proof of concept for changing session lifetime for GitHub PATs

2026-04-15 07:06:45 +00:00 · 2024-11-15 13:03:03 -08:00
1958 changed files with 16177 additions and 87243 deletions
--- a/.github/ISSUE_TEMPLATE/release_checklist.md
+++ b/.github/ISSUE_TEMPLATE/release_checklist.md
@@ -14,7 +14,7 @@ assignees: ''
 - [ ] Ensure that Pinniped's dependencies have been upgraded, to the extent desired by the team (refer to the diff output from the latest run of the [all-golang-deps-updated](https://ci.pinniped.dev/teams/main/pipelines/security-scan/jobs/all-golang-deps-updated/) CI job)
  - [ ] If you are updating golang in Pinniped, be sure to update golang in CI as well.  Do a search-and-replace to update the version number everywhere in the pinniped `ci` branch.
  - [ ] If the Fosite library is being updated and the format of the content of the Supervisor's storage Secrets are changed, or if any change to our own code changes the format of the content of the Supervisor's session storage Secrets, then be sure to update the `accessTokenStorageVersion`, `authorizeCodeStorageVersion`, `oidcStorageVersion`, `pkceStorageVersion`, `refreshTokenStorageVersion`, variables in files such as `internal/fositestorage/accesstoken/accesstoken.go`.  Failing tests should signal the need to update these values.
-  - [ ] For go.mod direct dependencies that are v2 or above, such as `github.com/google/go-github/vXX`, check to see if there is a new major version available. Try using `hack/update-go-mod/update-majors.sh`.
+  - [ ] For go.mod direct dependencies that are v2 or above, such as `github.com/google/go-github/vXX`, check to see if there is a new major version available.
  - [ ] Evaluate all `replace` directives in the `go.mod` file. Are they up to date versions? Can any `replace` directives be removed?
 - [ ] Ensure that Pinniped's codegen is up-to-date with the latest Kubernetes releases by making sure this [file](https://github.com/vmware-tanzu/pinniped/blob/main/hack/lib/kube-versions.txt) is updated compared to the latest releases listed [here for active branches](https://kubernetes.io/releases/) and [here for non-active branches](https://kubernetes.io/releases/patch-releases/#non-active-branch-history)
 - [ ] Ensure that the `k8s-code-generator` CI job definitions are up-to-date with the latest Go, K8s, and `controller-gen` versions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -71,6 +71,12 @@ updates:
    schedule:
      interval: "daily"
    target-branch: ci
+  - package-ecosystem: "docker"
+    directory: "/dockerfiles/go-lint-runner/"
+    open-pull-requests-limit: 100
+    schedule:
+      interval: "daily"
+    target-branch: ci
  - package-ecosystem: "docker"
    directory: "/dockerfiles/integration-test-runner/"
    open-pull-requests-limit: 100
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,14 +1,24 @@
 # https://golangci-lint.run/usage/configuration/
+run:
+  timeout: 1m

-version: "2"
 linters:
-  default: none
+  disable-all: true
  enable:
+    # default linters
+    - errcheck
+    - gosimple
+    - govet
+    - ineffassign
+    - staticcheck
+    - typecheck
+    - unused
+
+    # additional linters for this project (we should disable these if they get annoying).
    - asciicheck
    - bodyclose
-    - copyloopvar
+    # - depguard
    - dogsled
-    - errcheck
    - exhaustive
    - funlen
    - gochecknoglobals
@@ -17,149 +27,136 @@ linters:
    - gocyclo
    - godot
    - goheader
+    - goimports
+    - revive
    - goprintffuncname
    - gosec
-    - govet
-    - importas
-    - ineffassign
-    - intrange
-    - makezero
    - misspell
    - nakedret
    - nestif
    - noctx
    - nolintlint
    - prealloc
-    - revive
    - rowserrcheck
-    - spancheck
    - sqlclosecheck
-    - staticcheck
    - unconvert
-    - unused
    - whitespace
-  settings:
-    funlen:
-      lines: 150
-      statements: 50
-    goheader:
-      values:
-        regexp:
-          # YYYY or YYYY-YYYY
-          YEARS: \d\d\d\d(-\d\d\d\d)?
-      template: |-
-        Copyright {{YEARS}} the Pinniped contributors. All Rights Reserved.
-        SPDX-License-Identifier: Apache-2.0
-    importas:
-      alias:
-        - pkg: k8s.io/apimachinery/pkg/util/errors
-          alias: utilerrors
-        - pkg: k8s.io/apimachinery/pkg/api/errors
-          alias: apierrors
-        - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
-          alias: metav1
-        - pkg: k8s.io/api/core/v1
-          alias: corev1
-        - pkg: github.com/coreos/go-oidc/v3/oidc
-          alias: coreosoidc
-        - pkg: github.com/ory/fosite/handler/oauth2
-          alias: fositeoauth2
-        - pkg: github.com/ory/fosite/token/jwt
-          alias: fositejwt
-        - pkg: github.com/go-jose/go-jose/v4/jwt
-          alias: josejwt
-        - pkg: github.com/go-jose/go-jose/v3
-          alias: oldjosev3
-        - pkg: go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1
-          alias: authenticationv1alpha1
-        - pkg: go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1
-          alias: clientsecretv1alpha1
-        - pkg: go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1
-          alias: supervisorconfigv1alpha1
-        - pkg: go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1
-          alias: conciergeconfigv1alpha1
-        - pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned
-          alias: conciergeclientset
-        - pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme
-          alias: conciergeclientsetscheme
-        - pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake
-          alias: conciergefake
-        - pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned
-          alias: supervisorclientset
-        - pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme
-          alias: supervisorclientsetscheme
-        - pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake
-          alias: supervisorfake
-        - pkg: go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1
-          alias: idpv1alpha1
-        - pkg: go.pinniped.dev/generated/latest/client/concierge/informers/externalversions
-          alias: conciergeinformers
-        - pkg: go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions
-          alias: supervisorinformers
-        - pkg: go.pinniped.dev/internal/concierge/scheme
-          alias: conciergescheme
-      no-unaliased: true # All packages explicitly listed above must be aliased
-      no-extra-aliases: false # Allow other aliases than the ones explicitly listed above
-    revive:
-      max-open-files: 2048
-      rules:
-        # Allow unused params that start with underscore. It can be nice to keep unused param names when implementing
-        # an interface sometimes, to help readers understand why it is unused in that particular implementation.
-        - name: unused-parameter
-          arguments:
-            - allowRegex: ^_
-    spancheck:
-      # https://golangci-lint.run/usage/linters/#spancheck
-      checks:
-        - end
-        - record-error
-        - set-status
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    rules:
-      # exclude tests from some rules for things that are useful in a testing context.
-      - linters:
-          - funlen
-          - gochecknoglobals
-          - revive
-        path: _test\.go
-      - linters:
-          - revive
-        path: internal/testutil/
-    paths:
-      - generated
-      - third_party$
-      - builtin$
-      - examples$
-formatters:
-  enable:
+    - copyloopvar
+    - intrange
+    # - fatcontext Starting in go@1.23.1 and golangci-lint@1.61.0 this gave a lot of false positives
+    # - canonicalheader Can't do this one since it alerts on valid headers such as X-XSS-Protection
+    - spancheck
+    - importas
+    - makezero
+    - prealloc
    - gofmt
-    - goimports
-  settings:
-    gofmt:
-      # Simplify code: gofmt with `-s` option.
-      # Default: true
-      simplify: false
-      # Apply the rewrite rules to the source before reformatting.
-      # https://pkg.go.dev/cmd/gofmt
-      # Default: []
-      rewrite-rules:
-        - pattern: interface{}
-          replacement: any
-        - pattern: a[b:len(a)]
-          replacement: a[b:]
-    goimports:
-      local-prefixes:
-        - go.pinniped.dev
-  exclusions:
-    generated: lax
-    paths:
-      - generated
-      - third_party$
-      - builtin$
-      - examples$
+
+issues:
+  exclude-dirs:
+    - generated
+  exclude-rules:
+    # exclude tests from some rules for things that are useful in a testing context.
+    - path: _test\.go
+      linters:
+        - funlen
+        - gochecknoglobals
+        - revive
+    - path: internal/testutil/
+      linters:
+      - revive
+
+linters-settings:
+  funlen:
+    lines: 150
+    statements: 50
+  goheader:
+    values:
+      regexp:
+        # YYYY or YYYY-YYYY
+        YEARS: \d\d\d\d(-\d\d\d\d)?
+    template: |-
+      Copyright {{YEARS}} the Pinniped contributors. All Rights Reserved.
+      SPDX-License-Identifier: Apache-2.0
+  goimports:
+    local-prefixes: go.pinniped.dev
+  revive:
+    max-open-files: 2048
+    rules:
+      - name: unused-parameter
+        arguments:
+          # Allow unused params that start with underscore. It can be nice to keep unused param names when implementing
+          # an interface sometimes, to help readers understand why it is unused in that particular implementation.
+          - allowRegex: "^_"
+  spancheck:
+    # https://golangci-lint.run/usage/linters/#spancheck
+    checks:
+    - end
+    - record-error
+    - set-status
+  importas:
+    no-unaliased: true # All packages explicitly listed below must be aliased
+    no-extra-aliases: false # Allow other aliases than the ones explicitly listed below
+    alias:
+    # k8s.io/apimachinery
+    - pkg: k8s.io/apimachinery/pkg/util/errors
+      alias: utilerrors
+    - pkg: k8s.io/apimachinery/pkg/api/errors
+      alias: apierrors
+    - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
+      alias: metav1
+    # k8s.io
+    - pkg: k8s.io/api/core/v1
+      alias: corev1
+    # OAuth2/OIDC/Fosite/JOSE
+    - pkg: github.com/coreos/go-oidc/v3/oidc
+      alias: coreosoidc
+    - pkg: github.com/ory/fosite/handler/oauth2
+      alias: fositeoauth2
+    - pkg: github.com/ory/fosite/token/jwt
+      alias: fositejwt
+    - pkg: github.com/go-jose/go-jose/v4/jwt
+      alias: josejwt
+    - pkg: github.com/go-jose/go-jose/v3
+      alias: oldjosev3
+    # Generated Pinniped
+    - pkg: go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1
+      alias: authenticationv1alpha1
+    - pkg: go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1
+      alias: clientsecretv1alpha1
+    - pkg: go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1
+      alias: supervisorconfigv1alpha1
+    - pkg: go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1
+      alias: conciergeconfigv1alpha1
+    - pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned
+      alias: conciergeclientset
+    - pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme
+      alias: conciergeclientsetscheme
+    - pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake
+      alias: conciergefake
+    - pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned
+      alias: supervisorclientset
+    - pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme
+      alias: supervisorclientsetscheme
+    - pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake
+      alias: supervisorfake
+    - pkg: go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1
+      alias: idpv1alpha1
+    - pkg: go.pinniped.dev/generated/latest/client/concierge/informers/externalversions
+      alias: conciergeinformers
+    - pkg: go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions
+      alias: supervisorinformers
+    # Pinniped internal
+    - pkg: go.pinniped.dev/internal/concierge/scheme
+      alias: conciergescheme
+  gofmt:
+    # Simplify code: gofmt with `-s` option.
+    # Default: true
+    simplify: false
+    # Apply the rewrite rules to the source before reformatting.
+    # https://pkg.go.dev/cmd/gofmt
+    # Default: []
+    rewrite-rules:
+    - pattern: 'interface{}'
+      replacement: 'any'
+    - pattern: 'a[b:len(a)]'
+      replacement: 'a[b:]'
--- a/15
+++ b/15
@@ -1,13 +1,13 @@
 # syntax=docker/dockerfile:1

-# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

-ARG BUILD_IMAGE=golang:1.24.3@sha256:86b4cff66e04d41821a17cea30c1031ed53e2635e2be99ae0b4a7d69336b5063
-ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:c0f429e16b13e583da7e5a6ec20dd656d325d88e6819cafe0adb0828976529dc
+ARG BUILD_IMAGE=golang:1.23.3@sha256:73f06be4578c9987ce560087e2e2ea6485fb605e3910542cadd8fa09fc5f3e31
+ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:d71f4b239be2d412017b798a0a401c44c3049a3ca454838473a4c32ed076bfea

 # Prepare to cross-compile by always running the build stage in the build platform, not the target platform.
-FROM --platform=$BUILDPLATFORM $BUILD_IMAGE AS build-env
+FROM --platform=$BUILDPLATFORM $BUILD_IMAGE as build-env

 WORKDIR /work

@@ -21,9 +21,6 @@ ENV KUBE_GIT_VERSION=$KUBE_GIT_VERSION
 ARG TARGETOS
 ARG TARGETARCH

-# If provided, must be a comma-separated list of Go build tags.
-ARG ADDITIONAL_BUILD_TAGS
-
 # Build the statically linked (CGO_ENABLED=0) binary.
 # Mount source, build cache, and module cache for performance reasons.
 # See https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/
@@ -32,8 +29,8 @@ RUN \
  --mount=type=cache,target=/cache/gocache \
  --mount=type=cache,target=/cache/gomodcache \
  export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH && \
-  go build -tags $ADDITIONAL_BUILD_TAGS -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
-  go build -tags $ADDITIONAL_BUILD_TAGS -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
+  go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
+  go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
--- a/README.md
+++ b/README.md
@@ -47,4 +47,4 @@ Please follow the procedure described in [SECURITY.md](SECURITY.md).

 Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE).

-Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
--- a/apis/concierge/authentication/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/apis/concierge/authentication/v1alpha1/register.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/config/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/config/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/apis/concierge/config/v1alpha1/register.go.tmpl
+++ b/apis/concierge/config/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
+++ b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
@@ -161,6 +161,24 @@ type ImpersonationProxyServiceSpec struct {
 type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerStrategy `json:"strategies"`
+
+	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+	// This field is deprecated and will be removed in a future version.
+	// +optional
+	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+}
+
+// CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// This type is deprecated and will be removed in a future version.
+type CredentialIssuerKubeConfigInfo struct {
+	// The K8s API server URL.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://|^http://`
+	Server string `json:"server"`
+
+	// The K8s API server CA bundle.
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }

 // CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.
--- a/apis/concierge/identity/doc.go.tmpl
+++ b/apis/concierge/identity/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/apis/concierge/identity/register.go.tmpl
+++ b/apis/concierge/identity/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/apis/concierge/identity/types_userinfo.go.tmpl
+++ b/apis/concierge/identity/types_userinfo.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/apis/concierge/identity/types_whoamirequest.go.tmpl
+++ b/apis/concierge/identity/types_whoamirequest.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/apis/concierge/identity/v1alpha1/conversion.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/conversion.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/v1alpha1/defaults.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/defaults.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/concierge/identity/v1alpha1/register.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/v1alpha1/types_userinfo.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/types_userinfo.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/v1alpha1/types_whoamirequest.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/types_whoamirequest.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/validation/validation.go.tmpl
+++ b/apis/concierge/identity/validation/validation.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package validation
--- a/apis/concierge/login/doc.go.tmpl
+++ b/apis/concierge/login/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/apis/concierge/login/register.go.tmpl
+++ b/apis/concierge/login/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/apis/concierge/login/types_clustercredential.go.tmpl
+++ b/apis/concierge/login/types_clustercredential.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/apis/concierge/login/types_tokencredentialrequest.go.tmpl
+++ b/apis/concierge/login/types_tokencredentialrequest.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/apis/concierge/login/v1alpha1/conversion.go.tmpl
+++ b/apis/concierge/login/v1alpha1/conversion.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/login/v1alpha1/defaults.go.tmpl
+++ b/apis/concierge/login/v1alpha1/defaults.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/login/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/login/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/concierge/login/v1alpha1/register.go.tmpl
+++ b/apis/concierge/login/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/login/v1alpha1/types_clustercredential.go.tmpl
+++ b/apis/concierge/login/v1alpha1/types_clustercredential.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/login/v1alpha1/types_tokencredentialrequest.go.tmpl
+++ b/apis/concierge/login/v1alpha1/types_tokencredentialrequest.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/clientsecret/doc.go.tmpl
+++ b/apis/supervisor/clientsecret/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/apis/supervisor/clientsecret/register.go.tmpl
+++ b/apis/supervisor/clientsecret/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package clientsecret
--- a/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go.tmpl
+++ b/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package clientsecret
--- a/apis/supervisor/clientsecret/v1alpha1/conversion.go.tmpl
+++ b/apis/supervisor/clientsecret/v1alpha1/conversion.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/clientsecret/v1alpha1/defaults.go.tmpl
+++ b/apis/supervisor/clientsecret/v1alpha1/defaults.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/clientsecret/v1alpha1/doc.go.tmpl
+++ b/apis/supervisor/clientsecret/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/supervisor/clientsecret/v1alpha1/register.go.tmpl
+++ b/apis/supervisor/clientsecret/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go.tmpl
+++ b/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/config/v1alpha1/doc.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/apis/supervisor/config/v1alpha1/register.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
@@ -209,7 +209,6 @@ type FederationDomainSpec struct {
 	// See
 	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:XValidation:message="issuer must be an HTTPS URL",rule="isURL(self) && url(self).getScheme() == 'https'"
 	Issuer string `json:"issuer"`

 	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
--- a/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idp/v1alpha1/doc.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/apis/supervisor/idp/v1alpha1/register.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl
+++ b/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/oidc/types_supervisor_oidc.go.tmpl
+++ b/apis/supervisor/oidc/types_supervisor_oidc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package oidc
--- a/cmd/pinniped/cmd/audit_id.go
+++ b/cmd/pinniped/cmd/audit_id.go
@@ -1,46 +0,0 @@
-// Copyright 2024 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package cmd
-
-import (
-	"net/http"
-
-	"go.pinniped.dev/internal/httputil/roundtripper"
-	"go.pinniped.dev/internal/plog"
-)
-
-type auditIDLoggerFunc func(path string, statusCode int, auditID string)
-
-func logAuditID(path string, statusCode int, auditID string) {
-	plog.Info("Received auditID for failed request",
-		"path", path,
-		"statusCode", statusCode,
-		"auditID", auditID)
-}
-
-func LogAuditIDTransportWrapper(rt http.RoundTripper) http.RoundTripper {
-	return logAuditIDTransportWrapper(rt, logAuditID)
-}
-
-func logAuditIDTransportWrapper(rt http.RoundTripper, auditIDLoggerFunc auditIDLoggerFunc) http.RoundTripper {
-	return roundtripper.WrapFunc(rt, func(r *http.Request) (*http.Response, error) {
-		response, responseErr := rt.RoundTrip(r)
-
-		if responseErr != nil ||
-			response == nil ||
-			response.Header.Get("audit-ID") == "" ||
-			response.Request == nil ||
-			response.Request.URL == nil {
-			return response, responseErr
-		}
-
-		// Use the request path from the response's request, in case the
-		// original request was modified by any other roudtrippers in the chain.
-		auditIDLoggerFunc(response.Request.URL.Path,
-			response.StatusCode,
-			response.Header.Get("audit-ID"))
-
-		return response, responseErr
-	})
-}
--- a/cmd/pinniped/cmd/audit_id_test.go
+++ b/cmd/pinniped/cmd/audit_id_test.go
@@ -1,116 +0,0 @@
-// Copyright 2024 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package cmd
-
-import (
-	"errors"
-	"net/http"
-	"net/url"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"go.pinniped.dev/internal/httputil/roundtripper"
-)
-
-func TestLogAuditIDTransportWrapper(t *testing.T) {
-	canonicalAuditIdHeaderName := "Audit-Id"
-
-	tests := []struct {
-		name        string
-		response    *http.Response
-		responseErr error
-		want        func(t *testing.T, called func()) auditIDLoggerFunc
-		wantCalled  bool
-	}{
-		{
-			name: "happy HTTP response - no error and no log",
-			response: &http.Response{ // no headers
-				StatusCode: http.StatusOK,
-				Request: &http.Request{
-					URL: &url.URL{
-						Path: "some-path-from-response-request",
-					},
-				},
-			},
-			responseErr: nil,
-			want: func(t *testing.T, called func()) auditIDLoggerFunc {
-				return func(_ string, _ int, _ string) {
-					called()
-				}
-			},
-			wantCalled: false, // make it obvious
-		},
-		{
-			name:        "nil HTTP response - no error and no log",
-			response:    nil,
-			responseErr: nil,
-			want: func(t *testing.T, called func()) auditIDLoggerFunc {
-				return func(_ string, _ int, _ string) {
-					called()
-				}
-			},
-			wantCalled: false, // make it obvious
-		},
-		{
-			name:        "err HTTP response - no error and no log",
-			response:    nil,
-			responseErr: errors.New("some error"),
-			want: func(t *testing.T, called func()) auditIDLoggerFunc {
-				return func(_ string, _ int, _ string) {
-					called()
-				}
-			},
-			wantCalled: false, // make it obvious
-		},
-		{
-			name: "happy HTTP response with audit-ID - logs",
-			response: &http.Response{
-				Header: http.Header{
-					canonicalAuditIdHeaderName: []string{"some-audit-id", "some-other-audit-id-that-will-never-be-seen"},
-				},
-				StatusCode: http.StatusBadGateway, // statusCode does not matter
-				Request: &http.Request{
-					URL: &url.URL{
-						Path: "some-path-from-response-request",
-					},
-				},
-			},
-			want: func(t *testing.T, called func()) auditIDLoggerFunc {
-				return func(path string, statusCode int, auditID string) {
-					called()
-					require.Equal(t, "some-path-from-response-request", path)
-					require.Equal(t, http.StatusBadGateway, statusCode)
-					require.Equal(t, "some-audit-id", auditID)
-				}
-			},
-			wantCalled: true, // make it obvious
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			require.NotNil(t, test.want)
-
-			mockRequest := &http.Request{
-				URL: &url.URL{
-					Path: "should-never-use-this-path",
-				},
-			}
-			var mockRt roundtripper.Func = func(r *http.Request) (*http.Response, error) {
-				require.Equal(t, mockRequest, r)
-				return test.response, test.responseErr
-			}
-			called := false
-			subjectRt := logAuditIDTransportWrapper(mockRt, test.want(t, func() {
-				called = true
-			}))
-			actualResponse, err := subjectRt.RoundTrip(mockRequest) //nolint:bodyclose // there is no Body.
-			require.Equal(t, test.responseErr, err)                 // This roundtripper only returns mocked errors.
-			require.Equal(t, test.response, actualResponse)
-			require.Equal(t, test.wantCalled, called,
-				"want logFunc to be called: %t, actually was called: %t", test.wantCalled, called)
-		})
-	}
-}
--- a/cmd/pinniped/cmd/kube_util.go
+++ b/cmd/pinniped/cmd/kube_util.go
@@ -1,36 +1,34 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package cmd

 import (
-	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
-	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"

 	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 	"go.pinniped.dev/internal/groupsuffix"
 	"go.pinniped.dev/internal/kubeclient"
 )

-// getClientsetsFunc is a function that can return clients for the Concierge and Kubernetes APIs given a
+// getConciergeClientsetFunc is a function that can return a clientset for the Concierge API given a
 // clientConfig and the apiGroupSuffix with which the API is running.
-type getClientsetsFunc func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, kubernetes.Interface, aggregatorclient.Interface, error)
+type getConciergeClientsetFunc func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, error)

-// getRealClientsets returns real implementations of the Concierge and Kubernetes client interfaces.
-func getRealClientsets(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, kubernetes.Interface, aggregatorclient.Interface, error) {
+// getRealConciergeClientset returns a real implementation of a conciergeclientset.Interface.
+func getRealConciergeClientset(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, error) {
 	restConfig, err := clientConfig.ClientConfig()
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, err
 	}
 	client, err := kubeclient.New(
 		kubeclient.WithConfig(restConfig),
 		kubeclient.WithMiddleware(groupsuffix.New(apiGroupSuffix)),
 	)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, err
 	}
-	return client.PinnipedConcierge, client.Kubernetes, client.Aggregation, nil
+	return client.PinnipedConcierge, nil
 }

 // newClientConfig returns a clientcmd.ClientConfig given an optional kubeconfig path override and
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package cmd
@@ -20,12 +20,10 @@ import (
 	coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	_ "k8s.io/client-go/plugin/pkg/client/auth" // Adds handlers for various dynamic auth plugins in client-go
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
-	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"

 	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
@@ -40,7 +38,7 @@ import (
 type kubeconfigDeps struct {
 	getenv        func(key string) string
 	getPathToSelf func() (string, error)
-	getClientsets getClientsetsFunc
+	getClientset  getConciergeClientsetFunc
 	log           plog.MinLogger
 }

@@ -48,7 +46,7 @@ func kubeconfigRealDeps() kubeconfigDeps {
 	return kubeconfigDeps{
 		getenv:        os.Getenv,
 		getPathToSelf: os.Executable,
-		getClientsets: getRealClientsets,
+		getClientset:  getRealConciergeClientset,
 		log:           plog.New(),
 	}
 }
@@ -217,7 +215,7 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 		return fmt.Errorf("could not load --kubeconfig/--kubeconfig-context: %w", err)
 	}
 	cluster := currentKubeConfig.Clusters[currentKubeconfigNames.ClusterName]
-	conciergeClient, kubeClient, aggregatorClient, err := deps.getClientsets(clientConfig, flags.concierge.apiGroupSuffix)
+	clientset, err := deps.getClientset(clientConfig, flags.concierge.apiGroupSuffix)
 	if err != nil {
 		return fmt.Errorf("could not configure Kubernetes client: %w", err)
 	}
@@ -230,15 +228,13 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 	}

 	if !flags.concierge.disabled {
-		// Look up the Concierge's CredentialIssuer, and optionally wait for it to have no pending strategies showing in its status.
-		credentialIssuer, err := waitForCredentialIssuer(ctx, conciergeClient, flags, deps)
+		credentialIssuer, err := waitForCredentialIssuer(ctx, clientset, flags, deps)
 		if err != nil {
 			return err
 		}

-		// Decide which Concierge authenticator should be used in the resulting kubeconfig.
 		authenticator, err := lookupAuthenticator(
-			conciergeClient,
+			clientset,
 			flags.concierge.authenticatorType,
 			flags.concierge.authenticatorName,
 			deps.log,
@@ -246,15 +242,10 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 		if err != nil {
 			return err
 		}
-
-		// Discover from the CredentialIssuer how the resulting kubeconfig should be configured to talk to this Concierge.
 		if err := discoverConciergeParams(credentialIssuer, &flags, cluster, deps.log); err != nil {
 			return err
 		}
-
-		// Discover how the resulting kubeconfig should interact with the selected authenticator.
-		// For a JWTAuthenticator, this includes discovering how to talk to the OIDC issuer configured in its spec fields.
-		if err := discoverAuthenticatorParams(ctx, authenticator, &flags, kubeClient, aggregatorClient, deps.log); err != nil {
+		if err := discoverAuthenticatorParams(authenticator, &flags, deps.log); err != nil {
 			return err
 		}

@@ -264,7 +255,6 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 	}

 	if len(flags.oidc.issuer) > 0 {
-		// The OIDC provider may or may not be a Pinniped Supervisor. Find out.
 		err = pinnipedSupervisorDiscovery(ctx, &flags, deps.log)
 		if err != nil {
 			return err
@@ -416,7 +406,10 @@ func waitForCredentialIssuer(ctx context.Context, clientset conciergeclientset.I
 		deadline, _ := ctx.Deadline()
 		attempts := 1

-		for hasPendingStrategy(credentialIssuer) {
+		for {
+			if !hasPendingStrategy(credentialIssuer) {
+				break
+			}
 			logStrategies(credentialIssuer, deps.log)
 			deps.log.Info("waiting for CredentialIssuer pending strategies to finish",
 				"attempts", attempts,
@@ -495,14 +488,7 @@ func logStrategies(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer, l
 	}
 }

-func discoverAuthenticatorParams(
-	ctx context.Context,
-	authenticator metav1.Object,
-	flags *getKubeconfigParams,
-	kubeClient kubernetes.Interface,
-	aggregatorClient aggregatorclient.Interface,
-	log plog.MinLogger,
-) error {
+func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconfigParams, log plog.MinLogger) error {
 	switch auth := authenticator.(type) {
 	case *authenticationv1alpha1.WebhookAuthenticator:
 		// If the --concierge-authenticator-type/--concierge-authenticator-name flags were not set explicitly, set
@@ -534,130 +520,19 @@ func discoverAuthenticatorParams(
 		}

 		// If the --oidc-ca-bundle flags was not set explicitly, default it to the
-		// spec.tls.certificateAuthorityData field of the JWTAuthenticator, if that field is set, or else
-		// try to discover it from the spec.tls.certificateAuthorityDataSource, if that field is set.
-		if len(flags.oidc.caBundle) == 0 && auth.Spec.TLS != nil {
-			err := discoverOIDCCABundle(ctx, auth, flags, kubeClient, aggregatorClient, log)
+		// spec.tls.certificateAuthorityData field of the JWTAuthenticator.
+		if len(flags.oidc.caBundle) == 0 && auth.Spec.TLS != nil && auth.Spec.TLS.CertificateAuthorityData != "" {
+			decoded, err := base64.StdEncoding.DecodeString(auth.Spec.TLS.CertificateAuthorityData)
 			if err != nil {
-				return err
+				return fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s has invalid spec.tls.certificateAuthorityData: %w", auth.Name, err)
 			}
+			log.Info("discovered OIDC CA bundle", "roots", countCACerts(decoded))
+			flags.oidc.caBundle = decoded
 		}
 	}
 	return nil
 }

-func discoverOIDCCABundle(
-	ctx context.Context,
-	jwtAuthenticator *authenticationv1alpha1.JWTAuthenticator,
-	flags *getKubeconfigParams,
-	kubeClient kubernetes.Interface,
-	aggregatorClient aggregatorclient.Interface,
-	log plog.MinLogger,
-) error {
-	if jwtAuthenticator.Spec.TLS.CertificateAuthorityData != "" {
-		decodedCABundleData, err := base64.StdEncoding.DecodeString(jwtAuthenticator.Spec.TLS.CertificateAuthorityData)
-		if err != nil {
-			return fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s has invalid spec.tls.certificateAuthorityData: %w", jwtAuthenticator.Name, err)
-		}
-		log.Info("discovered OIDC CA bundle", "roots", countCACerts(decodedCABundleData))
-		flags.oidc.caBundle = decodedCABundleData
-	} else if jwtAuthenticator.Spec.TLS.CertificateAuthorityDataSource != nil {
-		caBundleData, err := discoverOIDCCABundleFromCertificateAuthorityDataSource(
-			ctx, jwtAuthenticator, flags.concierge.apiGroupSuffix, kubeClient, aggregatorClient, log)
-		if err != nil {
-			return err
-		}
-		flags.oidc.caBundle = caBundleData
-	}
-	return nil
-}
-
-func discoverOIDCCABundleFromCertificateAuthorityDataSource(
-	ctx context.Context,
-	jwtAuthenticator *authenticationv1alpha1.JWTAuthenticator,
-	apiGroupSuffix string,
-	kubeClient kubernetes.Interface,
-	aggregatorClient aggregatorclient.Interface,
-	log plog.MinLogger,
-) ([]byte, error) {
-	conciergeNamespace, err := discoverConciergeNamespace(ctx, apiGroupSuffix, aggregatorClient)
-	if err != nil {
-		return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but encountered error discovering namespace of Concierge for JWTAuthenticator %s: %w", jwtAuthenticator.Name, err)
-	}
-	log.Info("discovered Concierge namespace for API group suffix", "apiGroupSuffix", apiGroupSuffix)
-
-	var caBundleData []byte
-	var keyExisted bool
-	caSource := jwtAuthenticator.Spec.TLS.CertificateAuthorityDataSource
-
-	// Note that the Kind, Name, and Key fields must all be non-empty, and Kind must be Secret or ConfigMap, due to CRD validations.
-	switch caSource.Kind {
-	case authenticationv1alpha1.CertificateAuthorityDataSourceKindConfigMap:
-		caBundleConfigMap, err := kubeClient.CoreV1().ConfigMaps(conciergeNamespace).Get(ctx, caSource.Name, metav1.GetOptions{})
-		if err != nil {
-			return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but encountered error getting %s %s/%s specified by JWTAuthenticator %s spec.tls.certificateAuthorityDataSource: %w",
-				caSource.Kind, conciergeNamespace, caSource.Name, jwtAuthenticator.Name, err)
-		}
-		var caBundleDataStr string
-		caBundleDataStr, keyExisted = caBundleConfigMap.Data[caSource.Key]
-		caBundleData = []byte(caBundleDataStr)
-	case authenticationv1alpha1.CertificateAuthorityDataSourceKindSecret:
-		caBundleSecret, err := kubeClient.CoreV1().Secrets(conciergeNamespace).Get(ctx, caSource.Name, metav1.GetOptions{})
-		if err != nil {
-			return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but encountered error getting %s %s/%s specified by JWTAuthenticator %s spec.tls.certificateAuthorityDataSource: %w",
-				caSource.Kind, conciergeNamespace, caSource.Name, jwtAuthenticator.Name, err)
-		}
-		caBundleData, keyExisted = caBundleSecret.Data[caSource.Key]
-	default:
-		return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s spec.tls.certificateAuthorityDataSource.Kind value %q is not supported by this CLI version",
-			jwtAuthenticator.Name, caSource.Kind)
-	}
-
-	if !keyExisted {
-		return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but key %q specified by JWTAuthenticator %s spec.tls.certificateAuthorityDataSource.key does not exist in %s %s/%s",
-			caSource.Key, jwtAuthenticator.Name, caSource.Kind, conciergeNamespace, caSource.Name)
-	}
-
-	if len(caBundleData) == 0 {
-		return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but key %q specified by JWTAuthenticator %s spec.tls.certificateAuthorityDataSource.key exists but has empty value in %s %s/%s",
-			caSource.Key, jwtAuthenticator.Name, caSource.Kind, conciergeNamespace, caSource.Name)
-	}
-
-	numCACerts := countCACerts(caBundleData)
-	if numCACerts == 0 {
-		return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but value at key %q specified by JWTAuthenticator %s spec.tls.certificateAuthorityDataSource.key does not contain any CA certificates in %s %s/%s",
-			caSource.Key, jwtAuthenticator.Name, caSource.Kind, conciergeNamespace, caSource.Name)
-	}
-
-	log.Info("discovered OIDC CA bundle from JWTAuthenticator spec.tls.certificateAuthorityDataSource", "roots", numCACerts)
-	return caBundleData, nil
-}
-
-func discoverConciergeNamespace(ctx context.Context, apiGroupSuffix string, aggregatorClient aggregatorclient.Interface) (string, error) {
-	// Let's look for the APIService for the API group of the Concierge's TokenCredentialRequest aggregated API.
-	apiGroup := "login.concierge." + apiGroupSuffix
-
-	// List all APIServices.
-	apiServiceList, err := aggregatorClient.ApiregistrationV1().APIServices().List(ctx, metav1.ListOptions{})
-	if err != nil {
-		return "", fmt.Errorf("error listing APIServices: %w", err)
-	}
-
-	// Find one with the expected API group name.
-	for _, apiService := range apiServiceList.Items {
-		if apiService.Spec.Group == apiGroup {
-			if apiService.Spec.Service.Namespace != "" {
-				// We are assuming that all API versions (e.g. v1alpha1) of this API group are backed by service(s)
-				// in the same namespace, which is the namespace of the Concierge hosting this API suffix.
-				return apiService.Spec.Service.Namespace, nil
-			}
-		}
-	}
-
-	// Couldn't find any APIService for the expected API group name which contained a namespace reference in its spec.
-	return "", fmt.Errorf("could not find APIService with non-empty spec.service.namespace for API group %s", apiGroup)
-}
-
 func getConciergeFrontend(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer, mode conciergeModeFlag) (*conciergeconfigv1alpha1.CredentialIssuerFrontend, error) {
 	for _, strategy := range credentialIssuer.Status.Strategies {
 		// Skip unhealthy strategies.
@@ -665,15 +540,26 @@ func getConciergeFrontend(credentialIssuer *conciergeconfigv1alpha1.CredentialIs
 			continue
 		}

-		// If the strategy frontend is nil, skip.
+		// Backfill the .status.strategies[].frontend field from .status.kubeConfigInfo for backwards compatibility.
+		if strategy.Type == conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType && strategy.Frontend == nil && credentialIssuer.Status.KubeConfigInfo != nil {
+			strategy = *strategy.DeepCopy()
+			strategy.Frontend = &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+				Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
+				TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
+					Server:                   credentialIssuer.Status.KubeConfigInfo.Server,
+					CertificateAuthorityData: credentialIssuer.Status.KubeConfigInfo.CertificateAuthorityData,
+				},
+			}
+		}
+
+		// If the strategy frontend is still nil, skip.
 		if strategy.Frontend == nil {
 			continue
 		}

 		//	Skip any unknown frontend types.
 		switch strategy.Frontend.Type {
-		case conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
-			conciergeconfigv1alpha1.ImpersonationProxyFrontendType:
+		case conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType, conciergeconfigv1alpha1.ImpersonationProxyFrontendType:
 		default:
 			continue
 		}
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package cmd
@@ -11,20 +11,15 @@ import (
 	"os"
 	"path/filepath"
 	"slices"
+	"strings"
 	"testing"
 	"time"

 	"github.com/stretchr/testify/require"
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/kubernetes/fake"
 	kubetesting "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/clientcmd"
-	v1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
-	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
-	aggregatorfake "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/fake"
 	"k8s.io/utils/ptr"

 	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
@@ -70,69 +65,14 @@ func TestGetKubeconfig(t *testing.T) {
 		}
 	}

-	caBundleInSecret := func(issuerCABundle, secretName, secretNamespace, secretDataKey string) runtime.Object {
-		return &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      secretName,
-				Namespace: secretNamespace,
-			},
-			Data: map[string][]byte{
-				secretDataKey: []byte(issuerCABundle),
-				"other":       []byte("unrelated"),
-			},
-		}
-	}
-
-	caBundleInConfigmap := func(issuerCABundle, cmName, cmNamespace, cmDataKey string) runtime.Object {
-		return &corev1.ConfigMap{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      cmName,
-				Namespace: cmNamespace,
-			},
-			Data: map[string]string{
-				cmDataKey: issuerCABundle,
-				"other":   "unrelated",
-			},
-		}
-	}
-
-	jwtAuthenticator := func(issuerCABundle, issuerURL string) *authenticationv1alpha1.JWTAuthenticator {
-		encodedCABundle := ""
-		if issuerCABundle != "" {
-			encodedCABundle = base64.StdEncoding.EncodeToString([]byte(issuerCABundle))
-		}
+	jwtAuthenticator := func(issuerCABundle string, issuerURL string) runtime.Object {
 		return &authenticationv1alpha1.JWTAuthenticator{
 			ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
 			Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 				Issuer:   issuerURL,
 				Audience: "test-audience",
 				TLS: &authenticationv1alpha1.TLSSpec{
-					CertificateAuthorityData: encodedCABundle,
-				},
-			},
-		}
-	}
-
-	jwtAuthenticatorWithCABundleDataSource := func(sourceKind, sourceName, sourceKey, issuerURL string) runtime.Object {
-		authenticator := jwtAuthenticator("", issuerURL)
-		authenticator.Spec.TLS.CertificateAuthorityDataSource = &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{
-			Kind: authenticationv1alpha1.CertificateAuthorityDataSourceKind(sourceKind),
-			Name: sourceName,
-			Key:  sourceKey,
-		}
-		return authenticator
-	}
-
-	apiService := func(group, version, serviceNamespace string) *v1.APIService {
-		return &v1.APIService{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: version + "." + group,
-			},
-			Spec: v1.APIServiceSpec{
-				Group:   group,
-				Version: version,
-				Service: &v1.ServiceReference{
-					Namespace: serviceNamespace,
+					CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(issuerCABundle)),
 				},
 			},
 		}
@@ -205,11 +145,7 @@ func TestGetKubeconfig(t *testing.T) {
 		getPathToSelfErr        error
 		getClientsetErr         error
 		conciergeObjects        func(string, string) []runtime.Object
-		kubeObjects             func(string) []runtime.Object
-		apiServiceObjects       []runtime.Object
 		conciergeReactions      []kubetesting.Reactor
-		kubeReactions           []kubetesting.Reactor
-		apiServiceReactions     []kubetesting.Reactor
 		oidcDiscoveryResponse   func(string) string
 		oidcDiscoveryStatusCode int
 		idpsDiscoveryResponse   string
@@ -678,18 +614,18 @@ func TestGetKubeconfig(t *testing.T) {
 					&conciergeconfigv1alpha1.CredentialIssuer{
 						ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
 						Status: conciergeconfigv1alpha1.CredentialIssuerStatus{
+							KubeConfigInfo: &conciergeconfigv1alpha1.CredentialIssuerKubeConfigInfo{
+								Server:                   "https://concierge-endpoint",
+								CertificateAuthorityData: "ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==",
+							},
 							Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{{
 								Type:           conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
 								Status:         conciergeconfigv1alpha1.SuccessStrategyStatus,
 								Reason:         conciergeconfigv1alpha1.FetchedKeyStrategyReason,
 								Message:        "Successfully fetched key",
 								LastUpdateTime: metav1.Now(),
-								Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
-									Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
-									TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
-										Server: "https://concierge-endpoint.example.com",
-									},
-								},
+								// Simulate a previous version of CredentialIssuer that's missing this Frontend field.
+								Frontend: nil,
 							}},
 						},
 					},
@@ -721,321 +657,6 @@ func TestGetKubeconfig(t *testing.T) {
 				return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7` + "\n")
 			},
 		},
-		{
-			name: "autodetect JWT authenticator with CA bundle in Secret, but Secret not found",
-			args: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					"--kubeconfig", "./testdata/kubeconfig.yaml",
-				}
-			},
-			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
-				return []runtime.Object{
-					credentialIssuer(),
-					jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
-				}
-			},
-			apiServiceObjects: []runtime.Object{
-				apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
-			},
-			wantLogs: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge namespace for API group suffix  {"apiGroupSuffix": "pinniped.dev"}`,
-				}
-			},
-			wantError: true,
-			wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
-				return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but encountered error getting Secret test-concierge-namespace/my-ca-secret specified by JWTAuthenticator test-authenticator spec.tls.certificateAuthorityDataSource: secrets "my-ca-secret" not found` + "\n")
-			},
-		},
-		{
-			name: "autodetect JWT authenticator with CA bundle in ConfigMap, but ConfigMap not found",
-			args: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					"--kubeconfig", "./testdata/kubeconfig.yaml",
-				}
-			},
-			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
-				return []runtime.Object{
-					credentialIssuer(),
-					jwtAuthenticatorWithCABundleDataSource("ConfigMap", "my-ca-configmap", "ca.crt", issuerURL),
-				}
-			},
-			apiServiceObjects: []runtime.Object{
-				apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
-			},
-			wantLogs: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge namespace for API group suffix  {"apiGroupSuffix": "pinniped.dev"}`,
-				}
-			},
-			wantError: true,
-			wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
-				return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but encountered error getting ConfigMap test-concierge-namespace/my-ca-configmap specified by JWTAuthenticator test-authenticator spec.tls.certificateAuthorityDataSource: configmaps "my-ca-configmap" not found` + "\n")
-			},
-		},
-		{
-			name: "autodetect JWT authenticator with CA bundle in Secret, but invalid TLS bundle found in Secret",
-			args: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					"--kubeconfig", "./testdata/kubeconfig.yaml",
-				}
-			},
-			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
-				return []runtime.Object{
-					credentialIssuer(),
-					jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
-				}
-			},
-			kubeObjects: func(issuerCABundle string) []runtime.Object {
-				return []runtime.Object{
-					caBundleInSecret("invalid CA bundle data", "my-ca-secret", "test-concierge-namespace", "ca.crt"),
-				}
-			},
-			apiServiceObjects: []runtime.Object{
-				apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
-			},
-			wantLogs: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge namespace for API group suffix  {"apiGroupSuffix": "pinniped.dev"}`,
-				}
-			},
-			wantError: true,
-			wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
-				return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but value at key "ca.crt" specified by JWTAuthenticator test-authenticator spec.tls.certificateAuthorityDataSource.key does not contain any CA certificates in Secret test-concierge-namespace/my-ca-secret` + "\n")
-			},
-		},
-		{
-			name: "autodetect JWT authenticator with CA bundle in Secret, but specified key not found in Secret",
-			args: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					"--kubeconfig", "./testdata/kubeconfig.yaml",
-				}
-			},
-			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
-				return []runtime.Object{
-					credentialIssuer(),
-					jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
-				}
-			},
-			kubeObjects: func(issuerCABundle string) []runtime.Object {
-				return []runtime.Object{
-					caBundleInSecret(issuerCABundle, "my-ca-secret", "test-concierge-namespace", "wrong_key_name"),
-				}
-			},
-			apiServiceObjects: []runtime.Object{
-				apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
-			},
-			wantLogs: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge namespace for API group suffix  {"apiGroupSuffix": "pinniped.dev"}`,
-				}
-			},
-			wantError: true,
-			wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
-				return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but key "ca.crt" specified by JWTAuthenticator test-authenticator spec.tls.certificateAuthorityDataSource.key does not exist in Secret test-concierge-namespace/my-ca-secret` + "\n")
-			},
-		},
-		{
-			name: "autodetect JWT authenticator with CA bundle in Secret, but specified key has empty value in Secret",
-			args: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					"--kubeconfig", "./testdata/kubeconfig.yaml",
-				}
-			},
-			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
-				return []runtime.Object{
-					credentialIssuer(),
-					jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
-				}
-			},
-			kubeObjects: func(issuerCABundle string) []runtime.Object {
-				return []runtime.Object{
-					caBundleInSecret("", "my-ca-secret", "test-concierge-namespace", "ca.crt"),
-				}
-			},
-			apiServiceObjects: []runtime.Object{
-				apiService("login.concierge.pinniped.dev", "v1", "test-concierge-namespace"),
-			},
-			wantLogs: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge namespace for API group suffix  {"apiGroupSuffix": "pinniped.dev"}`,
-				}
-			},
-			wantError: true,
-			wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
-				return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but key "ca.crt" specified by JWTAuthenticator test-authenticator spec.tls.certificateAuthorityDataSource.key exists but has empty value in Secret test-concierge-namespace/my-ca-secret` + "\n")
-			},
-		},
-		{
-			name: "autodetect JWT authenticator with CA bundle source, but source's Kind is not supported",
-			args: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					"--kubeconfig", "./testdata/kubeconfig.yaml",
-				}
-			},
-			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
-				return []runtime.Object{
-					credentialIssuer(),
-					jwtAuthenticatorWithCABundleDataSource("Unsupported-Value", "my-ca-secret", "ca.crt", issuerURL),
-				}
-			},
-			apiServiceObjects: []runtime.Object{
-				apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
-			},
-			wantLogs: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge namespace for API group suffix  {"apiGroupSuffix": "pinniped.dev"}`,
-				}
-			},
-			wantError: true,
-			wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
-				return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-authenticator spec.tls.certificateAuthorityDataSource.Kind value "Unsupported-Value" is not supported by this CLI version` + "\n")
-			},
-		},
-		{
-			name: "autodetect JWT authenticator with CA bundle in Secret, but no related APIService found",
-			args: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					"--kubeconfig", "./testdata/kubeconfig.yaml",
-				}
-			},
-			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
-				return []runtime.Object{
-					credentialIssuer(),
-					jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
-				}
-			},
-			apiServiceObjects: []runtime.Object{
-				apiService("unrelated.example.com", "v1alpha1", "test-concierge-namespace"),
-			},
-			wantLogs: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
-				}
-			},
-			wantError: true,
-			wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
-				return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but encountered error discovering namespace of Concierge for JWTAuthenticator test-authenticator: could not find APIService with non-empty spec.service.namespace for API group login.concierge.pinniped.dev` + "\n")
-			},
-		},
-		{
-			name: "autodetect JWT authenticator with CA bundle in Secret, but related APIService has empty namespace in spec",
-			args: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					"--kubeconfig", "./testdata/kubeconfig.yaml",
-				}
-			},
-			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
-				return []runtime.Object{
-					credentialIssuer(),
-					jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
-				}
-			},
-			apiServiceObjects: []runtime.Object{
-				apiService("login.concierge.pinniped.dev", "v1alpha1", ""),
-			},
-			wantLogs: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
-				}
-			},
-			wantError: true,
-			wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
-				return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but encountered error discovering namespace of Concierge for JWTAuthenticator test-authenticator: could not find APIService with non-empty spec.service.namespace for API group login.concierge.pinniped.dev` + "\n")
-			},
-		},
-		{
-			name: "autodetect JWT authenticator with CA bundle in Secret, but error when listing APIServices",
-			args: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					"--kubeconfig", "./testdata/kubeconfig.yaml",
-				}
-			},
-			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
-				return []runtime.Object{
-					credentialIssuer(),
-					jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
-				}
-			},
-			apiServiceReactions: []kubetesting.Reactor{
-				&kubetesting.SimpleReactor{
-					Verb:     "*",
-					Resource: "apiservices",
-					Reaction: func(kubetesting.Action) (bool, runtime.Object, error) {
-						return true, nil, fmt.Errorf("some list error")
-					},
-				},
-			},
-			wantLogs: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
-				}
-			},
-			wantError: true,
-			wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
-				return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but encountered error discovering namespace of Concierge for JWTAuthenticator test-authenticator: error listing APIServices: some list error` + "\n")
-			},
-		},
 		{
 			name: "autodetect JWT authenticator, invalid substring in audience",
 			args: func(issuerCABundle string, issuerURL string) []string {
@@ -1980,257 +1601,6 @@ func TestGetKubeconfig(t *testing.T) {
 					base64.StdEncoding.EncodeToString([]byte(issuerCABundle)))
 			},
 		},
-		{
-			name: "autodetect JWT authenticator with CA bundle in Secret",
-			args: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					"--kubeconfig", "./testdata/kubeconfig.yaml",
-					"--skip-validation",
-				}
-			},
-			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
-				return []runtime.Object{
-					credentialIssuer(),
-					jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
-				}
-			},
-			kubeObjects: func(issuerCABundle string) []runtime.Object {
-				return []runtime.Object{
-					caBundleInSecret(issuerCABundle, "my-ca-secret", "test-concierge-namespace", "ca.crt"),
-				}
-			},
-			apiServiceObjects: []runtime.Object{
-				apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
-				apiService("unrelated.pinniped.dev", "v1alpha1", "unrelated-namespace"),
-				apiService("login.concierge.pinniped.dev", "v1alpha2", "test-concierge-namespace"),
-			},
-			oidcDiscoveryResponse: onlyIssuerOIDCDiscoveryResponse,
-			wantLogs: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge namespace for API group suffix  {"apiGroupSuffix": "pinniped.dev"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle from JWTAuthenticator spec.tls.certificateAuthorityDataSource  {"roots": 1}`,
-				}
-			},
-			wantStdout: func(issuerCABundle string, issuerURL string) string {
-				return here.Docf(`
-					apiVersion: v1
-					clusters:
-					- cluster:
-						certificate-authority-data: ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
-						server: https://fake-server-url-value
-					  name: kind-cluster-pinniped
-					contexts:
-					- context:
-						cluster: kind-cluster-pinniped
-						user: kind-user-pinniped
-					  name: kind-context-pinniped
-					current-context: kind-context-pinniped
-					kind: Config
-					preferences: {}
-					users:
-					- name: kind-user-pinniped
-					  user:
-						exec:
-						  apiVersion: client.authentication.k8s.io/v1beta1
-						  args:
-						  - login
-						  - oidc
-						  - --enable-concierge
-						  - --concierge-api-group-suffix=pinniped.dev
-						  - --concierge-authenticator-name=test-authenticator
-						  - --concierge-authenticator-type=jwt
-						  - --concierge-endpoint=https://fake-server-url-value
-						  - --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
-						  - --issuer=%s
-						  - --client-id=pinniped-cli
-						  - --scopes=offline_access,openid,pinniped:request-audience,username,groups
-						  - --ca-bundle-data=%s
-						  - --request-audience=test-audience
-						  command: '.../path/to/pinniped'
-						  env: []
-						  installHint: The pinniped CLI does not appear to be installed.  See https://get.pinniped.dev/cli
-						    for more details
-						  provideClusterInfo: true
-					`,
-					issuerURL,
-					base64.StdEncoding.EncodeToString([]byte(issuerCABundle)))
-			},
-		},
-		{
-			name: "autodetect JWT authenticator with CA bundle in ConfigMap",
-			args: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					"--kubeconfig", "./testdata/kubeconfig.yaml",
-					"--skip-validation",
-				}
-			},
-			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
-				return []runtime.Object{
-					credentialIssuer(),
-					jwtAuthenticatorWithCABundleDataSource("ConfigMap", "my-ca-configmap", "ca.crt", issuerURL),
-				}
-			},
-			kubeObjects: func(issuerCABundle string) []runtime.Object {
-				return []runtime.Object{
-					caBundleInConfigmap(issuerCABundle, "my-ca-configmap", "test-concierge-namespace", "ca.crt"),
-				}
-			},
-			apiServiceObjects: []runtime.Object{
-				apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
-				apiService("unrelated.pinniped.dev", "v1alpha1", "unrelated-namespace"),
-				apiService("login.concierge.pinniped.dev", "v1alpha2", "test-concierge-namespace"),
-			},
-			oidcDiscoveryResponse: onlyIssuerOIDCDiscoveryResponse,
-			wantLogs: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge namespace for API group suffix  {"apiGroupSuffix": "pinniped.dev"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle from JWTAuthenticator spec.tls.certificateAuthorityDataSource  {"roots": 1}`,
-				}
-			},
-			wantStdout: func(issuerCABundle string, issuerURL string) string {
-				return here.Docf(`
-					apiVersion: v1
-					clusters:
-					- cluster:
-						certificate-authority-data: ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
-						server: https://fake-server-url-value
-					  name: kind-cluster-pinniped
-					contexts:
-					- context:
-						cluster: kind-cluster-pinniped
-						user: kind-user-pinniped
-					  name: kind-context-pinniped
-					current-context: kind-context-pinniped
-					kind: Config
-					preferences: {}
-					users:
-					- name: kind-user-pinniped
-					  user:
-						exec:
-						  apiVersion: client.authentication.k8s.io/v1beta1
-						  args:
-						  - login
-						  - oidc
-						  - --enable-concierge
-						  - --concierge-api-group-suffix=pinniped.dev
-						  - --concierge-authenticator-name=test-authenticator
-						  - --concierge-authenticator-type=jwt
-						  - --concierge-endpoint=https://fake-server-url-value
-						  - --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
-						  - --issuer=%s
-						  - --client-id=pinniped-cli
-						  - --scopes=offline_access,openid,pinniped:request-audience,username,groups
-						  - --ca-bundle-data=%s
-						  - --request-audience=test-audience
-						  command: '.../path/to/pinniped'
-						  env: []
-						  installHint: The pinniped CLI does not appear to be installed.  See https://get.pinniped.dev/cli
-						    for more details
-						  provideClusterInfo: true
-					`,
-					issuerURL,
-					base64.StdEncoding.EncodeToString([]byte(issuerCABundle)))
-			},
-		},
-		{
-			name: "autodetect JWT authenticator with CA bundle in ConfigMap with a custom API group suffix",
-			args: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					"--kubeconfig", "./testdata/kubeconfig.yaml",
-					"--concierge-api-group-suffix=acme.com",
-					"--skip-validation",
-				}
-			},
-			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
-				return []runtime.Object{
-					credentialIssuer(),
-					jwtAuthenticatorWithCABundleDataSource("ConfigMap", "my-ca-configmap", "ca.crt", issuerURL),
-				}
-			},
-			kubeObjects: func(issuerCABundle string) []runtime.Object {
-				return []runtime.Object{
-					caBundleInConfigmap(issuerCABundle, "my-ca-configmap", "test-concierge-namespace", "ca.crt"),
-				}
-			},
-			apiServiceObjects: []runtime.Object{
-				apiService("login.concierge.acme.com", "v1alpha1", "test-concierge-namespace"),
-				apiService("unrelated.pinniped.dev", "v1alpha1", "unrelated-namespace"),
-				apiService("login.concierge.pinniped.dev", "v1alpha2", "another-unrelated-namespace"),
-			},
-			oidcDiscoveryResponse: onlyIssuerOIDCDiscoveryResponse,
-			wantLogs: func(issuerCABundle string, issuerURL string) []string {
-				return []string{
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge namespace for API group suffix  {"apiGroupSuffix": "acme.com"}`,
-					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle from JWTAuthenticator spec.tls.certificateAuthorityDataSource  {"roots": 1}`,
-				}
-			},
-			wantAPIGroupSuffix: "acme.com",
-			wantStdout: func(issuerCABundle string, issuerURL string) string {
-				return here.Docf(`
-					apiVersion: v1
-					clusters:
-					- cluster:
-						certificate-authority-data: ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
-						server: https://fake-server-url-value
-					  name: kind-cluster-pinniped
-					contexts:
-					- context:
-						cluster: kind-cluster-pinniped
-						user: kind-user-pinniped
-					  name: kind-context-pinniped
-					current-context: kind-context-pinniped
-					kind: Config
-					preferences: {}
-					users:
-					- name: kind-user-pinniped
-					  user:
-						exec:
-						  apiVersion: client.authentication.k8s.io/v1beta1
-						  args:
-						  - login
-						  - oidc
-						  - --enable-concierge
-						  - --concierge-api-group-suffix=acme.com
-						  - --concierge-authenticator-name=test-authenticator
-						  - --concierge-authenticator-type=jwt
-						  - --concierge-endpoint=https://fake-server-url-value
-						  - --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
-						  - --issuer=%s
-						  - --client-id=pinniped-cli
-						  - --scopes=offline_access,openid,pinniped:request-audience,username,groups
-						  - --ca-bundle-data=%s
-						  - --request-audience=test-audience
-						  command: '.../path/to/pinniped'
-						  env: []
-						  installHint: The pinniped CLI does not appear to be installed.  See https://get.pinniped.dev/cli
-						    for more details
-						  provideClusterInfo: true
-					`,
-					issuerURL,
-					base64.StdEncoding.EncodeToString([]byte(issuerCABundle)))
-			},
-		},
 		{
 			name: "autodetect nothing, set a bunch of options",
 			args: func(issuerCABundle string, issuerURL string) []string {
@@ -3842,7 +3212,6 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 		},
 	}
-
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var issuerEndpointPtr *string
@@ -3877,37 +3246,6 @@ func TestGetKubeconfig(t *testing.T) {
 			}), nil)
 			issuerEndpointPtr = ptr.To(testServer.URL)

-			getClientsetFunc := func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, kubernetes.Interface, aggregatorclient.Interface, error) {
-				if tt.wantAPIGroupSuffix == "" {
-					require.Equal(t, "pinniped.dev", apiGroupSuffix) // "pinniped.dev" = api group suffix default
-				} else {
-					require.Equal(t, tt.wantAPIGroupSuffix, apiGroupSuffix)
-				}
-				if tt.getClientsetErr != nil {
-					return nil, nil, nil, tt.getClientsetErr
-				}
-				fakeAggregatorClient := aggregatorfake.NewSimpleClientset(tt.apiServiceObjects...)
-				fakeKubeClient := fake.NewClientset()
-				if tt.kubeObjects != nil {
-					kubeObjects := tt.kubeObjects(string(testServerCA))
-					fakeKubeClient = fake.NewClientset(kubeObjects...)
-				}
-				fakeConciergeClient := conciergefake.NewSimpleClientset()
-				if tt.conciergeObjects != nil {
-					fakeConciergeClient = conciergefake.NewSimpleClientset(tt.conciergeObjects(string(testServerCA), testServer.URL)...)
-				}
-				if len(tt.conciergeReactions) > 0 {
-					fakeConciergeClient.ReactionChain = slices.Concat(tt.conciergeReactions, fakeConciergeClient.ReactionChain)
-				}
-				if len(tt.kubeReactions) > 0 {
-					fakeKubeClient.ReactionChain = slices.Concat(tt.kubeReactions, fakeKubeClient.ReactionChain)
-				}
-				if len(tt.apiServiceReactions) > 0 {
-					fakeAggregatorClient.ReactionChain = slices.Concat(tt.apiServiceReactions, fakeAggregatorClient.ReactionChain)
-				}
-				return fakeConciergeClient, fakeKubeClient, fakeAggregatorClient, nil
-			}
-
 			var log bytes.Buffer

 			cmd := kubeconfigCommand(kubeconfigDeps{
@@ -3920,8 +3258,25 @@ func TestGetKubeconfig(t *testing.T) {
 					}
 					return ".../path/to/pinniped", nil
 				},
-				getClientsets: getClientsetFunc,
-				log:           plog.TestConsoleLogger(t, &log),
+				getClientset: func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, error) {
+					if tt.wantAPIGroupSuffix == "" {
+						require.Equal(t, "pinniped.dev", apiGroupSuffix) // "pinniped.dev" = api group suffix default
+					} else {
+						require.Equal(t, tt.wantAPIGroupSuffix, apiGroupSuffix)
+					}
+					if tt.getClientsetErr != nil {
+						return nil, tt.getClientsetErr
+					}
+					fake := conciergefake.NewSimpleClientset()
+					if tt.conciergeObjects != nil {
+						fake = conciergefake.NewSimpleClientset(tt.conciergeObjects(string(testServerCA), testServer.URL)...)
+					}
+					if len(tt.conciergeReactions) > 0 {
+						fake.ReactionChain = slices.Concat(tt.conciergeReactions, fake.ReactionChain)
+					}
+					return fake, nil
+				},
+				log: plog.TestConsoleLogger(t, &log),
 			})
 			require.NotNil(t, cmd)

@@ -3938,10 +3293,14 @@ func TestGetKubeconfig(t *testing.T) {
 				require.NoError(t, err)
 			}

+			var expectedLogs string
 			if tt.wantLogs != nil {
-				wantLogs := tt.wantLogs(string(testServerCA), testServer.URL)
-				testutil.RequireLogLines(t, wantLogs, &log)
+				temp := tt.wantLogs(string(testServerCA), testServer.URL)
+				if len(temp) > 0 {
+					expectedLogs = strings.Join(tt.wantLogs(string(testServerCA), testServer.URL), "\n") + "\n"
+				}
 			}
+			require.Equal(t, expectedLogs, log.String())

 			expectedStdout := ""
 			if tt.wantStdout != nil {
--- a/cmd/pinniped/cmd/login_oidc.go
+++ b/cmd/pinniped/cmd/login_oidc.go
@@ -224,7 +224,6 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 			conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
 			conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),
 			conciergeclient.WithAPIGroupSuffix(flags.conciergeAPIGroupSuffix),
-			conciergeclient.WithTransportWrapper(LogAuditIDTransportWrapper),
 		)
 		if err != nil {
 			return fmt.Errorf("invalid Concierge parameters: %w", err)
--- a/cmd/pinniped/cmd/login_oidc_test.go
+++ b/cmd/pinniped/cmd/login_oidc_test.go
@@ -274,8 +274,8 @@ func TestLoginOIDCCommand(t *testing.T) {
 			wantOptionsCount: 4,
 			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
 			wantLogs: []string{
-				nowStr + `  cmd/login_oidc.go:268  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
-				nowStr + `  cmd/login_oidc.go:288  No concierge configured, skipping token credential exchange`,
+				nowStr + `  cmd/login_oidc.go:267  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
+				nowStr + `  cmd/login_oidc.go:287  No concierge configured, skipping token credential exchange`,
 			},
 		},
 		{
@@ -319,10 +319,10 @@ func TestLoginOIDCCommand(t *testing.T) {
 			wantOptionsCount: 12,
 			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"token":"exchanged-token"}}` + "\n",
 			wantLogs: []string{
-				nowStr + `  cmd/login_oidc.go:268  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
-				nowStr + `  cmd/login_oidc.go:278  Exchanging token for cluster credential  {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
-				nowStr + `  cmd/login_oidc.go:286  Successfully exchanged token for cluster credential.`,
-				nowStr + `  cmd/login_oidc.go:293  caching cluster credential for future use.`,
+				nowStr + `  cmd/login_oidc.go:267  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
+				nowStr + `  cmd/login_oidc.go:277  Exchanging token for cluster credential  {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
+				nowStr + `  cmd/login_oidc.go:285  Successfully exchanged token for cluster credential.`,
+				nowStr + `  cmd/login_oidc.go:292  caching cluster credential for future use.`,
 			},
 		},
 	}
--- a/cmd/pinniped/cmd/login_static.go
+++ b/cmd/pinniped/cmd/login_static.go
@@ -113,7 +113,6 @@ func runStaticLogin(cmd *cobra.Command, deps staticLoginDeps, flags staticLoginP
 			conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
 			conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),
 			conciergeclient.WithAPIGroupSuffix(flags.conciergeAPIGroupSuffix),
-			conciergeclient.WithTransportWrapper(LogAuditIDTransportWrapper),
 		)
 		if err != nil {
 			return fmt.Errorf("invalid Concierge parameters: %w", err)
--- a/cmd/pinniped/cmd/login_static_test.go
+++ b/cmd/pinniped/cmd/login_static_test.go
@@ -147,7 +147,7 @@ func TestLoginStaticCommand(t *testing.T) {
 				Error: could not complete Concierge credential exchange: some concierge error
 			`),
 			wantLogs: []string{
-				nowStr + `  cmd/login_static.go:160  exchanging static token for cluster credential  {"endpoint": "https://127.0.0.1/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
+				nowStr + `  cmd/login_static.go:159  exchanging static token for cluster credential  {"endpoint": "https://127.0.0.1/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
 			},
 		},
 		{
--- a/cmd/pinniped/cmd/whoami.go
+++ b/cmd/pinniped/cmd/whoami.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package cmd
@@ -25,14 +25,14 @@ import (
 )

 type whoamiDeps struct {
-	getenv        func(key string) string
-	getClientsets getClientsetsFunc
+	getenv       func(key string) string
+	getClientset getConciergeClientsetFunc
 }

 func whoamiRealDeps() whoamiDeps {
 	return whoamiDeps{
-		getenv:        os.Getenv,
-		getClientsets: getRealClientsets,
+		getenv:       os.Getenv,
+		getClientset: getRealConciergeClientset,
 	}
 }

@@ -82,7 +82,7 @@ func newWhoamiCommand(deps whoamiDeps) *cobra.Command {

 func runWhoami(output io.Writer, deps whoamiDeps, flags *whoamiFlags) error {
 	clientConfig := newClientConfig(flags.kubeconfigPath, flags.kubeconfigContextOverride)
-	conciergeClient, _, _, err := deps.getClientsets(clientConfig, flags.apiGroupSuffix)
+	clientset, err := deps.getClientset(clientConfig, flags.apiGroupSuffix)
 	if err != nil {
 		return fmt.Errorf("could not configure Kubernetes client: %w", err)
 	}
@@ -108,7 +108,7 @@ func runWhoami(output io.Writer, deps whoamiDeps, flags *whoamiFlags) error {
 		defer cancelFunc()
 	}

-	whoAmI, err := conciergeClient.IdentityV1alpha1().WhoAmIRequests().Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
+	whoAmI, err := clientset.IdentityV1alpha1().WhoAmIRequests().Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 	if err != nil {
 		hint := ""
 		if apierrors.IsNotFound(err) {
--- a/cmd/pinniped/cmd/whoami_test.go
+++ b/cmd/pinniped/cmd/whoami_test.go
@@ -1,4 +1,4 @@
-// Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package cmd
@@ -11,10 +11,8 @@ import (
 	"github.com/stretchr/testify/require"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/client-go/kubernetes"
 	kubetesting "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/clientcmd"
-	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"

 	identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
 	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
@@ -292,15 +290,14 @@ func TestWhoami(t *testing.T) {
 			wantStderr:    "Error: could not complete WhoAmIRequest (is the Pinniped WhoAmI API running and healthy?): whoamirequests.identity.concierge.pinniped.dev \"whatever\" not found\n",
 		},
 	}
-
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			getClientsetFunc := func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, kubernetes.Interface, aggregatorclient.Interface, error) {
+			getClientset := func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, error) {
 				if test.gettingClientsetErr != nil {
-					return nil, nil, nil, test.gettingClientsetErr
+					return nil, test.gettingClientsetErr
 				}
-				conciergeClient := conciergefake.NewSimpleClientset()
-				conciergeClient.PrependReactor("create", "whoamirequests", func(_ kubetesting.Action) (bool, runtime.Object, error) {
+				clientset := conciergefake.NewSimpleClientset()
+				clientset.PrependReactor("create", "whoamirequests", func(_ kubetesting.Action) (bool, runtime.Object, error) {
 					if test.callingAPIErr != nil {
 						return true, nil, test.callingAPIErr
 					}
@@ -319,14 +316,13 @@ func TestWhoami(t *testing.T) {
 						},
 					}, nil
 				})
-				return conciergeClient, nil, nil, nil
+				return clientset, nil
 			}
-
 			cmd := newWhoamiCommand(whoamiDeps{
 				getenv: func(key string) string {
 					return test.env[key]
 				},
-				getClientsets: getClientsetFunc,
+				getClientset: getClientset,
 			})

 			stdout, stderr := bytes.NewBuffer([]byte{}), bytes.NewBuffer([]byte{})
--- a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: jwtauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
@@ -134,6 +134,24 @@ spec:
          status:
            description: CredentialIssuerStatus describes the status of the Concierge.
            properties:
+              kubeConfigInfo:
+                description: |-
+                  Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+                  This field is deprecated and will be removed in a future version.
+                properties:
+                  certificateAuthorityData:
+                    description: The K8s API server CA bundle.
+                    minLength: 1
+                    type: string
+                  server:
+                    description: The K8s API server URL.
+                    minLength: 1
+                    pattern: ^https://|^http://
+                    type: string
+                required:
+                - certificateAuthorityData
+                - server
+                type: object
              strategies:
                description: List of integration strategies that were attempted by
                  Pinniped.
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@@ -1,18 +1,9 @@
-#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
 #@ load("@ytt:json", "json")
-#@ load("helpers.lib.yaml",
-#@   "defaultLabel",
-#@   "labels",
-#@   "deploymentPodLabel",
-#@   "namespace",
-#@   "defaultResourceName",
-#@   "defaultResourceNameWithSuffix",
-#@   "getAndValidateLogLevel",
-#@   "pinnipedDevAPIGroupWithPrefix",
-#@ )
+#@ load("helpers.lib.yaml", "defaultLabel", "labels", "deploymentPodLabel", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel", "pinnipedDevAPIGroupWithPrefix")
 #@ load("@ytt:template", "template")

 #@ if not data.values.into_namespace:
@@ -77,7 +68,6 @@ data:
    apiGroupSuffix: (@= data.values.api_group_suffix @)
    # aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated
    # impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated
-    aggregatedAPIServerDisableAdmissionPlugins: []
    names:
      servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
      credentialIssuer: (@= defaultResourceNameWithSuffix("config") @)
@@ -93,7 +83,6 @@ data:
    labels: (@= json.encode(labels()).rstrip() @)
    kubeCertAgent:
      namePrefix: (@= defaultResourceNameWithSuffix("kube-cert-agent-") @)
-      priorityClassName: (@= data.values.kube_cert_agent_priority_class_name @)
      (@ if data.values.kube_cert_agent_image: @)
      image: (@= data.values.kube_cert_agent_image @)
      (@ else: @)
@@ -105,17 +94,15 @@ data:
      (@ end @)
      (@ if data.values.image_pull_dockerconfigjson: @)
      imagePullSecrets:
-      - image-pull-secret
+        - image-pull-secret
      (@ end @)
    (@ if data.values.log_level: @)
    log:
      level: (@= getAndValidateLogLevel() @)
-      (@ end @)
+    (@ end @)
    tls:
      onedottwo:
        allowedCiphers: (@= str(data.values.allowed_ciphers_for_tls_onedottwo) @)
-    audit:
-      logUsernamesAndGroups: (@= data.values.audit.log_usernames_and_groups @)
 ---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 apiVersion: v1
--- a/deploy/concierge/helpers.lib.yaml
+++ b/deploy/concierge/helpers.lib.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
--- a/deploy/concierge/values.yaml
+++ b/deploy/concierge/values.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ def validate_strings_map(obj):
@@ -68,24 +68,15 @@ image_digest: ""
 image_tag: latest

 #@schema/title "Kube Cert Agent image"
-#@ kube_cert_agent_image_desc = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \
+#@ kube_cert_agent_image = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \
 #@ on the control plane. This image needs only to include `sleep` and `cat` binaries. \
 #@ By default, the same image specified for image_repo/image_digest/image_tag will be re-used."
-#@schema/desc kube_cert_agent_image_desc
+#@schema/desc kube_cert_agent_image
 #@schema/examples ("Image including tag or digest", "ghcr.io/vmware-tanzu/pinniped/pinniped-server:latest")
 #@schema/nullable
 #@schema/validation min_len=1
 kube_cert_agent_image: ""

-#@schema/title "Kube Cert Agent Priority Class Name"
-#@ kube_cert_agent_priority_class_name_desc = "Optionally specify a PriorityClassName for the 'kube-cert-agent' pod. \
-#@ See https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ for more details. \
-#@ By default, this is the empty string."
-#@schema/desc kube_cert_agent_priority_class_name_desc
-#@schema/examples ("name of a PriorityClass object", "high-priority")
-#@schema/validation min_len=0
-kube_cert_agent_priority_class_name: ""
-
 #@schema/title "Image pull dockerconfigjson"
 #@ image_pull_dockerconfigjson_desc = "A base64 encoded secret to be used when pulling the `image_repo` container image. \
 #@ Can be used when the image_repo is a private registry. Typically, the value would be the output of: \
@@ -240,15 +231,3 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
 #! An empty array is perfectly valid, as is any array of strings.
 allowed_ciphers_for_tls_onedottwo:
 - ""
-
-#@schema/title "Audit logging configuration"
-#@schema/desc "Customize the content of audit log events."
-audit:
-
-  #@schema/title "Log usernames and groups"
-  #@ log_usernames_and_groups_desc = "Enables or disables printing usernames and group names in audit logs. Options are 'enabled' or 'disabled'. \
-  #@ If enabled, usernames are group names may be printed in audit log events. \
-  #@ If disabled, usernames and group names will be redacted from audit logs because they might contain personally identifiable information."
-  #@schema/desc log_usernames_and_groups_desc
-  #@schema/validation one_of=["enabled", "disabled"]
-  log_usernames_and_groups: disabled
--- a/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: federationdomains.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
@@ -289,9 +289,6 @@ spec:
                  https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
                minLength: 1
                type: string
-                x-kubernetes-validations:
-                - message: issuer must be an HTTPS URL
-                  rule: isURL(self) && url(self).getScheme() == 'https'
              tls:
                description: TLS specifies a secret which will contain Transport Layer
                  Security (TLS) configuration for the FederationDomain.
--- a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: oidcclients.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/deploy/supervisor/deployment.yaml
+++ b/deploy/supervisor/deployment.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
@@ -13,7 +13,7 @@
 #@   "pinnipedDevAPIGroupWithPrefix",
 #@   "getPinnipedConfigMapData",
 #@   "hasUnixNetworkEndpoint",
-#@ )
+#@  )
 #@ load("@ytt:template", "template")

 #@ if not data.values.into_namespace:
--- a/deploy/supervisor/helpers.lib.yaml
+++ b/deploy/supervisor/helpers.lib.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
@@ -57,12 +57,7 @@ _: #@ template.replace(data.values.custom_labels)
 #@       "onedottwo": {
 #@         "allowedCiphers": data.values.allowed_ciphers_for_tls_onedottwo
 #@       }
-#@     },
-#@     "audit": {
-#@       "logUsernamesAndGroups": data.values.audit.log_usernames_and_groups,
-#@       "logInternalPaths": data.values.audit.log_internal_paths
-#@     },
-#@     "aggregatedAPIServerDisableAdmissionPlugins": []
+#@     }
 #@   }
 #@   if data.values.log_level:
 #@     config["log"] = {}
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: githubidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: ldapidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: oidcidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/deploy/supervisor/values.yaml
+++ b/deploy/supervisor/values.yaml
@@ -220,23 +220,3 @@ endpoints: { }
 #! An empty array is perfectly valid, as is any array of strings.
 allowed_ciphers_for_tls_onedottwo:
 - ""
-
-#@schema/title "Audit logging configuration"
-#@schema/desc "Customize the content of audit log events."
-audit:
-
-  #@schema/title "Log usernames and groups"
-  #@ log_usernames_and_groups_desc = "Enables or disables printing usernames and group names in audit logs. Options are 'enabled' or 'disabled'. \
-  #@ If enabled, usernames are group names may be printed in audit log events. \
-  #@ If disabled, usernames and group names will be redacted from audit logs because they might contain personally identifiable information."
-  #@schema/desc log_usernames_and_groups_desc
-  #@schema/validation one_of=["enabled", "disabled"]
-  log_usernames_and_groups: disabled
-
-  #@schema/title "Log HTTPS requests for internal paths"
-  #@ log_internal_paths = "Enables or disables request logging for internal paths in audit logs. Options are 'enabled' or 'disabled'. \
-  #@ If enabled, requests to certain paths that are typically only used internal to the cluster (e.g. /healthz) will be enabled, which can be very verbose. \
-  #@ If disabled, requests to those paths will not be audit logged."
-  #@schema/desc log_internal_paths
-  #@schema/validation one_of=["enabled", "disabled"]
-  log_internal_paths: disabled
--- a/generated/1.25/README.adoc
+++ b/generated/1.25/README.adoc
--- a/generated/1.25/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.25/apis/concierge/authentication/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/generated/1.25/apis/concierge/authentication/v1alpha1/register.go
+++ b/generated/1.25/apis/concierge/authentication/v1alpha1/register.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.25/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go
+++ b/generated/1.25/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.25/apis/concierge/authentication/v1alpha1/types_tls.go
+++ b/generated/1.25/apis/concierge/authentication/v1alpha1/types_tls.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.25/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go
+++ b/generated/1.25/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.25/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.25/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.25/apis/concierge/config/v1alpha1/doc.go
+++ b/generated/1.25/apis/concierge/config/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/generated/1.25/apis/concierge/config/v1alpha1/register.go
+++ b/generated/1.25/apis/concierge/config/v1alpha1/register.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
@@ -161,6 +161,24 @@ type ImpersonationProxyServiceSpec struct {
 type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerStrategy `json:"strategies"`
+
+	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+	// This field is deprecated and will be removed in a future version.
+	// +optional
+	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+}
+
+// CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// This type is deprecated and will be removed in a future version.
+type CredentialIssuerKubeConfigInfo struct {
+	// The K8s API server URL.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://|^http://`
+	Server string `json:"server"`
+
+	// The K8s API server CA bundle.
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }

 // CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.
--- a/generated/1.25/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.25/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
@@ -66,6 +66,22 @@ func (in *CredentialIssuerFrontend) DeepCopy() *CredentialIssuerFrontend {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerKubeConfigInfo.
+func (in *CredentialIssuerKubeConfigInfo) DeepCopy() *CredentialIssuerKubeConfigInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerKubeConfigInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerList) DeepCopyInto(out *CredentialIssuerList) {
 	*out = *in
@@ -130,6 +146,11 @@ func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.KubeConfigInfo != nil {
+		in, out := &in.KubeConfigInfo, &out.KubeConfigInfo
+		*out = new(CredentialIssuerKubeConfigInfo)
+		**out = **in
+	}
 	return
 }

--- a/generated/1.25/apis/concierge/identity/doc.go
+++ b/generated/1.25/apis/concierge/identity/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/generated/1.25/apis/concierge/identity/register.go
+++ b/generated/1.25/apis/concierge/identity/register.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/generated/1.25/apis/concierge/identity/types_userinfo.go
+++ b/generated/1.25/apis/concierge/identity/types_userinfo.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/generated/1.25/apis/concierge/identity/types_whoamirequest.go
+++ b/generated/1.25/apis/concierge/identity/types_whoamirequest.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/generated/1.25/apis/concierge/identity/v1alpha1/conversion.go
+++ b/generated/1.25/apis/concierge/identity/v1alpha1/conversion.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.25/apis/concierge/identity/v1alpha1/defaults.go
+++ b/generated/1.25/apis/concierge/identity/v1alpha1/defaults.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.25/apis/concierge/identity/v1alpha1/doc.go
+++ b/generated/1.25/apis/concierge/identity/v1alpha1/doc.go
@@ -1,9 +1,9 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.33/apis/concierge/identity
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.25/apis/concierge/identity
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=identity.concierge.pinniped.dev

--- a/generated/1.25/apis/concierge/identity/v1alpha1/register.go
+++ b/generated/1.25/apis/concierge/identity/v1alpha1/register.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/Show More
+++ b/Show More