diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go
index ba77759b..69a17b95 100644
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@@ -26,7 +26,6 @@ import (
 	authorizationv1 "k8s.io/api/authorization/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
-	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
 	authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
@@ -166,13 +165,8 @@ func TestE2EFullIntegration(t *testing.T) {
 
 	// If there is a proxy, we always want the "pinniped login oidc" command to use it, even if the
 	// parent kubectl process is connecting to an external load balancer and not using the proxy.
-	if env.Proxy != "" {
-		restConfig.ExecProvider.Env = append(restConfig.ExecProvider.Env,
-			clientcmdapi.ExecEnvVar{Name: "http_proxy", Value: env.Proxy},
-			clientcmdapi.ExecEnvVar{Name: "https_proxy", Value: env.Proxy},
-			clientcmdapi.ExecEnvVar{Name: "no_proxy", Value: "127.0.0.1"},
-		)
-	}
+	kubeconfigYAML = env.InjectProxyEnvIntoKubeconfig(kubeconfigYAML)
+	t.Logf("test kubeconfig after proxy environment addition:\n%s\n\n", kubeconfigYAML)
 
 	kubeconfigPath := filepath.Join(tempDir, "kubeconfig.yaml")
 	require.NoError(t, ioutil.WriteFile(kubeconfigPath, []byte(kubeconfigYAML), 0600))
diff --git a/test/library/env.go b/test/library/env.go
index 0cf28a42..ba2b3b2c 100644
--- a/test/library/env.go
+++ b/test/library/env.go
@@ -10,6 +10,8 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"sigs.k8s.io/yaml"
 
 	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
@@ -67,10 +69,47 @@ type TestOIDCUpstream struct {
 
 // ProxyEnv returns a set of environment variable strings (e.g., to combine with os.Environ()) which set up the configured test HTTP proxy.
 func (e *TestEnv) ProxyEnv() []string {
+	vars := e.proxyVars()
+	if vars == nil {
+		return nil
+	}
+	res := make([]string, 0, len(vars))
+	for k, v := range vars {
+		res = append(res, k+"="+v)
+	}
+	return res
+}
+
+func (e *TestEnv) InjectProxyEnvIntoKubeconfig(kubeconfigYAML string) string {
+	proxyVars := e.proxyVars()
+	if proxyVars == nil {
+		return kubeconfigYAML
+	}
+
+	kubeconfig, err := clientcmd.Load([]byte(kubeconfigYAML))
+	require.NoError(e.t, err)
+	for i := range kubeconfig.AuthInfos {
+		if exec := kubeconfig.AuthInfos[i].Exec; exec != nil {
+			for k, v := range proxyVars {
+				exec.Env = append(exec.Env, clientcmdapi.ExecEnvVar{Name: k, Value: v})
+			}
+		}
+	}
+
+	newYAML, err := clientcmd.Write(*kubeconfig)
+	require.NoError(t, err)
+	return string(newYAML)
+}
+
+func (e *TestEnv) proxyVars() map[string] {
 	if e.Proxy == "" {
 		return nil
 	}
-	return []string{"http_proxy=" + e.Proxy, "https_proxy=" + e.Proxy, "no_proxy=127.0.0.1"}
+	return map[string]string{
+		"http_proxy":  e.Proxy,
+		"https_proxy": e.Proxy,
+		"no_proxy":    "127.0.0.1",
+	}
 }
 
 // IntegrationEnv gets the integration test environment from OS environment variables. This