha1.JWTAuthenticator{
+					&authenticationv1alpha1.JWTAuthenticator{
 						ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
-						Spec: conciergev1alpha1.JWTAuthenticatorSpec{
+						Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 							Issuer:   issuerURL,
 							Audience: "test-audience",
 						},
@@ -1047,9 +1047,9 @@ func TestGetKubeconfig(t *testing.T) {
 			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 				return []runtime.Object{
 					credentialIssuer(),
-					&conciergev1alpha1.JWTAuthenticator{
+					&authenticationv1alpha1.JWTAuthenticator{
 						ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
-						Spec: conciergev1alpha1.JWTAuthenticatorSpec{
+						Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 							Issuer:   issuerURL,
 							Audience: "test-audience",
 						},
@@ -1397,7 +1397,7 @@ func TestGetKubeconfig(t *testing.T) {
 			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 				return []runtime.Object{
 					credentialIssuer(),
-					&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+					&authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 				}
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -1461,7 +1461,7 @@ func TestGetKubeconfig(t *testing.T) {
 			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 				return []runtime.Object{
 					credentialIssuer(),
-					&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+					&authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 				}
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -1615,7 +1615,7 @@ func TestGetKubeconfig(t *testing.T) {
 			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 				return []runtime.Object{
 					credentialIssuer(),
-					&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+					&authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 				}
 			},
 			oidcDiscoveryResponse: onlyIssuerOIDCDiscoveryResponse,
@@ -3145,7 +3145,7 @@ func TestGetKubeconfig(t *testing.T) {
 			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 				return []runtime.Object{
 					credentialIssuer(),
-					&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+					&authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 				}
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
--- a/internal/controller/authenticator/authenticator.go
+++ b/internal/controller/authenticator/authenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package authenticator contains helper code for dealing with *Authenticator CRDs.
@@ -11,7 +11,7 @@ import (

 	"k8s.io/client-go/util/cert"

-	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 )

 // Closer is a type that can be closed idempotently.
@@ -25,7 +25,7 @@ type Closer interface {
 // CABundle returns a PEM-encoded CA bundle from the provided spec. If the provided spec is nil, a
 // nil CA bundle will be returned. If the provided spec contains a CA bundle that is not properly
 // encoded, an error will be returned.
-func CABundle(spec *auth1alpha1.TLSSpec) (*x509.CertPool, []byte, error) {
+func CABundle(spec *authenticationv1alpha1.TLSSpec) (*x509.CertPool, []byte, error) {
 	if spec == nil || len(spec.CertificateAuthorityData) == 0 {
 		return nil, nil, nil
 	}
--- a/internal/controller/authenticator/authncache/cache_test.go
+++ b/internal/controller/authenticator/authncache/cache_test.go
@@ -17,7 +17,7 @@ import (
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"

-	authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	loginapi "go.pinniped.dev/generated/latest/apis/concierge/login"
 	"go.pinniped.dev/internal/mocks/mocktokenauthenticator"
 )
@@ -75,7 +75,7 @@ func TestAuthenticateTokenCredentialRequest(t *testing.T) {
 		},
 		Spec: loginapi.TokenCredentialRequestSpec{
 			Authenticator: corev1.TypedLocalObjectReference{
-				APIGroup: &authv1alpha.SchemeGroupVersion.Group,
+				APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
 				Kind:     "WebhookAuthenticator",
 				Name:     "test-name",
 			},
--- a/internal/controller/authenticator/cachecleaner/cachecleaner.go
+++ b/internal/controller/authenticator/cachecleaner/cachecleaner.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package cachecleaner implements a controller for garbage collecting authenticators from an authenticator cache.
@@ -11,7 +11,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/klog/v2"

-	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	authinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/authentication/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/authenticator"
@@ -74,7 +74,7 @@ func (c *controller) Sync(_ controllerlib.Context) error {
 		key := authncache.Key{
 			Name:     webhook.Name,
 			Kind:     "WebhookAuthenticator",
-			APIGroup: auth1alpha1.SchemeGroupVersion.Group,
+			APIGroup: authenticationv1alpha1.SchemeGroupVersion.Group,
 		}
 		authenticatorSet[key] = true
 	}
@@ -82,14 +82,14 @@ func (c *controller) Sync(_ controllerlib.Context) error {
 		key := authncache.Key{
 			Name:     jwtAuthenticator.Name,
 			Kind:     "JWTAuthenticator",
-			APIGroup: auth1alpha1.SchemeGroupVersion.Group,
+			APIGroup: authenticationv1alpha1.SchemeGroupVersion.Group,
 		}
 		authenticatorSet[key] = true
 	}

 	// Delete any entries from the cache which are no longer in the cluster.
 	for _, key := range c.cache.Keys() {
-		if key.APIGroup != auth1alpha1.SchemeGroupVersion.Group || (key.Kind != "WebhookAuthenticator" && key.Kind != "JWTAuthenticator") {
+		if key.APIGroup != authenticationv1alpha1.SchemeGroupVersion.Group || (key.Kind != "WebhookAuthenticator" && key.Kind != "JWTAuthenticator") {
 			continue
 		}
 		if _, exists := authenticatorSet[key]; !exists {
--- a/internal/controller/authenticator/cachecleaner/cachecleaner_test.go
+++ b/internal/controller/authenticator/cachecleaner/cachecleaner_test.go
@@ -12,7 +12,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/authentication/authenticator"

-	authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	pinnipedfake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
 	pinnipedinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"
 	controllerAuthenticator "go.pinniped.dev/internal/controller/authenticator"
@@ -65,12 +65,12 @@ func TestController(t *testing.T) {
 				cache.Store(testJWTAuthenticatorKey1, nil)
 			},
 			objects: []runtime.Object{
-				&authv1alpha.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testWebhookKey1.Name,
 					},
 				},
-				&authv1alpha.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testJWTAuthenticatorKey1.Name,
 					},
@@ -81,22 +81,22 @@ func TestController(t *testing.T) {
 		{
 			name: "authenticators not yet added",
 			objects: []runtime.Object{
-				&authv1alpha.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testWebhookKey1.Name,
 					},
 				},
-				&authv1alpha.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testWebhookKey2.Name,
 					},
 				},
-				&authv1alpha.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testJWTAuthenticatorKey1.Name,
 					},
 				},
-				&authv1alpha.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testJWTAuthenticatorKey2.Name,
 					},
@@ -114,12 +114,12 @@ func TestController(t *testing.T) {
 				cache.Store(testKeyUnknownType, nil)
 			},
 			objects: []runtime.Object{
-				&authv1alpha.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testWebhookKey1.Name,
 					},
 				},
-				&authv1alpha.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testJWTAuthenticatorKey1.Name,
 					},
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
@@ -29,7 +29,7 @@ import (
 	"k8s.io/utils/clock"
 	"k8s.io/utils/ptr"

-	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 	authinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/authentication/v1alpha1"
@@ -103,7 +103,7 @@ type tokenAuthenticatorCloser interface {

 type cachedJWTAuthenticator struct {
 	authenticator.Token
-	spec   *auth1alpha1.JWTAuthenticatorSpec
+	spec   *authenticationv1alpha1.JWTAuthenticatorSpec
 	cancel context.CancelFunc
 }

@@ -161,7 +161,7 @@ func (c *jwtCacheFillerController) Sync(ctx controllerlib.Context) error {
 	}

 	cacheKey := authncache.Key{
-		APIGroup: auth1alpha1.GroupName,
+		APIGroup: authenticationv1alpha1.GroupName,
 		Kind:     "JWTAuthenticator",
 		Name:     ctx.Key.Name,
 	}
@@ -245,7 +245,7 @@ func (c *jwtCacheFillerController) extractValueAsJWTAuthenticator(value authncac
 	return jwtAuthenticator
 }

-func (c *jwtCacheFillerController) validateTLS(tlsSpec *auth1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []*metav1.Condition, bool) {
+func (c *jwtCacheFillerController) validateTLS(tlsSpec *authenticationv1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []*metav1.Condition, bool) {
 	rootCAs, _, err := pinnipedauthenticator.CABundle(tlsSpec)
 	if err != nil {
 		msg := fmt.Sprintf("%s: %s", "invalid TLS configuration", err.Error())
@@ -504,7 +504,7 @@ func (c *jwtCacheFillerController) validateJWKSFetch(ctx context.Context, jwksUR
 }

 // newCachedJWTAuthenticator creates a jwt authenticator from the provided spec.
-func (c *jwtCacheFillerController) newCachedJWTAuthenticator(client *http.Client, spec *auth1alpha1.JWTAuthenticatorSpec, keySet *coreosoidc.RemoteKeySet, conditions []*metav1.Condition, prereqOk bool) (*cachedJWTAuthenticator, []*metav1.Condition, error) {
+func (c *jwtCacheFillerController) newCachedJWTAuthenticator(client *http.Client, spec *authenticationv1alpha1.JWTAuthenticatorSpec, keySet *coreosoidc.RemoteKeySet, conditions []*metav1.Condition, prereqOk bool) (*cachedJWTAuthenticator, []*metav1.Condition, error) {
 	if !prereqOk {
 		conditions = append(conditions, &metav1.Condition{
 			Type:    typeAuthenticatorValid,
@@ -580,13 +580,13 @@ func (c *jwtCacheFillerController) newCachedJWTAuthenticator(client *http.Client

 func (c *jwtCacheFillerController) updateStatus(
 	ctx context.Context,
-	original *auth1alpha1.JWTAuthenticator,
+	original *authenticationv1alpha1.JWTAuthenticator,
 	conditions []*metav1.Condition,
 ) error {
 	updated := original.DeepCopy()

 	if conditionsutil.HadErrorCondition(conditions) {
-		updated.Status.Phase = auth1alpha1.JWTAuthenticatorPhaseError
+		updated.Status.Phase = authenticationv1alpha1.JWTAuthenticatorPhaseError
 		conditions = append(conditions, &metav1.Condition{
 			Type:    typeReady,
 			Status:  metav1.ConditionFalse,
@@ -594,7 +594,7 @@ func (c *jwtCacheFillerController) updateStatus(
 			Message: "the JWTAuthenticator is not ready: see other conditions for details",
 		})
 	} else {
-		updated.Status.Phase = auth1alpha1.JWTAuthenticatorPhaseReady
+		updated.Status.Phase = authenticationv1alpha1.JWTAuthenticatorPhaseReady
 		conditions = append(conditions, &metav1.Condition{
 			Type:    typeReady,
 			Status:  metav1.ConditionTrue,
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
@@ -33,7 +33,7 @@ import (
 	coretesting "k8s.io/client-go/testing"
 	clocktesting "k8s.io/utils/clock/testing"

-	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	pinnipedfake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
 	pinnipedinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"
 	"go.pinniped.dev/internal/controller/authenticator/authncache"
@@ -216,72 +216,72 @@ func TestController(t *testing.T) {
 	timeInThePast := time.Date(1111, time.January, 1, 1, 1, 1, 111111, time.Local)
 	frozenTimeInThePast := metav1.NewTime(timeInThePast)

-	someJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+	someJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   goodIssuer,
 		Audience: goodAudience,
 		TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 	}
-	someJWTAuthenticatorSpecWithUsernameClaim := &auth1alpha1.JWTAuthenticatorSpec{
+	someJWTAuthenticatorSpecWithUsernameClaim := &authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   goodIssuer,
 		Audience: goodAudience,
 		TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
-		Claims: auth1alpha1.JWTTokenClaims{
+		Claims: authenticationv1alpha1.JWTTokenClaims{
 			Username: "my-custom-username-claim",
 		},
 	}
-	someJWTAuthenticatorSpecWithGroupsClaim := &auth1alpha1.JWTAuthenticatorSpec{
+	someJWTAuthenticatorSpecWithGroupsClaim := &authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   goodIssuer,
 		Audience: goodAudience,
 		TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
-		Claims: auth1alpha1.JWTTokenClaims{
+		Claims: authenticationv1alpha1.JWTTokenClaims{
 			Groups: customGroupsClaim,
 		},
 	}
-	otherJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+	otherJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   someOtherIssuer,
 		Audience: goodAudience,
 		// Some random generated cert
 		// Issuer: C=US, O=Pivotal
 		// No SAN provided
-		TLS: &auth1alpha1.TLSSpec{CertificateAuthorityData: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVVENDQWptZ0F3SUJBZ0lWQUpzNStTbVRtaTJXeUI0bGJJRXBXaUs5a1RkUE1BMEdDU3FHU0liM0RRRUIKQ3dVQU1COHhDekFKQmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLREFkUWFYWnZkR0ZzTUI0WERUSXdNRFV3TkRFMgpNamMxT0ZvWERUSTBNRFV3TlRFMk1qYzFPRm93SHpFTE1Ba0dBMVVFQmhNQ1ZWTXhFREFPQmdOVkJBb01CMUJwCmRtOTBZV3d3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRERZWmZvWGR4Z2NXTEMKZEJtbHB5a0tBaG9JMlBuUWtsVFNXMno1cGcwaXJjOGFRL1E3MXZzMTRZYStmdWtFTGlvOTRZYWw4R01DdVFrbApMZ3AvUEE5N1VYelhQNDBpK25iNXcwRGpwWWd2dU9KQXJXMno2MFRnWE5NSFh3VHk4ME1SZEhpUFVWZ0VZd0JpCmtkNThzdEFVS1Y1MnBQTU1reTJjNy9BcFhJNmRXR2xjalUvaFBsNmtpRzZ5dEw2REtGYjJQRWV3MmdJM3pHZ2IKOFVVbnA1V05DZDd2WjNVY0ZHNXlsZEd3aGc3cnZ4U1ZLWi9WOEhCMGJmbjlxamlrSVcxWFM4dzdpUUNlQmdQMApYZWhKZmVITlZJaTJtZlczNlVQbWpMdnVKaGpqNDIrdFBQWndvdDkzdWtlcEgvbWpHcFJEVm9wamJyWGlpTUYrCkYxdnlPNGMxQWdNQkFBR2pnWU13Z1lBd0hRWURWUjBPQkJZRUZNTWJpSXFhdVkwajRVWWphWDl0bDJzby9LQ1IKTUI4R0ExVWRJd1FZTUJhQUZNTWJpSXFhdVkwajRVWWphWDl0bDJzby9LQ1JNQjBHQTFVZEpRUVdNQlFHQ0NzRwpBUVVGQndNQ0JnZ3JCZ0VGQlFjREFUQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BNEdBMVVkRHdFQi93UUVBd0lCCkJqQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFYbEh4M2tIMDZwY2NDTDlEVE5qTnBCYnlVSytGd2R6T2IwWFYKcmpNaGtxdHVmdEpUUnR5T3hKZ0ZKNXhUR3pCdEtKamcrVU1pczBOV0t0VDBNWThVMU45U2c5SDl0RFpHRHBjVQpxMlVRU0Y4dXRQMVR3dnJIUzIrdzB2MUoxdHgrTEFiU0lmWmJCV0xXQ21EODUzRlVoWlFZekkvYXpFM28vd0p1CmlPUklMdUpNUk5vNlBXY3VLZmRFVkhaS1RTWnk3a25FcHNidGtsN3EwRE91eUFWdG9HVnlkb3VUR0FOdFhXK2YKczNUSTJjKzErZXg3L2RZOEJGQTFzNWFUOG5vZnU3T1RTTzdiS1kzSkRBUHZOeFQzKzVZUXJwNGR1Nmh0YUFMbAppOHNaRkhidmxpd2EzdlhxL3p1Y2JEaHEzQzBhZnAzV2ZwRGxwSlpvLy9QUUFKaTZLQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"},
+		TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVVENDQWptZ0F3SUJBZ0lWQUpzNStTbVRtaTJXeUI0bGJJRXBXaUs5a1RkUE1BMEdDU3FHU0liM0RRRUIKQ3dVQU1COHhDekFKQmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLREFkUWFYWnZkR0ZzTUI0WERUSXdNRFV3TkRFMgpNamMxT0ZvWERUSTBNRFV3TlRFMk1qYzFPRm93SHpFTE1Ba0dBMVVFQmhNQ1ZWTXhFREFPQmdOVkJBb01CMUJwCmRtOTBZV3d3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRERZWmZvWGR4Z2NXTEMKZEJtbHB5a0tBaG9JMlBuUWtsVFNXMno1cGcwaXJjOGFRL1E3MXZzMTRZYStmdWtFTGlvOTRZYWw4R01DdVFrbApMZ3AvUEE5N1VYelhQNDBpK25iNXcwRGpwWWd2dU9KQXJXMno2MFRnWE5NSFh3VHk4ME1SZEhpUFVWZ0VZd0JpCmtkNThzdEFVS1Y1MnBQTU1reTJjNy9BcFhJNmRXR2xjalUvaFBsNmtpRzZ5dEw2REtGYjJQRWV3MmdJM3pHZ2IKOFVVbnA1V05DZDd2WjNVY0ZHNXlsZEd3aGc3cnZ4U1ZLWi9WOEhCMGJmbjlxamlrSVcxWFM4dzdpUUNlQmdQMApYZWhKZmVITlZJaTJtZlczNlVQbWpMdnVKaGpqNDIrdFBQWndvdDkzdWtlcEgvbWpHcFJEVm9wamJyWGlpTUYrCkYxdnlPNGMxQWdNQkFBR2pnWU13Z1lBd0hRWURWUjBPQkJZRUZNTWJpSXFhdVkwajRVWWphWDl0bDJzby9LQ1IKTUI4R0ExVWRJd1FZTUJhQUZNTWJpSXFhdVkwajRVWWphWDl0bDJzby9LQ1JNQjBHQTFVZEpRUVdNQlFHQ0NzRwpBUVVGQndNQ0JnZ3JCZ0VGQlFjREFUQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BNEdBMVVkRHdFQi93UUVBd0lCCkJqQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFYbEh4M2tIMDZwY2NDTDlEVE5qTnBCYnlVSytGd2R6T2IwWFYKcmpNaGtxdHVmdEpUUnR5T3hKZ0ZKNXhUR3pCdEtKamcrVU1pczBOV0t0VDBNWThVMU45U2c5SDl0RFpHRHBjVQpxMlVRU0Y4dXRQMVR3dnJIUzIrdzB2MUoxdHgrTEFiU0lmWmJCV0xXQ21EODUzRlVoWlFZekkvYXpFM28vd0p1CmlPUklMdUpNUk5vNlBXY3VLZmRFVkhaS1RTWnk3a25FcHNidGtsN3EwRE91eUFWdG9HVnlkb3VUR0FOdFhXK2YKczNUSTJjKzErZXg3L2RZOEJGQTFzNWFUOG5vZnU3T1RTTzdiS1kzSkRBUHZOeFQzKzVZUXJwNGR1Nmh0YUFMbAppOHNaRkhidmxpd2EzdlhxL3p1Y2JEaHEzQzBhZnAzV2ZwRGxwSlpvLy9QUUFKaTZLQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"},
 	}
-	missingTLSJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+	missingTLSJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   goodIssuer,
 		Audience: goodAudience,
 	}
-	invalidTLSJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+	invalidTLSJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   someOtherIssuer,
 		Audience: goodAudience,
-		TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: "invalid base64-encoded data"},
+		TLS:      &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: "invalid base64-encoded data"},
 	}

-	invalidIssuerJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+	invalidIssuerJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   "https://.café   .com/café/café/café/coffee",
 		Audience: goodAudience,
 		TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 	}
-	invalidIssuerSchemeJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+	invalidIssuerSchemeJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   "http://.café.com/café/café/café/coffee",
 		Audience: goodAudience,
 		TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 	}

-	validIssuerURLButDoesNotExistJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+	validIssuerURLButDoesNotExistJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   goodIssuer + "/foo/bar/baz/shizzle",
 		Audience: goodAudience,
 	}
-	badIssuerJWKSURIJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+	badIssuerJWKSURIJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   badIssuerInvalidJWKSURI,
 		Audience: goodAudience,
 		TLS:      conciergetestutil.TLSSpecFromTLSConfig(badOIDCIssuerServerInvalidJWKSURI.TLS),
 	}
-	badIssuerJWKSURISchemeJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+	badIssuerJWKSURISchemeJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   badIssuerInvalidJWKSURIScheme,
 		Audience: goodAudience,
 		TLS:      conciergetestutil.TLSSpecFromTLSConfig(badOIDCIssuerServerInvalidJWKSURIScheme.TLS),
 	}

-	jwksFetchShouldFailJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+	jwksFetchShouldFailJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   jwksFetchShouldFailServer.URL,
 		Audience: goodAudience,
 		TLS:      conciergetestutil.TLSSpecFromTLSConfig(jwksFetchShouldFailServer.TLS),
@@ -617,12 +617,12 @@ func TestController(t *testing.T) {
 			name:    "Sync: valid and unchanged JWTAuthenticator: loop will preserve existing status conditions",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -649,13 +649,13 @@ func TestController(t *testing.T) {
 			name:    "Sync: changed JWTAuthenticator: loop will update timestamps only on relevant statuses",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:       "test-name",
 						Generation: 1234,
 					},
 					Spec: *someJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 1233),
 							[]metav1.Condition{
@@ -684,13 +684,13 @@ func TestController(t *testing.T) {
 				},
 			}},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:       "test-name",
 						Generation: 1234,
 					},
 					Spec: *someJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 1234),
 							[]metav1.Condition{
@@ -714,7 +714,7 @@ func TestController(t *testing.T) {
 			name:    "Sync: valid JWTAuthenticator with CA: loop will complete successfully and update status conditions.",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -732,12 +732,12 @@ func TestController(t *testing.T) {
 				},
 			}},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -756,7 +756,7 @@ func TestController(t *testing.T) {
 			name:    "Sync: JWTAuthenticator with custom username claim: loop will complete successfully and update status conditions.",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -774,12 +774,12 @@ func TestController(t *testing.T) {
 				},
 			}},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpecWithUsernameClaim,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -799,7 +799,7 @@ func TestController(t *testing.T) {
 			name:    "Sync: JWTAuthenticator with custom groups claim: loop will complete successfully and update status conditions.",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -817,12 +817,12 @@ func TestController(t *testing.T) {
 				},
 			}},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpecWithGroupsClaim,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -845,7 +845,7 @@ func TestController(t *testing.T) {
 					authncache.Key{
 						Name:     "test-name",
 						Kind:     "JWTAuthenticator",
-						APIGroup: auth1alpha1.SchemeGroupVersion.Group,
+						APIGroup: authenticationv1alpha1.SchemeGroupVersion.Group,
 					},
 					newCacheValue(t, *otherJWTAuthenticatorSpec, wantClose),
 				)
@@ -853,7 +853,7 @@ func TestController(t *testing.T) {
 			wantClose: true,
 			syncKey:   controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -871,12 +871,12 @@ func TestController(t *testing.T) {
 				},
 			}},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -898,7 +898,7 @@ func TestController(t *testing.T) {
 					authncache.Key{
 						Name:     "test-name",
 						Kind:     "JWTAuthenticator",
-						APIGroup: auth1alpha1.SchemeGroupVersion.Group,
+						APIGroup: authenticationv1alpha1.SchemeGroupVersion.Group,
 					},
 					newCacheValue(t, *someJWTAuthenticatorSpec, wantClose),
 				)
@@ -906,7 +906,7 @@ func TestController(t *testing.T) {
 			wantClose: false,
 			syncKey:   controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -939,14 +939,14 @@ func TestController(t *testing.T) {
 					authncache.Key{
 						Name:     "test-name",
 						Kind:     "JWTAuthenticator",
-						APIGroup: auth1alpha1.SchemeGroupVersion.Group,
+						APIGroup: authenticationv1alpha1.SchemeGroupVersion.Group,
 					},
 					struct{ authenticator.Token }{},
 				)
 			},
 			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -970,12 +970,12 @@ func TestController(t *testing.T) {
 				},
 			}},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -994,7 +994,7 @@ func TestController(t *testing.T) {
 			name:    "Sync: valid JWTAuthenticator without CA: loop will fail to cache the authenticator, will write failed and unknown status conditions, and will enqueue resync",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -1002,12 +1002,12 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *missingTLSJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1038,7 +1038,7 @@ func TestController(t *testing.T) {
 			name:    "validateTLS: JWTAuthenticator with invalid CA: loop will fail, will write failed and unknown status conditions, but will not enqueue a resync due to user config error",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -1046,12 +1046,12 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *invalidTLSJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(someOtherIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1077,7 +1077,7 @@ func TestController(t *testing.T) {
 		}, {
 			name: "validateIssuer: parsing error (spec.issuer URL is invalid): loop will fail sync, will write failed and unknown status conditions, but will not enqueue a resync due to user config error",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -1086,12 +1086,12 @@ func TestController(t *testing.T) {
 			},
 			syncKey: controllerlib.Key{Name: "test-name"},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *invalidIssuerJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1116,7 +1116,7 @@ func TestController(t *testing.T) {
 		}, {
 			name: "validateIssuer: parsing error (spec.issuer URL has invalid scheme, requires https): loop will fail sync, will write failed and unknown conditions, but will not enqueue a resync due to user config error",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -1125,12 +1125,12 @@ func TestController(t *testing.T) {
 			},
 			syncKey: controllerlib.Key{Name: "test-name"},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *invalidIssuerSchemeJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1155,11 +1155,11 @@ func TestController(t *testing.T) {
 		}, {
 			name: "validateIssuer: issuer cannot include fragment: loop will fail sync, will write failed and unknown conditions, but will not enqueue a resync due to user config error",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.JWTAuthenticatorSpec{
+					Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 						Issuer:   "https://www.example.com/foo/bar/#do-not-include-fragment",
 						Audience: goodAudience,
 						TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
@@ -1168,16 +1168,16 @@ func TestController(t *testing.T) {
 			},
 			syncKey: controllerlib.Key{Name: "test-name"},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.JWTAuthenticatorSpec{
+					Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 						Issuer:   "https://www.example.com/foo/bar/#do-not-include-fragment",
 						Audience: goodAudience,
 						TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 					},
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1202,11 +1202,11 @@ func TestController(t *testing.T) {
 		}, {
 			name: "validateIssuer: issuer cannot include query params: loop will fail sync, will write failed and unknown conditions, but will not enqueue a resync due to user config error",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.JWTAuthenticatorSpec{
+					Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 						Issuer:   "https://www.example.com/foo/bar/?query-params=not-allowed",
 						Audience: goodAudience,
 						TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
@@ -1215,16 +1215,16 @@ func TestController(t *testing.T) {
 			},
 			syncKey: controllerlib.Key{Name: "test-name"},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.JWTAuthenticatorSpec{
+					Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 						Issuer:   "https://www.example.com/foo/bar/?query-params=not-allowed",
 						Audience: goodAudience,
 						TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 					},
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1249,11 +1249,11 @@ func TestController(t *testing.T) {
 		}, {
 			name: "validateIssuer: issuer cannot include .well-known in path: loop will fail sync, will write failed and unknown conditions, but will not enqueue a resync due to user config error",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.JWTAuthenticatorSpec{
+					Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 						Issuer:   "https://www.example.com/foo/bar/.well-known/openid-configuration",
 						Audience: goodAudience,
 						TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
@@ -1262,16 +1262,16 @@ func TestController(t *testing.T) {
 			},
 			syncKey: controllerlib.Key{Name: "test-name"},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.JWTAuthenticatorSpec{
+					Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 						Issuer:   "https://www.example.com/foo/bar/.well-known/openid-configuration",
 						Audience: goodAudience,
 						TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 					},
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1296,7 +1296,7 @@ func TestController(t *testing.T) {
 		}, {
 			name: "validateProviderDiscovery: could not perform oidc discovery on provider issuer: loop will fail sync, will write failed and unknown conditions, and will enqueue new sync",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -1305,12 +1305,12 @@ func TestController(t *testing.T) {
 			},
 			syncKey: controllerlib.Key{Name: "test-name"},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *validIssuerURLButDoesNotExistJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1337,11 +1337,11 @@ func TestController(t *testing.T) {
 		}, {
 			name: "validateProviderDiscovery: excessively long errors truncated: loop will fail sync, will write failed and unknown conditions, and will enqueue new sync",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.JWTAuthenticatorSpec{
+					Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 						Issuer:   goodIssuer + "/path/to/not/found",
 						Audience: goodAudience,
 						TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
@@ -1350,16 +1350,16 @@ func TestController(t *testing.T) {
 			},
 			syncKey: controllerlib.Key{Name: "test-name"},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.JWTAuthenticatorSpec{
+					Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 						Issuer:   goodIssuer + "/path/to/not/found",
 						Audience: goodAudience,
 						TLS:      conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 					},
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1392,7 +1392,7 @@ func TestController(t *testing.T) {
 		{
 			name: "validateProviderJWKSURL: could not parse provider jwks_uri: loop will fail sync, will write failed and unknown conditions, and will enqueue new sync",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -1401,12 +1401,12 @@ func TestController(t *testing.T) {
 			},
 			syncKey: controllerlib.Key{Name: "test-name"},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *badIssuerJWKSURIJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1431,7 +1431,7 @@ func TestController(t *testing.T) {
 		}, {
 			name: "validateProviderJWKSURL: invalid scheme, requires 'https': loop will fail sync, will write failed and unknown conditions, and will enqueue new sync",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -1440,12 +1440,12 @@ func TestController(t *testing.T) {
 			},
 			syncKey: controllerlib.Key{Name: "test-name"},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *badIssuerJWKSURISchemeJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1473,7 +1473,7 @@ func TestController(t *testing.T) {
 		{
 			name: "validateJWKSFetch: could not fetch keys: loop will fail sync, will write failed and unknown status conditions, and will enqueue a resync",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -1482,12 +1482,12 @@ func TestController(t *testing.T) {
 			},
 			syncKey: controllerlib.Key{Name: "test-name"},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *jwksFetchShouldFailJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1512,12 +1512,12 @@ func TestController(t *testing.T) {
 		{
 			name: "updateStatus: called with matching original and updated conditions: will not make request to update conditions",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -1545,12 +1545,12 @@ func TestController(t *testing.T) {
 		{
 			name: "updateStatus: called with different original and updated conditions: will make request to update conditions",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1573,12 +1573,12 @@ func TestController(t *testing.T) {
 				},
 			}},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -1595,12 +1595,12 @@ func TestController(t *testing.T) {
 		{
 			name: "updateStatus: when update request fails: error will enqueue a resync",
 			jwtAuthenticators: []runtime.Object{
-				&auth1alpha1.JWTAuthenticator{
+				&authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1625,12 +1625,12 @@ func TestController(t *testing.T) {
 				// This captures that there was an attempt to update to Ready, allHappyConditions,
 				// but the wantSyncLoopErr indicates that there is a failure, so the JWTAuthenticator
 				// remains with a bad phase and at least 1 sad condition
-				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
-					Status: auth1alpha1.JWTAuthenticatorStatus{
+					Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -1742,7 +1742,7 @@ func TestController(t *testing.T) {

 			// We expected the cache to have an entry, so pull that entry from the cache and test it.
 			expectedCacheKey := authncache.Key{
-				APIGroup: auth1alpha1.GroupName,
+				APIGroup: authenticationv1alpha1.GroupName,
 				Kind:     "JWTAuthenticator",
 				Name:     syncCtx.Key.Name,
 			}
@@ -2083,7 +2083,7 @@ func createJWT(
 	return jwt
 }

-func newCacheValue(t *testing.T, spec auth1alpha1.JWTAuthenticatorSpec, wantClose bool) authncache.Value {
+func newCacheValue(t *testing.T, spec authenticationv1alpha1.JWTAuthenticatorSpec, wantClose bool) authncache.Value {
 	t.Helper()
 	wasClosed := false

--- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
@@ -24,7 +24,7 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/utils/clock"

-	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 	authinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/authentication/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
@@ -126,7 +126,7 @@ func (c *webhookCacheFillerController) Sync(ctx controllerlib.Context) error {

 	if !conditionsutil.HadErrorCondition(conditions) {
 		c.cache.Store(authncache.Key{
-			APIGroup: auth1alpha1.GroupName,
+			APIGroup: authenticationv1alpha1.GroupName,
 			Kind:     "WebhookAuthenticator",
 			Name:     ctx.Key.Name,
 		}, webhookAuthenticator)
@@ -264,7 +264,7 @@ func (c *webhookCacheFillerController) validateConnection(certPool *x509.CertPoo
 	return conditions, nil
 }

-func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *auth1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []byte, []*metav1.Condition, bool) {
+func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *authenticationv1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []byte, []*metav1.Condition, bool) {
 	rootCAs, pemBytes, err := pinnipedauthenticator.CABundle(tlsSpec)
 	if err != nil {
 		msg := fmt.Sprintf("%s: %s", "invalid TLS configuration", err.Error())
@@ -337,13 +337,13 @@ func (c *webhookCacheFillerController) validateEndpoint(endpoint string, conditi

 func (c *webhookCacheFillerController) updateStatus(
 	ctx context.Context,
-	original *auth1alpha1.WebhookAuthenticator,
+	original *authenticationv1alpha1.WebhookAuthenticator,
 	conditions []*metav1.Condition,
 ) error {
 	updated := original.DeepCopy()

 	if conditionsutil.HadErrorCondition(conditions) {
-		updated.Status.Phase = auth1alpha1.WebhookAuthenticatorPhaseError
+		updated.Status.Phase = authenticationv1alpha1.WebhookAuthenticatorPhaseError
 		conditions = append(conditions, &metav1.Condition{
 			Type:    typeReady,
 			Status:  metav1.ConditionFalse,
@@ -351,7 +351,7 @@ func (c *webhookCacheFillerController) updateStatus(
 			Message: "the WebhookAuthenticator is not ready: see other conditions for details",
 		})
 	} else {
-		updated.Status.Phase = auth1alpha1.WebhookAuthenticatorPhaseReady
+		updated.Status.Phase = authenticationv1alpha1.WebhookAuthenticatorPhaseReady
 		conditions = append(conditions, &metav1.Condition{
 			Type:    typeReady,
 			Status:  metav1.ConditionTrue,
--- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
@@ -28,7 +28,7 @@ import (
 	clocktesting "k8s.io/utils/clock/testing"
 	"k8s.io/utils/ptr"

-	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	pinnipedfake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
 	pinnipedinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"
 	"go.pinniped.dev/internal/certauthority"
@@ -139,34 +139,34 @@ func TestController(t *testing.T) {
 	timeInThePast := time.Date(1111, time.January, 1, 1, 1, 1, 111111, time.Local)
 	frozenTimeInThePast := metav1.NewTime(timeInThePast)

-	goodWebhookAuthenticatorSpecWithCA := auth1alpha1.WebhookAuthenticatorSpec{
+	goodWebhookAuthenticatorSpecWithCA := authenticationv1alpha1.WebhookAuthenticatorSpec{
 		Endpoint: goodWebhookDefaultServingCertEndpoint,
 		TLS:      conciergetestutil.TLSSpecFromTLSConfig(hostGoodDefaultServingCertServer.TLS),
 	}
-	localWithExampleDotComWeebhookAuthenticatorSpec := auth1alpha1.WebhookAuthenticatorSpec{
+	localWithExampleDotComWeebhookAuthenticatorSpec := authenticationv1alpha1.WebhookAuthenticatorSpec{
 		// CA for example.com, TLS serving cert for example.com, but endpoint is still localhost
 		Endpoint: hostLocalWithExampleDotComCertServer.URL,
-		TLS: &auth1alpha1.TLSSpec{
+		TLS: &authenticationv1alpha1.TLSSpec{
 			// CA Bundle for example.com
 			CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForExampleDotCom.Bundle()),
 		},
 	}
-	goodWebhookAuthenticatorSpecWithoutCA := auth1alpha1.WebhookAuthenticatorSpec{
+	goodWebhookAuthenticatorSpecWithoutCA := authenticationv1alpha1.WebhookAuthenticatorSpec{
 		Endpoint: goodWebhookDefaultServingCertEndpoint,
-		TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: ""},
+		TLS:      &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: ""},
 	}
-	goodWebhookAuthenticatorSpecWith404Endpoint := auth1alpha1.WebhookAuthenticatorSpec{
+	goodWebhookAuthenticatorSpecWith404Endpoint := authenticationv1alpha1.WebhookAuthenticatorSpec{
 		Endpoint: goodWebhookDefaultServingCertEndpointBut404,
 		TLS:      conciergetestutil.TLSSpecFromTLSConfig(hostGoodDefaultServingCertServer.TLS),
 	}
-	badWebhookAuthenticatorSpecInvalidTLS := auth1alpha1.WebhookAuthenticatorSpec{
+	badWebhookAuthenticatorSpecInvalidTLS := authenticationv1alpha1.WebhookAuthenticatorSpec{
 		Endpoint: goodWebhookDefaultServingCertEndpoint,
-		TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: "invalid base64-encoded data"},
+		TLS:      &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: "invalid base64-encoded data"},
 	}

-	badWebhookAuthenticatorSpecGoodEndpointButUnknownCA := auth1alpha1.WebhookAuthenticatorSpec{
+	badWebhookAuthenticatorSpecGoodEndpointButUnknownCA := authenticationv1alpha1.WebhookAuthenticatorSpec{
 		Endpoint: goodWebhookDefaultServingCertEndpoint,
-		TLS: &auth1alpha1.TLSSpec{
+		TLS: &authenticationv1alpha1.TLSSpec{
 			CertificateAuthorityData: base64.StdEncoding.EncodeToString(pemServerCertForUnknownServer),
 		},
 	}
@@ -392,12 +392,12 @@ func TestController(t *testing.T) {
 			name:    "Sync: valid and unchanged WebhookAuthenticator: loop will preserve existing status conditions",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: goodWebhookAuthenticatorSpecWithCA,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -427,13 +427,13 @@ func TestController(t *testing.T) {
 			name:    "Sync: changed WebhookAuthenticator: loop will update timestamps only on relevant statuses",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:       "test-name",
 						Generation: 1234,
 					},
 					Spec: goodWebhookAuthenticatorSpecWithCA,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 1233),
 							[]metav1.Condition{
@@ -458,13 +458,13 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:       "test-name",
 						Generation: 1234,
 					},
 					Spec: goodWebhookAuthenticatorSpecWithCA,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 1234),
 							[]metav1.Condition{
@@ -487,7 +487,7 @@ func TestController(t *testing.T) {
 			name:    "Sync: valid WebhookAuthenticator with CA: will complete sync loop successfully with success conditions and ready phase",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -507,12 +507,12 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: goodWebhookAuthenticatorSpecWithCA,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -530,14 +530,14 @@ func TestController(t *testing.T) {
 			name:    "Sync: valid WebhookAuthenticator with IPV6 and CA: will complete sync loop successfully with success conditions and ready phase",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: func() auth1alpha1.WebhookAuthenticatorSpec {
+					Spec: func() authenticationv1alpha1.WebhookAuthenticatorSpec {
 						ipv6 := goodWebhookAuthenticatorSpecWithCA.DeepCopy()
 						ipv6.Endpoint = hostLocalIPv6Server.URL
-						ipv6.TLS = ptr.To(auth1alpha1.TLSSpec{
+						ipv6.TLS = ptr.To(authenticationv1alpha1.TLSSpec{
 							CertificateAuthorityData: base64.StdEncoding.EncodeToString(ipv6CA),
 						})
 						return *ipv6
@@ -557,19 +557,19 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: func() auth1alpha1.WebhookAuthenticatorSpec {
+					Spec: func() authenticationv1alpha1.WebhookAuthenticatorSpec {
 						ipv6 := goodWebhookAuthenticatorSpecWithCA.DeepCopy()
 						ipv6.Endpoint = hostLocalIPv6Server.URL
-						ipv6.TLS = ptr.To(auth1alpha1.TLSSpec{
+						ipv6.TLS = ptr.To(authenticationv1alpha1.TLSSpec{
 							CertificateAuthorityData: base64.StdEncoding.EncodeToString(ipv6CA),
 						})
 						return *ipv6
 					}(),
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(hostLocalIPv6Server.URL, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -587,7 +587,7 @@ func TestController(t *testing.T) {
 			name:    "Sync: valid WebhookAuthenticator without CA: loop will fail to cache the authenticator, will write failed and unknown status conditions, and will enqueue resync",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -595,12 +595,12 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: goodWebhookAuthenticatorSpecWithoutCA,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -627,7 +627,7 @@ func TestController(t *testing.T) {
 			name:    "validateTLS: WebhookAuthenticator with invalid CA will fail sync loop and will report failed and unknown conditions and Error phase, but will not enqueue a resync due to user config error",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -635,12 +635,12 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: badWebhookAuthenticatorSpecInvalidTLS,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -666,24 +666,24 @@ func TestController(t *testing.T) {
 			name:    "validateEndpoint: parsing error (spec.endpoint URL is invalid) will fail sync loop and will report failed and unknown conditions and Error phase, but will not enqueue a resync due to user config error",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: badEndpointInvalidURL,
 					},
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: badEndpointInvalidURL,
 					},
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -710,24 +710,24 @@ func TestController(t *testing.T) {
 			name:    "validateEndpoint: parsing error (spec.endpoint URL has invalid scheme, requires https) will fail sync loop, will write failed and unknown status conditions, but will not enqueue a resync due to user config error",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: badEndpointNoHTTPS,
 					},
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: badEndpointNoHTTPS,
 					},
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -754,30 +754,30 @@ func TestController(t *testing.T) {
 			name:    "validateEndpoint: should error if endpoint cannot be parsed",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "https://[0:0:0:0:0:0:0:1]:69999/some/fake/path",
-						TLS: &auth1alpha1.TLSSpec{
+						TLS: &authenticationv1alpha1.TLSSpec{
 							CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 						},
 					},
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "https://[0:0:0:0:0:0:0:1]:69999/some/fake/path",
-						TLS: &auth1alpha1.TLSSpec{
+						TLS: &authenticationv1alpha1.TLSSpec{
 							CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 						},
 					},
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess("https://[0:0:0:0:0:0:0:1]:69999/some/fake/path", frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -803,7 +803,7 @@ func TestController(t *testing.T) {
 			name:    "validateConnection: CA does not validate serving certificate for host, the dialer will error, will fail sync loop, will write failed and unknown status conditions, but will not enqueue a resync due to user config error",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -812,12 +812,12 @@ func TestController(t *testing.T) {
 			},
 			wantSyncLoopErr: testutil.WantExactErrorString("cannot dial server: tls: failed to verify certificate: x509: certificate signed by unknown authority"),
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: badWebhookAuthenticatorSpecGoodEndpointButUnknownCA,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -845,7 +845,7 @@ func TestController(t *testing.T) {
 			name:    "validateConnection: 404 endpoint on a valid server will still validate server certificate, will complete sync loop successfully with success conditions and ready phase",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
@@ -865,12 +865,12 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: goodWebhookAuthenticatorSpecWith404Endpoint,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpointBut404, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -888,18 +888,18 @@ func TestController(t *testing.T) {
 			name:    "validateConnection: localhost hostname instead of 127.0.0.1 should still dial correctly as dialer should handle hostnames as well as IPv4",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: fmt.Sprintf("https://localhost:%s", localhostURL.Port()),
-						TLS: &auth1alpha1.TLSSpec{
+						TLS: &authenticationv1alpha1.TLSSpec{
 							// CA Bundle for validating the server's certs
 							CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAsHostname.Bundle()),
 						},
 					},
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(fmt.Sprintf("https://localhost:%s", localhostURL.Port()), frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -929,30 +929,30 @@ func TestController(t *testing.T) {
 			name:    "validateConnection: IPv6 address with port: should call dialer func with correct arguments",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "https://[0:0:0:0:0:0:0:1]:4242/some/fake/path",
-						TLS: &auth1alpha1.TLSSpec{
+						TLS: &authenticationv1alpha1.TLSSpec{
 							CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 						},
 					},
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "https://[0:0:0:0:0:0:0:1]:4242/some/fake/path",
-						TLS: &auth1alpha1.TLSSpec{
+						TLS: &authenticationv1alpha1.TLSSpec{
 							CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 						},
 					},
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess("https://[0:0:0:0:0:0:0:1]:4242/some/fake/path", frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -978,30 +978,30 @@ func TestController(t *testing.T) {
 			name:    "validateConnection: IPv6 address without port: should call dialer func with correct arguments",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "https://[0:0:0:0:0:0:0:1]/some/fake/path",
-						TLS: &auth1alpha1.TLSSpec{
+						TLS: &authenticationv1alpha1.TLSSpec{
 							CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 						},
 					},
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "https://[0:0:0:0:0:0:0:1]/some/fake/path",
-						TLS: &auth1alpha1.TLSSpec{
+						TLS: &authenticationv1alpha1.TLSSpec{
 							CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 						},
 					},
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess("https://[0:0:0:0:0:0:0:1]/some/fake/path", frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1027,17 +1027,17 @@ func TestController(t *testing.T) {
 			name:    "validateConnection: localhost as IP address 127.0.0.1 should still dial correctly as dialer should handle hostnames as well as IPv4 and IPv6 addresses",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: hostAs127001WebhookServer.URL,
-						TLS: &auth1alpha1.TLSSpec{
+						TLS: &authenticationv1alpha1.TLSSpec{
 							CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 						},
 					},
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(hostAs127001WebhookServer.URL, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -1067,24 +1067,24 @@ func TestController(t *testing.T) {
 			name:    "validateConnection: CA for example.com, serving cert for example.com, but endpoint 127.0.0.1 will fail to validate certificate and will fail sync loop and will report failed and unknown conditions and Error phase, but will not enqueue a resync due to user config error",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: localWithExampleDotComWeebhookAuthenticatorSpec,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(hostLocalWithExampleDotComCertServer.URL, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: localWithExampleDotComWeebhookAuthenticatorSpec,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(hostLocalWithExampleDotComCertServer.URL, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1110,30 +1110,30 @@ func TestController(t *testing.T) {
 			name:    "validateConnection: IPv6 address without port or brackets: should succeed since IPv6 brackets are optional without port",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "https://0:0:0:0:0:0:0:1/some/fake/path",
-						TLS: &auth1alpha1.TLSSpec{
+						TLS: &authenticationv1alpha1.TLSSpec{
 							CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 						},
 					},
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
-					Spec: auth1alpha1.WebhookAuthenticatorSpec{
+					Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "https://0:0:0:0:0:0:0:1/some/fake/path",
-						TLS: &auth1alpha1.TLSSpec{
+						TLS: &authenticationv1alpha1.TLSSpec{
 							CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 						},
 					},
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess("https://0:0:0:0:0:0:0:1/some/fake/path", frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1159,12 +1159,12 @@ func TestController(t *testing.T) {
 			name:    "updateStatus: called with matching original and updated conditions: will not make request to update conditions",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: goodWebhookAuthenticatorSpecWithCA,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -1194,12 +1194,12 @@ func TestController(t *testing.T) {
 			name:    "updateStatus: called with different original and updated conditions: will make request to update conditions",
 			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: goodWebhookAuthenticatorSpecWithCA,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1223,12 +1223,12 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: goodWebhookAuthenticatorSpecWithCA,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
@@ -1255,12 +1255,12 @@ func TestController(t *testing.T) {
 				)
 			},
 			webhooks: []runtime.Object{
-				&auth1alpha1.WebhookAuthenticator{
+				&authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: goodWebhookAuthenticatorSpecWithCA,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 							[]metav1.Condition{
@@ -1284,12 +1284,12 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantActions: func() []coretesting.Action {
-				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+				updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-name",
 					},
 					Spec: goodWebhookAuthenticatorSpecWithCA,
-					Status: auth1alpha1.WebhookAuthenticatorStatus{
+					Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 						Conditions: allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 						Phase:      "Ready",
 					},
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package activedirectoryupstreamwatcher implements a controller which watches ActiveDirectoryIdentityProviders.
@@ -20,7 +20,7 @@ import (
 	corev1informers "k8s.io/client-go/informers/core/v1"

 	"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
-	supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+	pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 	idpinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/conditionsutil"
@@ -232,7 +232,7 @@ type activeDirectoryWatcherController struct {
 	cache                                   UpstreamActiveDirectoryIdentityProviderICache
 	validatedSettingsCache                  upstreamwatchers.ValidatedSettingsCacheI
 	ldapDialer                              upstreamldap.LDAPDialer
-	client                                  supervisorclientset.Interface
+	client                                  pinnipedsupervisorclientset.Interface
 	activeDirectoryIdentityProviderInformer idpinformers.ActiveDirectoryIdentityProviderInformer
 	secretInformer                          corev1informers.SecretInformer
 }
@@ -240,7 +240,7 @@ type activeDirectoryWatcherController struct {
 // New instantiates a new controllerlib.Controller which will populate the provided UpstreamActiveDirectoryIdentityProviderICache.
 func New(
 	idpCache UpstreamActiveDirectoryIdentityProviderICache,
-	client supervisorclientset.Interface,
+	client pinnipedsupervisorclientset.Interface,
 	activeDirectoryIdentityProviderInformer idpinformers.ActiveDirectoryIdentityProviderInformer,
 	secretInformer corev1informers.SecretInformer,
 	withInformer pinnipedcontroller.WithInformerOptionFunc,
@@ -263,7 +263,7 @@ func newInternal(
 	idpCache UpstreamActiveDirectoryIdentityProviderICache,
 	validatedSettingsCache upstreamwatchers.ValidatedSettingsCacheI,
 	ldapDialer upstreamldap.LDAPDialer,
-	client supervisorclientset.Interface,
+	client pinnipedsupervisorclientset.Interface,
 	activeDirectoryIdentityProviderInformer idpinformers.ActiveDirectoryIdentityProviderInformer,
 	secretInformer corev1informers.SecretInformer,
 	withInformer pinnipedcontroller.WithInformerOptionFunc,
--- a/internal/controller/supervisorconfig/federation_domain_watcher.go
+++ b/internal/controller/supervisorconfig/federation_domain_watcher.go
@@ -22,7 +22,7 @@ import (
 	"k8s.io/utils/clock"

 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
-	supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+	pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 	configinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1"
 	idpinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1"
 	"go.pinniped.dev/internal/celtransformer"
@@ -82,7 +82,7 @@ type federationDomainWatcherController struct {
 	federationDomainsSetter FederationDomainsSetter
 	apiGroup                string
 	clock                   clock.Clock
-	client                  supervisorclientset.Interface
+	client                  pinnipedsupervisorclientset.Interface

 	federationDomainInformer                configinformers.FederationDomainInformer
 	oidcIdentityProviderInformer            idpinformers.OIDCIdentityProviderInformer
@@ -99,7 +99,7 @@ func NewFederationDomainWatcherController(
 	federationDomainsSetter FederationDomainsSetter,
 	apiGroupSuffix string,
 	clock clock.Clock,
-	client supervisorclientset.Interface,
+	client pinnipedsupervisorclientset.Interface,
 	federationDomainInformer configinformers.FederationDomainInformer,
 	oidcIdentityProviderInformer idpinformers.OIDCIdentityProviderInformer,
 	ldapIdentityProviderInformer idpinformers.LDAPIdentityProviderInformer,
--- a/internal/controller/supervisorconfig/generator/federation_domain_secrets.go
+++ b/internal/controller/supervisorconfig/generator/federation_domain_secrets.go
@@ -17,7 +17,7 @@ import (
 	"k8s.io/klog/v2"

 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
-	supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+	pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 	configinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controllerlib"
@@ -28,7 +28,7 @@ type federationDomainSecretsController struct {
 	secretHelper             SecretHelper
 	secretRefFunc            func(domain *configv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference
 	kubeClient               kubernetes.Interface
-	pinnipedClient           supervisorclientset.Interface
+	pinnipedClient           pinnipedsupervisorclientset.Interface
 	federationDomainInformer configinformers.FederationDomainInformer
 	secretInformer           corev1informers.SecretInformer
 }
@@ -40,7 +40,7 @@ func NewFederationDomainSecretsController(
 	secretHelper SecretHelper,
 	secretRefFunc func(domain *configv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference,
 	kubeClient kubernetes.Interface,
-	pinnipedClient supervisorclientset.Interface,
+	pinnipedClient pinnipedsupervisorclientset.Interface,
 	secretInformer corev1informers.SecretInformer,
 	federationDomainInformer configinformers.FederationDomainInformer,
 	withInformer pinnipedcontroller.WithInformerOptionFunc,
--- a/internal/controller/supervisorconfig/jwks_writer.go
+++ b/internal/controller/supervisorconfig/jwks_writer.go
@@ -23,7 +23,7 @@ import (
 	"k8s.io/klog/v2"

 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
-	supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+	pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 	configinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/supervisorconfig/generator"
@@ -60,7 +60,7 @@ func generateECKey(r io.Reader) (interface{}, error) {
 // secrets, both via a cache and via the API.
 type jwksWriterController struct {
 	jwksSecretLabels         map[string]string
-	pinnipedClient           supervisorclientset.Interface
+	pinnipedClient           pinnipedsupervisorclientset.Interface
 	kubeClient               kubernetes.Interface
 	federationDomainInformer configinformers.FederationDomainInformer
 	secretInformer           corev1informers.SecretInformer
@@ -71,7 +71,7 @@ type jwksWriterController struct {
 func NewJWKSWriterController(
 	jwksSecretLabels map[string]string,
 	kubeClient kubernetes.Interface,
-	pinnipedClient supervisorclientset.Interface,
+	pinnipedClient pinnipedsupervisorclientset.Interface,
 	secretInformer corev1informers.SecretInformer,
 	federationDomainInformer configinformers.FederationDomainInformer,
 	withInformer pinnipedcontroller.WithInformerOptionFunc,
--- a/internal/federationdomain/clientregistry/clientregistry_test.go
+++ b/internal/federationdomain/clientregistry/clientregistry_test.go
@@ -10,7 +10,7 @@ import (
 	"testing"
 	"time"

-	"github.com/coreos/go-oidc/v3/oidc"
+	coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 	"github.com/ory/fosite"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
@@ -294,7 +294,7 @@ func requireEqualsPinnipedCLI(t *testing.T, c *Client) {
 	require.Equal(t, []string{"http://127.0.0.1/callback"}, c.GetRedirectURIs())
 	require.Equal(t, fosite.Arguments{"authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange"}, c.GetGrantTypes())
 	require.Equal(t, fosite.Arguments{"code"}, c.GetResponseTypes())
-	require.Equal(t, fosite.Arguments{oidc.ScopeOpenID, oidc.ScopeOfflineAccess, "profile", "email", "pinniped:request-audience", "username", "groups"}, c.GetScopes())
+	require.Equal(t, fosite.Arguments{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, "profile", "email", "pinniped:request-audience", "username", "groups"}, c.GetScopes())
 	require.True(t, c.IsPublic())
 	require.Nil(t, c.GetAudience())
 	require.Nil(t, c.GetRequestURIs())
--- a/internal/federationdomain/endpoints/tokenexchange/token_exchange.go
+++ b/internal/federationdomain/endpoints/tokenexchange/token_exchange.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package tokenexchange
@@ -9,7 +9,7 @@ import (
 	"strings"

 	"github.com/ory/fosite"
-	"github.com/ory/fosite/handler/oauth2"
+	fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 	"github.com/ory/fosite/handler/openid"
 	"github.com/pkg/errors"

@@ -30,16 +30,16 @@ type stsParams struct {
 func HandlerFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
 	return &tokenExchangeHandler{
 		idTokenStrategy:     strategy.(openid.OpenIDConnectTokenStrategy),
-		accessTokenStrategy: strategy.(oauth2.AccessTokenStrategy),
-		accessTokenStorage:  storage.(oauth2.AccessTokenStorage),
+		accessTokenStrategy: strategy.(fositeoauth2.AccessTokenStrategy),
+		accessTokenStorage:  storage.(fositeoauth2.AccessTokenStorage),
 		fositeConfig:        config,
 	}
 }

 type tokenExchangeHandler struct {
 	idTokenStrategy     openid.OpenIDConnectTokenStrategy
-	accessTokenStrategy oauth2.AccessTokenStrategy
-	accessTokenStorage  oauth2.AccessTokenStorage
+	accessTokenStrategy fositeoauth2.AccessTokenStrategy
+	accessTokenStorage  fositeoauth2.AccessTokenStorage
 	fositeConfig        fosite.Configurator
 }

--- a/internal/federationdomain/storage/kube_storage.go
+++ b/internal/federationdomain/storage/kube_storage.go
@@ -8,7 +8,7 @@ import (
 	"time"

 	"github.com/ory/fosite"
-	"github.com/ory/fosite/handler/oauth2"
+	fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 	"github.com/ory/fosite/handler/openid"
 	fositepkce "github.com/ory/fosite/handler/pkce"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -27,7 +27,7 @@ import (

 type KubeStorage struct {
 	clientManager            fosite.ClientManager
-	authorizationCodeStorage oauth2.AuthorizeCodeStorage
+	authorizationCodeStorage fositeoauth2.AuthorizeCodeStorage
 	pkceStorage              fositepkce.PKCERequestStorage
 	oidcStorage              openid.OpenIDConnectRequestStorage
 	accessTokenStorage       accesstoken.RevocationStorage
--- a/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy.go
+++ b/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package strategy
@@ -9,7 +9,7 @@ import (

 	"github.com/ory/fosite"
 	"github.com/ory/fosite/compose"
-	"github.com/ory/fosite/handler/oauth2"
+	fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 	errorsx "github.com/pkg/errors"

 	"go.pinniped.dev/internal/federationdomain/storage"
@@ -44,7 +44,7 @@ type DynamicOauth2HMACStrategy struct {
 	keyFunc      func() []byte
 }

-var _ oauth2.CoreStrategy = &DynamicOauth2HMACStrategy{}
+var _ fositeoauth2.CoreStrategy = &DynamicOauth2HMACStrategy{}

 func NewDynamicOauth2HMACStrategy(
 	fositeConfig *fosite.Config,
@@ -156,6 +156,6 @@ func (s *DynamicOauth2HMACStrategy) ValidateAuthorizeCode(
 	return s.delegate().ValidateAuthorizeCode(ctx, requester, replacePrefix(token, pinAuthcodePrefix, oryAuthcodePrefix))
 }

-func (s *DynamicOauth2HMACStrategy) delegate() *oauth2.HMACSHAStrategy {
+func (s *DynamicOauth2HMACStrategy) delegate() *fositeoauth2.HMACSHAStrategy {
 	return compose.NewOAuth2HMACStrategy(storage.NewDynamicGlobalSecretConfig(s.fositeConfig, s.keyFunc))
 }
--- a/internal/fositestorage/accesstoken/accesstoken.go
+++ b/internal/fositestorage/accesstoken/accesstoken.go
@@ -9,7 +9,7 @@ import (
 	"time"

 	"github.com/ory/fosite"
-	"github.com/ory/fosite/handler/oauth2"
+	fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -39,7 +39,7 @@ const (
 )

 type RevocationStorage interface {
-	oauth2.AccessTokenStorage
+	fositeoauth2.AccessTokenStorage
 	RevokeAccessToken(ctx context.Context, requestID string) error
 }

--- a/internal/fositestorage/authorizationcode/authorizationcode.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode.go
@@ -10,7 +10,7 @@ import (
 	"time"

 	"github.com/ory/fosite"
-	"github.com/ory/fosite/handler/oauth2"
+	fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -39,7 +39,7 @@ const (
 	authorizeCodeStorageVersion = "7"
 )

-var _ oauth2.AuthorizeCodeStorage = &authorizeCodeStorage{}
+var _ fositeoauth2.AuthorizeCodeStorage = &authorizeCodeStorage{}

 type authorizeCodeStorage struct {
 	storage  crud.Storage
@@ -52,7 +52,7 @@ type Session struct {
 	Version string          `json:"version"`
 }

-func New(secrets corev1client.SecretInterface, clock func() time.Time, sessionStorageLifetime timeouts.StorageLifetime) oauth2.AuthorizeCodeStorage {
+func New(secrets corev1client.SecretInterface, clock func() time.Time, sessionStorageLifetime timeouts.StorageLifetime) fositeoauth2.AuthorizeCodeStorage {
 	return &authorizeCodeStorage{storage: crud.New(TypeLabelValue, secrets, clock), lifetime: sessionStorageLifetime}
 }

--- a/internal/fositestorage/authorizationcode/authorizationcode_test.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode_test.go
@@ -18,7 +18,7 @@ import (
 	"github.com/go-jose/go-jose/v3"
 	fuzz "github.com/google/gofuzz"
 	"github.com/ory/fosite"
-	"github.com/ory/fosite/handler/oauth2"
+	fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 	"github.com/ory/fosite/handler/openid"
 	"github.com/ory/fosite/token/jwt"
 	"github.com/pkg/errors"
@@ -276,7 +276,7 @@ func TestCreateWithWrongRequesterDataTypes(t *testing.T) {
 	require.EqualError(t, err, "requester's client must be of type clientregistry.Client")
 }

-func makeTestSubject(lifetimeFunc timeouts.StorageLifetime) (context.Context, *fake.Clientset, corev1client.SecretInterface, oauth2.AuthorizeCodeStorage) {
+func makeTestSubject(lifetimeFunc timeouts.StorageLifetime) (context.Context, *fake.Clientset, corev1client.SecretInterface, fositeoauth2.AuthorizeCodeStorage) {
 	client := fake.NewSimpleClientset()
 	secrets := client.CoreV1().Secrets(namespace)
 	return context.Background(),
--- a/internal/fositestorage/refreshtoken/refreshtoken.go
+++ b/internal/fositestorage/refreshtoken/refreshtoken.go
@@ -9,7 +9,7 @@ import (
 	"time"

 	"github.com/ory/fosite"
-	"github.com/ory/fosite/handler/oauth2"
+	fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -39,7 +39,7 @@ const (
 )

 type RevocationStorage interface {
-	oauth2.RefreshTokenStorage
+	fositeoauth2.RefreshTokenStorage
 	RevokeRefreshToken(ctx context.Context, requestID string) error
 	RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error
 }
--- a/internal/fositestoragei/fosite_storage_interface.go
+++ b/internal/fositestoragei/fosite_storage_interface.go
@@ -1,11 +1,11 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package fositestoragei

 import (
 	"github.com/ory/fosite"
-	"github.com/ory/fosite/handler/oauth2"
+	fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 	"github.com/ory/fosite/handler/openid"
 	"github.com/ory/fosite/handler/pkce"
 )
@@ -14,8 +14,8 @@ import (
 // Not having this interface makes it a pain to avoid cyclical test dependencies, so we'll define it.
 type AllFositeStorage interface {
 	fosite.ClientManager
-	oauth2.CoreStorage
-	oauth2.TokenRevocationStorage
+	fositeoauth2.CoreStorage
+	fositeoauth2.TokenRevocationStorage
 	openid.OpenIDConnectRequestStorage
 	pkce.PKCERequestStorage
 }
--- a/internal/groupsuffix/groupsuffix_test.go
+++ b/internal/groupsuffix/groupsuffix_test.go
@@ -14,7 +14,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"

-	authv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	"go.pinniped.dev/internal/kubeclient"
@@ -154,11 +154,11 @@ func TestMiddlware(t *testing.T) {
 	)
 	tokenCredentialRequestWithPinnipedAuthenticator := with(
 		tokenCredentialRequest,
-		authenticatorAPIGroup(authv1alpha1.SchemeGroupVersion.Group),
+		authenticatorAPIGroup(authenticationv1alpha1.SchemeGroupVersion.Group),
 	)
 	tokenCredentialRequestWithCustomAPIGroupAuthenticator := with(
 		tokenCredentialRequest,
-		authenticatorAPIGroup(replaceGV(t, authv1alpha1.SchemeGroupVersion, newSuffix).Group),
+		authenticatorAPIGroup(replaceGV(t, authenticationv1alpha1.SchemeGroupVersion, newSuffix).Group),
 	)
 	tokenCredentialRequestWithNewGroup := with(
 		tokenCredentialRequest,
@@ -166,11 +166,11 @@ func TestMiddlware(t *testing.T) {
 	)
 	tokenCredentialRequestWithNewGroupAndPinnipedAuthenticator := with(
 		tokenCredentialRequestWithNewGroup,
-		authenticatorAPIGroup(authv1alpha1.SchemeGroupVersion.Group),
+		authenticatorAPIGroup(authenticationv1alpha1.SchemeGroupVersion.Group),
 	)
 	tokenCredentialRequestWithNewGroupAndCustomAPIGroupAuthenticator := with(
 		tokenCredentialRequestWithNewGroup,
-		authenticatorAPIGroup(replaceGV(t, authv1alpha1.SchemeGroupVersion, newSuffix).Group),
+		authenticatorAPIGroup(replaceGV(t, authenticationv1alpha1.SchemeGroupVersion, newSuffix).Group),
 	)

 	tests := []struct {
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
@@ -39,7 +39,7 @@ import (
 	"k8s.io/utils/clock"

 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
-	supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+	pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 	"go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 	supervisorinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
 	supervisoropenapi "go.pinniped.dev/generated/latest/client/supervisor/openapi"
@@ -141,7 +141,7 @@ func prepareControllers(
 	secretCache *secret.Cache,
 	supervisorDeployment *appsv1.Deployment,
 	kubeClient kubernetes.Interface,
-	pinnipedClient supervisorclientset.Interface,
+	pinnipedClient pinnipedsupervisorclientset.Interface,
 	aggregatorClient aggregatorclient.Interface,
 	kubeInformers k8sinformers.SharedInformerFactory,
 	pinnipedInformers supervisorinformers.SharedInformerFactory,
--- a/internal/testutil/assertions.go
+++ b/internal/testutil/assertions.go
@@ -12,7 +12,7 @@ import (
 	"time"

 	"github.com/stretchr/testify/require"
-	v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/selection"
 	v1 "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -49,7 +49,7 @@ func RequireEqualContentType(t *testing.T, actual string, expected string) {

 func RequireNumberOfSecretsMatchingLabelSelector(t *testing.T, secrets v1.SecretInterface, labelSet labels.Set, expectedNumberOfSecrets int) {
 	t.Helper()
-	storedAuthcodeSecrets, err := secrets.List(context.Background(), v12.ListOptions{
+	storedAuthcodeSecrets, err := secrets.List(context.Background(), metav1.ListOptions{
 		LabelSelector: labelSet.String(),
 	})
 	require.NoError(t, err)
@@ -66,7 +66,7 @@ func RequireNumberOfSecretsExcludingLabelSelector(t *testing.T, secrets v1.Secre
 		selector = selector.Add(*requirement)
 	}

-	storedAuthcodeSecrets, err := secrets.List(context.Background(), v12.ListOptions{
+	storedAuthcodeSecrets, err := secrets.List(context.Background(), metav1.ListOptions{
 		LabelSelector: selector.String(),
 	})
 	require.NoError(t, err)
--- a/internal/testutil/conciergetestutil/tlstestutil.go
+++ b/internal/testutil/conciergetestutil/tlstestutil.go
@@ -8,10 +8,10 @@ import (
 	"encoding/base64"
 	"encoding/pem"

-	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 )

-func TLSSpecFromTLSConfig(tls *tls.Config) *auth1alpha1.TLSSpec {
+func TLSSpecFromTLSConfig(tls *tls.Config) *authenticationv1alpha1.TLSSpec {
 	pemData := make([]byte, 0)
 	for _, certificate := range tls.Certificates {
 		// this is the public part of the certificate, the private is the certificate.PrivateKey
@@ -22,7 +22,7 @@ func TLSSpecFromTLSConfig(tls *tls.Config) *auth1alpha1.TLSSpec {
 			})...)
 		}
 	}
-	return &auth1alpha1.TLSSpec{
+	return &authenticationv1alpha1.TLSSpec{
 		CertificateAuthorityData: base64.StdEncoding.EncodeToString(pemData),
 	}
 }
--- a/internal/testutil/kube_server_compatibility.go
+++ b/internal/testutil/kube_server_compatibility.go
@@ -10,7 +10,7 @@ import (

 	"github.com/stretchr/testify/require"
 	certificatesv1 "k8s.io/api/certificates/v1"
-	v1 "k8s.io/api/core/v1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/discovery"
 )

@@ -66,7 +66,7 @@ func CheckServiceAccountExtraFieldsAccountingForChangesInK8s1_30[M ~map[string]V
 	t *testing.T,
 	discoveryClient discovery.DiscoveryInterface,
 	actualExtras M,
-	expectedPodValues *v1.Pod,
+	expectedPodValues *corev1.Pod,
 ) {
 	t.Helper()

--- a/internal/upstreamoidc/upstreamoidc_test.go
+++ b/internal/upstreamoidc/upstreamoidc_test.go
@@ -16,7 +16,7 @@ import (
 	"time"
 	"unsafe"

-	"github.com/coreos/go-oidc/v3/oidc"
+	coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 	"github.com/go-jose/go-jose/v3"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
@@ -108,7 +108,7 @@ func TestProviderConfig(t *testing.T) {
 			wantToken             oidctypes.Token

 			rawClaims          []byte
-			userInfo           *oidc.UserInfo
+			userInfo           *coreosoidc.UserInfo
 			userInfoErr        error
 			wantUserInfoCalled bool
 		}{
@@ -204,7 +204,7 @@ func TestProviderConfig(t *testing.T) {
 				name:        "user info sub error",
 				returnIDTok: validIDToken,
 				wantErr:     "could not fetch user info claims: userinfo 'sub' claim (test-user-2) did not match id_token 'sub' claim (test-user)",
-				userInfo:    &oidc.UserInfo{Subject: "test-user-2"},
+				userInfo:    &coreosoidc.UserInfo{Subject: "test-user-2"},
 			},
 			{
 				name:        "user info is not json",
@@ -746,7 +746,7 @@ func TestProviderConfig(t *testing.T) {
 			nonce            nonce.Nonce
 			requireIDToken   bool
 			requireUserInfo  bool
-			userInfo         *oidc.UserInfo
+			userInfo         *coreosoidc.UserInfo
 			rawClaims        []byte
 			userInfoErr      error
 			wantErr          string
@@ -1127,7 +1127,7 @@ func TestProviderConfig(t *testing.T) {
 			wantToken   oidctypes.Token

 			rawClaims          []byte
-			userInfo           *oidc.UserInfo
+			userInfo           *coreosoidc.UserInfo
 			userInfoErr        error
 			wantUserInfoCalled bool
 		}{
@@ -1260,7 +1260,7 @@ func TestProviderConfig(t *testing.T) {
 				authCode:    "valid",
 				returnIDTok: validIDToken,
 				wantErr:     "could not fetch user info claims: userinfo 'sub' claim (test-user-2) did not match id_token 'sub' claim (test-user)",
-				userInfo:    &oidc.UserInfo{Subject: "test-user-2"},
+				userInfo:    &coreosoidc.UserInfo{Subject: "test-user-2"},
 			},
 			{
 				name:        "user info is not json",
@@ -1407,8 +1407,8 @@ func TestProviderConfig(t *testing.T) {
 	})
 }

-// mockVerifier returns an *oidc.IDTokenVerifier that validates any correctly serialized JWT without doing much else.
-func mockVerifier() *oidc.IDTokenVerifier {
+// mockVerifier returns an *coreosoidc.IDTokenVerifier that validates any correctly serialized JWT without doing much else.
+func mockVerifier() *coreosoidc.IDTokenVerifier {
 	mockKeySet := mockkeyset.NewMockKeySet(gomock.NewController(nil))
 	mockKeySet.EXPECT().VerifySignature(gomock.Any(), gomock.Any()).
 		AnyTimes().
@@ -1420,7 +1420,7 @@ func mockVerifier() *oidc.IDTokenVerifier {
 			return jws.UnsafePayloadWithoutVerification(), nil
 		})

-	return oidc.NewVerifier("", mockKeySet, &oidc.Config{
+	return coreosoidc.NewVerifier("", mockKeySet, &coreosoidc.Config{
 		SkipIssuerCheck:   true,
 		SkipExpiryCheck:   true,
 		SkipClientIDCheck: true,
@@ -1430,17 +1430,19 @@ func mockVerifier() *oidc.IDTokenVerifier {
 type mockProvider struct {
 	called      bool
 	rawClaims   []byte
-	userInfo    *oidc.UserInfo
+	userInfo    *coreosoidc.UserInfo
 	userInfoErr error
 }

-func (m *mockProvider) Verifier(_ *oidc.Config) *oidc.IDTokenVerifier { return mockVerifier() }
+func (m *mockProvider) Verifier(_ *coreosoidc.Config) *coreosoidc.IDTokenVerifier {
+	return mockVerifier()
+}

 func (m *mockProvider) Claims(v interface{}) error {
 	return json.Unmarshal(m.rawClaims, v)
 }

-func (m *mockProvider) UserInfo(_ context.Context, tokenSource oauth2.TokenSource) (*oidc.UserInfo, error) {
+func (m *mockProvider) UserInfo(_ context.Context, tokenSource oauth2.TokenSource) (*coreosoidc.UserInfo, error) {
 	m.called = true

 	token, err := tokenSource.Token()
@@ -1454,8 +1456,8 @@ func (m *mockProvider) UserInfo(_ context.Context, tokenSource oauth2.TokenSourc
 	return m.userInfo, m.userInfoErr
 }

-func forceUserInfoWithClaims(subject string, claims string) *oidc.UserInfo {
-	userInfo := &oidc.UserInfo{Subject: subject}
+func forceUserInfoWithClaims(subject string, claims string) *coreosoidc.UserInfo {
+	userInfo := &coreosoidc.UserInfo{Subject: subject}

 	// this is some dark magic to set a private field
 	claimsField := reflect.ValueOf(userInfo).Elem().FieldByName("claims")
--- a/pkg/conciergeclient/conciergeclient.go
+++ b/pkg/conciergeclient/conciergeclient.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package conciergeclient provides login helpers for the Pinniped concierge.
@@ -18,7 +18,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"

-	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
 	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 	"go.pinniped.dev/internal/constable"
@@ -49,10 +49,10 @@ func WithAuthenticator(authType, authName string) Option {
 		authenticator := corev1.TypedLocalObjectReference{Name: authName}
 		switch strings.ToLower(authType) {
 		case "webhook":
-			authenticator.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
+			authenticator.APIGroup = &authenticationv1alpha1.SchemeGroupVersion.Group
 			authenticator.Kind = "WebhookAuthenticator"
 		case "jwt":
-			authenticator.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
+			authenticator.APIGroup = &authenticationv1alpha1.SchemeGroupVersion.Group
 			authenticator.Kind = "JWTAuthenticator"
 		default:
 			return fmt.Errorf(`invalid authenticator type: %q, supported values are "webhook" and "jwt"`, authType)
--- a/pkg/oidcclient/nonce/nonce_test.go
+++ b/pkg/oidcclient/nonce/nonce_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package nonce
@@ -9,7 +9,7 @@ import (
 	"net/url"
 	"testing"

-	"github.com/coreos/go-oidc/v3/oidc"
+	coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/oauth2"
 )
@@ -25,10 +25,10 @@ func TestNonce(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, n.String(), authCodeURL.Query().Get("nonce"))

-	require.Error(t, n.Validate(&oidc.IDToken{}))
-	require.NoError(t, n.Validate(&oidc.IDToken{Nonce: string(n)}))
+	require.Error(t, n.Validate(&coreosoidc.IDToken{}))
+	require.NoError(t, n.Validate(&coreosoidc.IDToken{Nonce: string(n)}))

-	err = n.Validate(&oidc.IDToken{Nonce: string(n) + "x"})
+	err = n.Validate(&coreosoidc.IDToken{Nonce: string(n) + "x"})
 	require.Error(t, err)
 	require.True(t, errors.As(err, &InvalidNonceError{}))
 	require.Contains(t, err.Error(), string(n)+"x")
--- a/test/integration/cli_test.go
+++ b/test/integration/cli_test.go
@@ -26,7 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"

-	"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
 	conciergescheme "go.pinniped.dev/internal/concierge/scheme"
 	"go.pinniped.dev/pkg/oidcclient"
@@ -43,7 +43,7 @@ func TestCLIGetKubeconfigStaticToken_Parallel(t *testing.T) {
 	ctx, cancelFunc := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancelFunc()

-	authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)
+	authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)

 	// Build pinniped CLI.
 	pinnipedExe := testlib.PinnipedCLIPath(t)
--- a/test/integration/concierge_api_serving_certs_test.go
+++ b/test/integration/concierge_api_serving_certs_test.go
@@ -12,7 +12,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"

-	"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/test/testlib"
@@ -83,7 +83,7 @@ func TestAPIServingCertificateAutoCreationAndRotation_Disruptive(t *testing.T) {

 			// Create a testWebhook so we have a legitimate authenticator to pass to the
 			// TokenCredentialRequest API.
-			testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)
+			testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)

 			// Get the initial auto-generated version of the Secret.
 			secret, err := kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
--- a/test/integration/concierge_client_test.go
+++ b/test/integration/concierge_client_test.go
@@ -11,7 +11,7 @@ import (

 	"github.com/stretchr/testify/require"

-	"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/internal/here"
 	"go.pinniped.dev/pkg/conciergeclient"
 	"go.pinniped.dev/test/testlib"
@@ -59,7 +59,7 @@ func TestClient(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()

-	webhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)
+	webhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)

 	// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
 	invalidClient := testlib.NewClientsetWithCertAndKey(t, testCert, testKey)
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -17,7 +17,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"

-	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
 	"go.pinniped.dev/test/testlib"
 )
@@ -33,7 +33,7 @@ func TestUnsuccessfulCredentialRequest_Parallel(t *testing.T) {
 		loginv1alpha1.TokenCredentialRequestSpec{
 			Token: env.TestUser.Token,
 			Authenticator: corev1.TypedLocalObjectReference{
-				APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
+				APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
 				Kind:     "WebhookAuthenticator",
 				Name:     "some-webhook-that-does-not-exist",
 			},
@@ -62,7 +62,7 @@ func TestSuccessfulCredentialRequest_Browser(t *testing.T) {
 		{
 			name: "webhook",
 			authenticator: func(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
-				return testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
+				return testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
 			},
 			token: func(t *testing.T) (string, string, []string) {
 				return testlib.IntegrationEnv(t).TestUser.Token, env.TestUser.ExpectedUsername, env.TestUser.ExpectedGroups
@@ -73,7 +73,7 @@ func TestSuccessfulCredentialRequest_Browser(t *testing.T) {
 			authenticator: func(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
 				authenticator := testlib.CreateTestJWTAuthenticatorForCLIUpstream(ctx, t)
 				return corev1.TypedLocalObjectReference{
-					APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
+					APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
 					Kind:     "JWTAuthenticator",
 					Name:     authenticator.Name,
 				}
@@ -148,7 +148,7 @@ func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthentic
 	// TokenCredentialRequest API.
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
+	testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)

 	response, err := testlib.CreateTokenCredentialRequest(context.Background(), t,
 		loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token", Authenticator: testWebhook},
@@ -169,7 +169,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken_Parallel(t *
 	// TokenCredentialRequest API.
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
+	testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)

 	response, err := testlib.CreateTokenCredentialRequest(context.Background(), t,
 		loginv1alpha1.TokenCredentialRequestSpec{Token: "", Authenticator: testWebhook},
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
@@ -61,7 +61,7 @@ import (
 	"k8s.io/client-go/util/retry"
 	"k8s.io/utils/ptr"

-	"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	conciergev1alpha "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 	identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
@@ -121,7 +121,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 	// Create a WebhookAuthenticator and prepare a TokenCredentialRequestSpec using the authenticator for use later.
 	credentialRequestSpecWithWorkingCredentials := loginv1alpha1.TokenCredentialRequestSpec{
 		Token:         env.TestUser.Token,
-		Authenticator: testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady),
+		Authenticator: testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady),
 	}

 	// The address of the ClusterIP service that points at the impersonation proxy's port (used when there is no load balancer).
--- a/test/integration/concierge_jwtauthenticator_status_test.go
+++ b/test/integration/concierge_jwtauthenticator_status_test.go
@@ -14,7 +14,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/test/testlib"
 )

@@ -31,13 +31,13 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
 			name: "valid spec with no errors and all good status conditions and phase will result in a jwt authenticator that is ready",
 			run: func(t *testing.T) {
 				caBundleString := base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle))
-				jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
+				jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
 					Issuer:   env.SupervisorUpstreamOIDC.Issuer,
 					Audience: "some-fake-audience",
-					TLS: &v1alpha1.TLSSpec{
+					TLS: &authenticationv1alpha1.TLSSpec{
 						CertificateAuthorityData: caBundleString,
 					},
-				}, v1alpha1.JWTAuthenticatorPhaseReady)
+				}, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 				testlib.WaitForJWTAuthenticatorStatusConditions(
 					ctx, t,
@@ -49,13 +49,13 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
 			name: "valid spec with invalid CA in TLS config will result in a jwt authenticator that is not ready",
 			run: func(t *testing.T) {
 				caBundleString := "invalid base64-encoded data"
-				jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
+				jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
 					Issuer:   env.SupervisorUpstreamOIDC.Issuer,
 					Audience: "some-fake-audience",
-					TLS: &v1alpha1.TLSSpec{
+					TLS: &authenticationv1alpha1.TLSSpec{
 						CertificateAuthorityData: caBundleString,
 					},
-				}, v1alpha1.JWTAuthenticatorPhaseError)
+				}, authenticationv1alpha1.JWTAuthenticatorPhaseError)

 				testlib.WaitForJWTAuthenticatorStatusConditions(
 					ctx, t,
@@ -102,16 +102,16 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
 			name: "valid spec with valid CA in TLS config but does not match issuer server will result in a jwt authenticator that is not ready",
 			run: func(t *testing.T) {
 				caBundleString := "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVVENDQWptZ0F3SUJBZ0lWQUpzNStTbVRtaTJXeUI0bGJJRXBXaUs5a1RkUE1BMEdDU3FHU0liM0RRRUIKQ3dVQU1COHhDekFKQmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLREFkUWFYWnZkR0ZzTUI0WERUSXdNRFV3TkRFMgpNamMxT0ZvWERUSTBNRFV3TlRFMk1qYzFPRm93SHpFTE1Ba0dBMVVFQmhNQ1ZWTXhFREFPQmdOVkJBb01CMUJwCmRtOTBZV3d3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRERZWmZvWGR4Z2NXTEMKZEJtbHB5a0tBaG9JMlBuUWtsVFNXMno1cGcwaXJjOGFRL1E3MXZzMTRZYStmdWtFTGlvOTRZYWw4R01DdVFrbApMZ3AvUEE5N1VYelhQNDBpK25iNXcwRGpwWWd2dU9KQXJXMno2MFRnWE5NSFh3VHk4ME1SZEhpUFVWZ0VZd0JpCmtkNThzdEFVS1Y1MnBQTU1reTJjNy9BcFhJNmRXR2xjalUvaFBsNmtpRzZ5dEw2REtGYjJQRWV3MmdJM3pHZ2IKOFVVbnA1V05DZDd2WjNVY0ZHNXlsZEd3aGc3cnZ4U1ZLWi9WOEhCMGJmbjlxamlrSVcxWFM4dzdpUUNlQmdQMApYZWhKZmVITlZJaTJtZlczNlVQbWpMdnVKaGpqNDIrdFBQWndvdDkzdWtlcEgvbWpHcFJEVm9wamJyWGlpTUYrCkYxdnlPNGMxQWdNQkFBR2pnWU13Z1lBd0hRWURWUjBPQkJZRUZNTWJpSXFhdVkwajRVWWphWDl0bDJzby9LQ1IKTUI4R0ExVWRJd1FZTUJhQUZNTWJpSXFhdVkwajRVWWphWDl0bDJzby9LQ1JNQjBHQTFVZEpRUVdNQlFHQ0NzRwpBUVVGQndNQ0JnZ3JCZ0VGQlFjREFUQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BNEdBMVVkRHdFQi93UUVBd0lCCkJqQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFYbEh4M2tIMDZwY2NDTDlEVE5qTnBCYnlVSytGd2R6T2IwWFYKcmpNaGtxdHVmdEpUUnR5T3hKZ0ZKNXhUR3pCdEtKamcrVU1pczBOV0t0VDBNWThVMU45U2c5SDl0RFpHRHBjVQpxMlVRU0Y4dXRQMVR3dnJIUzIrdzB2MUoxdHgrTEFiU0lmWmJCV0xXQ21EODUzRlVoWlFZekkvYXpFM28vd0p1CmlPUklMdUpNUk5vNlBXY3VLZmRFVkhaS1RTWnk3a25FcHNidGtsN3EwRE91eUFWdG9HVnlkb3VUR0FOdFhXK2YKczNUSTJjKzErZXg3L2RZOEJGQTFzNWFUOG5vZnU3T1RTTzdiS1kzSkRBUHZOeFQzKzVZUXJwNGR1Nmh0YUFMbAppOHNaRkhidmxpd2EzdlhxL3p1Y2JEaHEzQzBhZnAzV2ZwRGxwSlpvLy9QUUFKaTZLQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
-				jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
+				jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
 					Issuer:   env.SupervisorUpstreamOIDC.Issuer,
 					Audience: "some-fake-audience",
 					// Some random generated cert
 					// Issuer: C=US, O=Pivotal
 					// No SAN provided
-					TLS: &v1alpha1.TLSSpec{
+					TLS: &authenticationv1alpha1.TLSSpec{
 						CertificateAuthorityData: caBundleString,
 					},
-				}, v1alpha1.JWTAuthenticatorPhaseError)
+				}, authenticationv1alpha1.JWTAuthenticatorPhaseError)

 				testlib.WaitForJWTAuthenticatorStatusConditions(
 					ctx, t,
@@ -159,13 +159,13 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
 			run: func(t *testing.T) {
 				caBundleString := base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle))
 				fakeIssuerURL := "https://127.0.0.1:443/some-fake-issuer"
-				jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
+				jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
 					Issuer:   fakeIssuerURL,
 					Audience: "some-fake-audience",
-					TLS: &v1alpha1.TLSSpec{
+					TLS: &authenticationv1alpha1.TLSSpec{
 						CertificateAuthorityData: caBundleString,
 					},
-				}, v1alpha1.JWTAuthenticatorPhaseError)
+				}, authenticationv1alpha1.JWTAuthenticatorPhaseError)

 				testlib.WaitForJWTAuthenticatorStatusConditions(
 					ctx, t,
@@ -223,14 +223,14 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 	objectMeta := testlib.ObjectMetaWithRandomName(t, "jwt-authenticator")
 	tests := []struct {
 		name             string
-		jwtAuthenticator *v1alpha1.JWTAuthenticator
+		jwtAuthenticator *authenticationv1alpha1.JWTAuthenticator
 		wantErr          string
 	}{
 		{
 			name: "issuer can not be empty string",
-			jwtAuthenticator: &v1alpha1.JWTAuthenticator{
+			jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
 				ObjectMeta: objectMeta,
-				Spec: v1alpha1.JWTAuthenticatorSpec{
+				Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 					Issuer:   "",
 					Audience: "fake-audience",
 				},
@@ -240,9 +240,9 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 		},
 		{
 			name: "audience can not be empty string",
-			jwtAuthenticator: &v1alpha1.JWTAuthenticator{
+			jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
 				ObjectMeta: objectMeta,
-				Spec: v1alpha1.JWTAuthenticatorSpec{
+				Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 					Issuer:   "https://example.com",
 					Audience: "",
 				},
@@ -252,9 +252,9 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 		},
 		{
 			name: "issuer must be https",
-			jwtAuthenticator: &v1alpha1.JWTAuthenticator{
+			jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
 				ObjectMeta: objectMeta,
-				Spec: v1alpha1.JWTAuthenticatorSpec{
+				Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 					Issuer:   "http://www.example.com",
 					Audience: "foo",
 				},
@@ -264,9 +264,9 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 		},
 		{
 			name: "minimum valid authenticator",
-			jwtAuthenticator: &v1alpha1.JWTAuthenticator{
+			jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
 				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
-				Spec: v1alpha1.JWTAuthenticatorSpec{
+				Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 					Issuer:   env.CLIUpstreamOIDC.Issuer,
 					Audience: "foo",
 				},
@@ -274,23 +274,23 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 		},
 		{
 			name: "valid authenticator can have empty claims block",
-			jwtAuthenticator: &v1alpha1.JWTAuthenticator{
+			jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
 				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
-				Spec: v1alpha1.JWTAuthenticatorSpec{
+				Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 					Issuer:   env.CLIUpstreamOIDC.Issuer,
 					Audience: "foo",
-					Claims:   v1alpha1.JWTTokenClaims{},
+					Claims:   authenticationv1alpha1.JWTTokenClaims{},
 				},
 			},
 		},
 		{
 			name: "valid authenticator can have empty group claim and empty username claim",
-			jwtAuthenticator: &v1alpha1.JWTAuthenticator{
+			jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
 				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
-				Spec: v1alpha1.JWTAuthenticatorSpec{
+				Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 					Issuer:   env.CLIUpstreamOIDC.Issuer,
 					Audience: "foo",
-					Claims: v1alpha1.JWTTokenClaims{
+					Claims: authenticationv1alpha1.JWTTokenClaims{
 						Groups:   "",
 						Username: "",
 					},
@@ -299,31 +299,31 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 		},
 		{
 			name: "valid authenticator can have empty TLS block",
-			jwtAuthenticator: &v1alpha1.JWTAuthenticator{
+			jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
 				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
-				Spec: v1alpha1.JWTAuthenticatorSpec{
+				Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 					Issuer:   env.CLIUpstreamOIDC.Issuer,
 					Audience: "foo",
-					Claims: v1alpha1.JWTTokenClaims{
+					Claims: authenticationv1alpha1.JWTTokenClaims{
 						Groups:   "",
 						Username: "",
 					},
-					TLS: &v1alpha1.TLSSpec{},
+					TLS: &authenticationv1alpha1.TLSSpec{},
 				},
 			},
 		},
 		{
 			name: "valid authenticator can have empty TLS CertificateAuthorityData",
-			jwtAuthenticator: &v1alpha1.JWTAuthenticator{
+			jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
 				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
-				Spec: v1alpha1.JWTAuthenticatorSpec{
+				Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 					Issuer:   env.CLIUpstreamOIDC.Issuer,
 					Audience: "foo",
-					Claims: v1alpha1.JWTTokenClaims{
+					Claims: authenticationv1alpha1.JWTTokenClaims{
 						Groups:   "",
 						Username: "",
 					},
-					TLS: &v1alpha1.TLSSpec{
+					TLS: &authenticationv1alpha1.TLSSpec{
 						CertificateAuthorityData: "pretend-this-is-a-certificate",
 					},
 				},
--- a/test/integration/concierge_webhookauthenticator_status_test.go
+++ b/test/integration/concierge_webhookauthenticator_status_test.go
@@ -12,7 +12,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/test/testlib"
 )

@@ -25,30 +25,30 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {

 	tests := []struct {
 		name            string
-		spec            func() *v1alpha1.WebhookAuthenticatorSpec
-		initialPhase    v1alpha1.WebhookAuthenticatorPhase
+		spec            func() *authenticationv1alpha1.WebhookAuthenticatorSpec
+		initialPhase    authenticationv1alpha1.WebhookAuthenticatorPhase
 		finalConditions []metav1.Condition
 		run             func(t *testing.T)
 	}{
 		{
 			name: "Basic test to see if the WebhookAuthenticator wakes up or not.",
-			spec: func() *v1alpha1.WebhookAuthenticatorSpec {
+			spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
 				return &testlib.IntegrationEnv(t).TestWebhook
 			},
-			initialPhase:    v1alpha1.WebhookAuthenticatorPhaseReady,
+			initialPhase:    authenticationv1alpha1.WebhookAuthenticatorPhaseReady,
 			finalConditions: allSuccessfulWebhookAuthenticatorConditions(),
 		},
 		{
 			name: "valid spec with invalid CA in TLS config will result in a WebhookAuthenticator that is not ready",
-			spec: func() *v1alpha1.WebhookAuthenticatorSpec {
+			spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
 				caBundleString := "invalid base64-encoded data"
 				webhookSpec := testEnv.TestWebhook.DeepCopy()
-				webhookSpec.TLS = &v1alpha1.TLSSpec{
+				webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{
 					CertificateAuthorityData: caBundleString,
 				}
 				return webhookSpec
 			},
-			initialPhase: v1alpha1.WebhookAuthenticatorPhaseError,
+			initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError,
 			finalConditions: replaceSomeConditions(
 				allSuccessfulWebhookAuthenticatorConditions(),
 				[]metav1.Condition{
@@ -78,14 +78,14 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
 		},
 		{
 			name: "valid spec with valid CA in TLS config but does not match issuer server will result in a WebhookAuthenticator that is not ready",
-			spec: func() *v1alpha1.WebhookAuthenticatorSpec {
+			spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
 				webhookSpec := testEnv.TestWebhook.DeepCopy()
-				webhookSpec.TLS = &v1alpha1.TLSSpec{
+				webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{
 					CertificateAuthorityData: caBundleSomePivotalCA,
 				}
 				return webhookSpec
 			},
-			initialPhase: v1alpha1.WebhookAuthenticatorPhaseError,
+			initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError,
 			finalConditions: replaceSomeConditions(
 				allSuccessfulWebhookAuthenticatorConditions(),
 				[]metav1.Condition{
@@ -110,15 +110,15 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
 		},
 		{
 			name: "invalid with unresponsive endpoint will result in a WebhookAuthenticator that is not ready",
-			spec: func() *v1alpha1.WebhookAuthenticatorSpec {
+			spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
 				webhookSpec := testEnv.TestWebhook.DeepCopy()
-				webhookSpec.TLS = &v1alpha1.TLSSpec{
+				webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{
 					CertificateAuthorityData: caBundleSomePivotalCA,
 				}
 				webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint"
 				return webhookSpec
 			},
-			initialPhase: v1alpha1.WebhookAuthenticatorPhaseError,
+			initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError,
 			finalConditions: replaceSomeConditions(
 				allSuccessfulWebhookAuthenticatorConditions(),
 				[]metav1.Condition{
@@ -171,14 +171,14 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) {
 	objectMeta := testlib.ObjectMetaWithRandomName(t, "webhook-authenticator")
 	tests := []struct {
 		name                 string
-		webhookAuthenticator *v1alpha1.WebhookAuthenticator
+		webhookAuthenticator *authenticationv1alpha1.WebhookAuthenticator
 		wantErr              string
 	}{
 		{
 			name: "endpoint can not be empty string",
-			webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
+			webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{
 				ObjectMeta: objectMeta,
-				Spec: v1alpha1.WebhookAuthenticatorSpec{
+				Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 					Endpoint: "",
 				},
 			},
@@ -187,9 +187,9 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) {
 		},
 		{
 			name: "endpoint must be https",
-			webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
+			webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{
 				ObjectMeta: objectMeta,
-				Spec: v1alpha1.WebhookAuthenticatorSpec{
+				Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 					Endpoint: "http://www.example.com",
 				},
 			},
@@ -198,30 +198,30 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) {
 		},
 		{
 			name: "minimum valid authenticator",
-			webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
+			webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{
 				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "webhook"),
-				Spec: v1alpha1.WebhookAuthenticatorSpec{
+				Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 					Endpoint: "https://localhost/webhook-isnt-actually-here",
 				},
 			},
 		},
 		{
 			name: "valid authenticator can have empty TLS block",
-			webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
+			webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{
 				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "webhook"),
-				Spec: v1alpha1.WebhookAuthenticatorSpec{
+				Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 					Endpoint: "https://localhost/webhook-isnt-actually-here",
-					TLS:      &v1alpha1.TLSSpec{},
+					TLS:      &authenticationv1alpha1.TLSSpec{},
 				},
 			},
 		},
 		{
 			name: "valid authenticator can have empty TLS CertificateAuthorityData",
-			webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
+			webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{
 				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
-				Spec: v1alpha1.WebhookAuthenticatorSpec{
+				Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 					Endpoint: "https://localhost/webhook-isnt-actually-here",
-					TLS: &v1alpha1.TLSSpec{
+					TLS: &authenticationv1alpha1.TLSSpec{
 						CertificateAuthorityData: "",
 					},
 				},
@@ -230,11 +230,11 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) {
 		{
 			// since the CRD validations do not assess fitness of the value provided
 			name: "valid authenticator can have TLS CertificateAuthorityData string that is an invalid certificate",
-			webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
+			webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{
 				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
-				Spec: v1alpha1.WebhookAuthenticatorSpec{
+				Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 					Endpoint: "https://localhost/webhook-isnt-actually-here",
-					TLS: &v1alpha1.TLSSpec{
+					TLS: &authenticationv1alpha1.TLSSpec{
 						CertificateAuthorityData: "pretend-this-is-a-certificate",
 					},
 				},
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@@ -34,7 +34,7 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/utils/ptr"

-	authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 	supervisorclient "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
@@ -115,11 +115,11 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 	// Create a JWTAuthenticator that will validate the tokens from the downstream issuer.
 	// If the FederationDomain is not Ready, the JWTAuthenticator cannot be ready, either.
 	clusterAudience := "test-cluster-" + testlib.RandHex(t, 8)
-	authenticator := testlib.CreateTestJWTAuthenticator(topSetupCtx, t, authv1alpha.JWTAuthenticatorSpec{
+	authenticator := testlib.CreateTestJWTAuthenticator(topSetupCtx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   federationDomain.Spec.Issuer,
 		Audience: clusterAudience,
-		TLS:      &authv1alpha.TLSSpec{CertificateAuthorityData: testCABundleBase64},
-	}, authv1alpha.JWTAuthenticatorPhaseError)
+		TLS:      &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: testCABundleBase64},
+	}, authenticationv1alpha1.JWTAuthenticatorPhaseError)

 	// Add an OIDC upstream IDP and try using it to authenticate during kubectl commands.
 	t.Run("with Supervisor OIDC upstream IDP and browser flow with with form_post automatic authcode delivery to CLI", func(t *testing.T) {
@@ -164,7 +164,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 			},
 		}, idpv1alpha1.PhaseReady)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -250,7 +250,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 			},
 		}, idpv1alpha1.PhaseReady)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -338,7 +338,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 			},
 		}, idpv1alpha1.PhaseReady)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -462,7 +462,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 			},
 		}, idpv1alpha1.PhaseReady)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -593,7 +593,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 			},
 		}, idpv1alpha1.PhaseReady)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -666,7 +666,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 			},
 		}, idpv1alpha1.PhaseReady)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -730,7 +730,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {

 		createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -789,7 +789,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {

 		createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -852,7 +852,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {

 		createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -923,7 +923,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {

 		createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -982,7 +982,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {

 		createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -1055,7 +1055,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {

 		createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -1110,7 +1110,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {

 		createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -1165,7 +1165,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {

 		createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -1242,7 +1242,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {

 		// Having one IDP should put the FederationDomain into a ready state.
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
 		testlib.CreateTestClusterRoleBinding(t,
@@ -1276,7 +1276,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {

 		// Having a second IDP should put the FederationDomain back into an error state until we tell it which one to use.
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseError)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Update the FederationDomain to use the two IDPs.
 		federationDomainsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().FederationDomains(env.SupervisorNamespace)
@@ -1371,7 +1371,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {

 		// The FederationDomain should be valid after the above update.
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/test-sessions.yaml"
@@ -1505,7 +1505,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 		}, 20*time.Second, 250*time.Millisecond)
 		// The FederationDomain should be valid after the above update.
 		testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Log out so we can try fresh logins again.
 		require.NoError(t, os.Remove(credentialCachePath))
--- a/test/integration/supervisor_warnings_test.go
+++ b/test/integration/supervisor_warnings_test.go
@@ -24,7 +24,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"

-	authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 	"go.pinniped.dev/internal/certauthority"
@@ -93,11 +93,11 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
 	// Create a JWTAuthenticator that will validate the tokens from the downstream issuer.
 	// if the FederationDomain is not Ready, the JWTAuthenticator cannot be ready, either.
 	clusterAudience := "test-cluster-" + testlib.RandHex(t, 8)
-	authenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authv1alpha.JWTAuthenticatorSpec{
+	authenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   downstream.Spec.Issuer,
 		Audience: clusterAudience,
-		TLS:      &authv1alpha.TLSSpec{CertificateAuthorityData: testCABundleBase64},
-	}, authv1alpha.JWTAuthenticatorPhaseError)
+		TLS:      &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: testCABundleBase64},
+	}, authenticationv1alpha1.JWTAuthenticatorPhaseError)

 	const (
 		yellowColor = "\u001b[33;1m"
@@ -111,7 +111,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {

 		createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
 		testlib.WaitForFederationDomainStatusPhase(ctx, t, downstream.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml"
@@ -259,7 +259,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
 		sAMAccountName := expectedUsername + "@" + env.SupervisorUpstreamActiveDirectory.Domain
 		createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, sAMAccountName, env)
 		testlib.WaitForFederationDomainStatusPhase(ctx, t, downstream.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml"
@@ -421,7 +421,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
 			},
 		}, idpv1alpha1.PhaseReady)
 		testlib.WaitForFederationDomainStatusPhase(ctx, t, downstream.Name, configv1alpha1.FederationDomainPhaseReady)
-		testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
+		testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)

 		// Use a specific session cache for this test.
 		sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml"
--- a/test/testlib/client.go
+++ b/test/testlib/client.go
@@ -27,7 +27,7 @@ import (
 	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 	"k8s.io/utils/ptr"

-	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
 	clientsecretv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
@@ -174,8 +174,8 @@ func NewKubeclient(t *testing.T, config *rest.Config) *kubeclient.Client {
 func CreateTestWebhookAuthenticator(
 	ctx context.Context,
 	t *testing.T,
-	webhookSpec *auth1alpha1.WebhookAuthenticatorSpec,
-	expectedStatus auth1alpha1.WebhookAuthenticatorPhase) corev1.TypedLocalObjectReference {
+	webhookSpec *authenticationv1alpha1.WebhookAuthenticatorSpec,
+	expectedStatus authenticationv1alpha1.WebhookAuthenticatorPhase) corev1.TypedLocalObjectReference {
 	t.Helper()

 	client := NewConciergeClientset(t)
@@ -184,7 +184,7 @@ func CreateTestWebhookAuthenticator(
 	createContext, cancel := context.WithTimeout(ctx, time.Minute)
 	defer cancel()

-	webhook, err := webhooks.Create(createContext, &auth1alpha1.WebhookAuthenticator{
+	webhook, err := webhooks.Create(createContext, &authenticationv1alpha1.WebhookAuthenticator{
 		ObjectMeta: testObjectMeta(t, "webhook"),
 		Spec:       *webhookSpec,
 	}, metav1.CreateOptions{})
@@ -205,7 +205,7 @@ func CreateTestWebhookAuthenticator(
 	}

 	return corev1.TypedLocalObjectReference{
-		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
+		APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
 		Kind:     "WebhookAuthenticator",
 		Name:     webhook.Name,
 	}
@@ -215,7 +215,7 @@ func WaitForWebhookAuthenticatorStatusPhase(
 	ctx context.Context,
 	t *testing.T,
 	webhookName string,
-	expectPhase auth1alpha1.WebhookAuthenticatorPhase) {
+	expectPhase authenticationv1alpha1.WebhookAuthenticatorPhase) {
 	t.Helper()
 	webhookAuthenticatorClientSet := NewConciergeClientset(t).AuthenticationV1alpha1().WebhookAuthenticators()

@@ -256,25 +256,25 @@ func WaitForWebhookAuthenticatorStatusConditions(ctx context.Context, t *testing
 // deleted at the end of the current test's lifetime.
 //
 // CreateTestJWTAuthenticatorForCLIUpstream gets the OIDC issuer info from IntegrationEnv().CLIUpstreamOIDC.
-func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) *auth1alpha1.JWTAuthenticator {
+func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) *authenticationv1alpha1.JWTAuthenticator {
 	t.Helper()
 	testEnv := IntegrationEnv(t)
-	spec := auth1alpha1.JWTAuthenticatorSpec{
+	spec := authenticationv1alpha1.JWTAuthenticatorSpec{
 		Issuer:   testEnv.CLIUpstreamOIDC.Issuer,
 		Audience: testEnv.CLIUpstreamOIDC.ClientID,
 		// The default UsernameClaim is "username" but the upstreams that we use for
 		// integration tests won't necessarily have that claim, so use "sub" here.
-		Claims: auth1alpha1.JWTTokenClaims{Username: "sub"},
+		Claims: authenticationv1alpha1.JWTTokenClaims{Username: "sub"},
 	}
 	// If the test upstream does not have a CA bundle specified, then don't configure one in the
 	// JWTAuthenticator. Leaving TLSSpec set to nil will result in OIDC discovery using the OS's root
 	// CA store.
 	if testEnv.CLIUpstreamOIDC.CABundle != "" {
-		spec.TLS = &auth1alpha1.TLSSpec{
+		spec.TLS = &authenticationv1alpha1.TLSSpec{
 			CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(testEnv.CLIUpstreamOIDC.CABundle)),
 		}
 	}
-	authenticator := CreateTestJWTAuthenticator(ctx, t, spec, auth1alpha1.JWTAuthenticatorPhaseReady)
+	authenticator := CreateTestJWTAuthenticator(ctx, t, spec, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
 	return authenticator
 }

@@ -283,8 +283,8 @@ func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T)
 func CreateTestJWTAuthenticator(
 	ctx context.Context,
 	t *testing.T,
-	spec auth1alpha1.JWTAuthenticatorSpec,
-	expectedStatus auth1alpha1.JWTAuthenticatorPhase) *auth1alpha1.JWTAuthenticator {
+	spec authenticationv1alpha1.JWTAuthenticatorSpec,
+	expectedStatus authenticationv1alpha1.JWTAuthenticatorPhase) *authenticationv1alpha1.JWTAuthenticator {
 	t.Helper()

 	client := NewConciergeClientset(t)
@@ -293,7 +293,7 @@ func CreateTestJWTAuthenticator(
 	createContext, cancel := context.WithTimeout(ctx, time.Minute)
 	defer cancel()

-	jwtAuthenticator, err := jwtAuthenticators.Create(createContext, &auth1alpha1.JWTAuthenticator{
+	jwtAuthenticator, err := jwtAuthenticators.Create(createContext, &authenticationv1alpha1.JWTAuthenticator{
 		ObjectMeta: testObjectMeta(t, "jwt-authenticator"),
 		Spec:       spec,
 	}, metav1.CreateOptions{})
@@ -314,7 +314,7 @@ func CreateTestJWTAuthenticator(
 	return jwtAuthenticator
 }

-func WaitForJWTAuthenticatorStatusPhase(ctx context.Context, t *testing.T, jwtAuthenticatorName string, expectPhase auth1alpha1.JWTAuthenticatorPhase) {
+func WaitForJWTAuthenticatorStatusPhase(ctx context.Context, t *testing.T, jwtAuthenticatorName string, expectPhase authenticationv1alpha1.JWTAuthenticatorPhase) {
 	t.Helper()
 	jwtAuthenticatorClientSet := NewConciergeClientset(t).AuthenticationV1alpha1().JWTAuthenticators()

--- a/test/testlib/env.go
+++ b/test/testlib/env.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package testlib
@@ -14,7 +14,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"sigs.k8s.io/yaml"

-	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 )

 type Capability string
@@ -39,22 +39,22 @@ type TestEnv struct {

 	skipPodRestartAssertions bool

-	ToolsNamespace                 string                               `json:"toolsNamespace"`
-	ConciergeNamespace             string                               `json:"conciergeNamespace"`
-	SupervisorNamespace            string                               `json:"supervisorNamespace"`
-	ConciergeAppName               string                               `json:"conciergeAppName"`
-	SupervisorAppName              string                               `json:"supervisorAppName"`
-	SupervisorCustomLabels         map[string]string                    `json:"supervisorCustomLabels"`
-	ConciergeCustomLabels          map[string]string                    `json:"conciergeCustomLabels"`
-	KubernetesDistribution         KubeDistro                           `json:"kubernetesDistribution"`
-	Capabilities                   map[Capability]bool                  `json:"capabilities"`
-	TestWebhook                    auth1alpha1.WebhookAuthenticatorSpec `json:"testWebhook"`
-	SupervisorHTTPSAddress         string                               `json:"supervisorHttpsAddress"`
-	SupervisorHTTPSIngressAddress  string                               `json:"supervisorHttpsIngressAddress"`
-	SupervisorHTTPSIngressCABundle string                               `json:"supervisorHttpsIngressCABundle"`
-	Proxy                          string                               `json:"proxy"`
-	APIGroupSuffix                 string                               `json:"apiGroupSuffix"`
-	ShellContainerImage            string                               `json:"shellContainer"`
+	ToolsNamespace                 string                                          `json:"toolsNamespace"`
+	ConciergeNamespace             string                                          `json:"conciergeNamespace"`
+	SupervisorNamespace            string                                          `json:"supervisorNamespace"`
+	ConciergeAppName               string                                          `json:"conciergeAppName"`
+	SupervisorAppName              string                                          `json:"supervisorAppName"`
+	SupervisorCustomLabels         map[string]string                               `json:"supervisorCustomLabels"`
+	ConciergeCustomLabels          map[string]string                               `json:"conciergeCustomLabels"`
+	KubernetesDistribution         KubeDistro                                      `json:"kubernetesDistribution"`
+	Capabilities                   map[Capability]bool                             `json:"capabilities"`
+	TestWebhook                    authenticationv1alpha1.WebhookAuthenticatorSpec `json:"testWebhook"`
+	SupervisorHTTPSAddress         string                                          `json:"supervisorHttpsAddress"`
+	SupervisorHTTPSIngressAddress  string                                          `json:"supervisorHttpsIngressAddress"`
+	SupervisorHTTPSIngressCABundle string                                          `json:"supervisorHttpsIngressCABundle"`
+	Proxy                          string                                          `json:"proxy"`
+	APIGroupSuffix                 string                                          `json:"apiGroupSuffix"`
+	ShellContainerImage            string                                          `json:"shellContainer"`

 	TestUser struct {
 		Token            string   `json:"token"`
@@ -227,7 +227,7 @@ func loadEnvVars(t *testing.T, result *TestEnv) {
 	result.TestWebhook.Endpoint = needEnv(t, "PINNIPED_TEST_WEBHOOK_ENDPOINT")
 	result.SupervisorNamespace = needEnv(t, "PINNIPED_TEST_SUPERVISOR_NAMESPACE")
 	result.SupervisorAppName = needEnv(t, "PINNIPED_TEST_SUPERVISOR_APP_NAME")
-	result.TestWebhook.TLS = &auth1alpha1.TLSSpec{CertificateAuthorityData: needEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")}
+	result.TestWebhook.TLS = &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: needEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")}

 	result.SupervisorHTTPSIngressAddress = os.Getenv("PINNIPED_TEST_SUPERVISOR_HTTPS_INGRESS_ADDRESS")
 	result.SupervisorHTTPSAddress = needEnv(t, "PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS")