diff --git a/api/v1beta1/hosted_controlplane.go b/api/v1beta1/hosted_controlplane.go
index b99ad1ec71a..35f963b0074 100644
--- a/api/v1beta1/hosted_controlplane.go
+++ b/api/v1beta1/hosted_controlplane.go
@@ -25,9 +25,16 @@ type HostedControlPlane struct {
 
 // HostedControlPlaneSpec defines the desired state of HostedControlPlane
 type HostedControlPlaneSpec struct {
-	ReleaseImage string                      `json:"releaseImage"`
-	PullSecret   corev1.LocalObjectReference `json:"pullSecret"`
-	IssuerURL    string                      `json:"issuerURL"`
+	// ReleaseImage is the release image applied to the hosted control plane.
+	ReleaseImage string `json:"releaseImage"`
+
+	PullSecret corev1.LocalObjectReference `json:"pullSecret"`
+
+	// IssuerURL is an OIDC issuer URL which is used as the issuer in all
+	// ServiceAccount tokens generated by the control plane API server. The
+	// default value is kubernetes.default.svc, which only works for in-cluster
+	// validation.
+	IssuerURL string `json:"issuerURL"`
 
 	// Networking specifies network configuration for the cluster.
 	// Temporarily optional for backward compatibility, required in future releases.
diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml
index 51f9d30aa5f..99a344b56a5 100644
--- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml
+++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml
@@ -5294,6 +5294,10 @@ spec:
                   The default value is SingleReplica.
                 type: string
               issuerURL:
+                description: IssuerURL is an OIDC issuer URL which is used as the
+                  issuer in all ServiceAccount tokens generated by the control plane
+                  API server. The default value is kubernetes.default.svc, which only
+                  works for in-cluster validation.
                 type: string
               kubeconfig:
                 description: KubeConfig specifies the name and key for the kubeconfig
@@ -5957,6 +5961,8 @@ spec:
                 type: object
                 x-kubernetes-map-type: atomic
               releaseImage:
+                description: ReleaseImage is the release image applied to the hosted
+                  control plane.
                 type: string
               secretEncryption:
                 description: SecretEncryption contains metadata about the kubernetes
diff --git a/hack/app-sre/saas_template.yaml b/hack/app-sre/saas_template.yaml
index 42fb33fbdda..ea06fb55968 100644
--- a/hack/app-sre/saas_template.yaml
+++ b/hack/app-sre/saas_template.yaml
@@ -32661,6 +32661,10 @@ objects:
                     nodes. The default value is SingleReplica.
                   type: string
                 issuerURL:
+                  description: IssuerURL is an OIDC issuer URL which is used as the
+                    issuer in all ServiceAccount tokens generated by the control plane
+                    API server. The default value is kubernetes.default.svc, which
+                    only works for in-cluster validation.
                   type: string
                 kubeconfig:
                   description: KubeConfig specifies the name and key for the kubeconfig
@@ -33335,6 +33339,8 @@ objects:
                   type: object
                   x-kubernetes-map-type: atomic
                 releaseImage:
+                  description: ReleaseImage is the release image applied to the hosted
+                    control plane.
                   type: string
                 secretEncryption:
                   description: SecretEncryption contains metadata about the kubernetes