diff --git a/apis/workloads/v1alpha1/console_attach_webhook.go b/apis/workloads/v1alpha1/console_attach_webhook.go
index ac2b4ce7..38c82820 100644
--- a/apis/workloads/v1alpha1/console_attach_webhook.go
+++ b/apis/workloads/v1alpha1/console_attach_webhook.go
@@ -49,7 +49,7 @@ func (c *ConsoleAttachObserverWebhook) Handle(ctx context.Context, req admission
 	)
 	logger.Info("starting request", "event", "request.start")
 	defer func(start time.Time) {
-		logging.WithNoRecord(logger).Info("completed request", "event", "request.end", "duration", time.Now().Sub(start).Seconds())
+		logging.WithNoRecord(logger).Info("completed request", "event", "request.end", "duration", time.Since(start).Seconds())
 	}(time.Now())
 
 	attachOptions := &corev1.PodAttachOptions{}
diff --git a/apis/workloads/v1alpha1/console_authenticator_webhook.go b/apis/workloads/v1alpha1/console_authenticator_webhook.go
index 5bda1ef1..e02154d7 100644
--- a/apis/workloads/v1alpha1/console_authenticator_webhook.go
+++ b/apis/workloads/v1alpha1/console_authenticator_webhook.go
@@ -34,7 +34,7 @@ func (c *ConsoleAuthenticatorWebhook) Handle(ctx context.Context, req admission.
 	logger := c.logger.WithValues("uuid", string(req.UID))
 	logger.Info("starting request", "event", "request.start")
 	defer func(start time.Time) {
-		logger.Info("completed request", "event", "request.end", "duration", time.Now().Sub(start).Seconds())
+		logger.Info("completed request", "event", "request.end", "duration", time.Since(start).Seconds())
 	}(time.Now())
 
 	csl := &Console{}
diff --git a/apis/workloads/v1alpha1/console_authorisation_webhook.go b/apis/workloads/v1alpha1/console_authorisation_webhook.go
index e12a9897..b97d085a 100644
--- a/apis/workloads/v1alpha1/console_authorisation_webhook.go
+++ b/apis/workloads/v1alpha1/console_authorisation_webhook.go
@@ -42,7 +42,7 @@ func (c *ConsoleAuthorisationWebhook) Handle(ctx context.Context, req admission.
 	logger := c.logger.WithValues("uuid", string(req.UID))
 	logger.Info("starting request", "event", "request.start")
 	defer func(start time.Time) {
-		logger.Info("completed request", "event", "request.end", "duration", time.Now().Sub(start).Seconds())
+		logger.Info("completed request", "event", "request.end", "duration", time.Since(start).Seconds())
 	}(time.Now())
 
 	// request console authorisation object
diff --git a/apis/workloads/v1alpha1/console_template_validation_webhook.go b/apis/workloads/v1alpha1/console_template_validation_webhook.go
index 0209c46a..3019265d 100644
--- a/apis/workloads/v1alpha1/console_template_validation_webhook.go
+++ b/apis/workloads/v1alpha1/console_template_validation_webhook.go
@@ -33,7 +33,7 @@ func (c *ConsoleTemplateValidationWebhook) Handle(ctx context.Context, req admis
 	logger.Info("starting request", "event", "request.start")
 
 	defer func(start time.Time) {
-		logger.Info("request completed", "event", "request.end", "duration", time.Now().Sub(start).Seconds())
+		logger.Info("request completed", "event", "request.end", "duration", time.Since(start).Seconds())
 	}(time.Now())
 
 	template := &ConsoleTemplate{}
diff --git a/cmd/rbac-manager/main.go b/cmd/rbac-manager/main.go
index 8314ec32..dbe9ad22 100644
--- a/cmd/rbac-manager/main.go
+++ b/cmd/rbac-manager/main.go
@@ -9,6 +9,7 @@ import (
 	"github.com/alecthomas/kingpin"
 	"golang.org/x/oauth2/google"
 	directoryv1 "google.golang.org/api/admin/directory/v1"
+	"google.golang.org/api/option"
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp" // this is required to auth against GCP
@@ -113,5 +114,5 @@ func createGoogleDirectory(ctx context.Context, subject string) (*directoryv1.Se
 	// Access to the directory API must be signed with a Subject to enable domain selection.
 	conf.Subject = subject
 
-	return directoryv1.New(conf.Client(ctx))
+	return directoryv1.NewService(ctx, option.WithHTTPClient(conf.Client(ctx)))
 }
diff --git a/cmd/vault-manager/acceptance/acceptance.go b/cmd/vault-manager/acceptance/acceptance.go
index 54f472d5..d7bdfe9d 100644
--- a/cmd/vault-manager/acceptance/acceptance.go
+++ b/cmd/vault-manager/acceptance/acceptance.go
@@ -402,7 +402,6 @@ func (r *Runner) Run(logger kitlog.Logger, config *rest.Config) {
 		Expect(buffer.String()).To(
 			ContainSubstring(fmt.Sprintf("VAULT_TEST_SHELLWORD=%s", SentinelSecretValueShellword)),
 		)
-		return
 	}
 
 	expectsFuncFiles := func(buffer bytes.Buffer) {
@@ -415,7 +414,6 @@ func (r *Runner) Run(logger kitlog.Logger, config *rest.Config) {
 		Expect(buffer.String()).To(
 			ContainSubstring(fmt.Sprintf("ascii:%s", strings.Split(SentinelSecretValueNonASCII, "\n")[0])),
 		)
-		return
 	}
 
 	Describe("theatre-secrets", func() {
diff --git a/cmd/vault-manager/main.go b/cmd/vault-manager/main.go
index ce44ad49..d00885db 100644
--- a/cmd/vault-manager/main.go
+++ b/cmd/vault-manager/main.go
@@ -20,9 +20,6 @@ var (
 
 	commonOpts = cmd.NewCommonOptions(app).WithMetrics(app)
 
-	namespace               = app.Flag("namespace", "Kubernetes webhook service namespace").Default("theatre-system").String()
-	serviceName             = app.Flag("service-name", "Name of service for webhook").Default("theatre-vault-manager").String()
-	webhookName             = app.Flag("webhook-name", "Name of webhook").Default("theatre-vault").String()
 	theatreImage            = app.Flag("theatre-image", "Set to the same image as current binary").Required().String()
 	installPath             = app.Flag("install-path", "Location to install theatre binaries").Default("/var/run/theatre").String()
 	namespaceLabel          = app.Flag("namespace-label", "Namespace label that enables webhook to operate on").Default("theatre-secrets-injector").String()
diff --git a/controllers/rbac/directoryrolebinding/cached_directory_test.go b/controllers/rbac/directoryrolebinding/cached_directory_test.go
index 267aea83..9b2da6c6 100644
--- a/controllers/rbac/directoryrolebinding/cached_directory_test.go
+++ b/controllers/rbac/directoryrolebinding/cached_directory_test.go
@@ -6,6 +6,7 @@ import (
 	"time"
 
 	directoryv1 "google.golang.org/api/admin/directory/v1"
+	"google.golang.org/api/option"
 	gock "gopkg.in/h2non/gock.v1"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
@@ -121,7 +122,7 @@ var _ = Describe("NewGoogleDirectory", func() {
 		gock.DisableNetworking()
 		gock.New("") // this shouldn't be necessary, but is
 
-		service, err := directoryv1.New(client)
+		service, err := directoryv1.NewService(context.TODO(), option.WithHTTPClient(client))
 		Expect(err).NotTo(HaveOccurred())
 
 		directory = NewGoogleDirectory(service.Members)
diff --git a/controllers/rbac/directoryrolebinding/google_directory_test.go b/controllers/rbac/directoryrolebinding/google_directory_test.go
index aa8e0cdf..115e42ee 100644
--- a/controllers/rbac/directoryrolebinding/google_directory_test.go
+++ b/controllers/rbac/directoryrolebinding/google_directory_test.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	directoryv1 "google.golang.org/api/admin/directory/v1"
+	"google.golang.org/api/option"
 	gock "gopkg.in/h2non/gock.v1"
 
 	. "github.com/onsi/ginkgo"
@@ -25,7 +26,7 @@ var _ = Describe("NewGoogleDirectory", func() {
 		gock.DisableNetworking()
 		gock.New("") // this shouldn't be necessary, but is
 
-		service, err := directoryv1.New(client)
+		service, err := directoryv1.NewService(context.TODO(), option.WithHTTPClient(client))
 		Expect(err).NotTo(HaveOccurred())
 
 		directory = NewGoogleDirectory(service.Members)
diff --git a/pkg/workloads/console/events/gcp_pubsub.go b/pkg/workloads/console/events/gcp_pubsub.go
index 6821aafd..4b4d0b9c 100644
--- a/pkg/workloads/console/events/gcp_pubsub.go
+++ b/pkg/workloads/console/events/gcp_pubsub.go
@@ -14,7 +14,7 @@ func (e ErrorPubsubFailedConnect) Unwrap() error { return e.err }
 func (e ErrorPubsubFailedConnect) Error() string {
 	return fmt.Sprintf(
 		"failed to connect to pubsub topic: %s",
-		e.Error(),
+		e.err,
 	)
 }
 
diff --git a/pkg/workloads/console/events/publisher.go b/pkg/workloads/console/events/publisher.go
index 9de85dc3..da1f5bcf 100644
--- a/pkg/workloads/console/events/publisher.go
+++ b/pkg/workloads/console/events/publisher.go
@@ -11,7 +11,7 @@ var _ Publisher = &NopPublisher{}
 // https://en.wikipedia.org/wiki/NOP_(code)
 type NopPublisher struct{}
 
-func (_ NopPublisher) Publish(_ context.Context, _ interface{}) (string, error) { return "nop", nil }
+func (nop NopPublisher) Publish(_ context.Context, _ interface{}) (string, error) { return "nop", nil }
 
 func NewNopPublisher() *NopPublisher {
 	return &NopPublisher{}
diff --git a/pkg/workloads/console/runner/runner.go b/pkg/workloads/console/runner/runner.go
index 8d22654d..5c19184a 100644
--- a/pkg/workloads/console/runner/runner.go
+++ b/pkg/workloads/console/runner/runner.go
@@ -198,7 +198,7 @@ func (c *Runner) Create(ctx context.Context, opts CreateOptions) (*workloadsv1al
 
 	// Wait for authorisation step or until ready
 	_, err = c.WaitUntilReady(ctx, *csl, false)
-	if err == consolePendingAuthorisationError {
+	if err == errConsolePendingAuthorisation {
 		rule, err := tpl.GetAuthorisationRuleForCommand(opts.Command)
 		if err != nil {
 			return csl, fmt.Errorf("failed to get authorisation rule %w", err)
@@ -838,8 +838,8 @@ func (c *Runner) WaitUntilReady(ctx context.Context, createdCsl workloadsv1alpha
 }
 
 var (
-	consolePendingAuthorisationError = errors.New("console pending authorisation")
-	consoleNotFoundError             = errors.New("console not found")
+	errConsoleNotFound             = errors.New("console not found")
+	errConsolePendingAuthorisation = errors.New("console pending authorisation")
 )
 
 func (c *Runner) waitForConsole(ctx context.Context, createdCsl workloadsv1alpha1.Console, waitForAuthorisation bool) (*workloadsv1alpha1.Console, error) {
@@ -876,7 +876,7 @@ func (c *Runner) waitForConsole(ctx context.Context, createdCsl workloadsv1alpha
 		return csl, nil
 	}
 	if isPendingAuthorisation(csl) {
-		return csl, consolePendingAuthorisationError
+		return csl, errConsolePendingAuthorisation
 	}
 	// If the console has already stopped it may have already run to
 	// completion, so let's return it
@@ -903,7 +903,7 @@ func (c *Runner) waitForConsole(ctx context.Context, createdCsl workloadsv1alpha
 				return csl, nil
 			}
 			if isPendingAuthorisation(csl) {
-				return csl, consolePendingAuthorisationError
+				return csl, errConsolePendingAuthorisation
 			}
 			// If the console has already stopped it may have already run to
 			// completion, so let's return it
@@ -912,7 +912,7 @@ func (c *Runner) waitForConsole(ctx context.Context, createdCsl workloadsv1alpha
 			}
 		case <-ctx.Done():
 			if csl == nil {
-				return nil, fmt.Errorf("%s: %w", consoleNotFoundError, ctx.Err())
+				return nil, fmt.Errorf("%s: %w", errConsoleNotFound, ctx.Err())
 			}
 			return nil, fmt.Errorf("console's last phase was: %v: %w", csl.Status.Phase, ctx.Err())
 		}