diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go
index 892eb3bb..2f534107 100644
--- a/pkg/bundle/bundle.go
+++ b/pkg/bundle/bundle.go
@@ -38,7 +38,6 @@ import (
 trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
 "github.com/cert-manager/trust-manager/pkg/bundle/internal/ssa_client"
 "github.com/cert-manager/trust-manager/pkg/bundle/internal/target"
- "github.com/cert-manager/trust-manager/pkg/fspkg"
 )
 // Options hold options for the Bundle controller.
@@ -68,10 +67,6 @@ type bundle struct {
 // a cache-backed Kubernetes client
 client client.Client
- // defaultPackage holds the loaded 'default' certificate package, if one was specified
- // at startup.
- defaultPackage *fspkg.Package
-
 // recorder is used for create Kubernetes Events for reconciled Bundles.
 recorder record.EventRecorder
@@ -81,6 +76,8 @@ type bundle struct {
 // Options holds options for the Bundle controller.
 Options
+ sourceDataBuilder *bundleDataBuilder
+
 targetReconciler *target.Reconciler
 }
@@ -135,7 +132,7 @@ func (b *bundle) reconcileBundle(ctx context.Context, req ctrl.Request) (result
 statusPatch = &trustapi.BundleStatus{
 DefaultCAPackageVersion: bundle.Status.DefaultCAPackageVersion,
 }
- resolvedBundle, err := b.buildSourceBundle(ctx, bundle.Spec.Sources, bundle.Spec.Target.AdditionalFormats)
+ resolvedBundle, err := b.sourceDataBuilder.buildSourceBundle(ctx, bundle.Spec.Sources, bundle.Spec.Target.AdditionalFormats)
 // If any source is not found, update the Bundle status to an unready state.
 if errors.As(err, ¬FoundError{}) {
diff --git a/pkg/bundle/bundle_test.go b/pkg/bundle/bundle_test.go
index f27b7075..911c05ce 100644
--- a/pkg/bundle/bundle_test.go
+++ b/pkg/bundle/bundle_test.go
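Review bot: The new `sourceDataBuilder *bundleDataBuilder` field in `type bundle struct` is the only field in this hunk without a comment, and it is a pointer that `reconcileBundle` (the `@@ -135,7 +132,7 @@` hunk) now calls through unconditionally. A `bundle` built without it would hit a nil-pointer panic at the first field read inside `buildSourceBundle` (`b.FilterExpiredCerts` in source.go) instead of returning an error. I would state the requirement on the field, e.g. `// sourceDataBuilder resolves the Bundle's sources into bundle data; it must be set before reconcileBundle runs.`, or hold the builder by value so the nil state cannot occur. Both `type bundle struct` and `reconcileBundle` continue outside their hunks.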
@@ -1312,15 +1312,20 @@ func Test_Reconcile(t *testing.T) {
 )
 log, ctx := ktesting.NewTestContext(t)
+ opts := Options{
+ Log: log,
+ Namespace: trustNamespace,
+ SecretTargetsEnabled: !test.disableSecretTargets,
+ FilterExpiredCerts: true,
+ }
 b := &bundle{
 client: fakeClient,
 recorder: fakeRecorder,
 clock: fixedclock,
- Options: Options{
- Log: log,
- Namespace: trustNamespace,
- SecretTargetsEnabled: !test.disableSecretTargets,
- FilterExpiredCerts: true,
+ Options: opts,
+ sourceDataBuilder: &bundleDataBuilder{
+ client: fakeClient,
+ Options: opts,
 },
 targetReconciler: &target.Reconciler{
 Client: fakeClient,
@@ -1336,7 +1341,7 @@ func Test_Reconcile(t *testing.T) {
 }
 if test.configureDefaultPackage {
- b.defaultPackage = testDefaultPackage.Clone()
+ b.sourceDataBuilder.defaultPackage = testDefaultPackage.Clone()
 }
 resp, result, err := b.reconcileBundle(ctx, ctrl.Request{NamespacedName: types.NamespacedName{Name: bundleName}})
 if (err != nil) != test.expError {
diff --git a/pkg/bundle/controller.go b/pkg/bundle/controller.go
index 3ea5d114..d6b5fcd0 100644
--- a/pkg/bundle/controller.go
+++ b/pkg/bundle/controller.go
@@ -57,6 +57,10 @@ func AddBundleController(
 recorder: mgr.GetEventRecorderFor("bundles"),
 clock: clock.RealClock{},
 Options: opts,
+ sourceDataBuilder: &bundleDataBuilder{
+ client: mgr.GetClient(),
+ Options: opts,
+ },
 targetReconciler: &target.Reconciler{
 Client: mgr.GetClient(),
 Cache: targetCache,
@@ -69,7 +73,7 @@ func AddBundleController(
 return fmt.Errorf("must load default package successfully when default package location is set: %w", err)
 }
- b.defaultPackage = &pkg
+ b.sourceDataBuilder.defaultPackage = &pkg
 b.Options.Log.Info("successfully loaded default package from filesystem", "path", b.Options.DefaultPackageLocation)
 }
diff --git a/pkg/bundle/source.go b/pkg/bundle/source.go
index d3bcea6d..ca05635c 100644
--- a/pkg/bundle/source.go
+++ b/pkg/bundle/source.go
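Review bot: `Options: opts` inside the new `bundleDataBuilder` literal (controller.go `@@ -57,6 +57,10 @@`, mirrored in bundle_test.go `@@ -1312,15 +1312,20 @@`) stores a second by-value copy of the controller options next to `bundle.Options`, so a later write to `b.Options` would not reach the builder. The builder's copy is the one `buildSourceBundle` reads for `FilterExpiredCerts`, so drift between the two would change which certificates end up in the trust bundle without any error. Nothing in the visible hunks mutates the options after construction, so this is a latent risk rather than a present bug. I would make the invariant explicit with a comment above the literal, e.g. `// opts is copied into both bundle and its sourceDataBuilder; treat it as immutable from here on.`, or pass the builder only the fields it reads. `AddBundleController` starts and ends outside the hunk.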
@@ -29,6 +29,7 @@ import (
 trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
 "github.com/cert-manager/trust-manager/pkg/bundle/internal/target"
+ "github.com/cert-manager/trust-manager/pkg/fspkg"
 "github.com/cert-manager/trust-manager/pkg/util"
 )
@@ -45,10 +46,22 @@ type bundleData struct {
 defaultCAPackageStringID string
 }
+type bundleDataBuilder struct {
+ // a cache-backed Kubernetes client
+ client client.Client
+
+ // defaultPackage holds the loaded 'default' certificate package, if one was specified
+ // at startup.
+ defaultPackage *fspkg.Package
+
+ // Options holds options for the Bundle controller.
+ Options
+}
+
 // buildSourceBundle retrieves and concatenates all source bundle data for this Bundle object.
 // Each source data is validated and pruned to ensure that all certificates within are valid, and
 // is each bundle is concatenated together with a new line character.
-func (b *bundle) buildSourceBundle(ctx context.Context, sources []trustapi.BundleSource, formats *trustapi.AdditionalFormats) (bundleData, error) {
+func (b *bundleDataBuilder) buildSourceBundle(ctx context.Context, sources []trustapi.BundleSource, formats *trustapi.AdditionalFormats) (bundleData, error) {
 var resolvedBundle bundleData
 certPool := util.NewCertPool(util.WithFilteredExpiredCerts(b.FilterExpiredCerts))
@@ -109,7 +122,7 @@ func (b *bundle) buildSourceBundle(ctx context.Context, sources []trustapi.Bundl
 }
 // configMapBundle returns the data in the source ConfigMap within the trust Namespace.
-func (b *bundle) configMapBundle(ctx context.Context, ref *trustapi.SourceObjectKeySelector) (string, error) {
+func (b *bundleDataBuilder) configMapBundle(ctx context.Context, ref *trustapi.SourceObjectKeySelector) (string, error) {
 // this slice will contain a single ConfigMap if we fetch by name
 // or potentially multiple ConfigMaps if we fetch by label selector
 var configMaps []corev1.ConfigMap
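Review bot: `type bundleDataBuilder struct` in the `@@ -45,10 +46,22 @@` hunk is added without a type-level comment, and its `Options` field comment is copied verbatim from `bundle` although the only option the visible builder code reads is `FilterExpiredCerts`. A short comment such as `// bundleDataBuilder retrieves, validates and concatenates the source data of a Bundle.` would say why the type exists. Since the builder now owns the client that reads source ConfigMaps and Secrets, the comment is also a good place to state that lookups are confined to the trust namespace, as the `configMapBundle` and `secretBundle` comments already say. `buildSourceBundle` continues outside the hunk.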
@@ -156,7 +169,7 @@ func (b *bundle) configMapBundle(ctx context.Context, ref *trustapi.SourceObject
 }
 // secretBundle returns the data in the source Secret within the trust Namespace.
-func (b *bundle) secretBundle(ctx context.Context, ref *trustapi.SourceObjectKeySelector) (string, error) {
+func (b *bundleDataBuilder) secretBundle(ctx context.Context, ref *trustapi.SourceObjectKeySelector) (string, error) {
 // this slice will contain a single Secret if we fetch by name
 // or potentially multiple Secrets if we fetch by label selector
 var secrets []corev1.Secret
diff --git a/pkg/bundle/source_test.go b/pkg/bundle/source_test.go
index 1c78bffc..5100c378 100644
--- a/pkg/bundle/source_test.go
+++ b/pkg/bundle/source_test.go
@@ -340,7 +340,7 @@ func Test_buildSourceBundle(t *testing.T) {
 WithScheme(trustapi.GlobalScheme).
 Build()
- b := &bundle{
+ b := &bundleDataBuilder{
 client: fakeClient,
 defaultPackage: &fspkg.Package{
 Name: "testpkg",