Merge pull request #681 from enj/enj/i/fix_bad_name

Fix bad test package name
2021-06-22 12:54:29 -04:00 · 2021-06-22 12:54:29 -04:00 · f09a45382e
parent 1929b47dda d78b845575
commit f09a45382e
36 changed files with 336 additions and 336 deletions
--- a/internal/controllerlib/test/integration/examplecontroller_test.go
+++ b/internal/controllerlib/test/integration/examplecontroller_test.go
@ -16,13 +16,13 @@ import (
 	"go.pinniped.dev/internal/controllerlib/test/integration/examplecontroller/api"
 	examplestart "go.pinniped.dev/internal/controllerlib/test/integration/examplecontroller/starter"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestExampleController(t *testing.T) {
-	library.SkipUnlessIntegration(t)
+	testlib.SkipUnlessIntegration(t)
-	config := library.NewClientConfig(t)
+	config := testlib.NewClientConfig(t)
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
@ -93,7 +93,7 @@ done:
 			expectedData := map[string][]byte{
 				api.SecretDataKey: []byte(secretData),
 			}
-			require.Equal(t, expectedData, secret.Data, "expected to see new secret data: %s", library.Sdump(secret))
+			require.Equal(t, expectedData, secret.Data, "expected to see new secret data: %s", testlib.Sdump(secret))
 			break done // immediately stop consuming events because we want to check for updated events below
 		case <-timeout:
@ -132,7 +132,7 @@ done2:
 			expectedData := map[string][]byte{
 				api.SecretDataKey: []byte(secretData2),
 			}
-			require.Equal(t, expectedData, secret.Data, "expected to see updated secret data: %s", library.Sdump(secret))
+			require.Equal(t, expectedData, secret.Data, "expected to see updated secret data: %s", testlib.Sdump(secret))
 			break done2 // immediately stop consuming events because we want to check for hot loops below
 		case <-timeout:
@ -154,7 +154,7 @@ done3:
 			}
 			// this assumes that no other actor in the system is trying to mutate this secret
-			t.Errorf("unexpected event seen for secret: %s", library.Sdump(event))
+			t.Errorf("unexpected event seen for secret: %s", testlib.Sdump(event))
 		case <-timeout:
 			break done3 // we saw no events matching our secret meaning that we are not hot looping
--- a/internal/dynamiccert/provider_test.go
+++ b/internal/dynamiccert/provider_test.go
@ -18,7 +18,7 @@ import (
 	"k8s.io/apiserver/pkg/storage/names"
 	"go.pinniped.dev/internal/certauthority"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestProviderWithDynamicServingCertificateController(t *testing.T) {
@ -205,12 +205,12 @@ func TestProviderWithDynamicServingCertificateController(t *testing.T) {
 			if err != nil && lastTLSConfig != nil {
 				// for debugging failures
 				t.Log("diff between client CAs:\n", cmp.Diff(
-					library.Sdump(wantClientCASubjects),
+					testlib.Sdump(wantClientCASubjects),
-					library.Sdump(poolSubjects(lastTLSConfig.ClientCAs)),
+					testlib.Sdump(poolSubjects(lastTLSConfig.ClientCAs)),
 				))
 				t.Log("diff between serving certs:\n", cmp.Diff(
-					library.Sdump(wantCerts),
+					testlib.Sdump(wantCerts),
-					library.Sdump(lastTLSConfig.Certificates),
+					testlib.Sdump(lastTLSConfig.Certificates),
 				))
 			}
 			require.NoError(t, err)
--- a/test/integration/category_test.go
+++ b/test/integration/category_test.go
@ -12,13 +12,13 @@ import (
 	"github.com/stretchr/testify/require"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func runTestKubectlCommand(t *testing.T, args ...string) (string, string) {
 	t.Helper()
 	var stdOut, stdErr bytes.Buffer
-	library.RequireEventually(t, func(requireEventually *require.Assertions) {
+	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		stdOut.Reset()
 		stdErr.Reset()
 		cmd := exec.Command("kubectl", args...)
@ -47,7 +47,7 @@ func requireCleanKubectlStderr(t *testing.T, stderr string) {
 }
 func TestGetPinnipedCategory(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	dotSuffix := "." + env.APIGroupSuffix
 	t.Run("category, no special params", func(t *testing.T) {
--- a/test/integration/cli_test.go
+++ b/test/integration/cli_test.go
@ -33,21 +33,21 @@ import (
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/pkg/oidcclient"
 	"go.pinniped.dev/pkg/oidcclient/filesession"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
-	"go.pinniped.dev/test/library/browsertest"
+	"go.pinniped.dev/test/testlib/browsertest"
 )
 func TestCLIGetKubeconfigStaticToken(t *testing.T) {
-	env := library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)
+	env := testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable)
 	// Create a test webhook configuration to use with the CLI.
 	ctx, cancelFunc := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancelFunc()
-	authenticator := library.CreateTestWebhookAuthenticator(ctx, t)
+	authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t)
 	// Build pinniped CLI.
-	pinnipedExe := library.PinnipedCLIPath(t)
+	pinnipedExe := testlib.PinnipedCLIPath(t)
 	credCacheDir := testutil.TempDir(t)
 	stdout, stderr := runPinnipedCLI(t, nil, pinnipedExe, "get", "kubeconfig",
@ -63,7 +63,7 @@ func TestCLIGetKubeconfigStaticToken(t *testing.T) {
 	assert.Contains(t, stderr, "validated connection to the cluster")
 	// Even the deprecated command should now generate a kubeconfig with the new "pinniped login static" command.
-	restConfig := library.NewRestConfigFromKubeconfig(t, stdout)
+	restConfig := testlib.NewRestConfigFromKubeconfig(t, stdout)
 	require.NotNil(t, restConfig.ExecProvider)
 	require.Equal(t, []string{"login", "static"}, restConfig.ExecProvider.Args[:2])
@ -71,24 +71,24 @@ func TestCLIGetKubeconfigStaticToken(t *testing.T) {
 	// with kubectl to validate that it works.
 	t.Run(
 		"access as user with kubectl",
-		library.AccessAsUserWithKubectlTest(stdout, env.TestUser.ExpectedUsername, env.ConciergeNamespace),
+		testlib.AccessAsUserWithKubectlTest(stdout, env.TestUser.ExpectedUsername, env.ConciergeNamespace),
 	)
 	for _, group := range env.TestUser.ExpectedGroups {
 		group := group
 		t.Run(
 			"access as group "+group+" with kubectl",
-			library.AccessAsGroupWithKubectlTest(stdout, group, env.ConciergeNamespace),
+			testlib.AccessAsGroupWithKubectlTest(stdout, group, env.ConciergeNamespace),
 		)
 	}
 	// Create Kubernetes client with kubeconfig from pinniped CLI.
-	kubeClient := library.NewClientsetForKubeConfig(t, stdout)
+	kubeClient := testlib.NewClientsetForKubeConfig(t, stdout)
 	// Validate that we can auth to the API via our user.
-	t.Run("access as user with client-go", library.AccessAsUserTest(ctx, env.TestUser.ExpectedUsername, kubeClient))
+	t.Run("access as user with client-go", testlib.AccessAsUserTest(ctx, env.TestUser.ExpectedUsername, kubeClient))
 	for _, group := range env.TestUser.ExpectedGroups {
 		group := group
-		t.Run("access as group "+group+" with client-go", library.AccessAsGroupTest(ctx, group, kubeClient))
+		t.Run("access as group "+group+" with client-go", testlib.AccessAsGroupTest(ctx, group, kubeClient))
 	}
 	t.Run("whoami", func(t *testing.T) {
@ -116,14 +116,14 @@ func runPinnipedCLI(t *testing.T, envVars []string, pinnipedExe string, args ...
 	cmd.Stderr = &stderr
 	cmd.Env = envVars
 	require.NoErrorf(t, cmd.Run(), "stderr:\n%s\n\nstdout:\n%s\n\n", stderr.String(), stdout.String())
-	t.Logf("ran %q in %s", library.MaskTokens("pinniped "+strings.Join(args, " ")), time.Since(start).Round(time.Millisecond))
+	t.Logf("ran %q in %s", testlib.MaskTokens("pinniped "+strings.Join(args, " ")), time.Since(start).Round(time.Millisecond))
 	return stdout.String(), stderr.String()
 }
 func assertWhoami(ctx context.Context, t *testing.T, useProxy bool, pinnipedExe, kubeconfigPath, wantUsername string, wantGroups []string) {
 	t.Helper()
-	apiGroupSuffix := library.IntegrationEnv(t).APIGroupSuffix
+	apiGroupSuffix := testlib.IntegrationEnv(t).APIGroupSuffix
 	var stdout, stderr bytes.Buffer
 	cmd := exec.CommandContext(
@ -138,7 +138,7 @@ func assertWhoami(ctx context.Context, t *testing.T, useProxy bool, pinnipedExe,
 		apiGroupSuffix,
 	)
 	if useProxy {
-		cmd.Env = append(os.Environ(), library.IntegrationEnv(t).ProxyEnv()...)
+		cmd.Env = append(os.Environ(), testlib.IntegrationEnv(t).ProxyEnv()...)
 	}
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr
@ -164,13 +164,13 @@ func deserializeWhoAmIRequest(t *testing.T, data string, apiGroupSuffix string)
 }
 func TestCLILoginOIDC(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
 	// Build pinniped CLI.
-	pinnipedExe := library.PinnipedCLIPath(t)
+	pinnipedExe := testlib.PinnipedCLIPath(t)
 	// Run "pinniped login oidc" to get an ExecCredential struct with an OIDC ID token.
 	credOutput, sessionCachePath := runPinnipedLoginOIDC(ctx, t, pinnipedExe)
@ -268,7 +268,7 @@ func runPinnipedLoginOIDC(
 ) (clientauthenticationv1beta1.ExecCredential, string) {
 	t.Helper()
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	// Make a temp directory to hold the session cache for this test.
 	sessionCachePath := testutil.TempDir(t) + "/sessions.yaml"
@ -304,7 +304,7 @@ func runPinnipedLoginOIDC(
 			}
 		}()
-		reader := bufio.NewReader(library.NewLoggerReader(t, "stderr", stderr))
+		reader := bufio.NewReader(testlib.NewLoggerReader(t, "stderr", stderr))
 		scanner := bufio.NewScanner(reader)
 		const prompt = "Please log in: "
@ -331,7 +331,7 @@ func runPinnipedLoginOIDC(
 				err = fmt.Errorf("stdout stream closed with error: %w", closeErr)
 			}
 		}()
-		reader := bufio.NewReader(library.NewLoggerReader(t, "stdout", stdout))
+		reader := bufio.NewReader(testlib.NewLoggerReader(t, "stdout", stdout))
 		var out clientauthenticationv1beta1.ExecCredential
 		if err := json.NewDecoder(reader).Decode(&out); err != nil {
 			return fmt.Errorf("could not read ExecCredential from stdout: %w", err)
@ -401,7 +401,7 @@ func spawnTestGoroutine(t *testing.T, f func() error) {
 }
 func oidcLoginCommand(ctx context.Context, t *testing.T, pinnipedExe string, sessionCachePath string) *exec.Cmd {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	callbackURL, err := url.Parse(env.CLIUpstreamOIDC.CallbackURL)
 	require.NoError(t, err)
 	cmd := exec.CommandContext(ctx, pinnipedExe, "login", "oidc",
--- a/test/integration/concierge_api_serving_certs_test.go
+++ b/test/integration/concierge_api_serving_certs_test.go
@ -14,11 +14,11 @@ import (
 	loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
 	"go.pinniped.dev/internal/testutil"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	defaultServingCertResourceName := env.ConciergeAppName + "-api-tls-serving-certificate"
 	tests := []struct {
@ -72,9 +72,9 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
 	for _, test := range tests {
 		test := test
 		t.Run(test.name, func(t *testing.T) {
-			kubeClient := library.NewKubernetesClientset(t)
+			kubeClient := testlib.NewKubernetesClientset(t)
-			aggregatedClient := library.NewAggregatedClientset(t)
+			aggregatedClient := testlib.NewAggregatedClientset(t)
-			conciergeClient := library.NewConciergeClientset(t)
+			conciergeClient := testlib.NewConciergeClientset(t)
 			ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 			defer cancel()
@ -82,7 +82,7 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
 			// Create a testWebhook so we have a legitimate authenticator to pass to the
 			// TokenCredentialRequest API.
-			testWebhook := library.CreateTestWebhookAuthenticator(ctx, t)
+			testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t)
 			// Get the initial auto-generated version of the Secret.
 			secret, err := kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
@ -107,7 +107,7 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
 			require.NoError(t, test.forceRotation(ctx, kubeClient, env.ConciergeNamespace))
 			// Expect that the Secret comes back right away with newly minted certs.
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				var err error
 				secret, err = kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
 				requireEventually.NoError(err)
@ -127,7 +127,7 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
 			require.Equal(t, env.ConciergeAppName, secret.Labels["app"])
 			// Expect that the APIService was also updated with the new CA.
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				apiService, err := aggregatedClient.ApiregistrationV1().APIServices().Get(ctx, apiServiceName, metav1.GetOptions{})
 				requireEventually.NoErrorf(err, "get for APIService %q returned error", apiServiceName)
 				requireEventually.Equalf(regeneratedCACert, apiService.Spec.CABundle, "CA bundle in APIService %q does not yet have the expected value", apiServiceName)
@ -141,7 +141,7 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
 			//
 			// our code changes all the certs immediately thus this should be healthy fairly quickly
 			// if this starts flaking, check for bugs in our dynamiccertificates.Notifier implementation
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				for i := 0; i < 10; i++ {
 					_, err := conciergeClient.LoginV1alpha1().TokenCredentialRequests().Create(ctx, &loginv1alpha1.TokenCredentialRequest{
 						TypeMeta:   metav1.TypeMeta{},
--- a/test/integration/concierge_availability_test.go
+++ b/test/integration/concierge_availability_test.go
@ -13,12 +13,12 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestGetDeployment(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
-	client := library.NewKubernetesClientset(t)
+	client := testlib.NewKubernetesClientset(t)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
@ -28,7 +28,7 @@ func TestGetDeployment(t *testing.T) {
 	cond := getDeploymentCondition(appDeployment.Status, appsv1.DeploymentAvailable)
 	require.NotNil(t, cond)
-	require.Equalf(t, corev1.ConditionTrue, cond.Status, "app should be available: %s", library.Sdump(appDeployment))
+	require.Equalf(t, corev1.ConditionTrue, cond.Status, "app should be available: %s", testlib.Sdump(appDeployment))
 }
 // getDeploymentCondition returns the condition with the provided type.
--- a/test/integration/concierge_client_test.go
+++ b/test/integration/concierge_client_test.go
@ -13,7 +13,7 @@ import (
 	"go.pinniped.dev/internal/here"
 	"go.pinniped.dev/pkg/conciergeclient"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 // Test certificate and private key that should get an authentication error. Generated with cfssl [1], like this:
@ -53,20 +53,20 @@ var (
 var maskKey = func(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") }
 func TestClient(t *testing.T) {
-	env := library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)
+	env := testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	webhook := library.CreateTestWebhookAuthenticator(ctx, t)
+	webhook := testlib.CreateTestWebhookAuthenticator(ctx, t)
 	// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
-	invalidClient := library.NewClientsetWithCertAndKey(t, testCert, testKey)
+	invalidClient := testlib.NewClientsetWithCertAndKey(t, testCert, testKey)
 	_, err := invalidClient.Discovery().ServerVersion()
 	require.EqualError(t, err, "the server has asked for the client to provide credentials")
 	// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
-	clientConfig := library.NewClientConfig(t)
+	clientConfig := testlib.NewClientConfig(t)
 	client, err := conciergeclient.New(
 		conciergeclient.WithCABundle(string(clientConfig.CAData)),
 		conciergeclient.WithEndpoint(clientConfig.Host),
@ -75,14 +75,14 @@ func TestClient(t *testing.T) {
 	)
 	require.NoError(t, err)
-	library.RequireEventually(t, func(requireEventually *require.Assertions) {
+	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		resp, err := client.ExchangeToken(ctx, env.TestUser.Token)
 		requireEventually.NoError(err)
 		requireEventually.NotNil(resp.Status.ExpirationTimestamp)
 		requireEventually.InDelta(5*time.Minute, time.Until(resp.Status.ExpirationTimestamp.Time), float64(time.Minute))
 		// Create a client using the certificate and key returned by the token exchange.
-		validClient := library.NewClientsetWithCertAndKey(t, resp.Status.ClientCertificateData, resp.Status.ClientKeyData)
+		validClient := testlib.NewClientsetWithCertAndKey(t, resp.Status.ClientCertificateData, resp.Status.ClientKeyData)
 		// Make a version request, which should succeed even without any authorization.
 		_, err = validClient.Discovery().ServerVersion()
--- a/test/integration/concierge_credentialissuer_test.go
+++ b/test/integration/concierge_credentialissuer_test.go
@ -14,14 +14,14 @@ import (
 	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestCredentialIssuer(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
-	config := library.NewClientConfig(t)
+	config := testlib.NewClientConfig(t)
-	client := library.NewConciergeClientset(t)
+	client := testlib.NewConciergeClientset(t)
-	aggregatedClientset := library.NewAggregatedClientset(t)
+	aggregatedClientset := testlib.NewAggregatedClientset(t)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
@ -66,7 +66,7 @@ func TestCredentialIssuer(t *testing.T) {
 		}
 		require.NotNil(t, actualStatusStrategy)
-		if env.HasCapability(library.ClusterSigningKeyIsAvailable) {
+		if env.HasCapability(testlib.ClusterSigningKeyIsAvailable) {
 			require.Equal(t, configv1alpha1.SuccessStrategyStatus, actualStatusStrategy.Status)
 			require.Equal(t, configv1alpha1.FetchedKeyStrategyReason, actualStatusStrategy.Reason)
 			require.Equal(t, "key was fetched successfully", actualStatusStrategy.Message)
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@ -19,16 +19,16 @@ import (
 	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestUnsuccessfulCredentialRequest(t *testing.T) {
-	env := library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
+	env := testlib.IntegrationEnv(t).WithCapability(testlib.AnonymousAuthenticationSupported)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	response, err := library.CreateTokenCredentialRequest(ctx, t,
+	response, err := testlib.CreateTokenCredentialRequest(ctx, t,
 		loginv1alpha1.TokenCredentialRequestSpec{
 			Token: env.TestUser.Token,
 			Authenticator: corev1.TypedLocalObjectReference{
@ -45,7 +45,7 @@ func TestUnsuccessfulCredentialRequest(t *testing.T) {
 }
 func TestSuccessfulCredentialRequest(t *testing.T) {
-	env := library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)
+	env := testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable)
 	ctx, cancel := context.WithTimeout(context.Background(), 6*time.Minute)
 	defer cancel()
@ -57,16 +57,16 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 	}{
 		{
 			name:          "webhook",
-			authenticator: library.CreateTestWebhookAuthenticator,
+			authenticator: testlib.CreateTestWebhookAuthenticator,
 			token: func(t *testing.T) (string, string, []string) {
-				return library.IntegrationEnv(t).TestUser.Token, env.TestUser.ExpectedUsername, env.TestUser.ExpectedGroups
+				return testlib.IntegrationEnv(t).TestUser.Token, env.TestUser.ExpectedUsername, env.TestUser.ExpectedGroups
 			},
 		},
 		{
 			name:          "jwt authenticator",
-			authenticator: library.CreateTestJWTAuthenticatorForCLIUpstream,
+			authenticator: testlib.CreateTestJWTAuthenticatorForCLIUpstream,
 			token: func(t *testing.T) (string, string, []string) {
-				pinnipedExe := library.PinnipedCLIPath(t)
+				pinnipedExe := testlib.PinnipedCLIPath(t)
 				credOutput, _ := runPinnipedLoginOIDC(ctx, t, pinnipedExe)
 				token := credOutput.Status.Token
@ -87,9 +87,9 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 			token, username, groups := test.token(t)
 			var response *loginv1alpha1.TokenCredentialRequest
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				var err error
-				response, err = library.CreateTokenCredentialRequest(ctx, t,
+				response, err = testlib.CreateTokenCredentialRequest(ctx, t,
 					loginv1alpha1.TokenCredentialRequestSpec{Token: token, Authenticator: authenticator},
 				)
 				requireEventually.NoError(err, "the request should never fail at the HTTP level")
@ -108,7 +108,7 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 			}, 10*time.Second, 500*time.Millisecond)
 			// Create a client using the certificate from the CredentialRequest.
-			clientWithCertFromCredentialRequest := library.NewClientsetWithCertAndKey(
+			clientWithCertFromCredentialRequest := testlib.NewClientsetWithCertAndKey(
 				t,
 				response.Status.Credential.ClientCertificateData,
 				response.Status.Credential.ClientKeyData,
@ -116,13 +116,13 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 			t.Run(
 				"access as user",
-				library.AccessAsUserTest(ctx, username, clientWithCertFromCredentialRequest),
+				testlib.AccessAsUserTest(ctx, username, clientWithCertFromCredentialRequest),
 			)
 			for _, group := range groups {
 				group := group
 				t.Run(
 					"access as group "+group,
-					library.AccessAsGroupTest(ctx, group, clientWithCertFromCredentialRequest),
+					testlib.AccessAsGroupTest(ctx, group, clientWithCertFromCredentialRequest),
 				)
 			}
 		})
@ -130,15 +130,15 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 }
 func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthenticateTheUser(t *testing.T) {
-	_ = library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)
+	_ = testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable)
 	// Create a testWebhook so we have a legitimate authenticator to pass to the
 	// TokenCredentialRequest API.
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	testWebhook := library.CreateTestWebhookAuthenticator(ctx, t)
+	testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t)
-	response, err := library.CreateTokenCredentialRequest(context.Background(), t,
+	response, err := testlib.CreateTokenCredentialRequest(context.Background(), t,
 		loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token", Authenticator: testWebhook},
 	)
@ -150,15 +150,15 @@ func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthentic
 }
 func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T) {
-	_ = library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)
+	_ = testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable)
 	// Create a testWebhook so we have a legitimate authenticator to pass to the
 	// TokenCredentialRequest API.
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	testWebhook := library.CreateTestWebhookAuthenticator(ctx, t)
+	testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t)
-	response, err := library.CreateTokenCredentialRequest(context.Background(), t,
+	response, err := testlib.CreateTokenCredentialRequest(context.Background(), t,
 		loginv1alpha1.TokenCredentialRequestSpec{Token: "", Authenticator: testWebhook},
 	)
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
@ -65,7 +65,7 @@ import (
 	"go.pinniped.dev/internal/httputil/roundtripper"
 	"go.pinniped.dev/internal/kubeclient"
 	"go.pinniped.dev/internal/testutil"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 // syncBuffer wraps bytes.Buffer with a mutex so we don't have races in our test code.
@ -100,22 +100,22 @@ func (sb *syncBuffer) Write(b []byte) (int, error) {
 // - AKS ephemeral clusters: auto mode will choose enabled, supports LBs, has squid.
 // - EKS ephemeral clusters: auto mode will choose enabled, supports LBs, has squid.
 func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's complex.
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
-	impersonatorShouldHaveStartedAutomaticallyByDefault := !env.HasCapability(library.ClusterSigningKeyIsAvailable)
+	impersonatorShouldHaveStartedAutomaticallyByDefault := !env.HasCapability(testlib.ClusterSigningKeyIsAvailable)
-	clusterSupportsLoadBalancers := env.HasCapability(library.HasExternalLoadBalancerProvider)
+	clusterSupportsLoadBalancers := env.HasCapability(testlib.HasExternalLoadBalancerProvider)
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Minute)
 	defer cancel()
 	// Create a client using the admin kubeconfig.
-	adminClient := library.NewKubernetesClientset(t)
+	adminClient := testlib.NewKubernetesClientset(t)
-	adminConciergeClient := library.NewConciergeClientset(t)
+	adminConciergeClient := testlib.NewConciergeClientset(t)
 	// Create a WebhookAuthenticator and prepare a TokenCredentialRequestSpec using the authenticator for use later.
 	credentialRequestSpecWithWorkingCredentials := loginv1alpha1.TokenCredentialRequestSpec{
 		Token:         env.TestUser.Token,
-		Authenticator: library.CreateTestWebhookAuthenticator(ctx, t),
+		Authenticator: testlib.CreateTestWebhookAuthenticator(ctx, t),
 	}
 	// The address of the ClusterIP service that points at the impersonation proxy's port (used when there is no load balancer).
@ -139,13 +139,13 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			// However, we issue short-lived certs, so this cert will only be valid for a few minutes.
 			// Cache it until it is almost expired and then refresh it whenever it is close to expired.
 			//
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				resp, err := createTokenCredentialRequest(credentialRequestSpecWithWorkingCredentials, client)
 				requireEventually.NoError(err)
 				requireEventually.NotNil(resp)
 				requireEventually.NotNil(resp.Status)
 				requireEventually.NotNil(resp.Status.Credential)
-				requireEventually.Nilf(resp.Status.Message, "expected no error message but got: %s", library.Sdump(resp.Status.Message))
+				requireEventually.Nilf(resp.Status.Message, "expected no error message but got: %s", testlib.Sdump(resp.Status.Message))
 				requireEventually.NotEmpty(resp.Status.Credential.ClientCertificateData)
 				requireEventually.NotEmpty(resp.Status.Credential.ClientKeyData)
@ -217,7 +217,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		// Auto mode should have decided that the impersonator will run and should have started a load balancer,
 		// and we will be able to use the load balancer to access the impersonator. (e.g. GKE, AKS, EKS)
 		// Check that load balancer has been automatically created by the impersonator's "auto" mode.
-		library.RequireEventuallyWithoutError(t, func() (bool, error) {
+		testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 			return hasImpersonationProxyLoadBalancerService(ctx, env, adminClient)
 		}, 30*time.Second, 500*time.Millisecond)
@ -251,7 +251,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		}
 		// Check that no load balancer has been created by the impersonator's "auto" mode.
-		library.RequireNeverWithoutError(t, func() (bool, error) {
+		testlib.RequireNeverWithoutError(t, func() (bool, error) {
 			return hasImpersonationProxyLoadBalancerService(ctx, env, adminClient)
 		}, 10*time.Second, 500*time.Millisecond)
@ -290,12 +290,12 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 	t.Run("positive tests", func(t *testing.T) {
 		// Create an RBAC rule to allow this user to read/write everything.
-		library.CreateTestClusterRoleBinding(t,
+		testlib.CreateTestClusterRoleBinding(t,
 			rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: env.TestUser.ExpectedUsername},
 			rbacv1.RoleRef{Kind: "ClusterRole", APIGroup: rbacv1.GroupName, Name: "edit"},
 		)
 		// Wait for the above RBAC rule to take effect.
-		library.WaitForUserToHaveAccess(t, env.TestUser.ExpectedUsername, []string{}, &authorizationv1.ResourceAttributes{
+		testlib.WaitForUserToHaveAccess(t, env.TestUser.ExpectedUsername, []string{}, &authorizationv1.ResourceAttributes{
 			Verb: "get", Group: "", Version: "v1", Resource: "namespaces",
 		})
@ -318,13 +318,13 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		// influencing RBAC checks correctly.
 		t.Run(
 			"access as user",
-			library.AccessAsUserTest(ctx, env.TestUser.ExpectedUsername, impersonationProxyKubeClient(t)),
+			testlib.AccessAsUserTest(ctx, env.TestUser.ExpectedUsername, impersonationProxyKubeClient(t)),
 		)
 		for _, group := range env.TestUser.ExpectedGroups {
 			group := group
 			t.Run(
 				"access as group "+group,
-				library.AccessAsGroupTest(ctx, group, impersonationProxyKubeClient(t)),
+				testlib.AccessAsGroupTest(ctx, group, impersonationProxyKubeClient(t)),
 			)
 		}
@ -447,7 +447,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			// Use labels on our created ConfigMaps to avoid accidentally listing other ConfigMaps that might
 			// exist in the namespace. In Kube 1.20+ there is a default ConfigMap in every namespace.
 			configMapLabels := labels.Set{
-				"pinniped.dev/testConfigMap": library.RandHex(t, 8),
+				"pinniped.dev/testConfigMap": testlib.RandHex(t, 8),
 			}
 			// Test "create" verb through the impersonation proxy.
@ -469,7 +469,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			// Make sure that all of the created ConfigMaps show up in the informer's cache to
 			// demonstrate that the informer's "watch" verb is working through the impersonation proxy.
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				_, err := informer.Lister().ConfigMaps(namespaceName).Get("configmap-1")
 				requireEventually.NoError(err)
 				_, err = informer.Lister().ConfigMaps(namespaceName).Get("configmap-2")
@ -496,7 +496,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			require.Equal(t, "bar", updateResult.Data["foo"])
 			// Make sure that the updated ConfigMap shows up in the informer's cache.
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				configMap, err := informer.Lister().ConfigMaps(namespaceName).Get("configmap-3")
 				requireEventually.NoError(err)
 				requireEventually.Equal("bar", configMap.Data["foo"])
@ -514,7 +514,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			require.Equal(t, "42", patchResult.Data["baz"])
 			// Make sure that the patched ConfigMap shows up in the informer's cache.
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				configMap, err := informer.Lister().ConfigMaps(namespaceName).Get("configmap-3")
 				requireEventually.NoError(err)
 				requireEventually.Equal("bar", configMap.Data["foo"])
@ -526,7 +526,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			require.NoError(t, err)
 			// Make sure that the deleted ConfigMap shows up in the informer's cache.
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				_, err := informer.Lister().ConfigMaps(namespaceName).Get("configmap-3")
 				requireEventually.Truef(k8serrors.IsNotFound(err), "expected a NotFound error from get, got %v", err)
@ -540,7 +540,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			require.NoError(t, err)
 			// Make sure that the deleted ConfigMaps shows up in the informer's cache.
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				list, err := informer.Lister().ConfigMaps(namespaceName).List(configMapLabels.AsSelector())
 				requireEventually.NoError(err)
 				requireEventually.Empty(list)
@ -630,7 +630,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		t.Run("nested impersonation as a cluster admin user is allowed", func(t *testing.T) {
 			t.Parallel()
 			// Copy the admin credentials from the admin kubeconfig.
-			adminClientRestConfig := library.NewClientConfig(t)
+			adminClientRestConfig := testlib.NewClientConfig(t)
 			clusterAdminCredentials := getCredForConfig(t, adminClientRestConfig)
 			// figure out who the admin user is
@ -705,7 +705,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		t.Run("nested impersonation as a cluster admin fails on reserved key", func(t *testing.T) {
 			t.Parallel()
-			adminClientRestConfig := library.NewClientConfig(t)
+			adminClientRestConfig := testlib.NewClientConfig(t)
 			clusterAdminCredentials := getCredForConfig(t, adminClientRestConfig)
 			nestedImpersonationClient := newImpersonationProxyClientWithCredentials(t,
@ -762,11 +762,11 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			time.Sleep(15 * time.Second)
 			// allow the test SA to impersonate any SA
-			library.CreateTestClusterRoleBinding(t,
+			testlib.CreateTestClusterRoleBinding(t,
 				rbacv1.Subject{Kind: rbacv1.ServiceAccountKind, Name: saName, Namespace: namespaceName},
 				rbacv1.RoleRef{Kind: "ClusterRole", APIGroup: rbacv1.GroupName, Name: "edit"},
 			)
-			library.WaitForUserToHaveAccess(t, serviceaccount.MakeUsername(namespaceName, saName), []string{}, &authorizationv1.ResourceAttributes{
+			testlib.WaitForUserToHaveAccess(t, serviceaccount.MakeUsername(namespaceName, saName), []string{}, &authorizationv1.ResourceAttributes{
 				Verb: "impersonate", Group: "", Version: "v1", Resource: "serviceaccounts",
 			})
@ -817,7 +817,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 				Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 			// we expect the impersonation proxy to match the behavior of KAS in regards to anonymous requests
-			if env.HasCapability(library.AnonymousAuthenticationSupported) {
+			if env.HasCapability(testlib.AnonymousAuthenticationSupported) {
 				require.NoError(t, err)
 				require.Equal(t,
 					expectedWhoAmIRequestResponse(
@ -828,7 +828,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 					whoAmI,
 				)
 			} else {
-				require.True(t, k8serrors.IsUnauthorized(err), library.Sdump(err))
+				require.True(t, k8serrors.IsUnauthorized(err), testlib.Sdump(err))
 			}
 			// Test using a service account token.
@ -895,7 +895,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			_, badAudErr := impersonationProxySABadAudPinnipedConciergeClient.IdentityV1alpha1().WhoAmIRequests().
 				Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
-			require.True(t, k8serrors.IsUnauthorized(badAudErr), library.Sdump(badAudErr))
+			require.True(t, k8serrors.IsUnauthorized(badAudErr), testlib.Sdump(badAudErr))
 			tokenRequest, err := kubeClient.ServiceAccounts(namespaceName).CreateToken(ctx, saName, &authenticationv1.TokenRequest{
 				Spec: authenticationv1.TokenRequestSpec{
@ -932,11 +932,11 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			)
 			// allow the test SA to create CSRs
-			library.CreateTestClusterRoleBinding(t,
+			testlib.CreateTestClusterRoleBinding(t,
 				rbacv1.Subject{Kind: rbacv1.ServiceAccountKind, Name: saName, Namespace: namespaceName},
 				rbacv1.RoleRef{Kind: "ClusterRole", APIGroup: rbacv1.GroupName, Name: "system:node-bootstrapper"},
 			)
-			library.WaitForUserToHaveAccess(t, serviceaccount.MakeUsername(namespaceName, saName), []string{}, &authorizationv1.ResourceAttributes{
+			testlib.WaitForUserToHaveAccess(t, serviceaccount.MakeUsername(namespaceName, saName), []string{}, &authorizationv1.ResourceAttributes{
 				Verb: "create", Group: certificatesv1.GroupName, Version: "*", Resource: "certificatesigningrequests",
 			})
@ -1007,7 +1007,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			// run the kubectl attach command
 			namespaceName := createTestNamespace(t, adminClient)
-			attachPod := library.CreatePod(ctx, t, "impersonation-proxy-attach", namespaceName, corev1.PodSpec{
+			attachPod := testlib.CreatePod(ctx, t, "impersonation-proxy-attach", namespaceName, corev1.PodSpec{
 				Containers: []corev1.Container{
 					{
 						Name:    "impersonation-proxy-attach",
@ -1040,7 +1040,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			// see that we can read stdout and it spits out stdin output back to us
 			wantAttachStdout := fmt.Sprintf("VAR: %s\n", echoString)
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				requireEventually.Equal(
 					wantAttachStdout,
 					attachStdout.String(),
@ -1084,7 +1084,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 				dialer.Proxy = func(req *http.Request) (*url.URL, error) {
 					proxyURL, err := url.Parse(env.Proxy)
 					require.NoError(t, err)
-					t.Logf("passing request for %s through proxy %s", library.RedactURLParams(req.URL), proxyURL.String())
+					t.Logf("passing request for %s through proxy %s", testlib.RedactURLParams(req.URL), proxyURL.String())
 					return proxyURL, nil
 				}
 			}
@ -1163,7 +1163,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 				httpTransport.Proxy = func(req *http.Request) (*url.URL, error) {
 					proxyURL, err := url.Parse(env.Proxy)
 					require.NoError(t, err)
-					t.Logf("passing request for %s through proxy %s", library.RedactURLParams(req.URL), proxyURL.String())
+					t.Logf("passing request for %s through proxy %s", testlib.RedactURLParams(req.URL), proxyURL.String())
 					return proxyURL, nil
 				}
 			}
@ -1237,7 +1237,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			impersonationProxyAnonymousRestClient, err := rest.RESTClientFor(copyConfig)
 			require.NoError(t, err)
-			adminClientRestConfig := library.NewClientConfig(t)
+			adminClientRestConfig := testlib.NewClientConfig(t)
 			clusterAdminCredentials := getCredForConfig(t, adminClientRestConfig)
 			impersonationProxyAdminClientAsAnonymousConfig := newImpersonationProxyClientWithCredentials(t,
 				clusterAdminCredentials,
@ -1266,7 +1266,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 								Authenticator: corev1.TypedLocalObjectReference{APIGroup: pointer.String("anything.pinniped.dev")},
 							},
 						}, metav1.CreateOptions{})
-					require.True(t, k8serrors.IsInvalid(err), library.Sdump(err))
+					require.True(t, k8serrors.IsInvalid(err), testlib.Sdump(err))
 					require.Equal(t, `.login.concierge.pinniped.dev "" is invalid: spec.token.value: Required value: token must be supplied`, err.Error())
 					require.Equal(t, &loginv1alpha1.TokenCredentialRequest{}, tkr)
 				})
@ -1282,21 +1282,21 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 					t.Parallel()
 					whoami, errWho := impersonationProxyAdminRestClientAsAnonymous.Post().Body([]byte(`{}`)).AbsPath("/apis/identity.concierge." + env.APIGroupSuffix + "/v1alpha1/whoamirequests").DoRaw(ctx)
-					require.NoError(t, errWho, library.Sdump(errWho))
+					require.NoError(t, errWho, testlib.Sdump(errWho))
 					require.True(t, strings.HasPrefix(string(whoami), `{"kind":"WhoAmIRequest","apiVersion":"identity.concierge.`+env.APIGroupSuffix+`/v1alpha1","metadata":{"creationTimestamp":null},"spec":{},"status":{"kubernetesUserInfo":{"user":{"username":"system:anonymous","groups":["system:unauthenticated"],"extra":{"original-user-info.impersonation-proxy.concierge.pinniped.dev":["{\"username\":`), string(whoami))
 					healthz, errHealth := impersonationProxyAdminRestClientAsAnonymous.Get().AbsPath("/healthz").DoRaw(ctx)
-					require.NoError(t, errHealth, library.Sdump(errHealth))
+					require.NoError(t, errHealth, testlib.Sdump(errHealth))
 					require.Equal(t, "ok", string(healthz))
 					healthzLog, errHealthzLog := impersonationProxyAdminRestClientAsAnonymous.Get().AbsPath("/healthz/log").DoRaw(ctx)
-					require.True(t, k8serrors.IsForbidden(errHealthzLog), "%s\n%s", library.Sdump(errHealthzLog), string(healthzLog))
+					require.True(t, k8serrors.IsForbidden(errHealthzLog), "%s\n%s", testlib.Sdump(errHealthzLog), string(healthzLog))
 					require.Equal(t, `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/healthz/log\": decision made by impersonation-proxy.concierge.pinniped.dev","reason":"Forbidden","details":{},"code":403}`+"\n", string(healthzLog))
 				})
 			})
 			t.Run("anonymous authentication enabled", func(t *testing.T) {
-				library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
+				testlib.IntegrationEnv(t).WithCapability(testlib.AnonymousAuthenticationSupported)
 				t.Parallel()
 				// anonymous auth enabled
@ -1308,7 +1308,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 					t.Parallel()
 					healthz, errHealth := impersonationProxyAnonymousRestClient.Get().AbsPath("/healthz").DoRaw(ctx)
-					require.NoError(t, errHealth, library.Sdump(errHealth))
+					require.NoError(t, errHealth, testlib.Sdump(errHealth))
 					require.Equal(t, "ok", string(healthz))
 				})
@ -1321,9 +1321,9 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 					pod, err := impersonationProxyAnonymousClient.Kubernetes.CoreV1().Pods(metav1.NamespaceSystem).
 						Get(ctx, "does-not-matter", metav1.GetOptions{})
-					require.True(t, k8serrors.IsForbidden(err), library.Sdump(err))
+					require.True(t, k8serrors.IsForbidden(err), testlib.Sdump(err))
 					require.EqualError(t, err, `pods "does-not-matter" is forbidden: User "system:anonymous" cannot get resource "pods" in API group "" in the namespace "kube-system": `+
-						`decision made by impersonation-proxy.concierge.pinniped.dev`, library.Sdump(err))
+						`decision made by impersonation-proxy.concierge.pinniped.dev`, testlib.Sdump(err))
 					require.Equal(t, &corev1.Pod{}, pod)
 				})
@ -1349,7 +1349,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			})
 			t.Run("anonymous authentication disabled", func(t *testing.T) {
-				library.IntegrationEnv(t).WithoutCapability(library.AnonymousAuthenticationSupported)
+				testlib.IntegrationEnv(t).WithoutCapability(testlib.AnonymousAuthenticationSupported)
 				t.Parallel()
 				// - hit the healthz endpoint (non-resource endpoint)
@ -1360,7 +1360,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 					t.Parallel()
 					healthz, err := impersonationProxyAnonymousRestClient.Get().AbsPath("/healthz").DoRaw(ctx)
-					require.True(t, k8serrors.IsUnauthorized(err), library.Sdump(err))
+					require.True(t, k8serrors.IsUnauthorized(err), testlib.Sdump(err))
 					require.Equal(t, `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}`+"\n", string(healthz))
 				})
@ -1373,7 +1373,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 					pod, err := impersonationProxyAnonymousClient.Kubernetes.CoreV1().Pods(metav1.NamespaceSystem).
 						Get(ctx, "does-not-matter", metav1.GetOptions{})
-					require.True(t, k8serrors.IsUnauthorized(err), library.Sdump(err))
+					require.True(t, k8serrors.IsUnauthorized(err), testlib.Sdump(err))
 					require.Equal(t, &corev1.Pod{}, pod)
 				})
@ -1386,7 +1386,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 					whoAmI, err := impersonationProxyAnonymousClient.PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 						Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
-					require.True(t, k8serrors.IsUnauthorized(err), library.Sdump(err))
+					require.True(t, k8serrors.IsUnauthorized(err), testlib.Sdump(err))
 					require.Equal(t, &identityv1alpha1.WhoAmIRequest{}, whoAmI)
 				})
 			})
@ -1404,7 +1404,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		// sanity check default expected error message
 		_, err := impersonationProxySSRRClient.Create(ctx, invalidSSRR, metav1.CreateOptions{})
-		require.True(t, k8serrors.IsBadRequest(err), library.Sdump(err))
+		require.True(t, k8serrors.IsBadRequest(err), testlib.Sdump(err))
 		require.EqualError(t, err, "no namespace on request")
 		// remove the impersonation proxy SA's permissions
@ -1434,14 +1434,14 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			_, errUpdate := crbClient.Update(ctx, crbEnd, metav1.UpdateOptions{})
 			require.NoError(t, errUpdate)
-			library.WaitForUserToHaveAccess(t, saFullName, nil, &authorizationv1.ResourceAttributes{
+			testlib.WaitForUserToHaveAccess(t, saFullName, nil, &authorizationv1.ResourceAttributes{
 				Verb:     "impersonate",
 				Resource: "users",
 			})
 		})
 		// assert that the impersonation proxy stops working when we remove its permissions
-		library.RequireEventuallyWithoutError(t, func() (bool, error) {
+		testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 			_, errCreate := impersonationProxySSRRClient.Create(ctx, invalidSSRR, metav1.CreateOptions{})
 			switch {
@ -1491,7 +1491,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		}
 		waitForServiceAnnotations := func(annotations map[string]string) {
-			library.RequireEventuallyWithoutError(t, func() (bool, error) {
+			testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 				service, err := adminClient.CoreV1().Services(env.ConciergeNamespace).Get(ctx, impersonationProxyLoadBalancerName(env), metav1.GetOptions{})
 				if err != nil {
 					return false, err
@ -1509,8 +1509,8 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		})
 		// Set a new annotation in the CredentialIssuer spec.impersonationProxy.service.annotations field.
-		newAnnotationKey := "pinniped.dev/test-" + library.RandHex(t, 8)
+		newAnnotationKey := "pinniped.dev/test-" + testlib.RandHex(t, 8)
-		newAnnotationValue := "test-" + library.RandHex(t, 8)
+		newAnnotationValue := "test-" + testlib.RandHex(t, 8)
 		updatedAnnotations := previous.Spec.ImpersonationProxy.Service.DeepCopy().Annotations
 		updatedAnnotations[newAnnotationKey] = newAnnotationValue
 		applyCredentialIssuerAnnotations(updatedAnnotations)
@ -1535,7 +1535,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		})
 		// wait until the credential issuer is updated with the new url
-		library.RequireEventuallyWithoutError(t, func() (bool, error) {
+		testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 			newImpersonationProxyURL, _ := performImpersonatorDiscovery(ctx, t, env, adminConciergeClient)
 			return newImpersonationProxyURL == "https://"+clusterIPServiceURL, nil
 		}, 30*time.Second, 500*time.Millisecond)
@ -1549,7 +1549,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		// everything should work properly through the cluster ip service
 		t.Run(
 			"access as user",
-			library.AccessAsUserTest(ctx, env.TestUser.ExpectedUsername, client),
+			testlib.AccessAsUserTest(ctx, env.TestUser.ExpectedUsername, client),
 		)
 	})
@ -1564,7 +1564,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		if clusterSupportsLoadBalancers {
 			// The load balancer should have been deleted when we disabled the impersonation proxy.
 			// Note that this can take kind of a long time on real cloud providers (e.g. ~22 seconds on EKS).
-			library.RequireEventuallyWithoutError(t, func() (bool, error) {
+			testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 				hasService, err := hasImpersonationProxyLoadBalancerService(ctx, env, adminClient)
 				return !hasService, err
 			}, 2*time.Minute, 500*time.Millisecond)
@ -1576,7 +1576,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		// so we'll skip this check on clusters which have load balancers but don't run the squid proxy.
 		// The other cluster types that do run the squid proxy will give us sufficient coverage here.
 		if env.Proxy != "" {
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				// It's okay if this returns RBAC errors because this user has no role bindings.
 				// What we want to see is that the proxy eventually shuts down entirely.
 				_, err := impersonationProxyViaSquidKubeClientWithoutCredential(t, proxyServiceEndpoint).CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
@ -1587,7 +1587,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		// Check that the generated TLS cert Secret was deleted by the controller because it's supposed to clean this up
 		// when we disable the impersonator.
-		library.RequireEventually(t, func(requireEventually *require.Assertions) {
+		testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 			_, err := adminClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, impersonationProxyTLSSecretName(env), metav1.GetOptions{})
 			requireEventually.Truef(k8serrors.IsNotFound(err), "expected NotFound error, got %v", err)
 		}, 10*time.Second, 250*time.Millisecond)
@ -1602,14 +1602,14 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		// include an unsuccessful impersonation strategy saying that it was manually configured to be disabled.
 		requireDisabledStrategy(ctx, t, env, adminConciergeClient)
-		if !env.HasCapability(library.ClusterSigningKeyIsAvailable) && env.HasCapability(library.AnonymousAuthenticationSupported) {
+		if !env.HasCapability(testlib.ClusterSigningKeyIsAvailable) && env.HasCapability(testlib.AnonymousAuthenticationSupported) {
 			// This cluster does not support the cluster signing key strategy, so now that we've manually disabled the
 			// impersonation strategy, we should be left with no working strategies.
 			// Given that there are no working strategies, a TokenCredentialRequest which would otherwise work should now
 			// fail, because there is no point handing out credentials that are not going to work for any strategy.
 			// Note that library.CreateTokenCredentialRequest makes an unauthenticated request, so we can't meaningfully
 			// perform this part of the test on a cluster which does not allow anonymous authentication.
-			tokenCredentialRequestResponse, err := library.CreateTokenCredentialRequest(ctx, t, credentialRequestSpecWithWorkingCredentials)
+			tokenCredentialRequestResponse, err := testlib.CreateTokenCredentialRequest(ctx, t, credentialRequestSpecWithWorkingCredentials)
 			require.NoError(t, err)
 			require.NotNil(t, tokenCredentialRequestResponse.Status.Message, "expected an error message but got nil")
@ -1666,7 +1666,7 @@ func createServiceAccountToken(ctx context.Context, t *testing.T, adminClient ku
 			Delete(context.Background(), secret.Name, metav1.DeleteOptions{}))
 	})
-	library.RequireEventuallyWithoutError(t, func() (bool, error) {
+	testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 		secret, err = adminClient.CoreV1().Secrets(namespaceName).Get(ctx, secret.Name, metav1.GetOptions{})
 		if err != nil {
 			return false, err
@ -1692,7 +1692,7 @@ func expectedWhoAmIRequestResponse(username string, groups []string, extra map[s
 	}
 }
-func performImpersonatorDiscovery(ctx context.Context, t *testing.T, env *library.TestEnv, adminConciergeClient pinnipedconciergeclientset.Interface) (string, []byte) {
+func performImpersonatorDiscovery(ctx context.Context, t *testing.T, env *testlib.TestEnv, adminConciergeClient pinnipedconciergeclientset.Interface) (string, []byte) {
 	t.Helper()
 	var impersonationProxyURL string
@ -1700,7 +1700,7 @@ func performImpersonatorDiscovery(ctx context.Context, t *testing.T, env *librar
 	t.Log("Waiting for CredentialIssuer strategy to be successful")
-	library.RequireEventuallyWithoutError(t, func() (bool, error) {
+	testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 		credentialIssuer, err := adminConciergeClient.ConfigV1alpha1().CredentialIssuers().Get(ctx, credentialIssuerName(env), metav1.GetOptions{})
 		if err != nil || credentialIssuer.Status.Strategies == nil {
 			t.Log("Did not find any CredentialIssuer with any strategies")
@ -1738,10 +1738,10 @@ func performImpersonatorDiscovery(ctx context.Context, t *testing.T, env *librar
 	return impersonationProxyURL, impersonationProxyCACertPEM
 }
-func requireDisabledStrategy(ctx context.Context, t *testing.T, env *library.TestEnv, adminConciergeClient pinnipedconciergeclientset.Interface) {
+func requireDisabledStrategy(ctx context.Context, t *testing.T, env *testlib.TestEnv, adminConciergeClient pinnipedconciergeclientset.Interface) {
 	t.Helper()
-	library.RequireEventuallyWithoutError(t, func() (bool, error) {
+	testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 		credentialIssuer, err := adminConciergeClient.ConfigV1alpha1().CredentialIssuers().Get(ctx, credentialIssuerName(env), metav1.GetOptions{})
 		if err != nil || credentialIssuer.Status.Strategies == nil {
 			t.Log("Did not find any CredentialIssuer with any strategies")
@ -1812,12 +1812,12 @@ func kubeconfigProxyFunc(t *testing.T, squidProxyURL string) func(req *http.Requ
 		parsedSquidProxyURL, err := url.Parse(squidProxyURL)
 		require.NoError(t, err)
-		t.Logf("passing request for %s through proxy %s", library.RedactURLParams(req.URL), parsedSquidProxyURL.String())
+		t.Logf("passing request for %s through proxy %s", testlib.RedactURLParams(req.URL), parsedSquidProxyURL.String())
 		return parsedSquidProxyURL, nil
 	}
 }
-func updateCredentialIssuer(ctx context.Context, t *testing.T, env *library.TestEnv, adminConciergeClient pinnipedconciergeclientset.Interface, spec conciergev1alpha.CredentialIssuerSpec) {
+func updateCredentialIssuer(ctx context.Context, t *testing.T, env *testlib.TestEnv, adminConciergeClient pinnipedconciergeclientset.Interface, spec conciergev1alpha.CredentialIssuerSpec) {
 	t.Helper()
 	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
@ -1832,7 +1832,7 @@ func updateCredentialIssuer(ctx context.Context, t *testing.T, env *library.Test
 	require.NoError(t, err)
 }
-func hasImpersonationProxyLoadBalancerService(ctx context.Context, env *library.TestEnv, client kubernetes.Interface) (bool, error) {
+func hasImpersonationProxyLoadBalancerService(ctx context.Context, env *testlib.TestEnv, client kubernetes.Interface) (bool, error) {
 	service, err := client.CoreV1().Services(env.ConciergeNamespace).Get(ctx, impersonationProxyLoadBalancerName(env), metav1.GetOptions{})
 	if k8serrors.IsNotFound(err) {
 		return false, nil
@ -1843,34 +1843,34 @@ func hasImpersonationProxyLoadBalancerService(ctx context.Context, env *library.
 	return service.Spec.Type == corev1.ServiceTypeLoadBalancer, nil
 }
-func impersonationProxyTLSSecretName(env *library.TestEnv) string {
+func impersonationProxyTLSSecretName(env *testlib.TestEnv) string {
 	return env.ConciergeAppName + "-impersonation-proxy-tls-serving-certificate"
 }
-func impersonationProxyCASecretName(env *library.TestEnv) string {
+func impersonationProxyCASecretName(env *testlib.TestEnv) string {
 	return env.ConciergeAppName + "-impersonation-proxy-ca-certificate"
 }
-func impersonationProxyLoadBalancerName(env *library.TestEnv) string {
+func impersonationProxyLoadBalancerName(env *testlib.TestEnv) string {
 	return env.ConciergeAppName + "-impersonation-proxy-load-balancer"
 }
-func impersonationProxyClusterIPName(env *library.TestEnv) string {
+func impersonationProxyClusterIPName(env *testlib.TestEnv) string {
 	return env.ConciergeAppName + "-impersonation-proxy-cluster-ip"
 }
-func credentialIssuerName(env *library.TestEnv) string {
+func credentialIssuerName(env *testlib.TestEnv) string {
 	return env.ConciergeAppName + "-config"
 }
-func getImpersonationKubeconfig(t *testing.T, env *library.TestEnv, impersonationProxyURL string, impersonationProxyCACertPEM []byte, authenticator corev1.TypedLocalObjectReference) (string, []string, string) {
+func getImpersonationKubeconfig(t *testing.T, env *testlib.TestEnv, impersonationProxyURL string, impersonationProxyCACertPEM []byte, authenticator corev1.TypedLocalObjectReference) (string, []string, string) {
 	t.Helper()
-	pinnipedExe := library.PinnipedCLIPath(t)
+	pinnipedExe := testlib.PinnipedCLIPath(t)
 	tempDir := testutil.TempDir(t)
 	var envVarsWithProxy []string
-	if !env.HasCapability(library.HasExternalLoadBalancerProvider) {
+	if !env.HasCapability(testlib.HasExternalLoadBalancerProvider) {
 		// Only if you don't have a load balancer, use the squid proxy when it's available.
 		envVarsWithProxy = append(os.Environ(), env.ProxyEnv()...)
 	}
@ -1991,8 +1991,8 @@ func createTokenCredentialRequest(
 func newImpersonationProxyClientWithCredentials(t *testing.T, credentials *loginv1alpha1.ClusterCredential, impersonationProxyURL string, impersonationProxyCACertPEM []byte, nestedImpersonationConfig *rest.ImpersonationConfig) *kubeclient.Client {
 	t.Helper()
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
-	clusterSupportsLoadBalancers := env.HasCapability(library.HasExternalLoadBalancerProvider)
+	clusterSupportsLoadBalancers := env.HasCapability(testlib.HasExternalLoadBalancerProvider)
 	kubeconfig := impersonationProxyRestConfig(credentials, impersonationProxyURL, impersonationProxyCACertPEM, nestedImpersonationConfig)
 	if !clusterSupportsLoadBalancers {
@ -2000,7 +2000,7 @@ func newImpersonationProxyClientWithCredentials(t *testing.T, credentials *login
 		// Prefer to go through a load balancer because that's how the impersonator is intended to be used in the real world.
 		kubeconfig.Proxy = kubeconfigProxyFunc(t, env.Proxy)
 	}
-	return library.NewKubeclient(t, kubeconfig)
+	return testlib.NewKubeclient(t, kubeconfig)
 }
 func newAnonymousImpersonationProxyClient(t *testing.T, impersonationProxyURL string, impersonationProxyCACertPEM []byte, nestedImpersonationConfig *rest.ImpersonationConfig) *kubeclient.Client {
@ -2013,34 +2013,34 @@ func newAnonymousImpersonationProxyClient(t *testing.T, impersonationProxyURL st
 func newImpersonationProxyClientWithCredentialsAndProxy(t *testing.T, credentials *loginv1alpha1.ClusterCredential, impersonationProxyURL string, impersonationProxyCACertPEM []byte, nestedImpersonationConfig *rest.ImpersonationConfig) *kubeclient.Client {
 	t.Helper()
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	kubeconfig := impersonationProxyRestConfig(credentials, impersonationProxyURL, impersonationProxyCACertPEM, nestedImpersonationConfig)
 	kubeconfig.Proxy = kubeconfigProxyFunc(t, env.Proxy)
-	return library.NewKubeclient(t, kubeconfig)
+	return testlib.NewKubeclient(t, kubeconfig)
 }
 // this uses a proxy in all cases, the other will only use it if you don't have load balancer capabilities.
 func newAnonymousImpersonationProxyClientWithProxy(t *testing.T, impersonationProxyURL string, impersonationProxyCACertPEM []byte, nestedImpersonationConfig *rest.ImpersonationConfig) *kubeclient.Client {
 	t.Helper()
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	emptyCredentials := &loginv1alpha1.ClusterCredential{}
 	kubeconfig := impersonationProxyRestConfig(emptyCredentials, impersonationProxyURL, impersonationProxyCACertPEM, nestedImpersonationConfig)
 	kubeconfig.Proxy = kubeconfigProxyFunc(t, env.Proxy)
-	return library.NewKubeclient(t, kubeconfig)
+	return testlib.NewKubeclient(t, kubeconfig)
 }
 func impersonationProxyViaSquidKubeClientWithoutCredential(t *testing.T, proxyServiceEndpoint string) kubernetes.Interface {
 	t.Helper()
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	proxyURL := "https://" + proxyServiceEndpoint
 	kubeconfig := impersonationProxyRestConfig(&loginv1alpha1.ClusterCredential{}, proxyURL, nil, nil)
 	kubeconfig.Proxy = kubeconfigProxyFunc(t, env.Proxy)
-	return library.NewKubeclient(t, kubeconfig).Kubernetes
+	return testlib.NewKubeclient(t, kubeconfig).Kubernetes
 }
 func newImpersonationProxyClient(
--- a/test/integration/concierge_kubecertagent_test.go
+++ b/test/integration/concierge_kubecertagent_test.go
@ -17,18 +17,18 @@ import (
 	"k8s.io/utils/pointer"
 	conciergev1alpha "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestKubeCertAgent(t *testing.T) {
-	env := library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)
+	env := testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable)
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
-	kubeClient := library.NewKubernetesClientset(t)
+	kubeClient := testlib.NewKubernetesClientset(t)
-	adminConciergeClient := library.NewConciergeClientset(t)
+	adminConciergeClient := testlib.NewConciergeClientset(t)
 	// Expect there to be at least on healthy kube-cert-agent pod on this cluster.
-	library.RequireEventuallyWithoutError(t, func() (bool, error) {
+	testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 		ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 		defer cancel()
 		agentPods, err := kubeClient.CoreV1().Pods(env.ConciergeNamespace).List(ctx, metav1.ListOptions{
@ -50,7 +50,7 @@ func TestKubeCertAgent(t *testing.T) {
 	}, 1*time.Minute, 2*time.Second, "never saw a healthy kube-cert-agent Pod running")
 	// Expect that the CredentialIssuer will have a healthy KubeClusterSigningCertificate strategy.
-	library.RequireEventuallyWithoutError(t, func() (bool, error) {
+	testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 		ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 		defer cancel()
 		credentialIssuer, err := adminConciergeClient.ConfigV1alpha1().CredentialIssuers().Get(ctx, credentialIssuerName(env), metav1.GetOptions{})
@ -94,10 +94,10 @@ func findSuccessfulStrategy(credentialIssuer *conciergev1alpha.CredentialIssuer,
 }
 func TestLegacyPodCleaner(t *testing.T) {
-	env := library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)
+	env := testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable)
 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 	defer cancel()
-	kubeClient := library.NewKubernetesClientset(t)
+	kubeClient := testlib.NewKubernetesClientset(t)
 	// Pick the same labels that the legacy code would have used to run the kube-cert-agent pod.
 	legacyAgentLabels := map[string]string{}
@ -137,7 +137,7 @@ func TestLegacyPodCleaner(t *testing.T) {
 	})
 	// Expect the legacy-pod-cleaner controller to delete the pod.
-	library.RequireEventuallyWithoutError(t, func() (bool, error) {
+	testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 		_, err := kubeClient.CoreV1().Pods(pod.Namespace).Get(ctx, pod.Name, metav1.GetOptions{})
 		if k8serrors.IsNotFound(err) {
 			t.Logf("fake legacy agent pod %s/%s was deleted as expected", pod.Namespace, pod.Name)
--- a/test/integration/concierge_kubectl_test.go
+++ b/test/integration/concierge_kubectl_test.go
@ -10,12 +10,12 @@ import (
 	"github.com/stretchr/testify/require"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 // Smoke test to see if the kubeconfig works and the cluster is reachable.
 func TestGetNodes(t *testing.T) {
-	library.SkipUnlessIntegration(t)
+	testlib.SkipUnlessIntegration(t)
 	cmd := exec.Command("kubectl", "get", "nodes")
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@ -42,19 +42,19 @@ import (
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/pkg/oidcclient"
 	"go.pinniped.dev/pkg/oidcclient/filesession"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
-	"go.pinniped.dev/test/library/browsertest"
+	"go.pinniped.dev/test/testlib/browsertest"
 )
 // TestE2EFullIntegration tests a full integration scenario that combines the supervisor, concierge, and CLI.
 func TestE2EFullIntegration(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	ctx, cancelFunc := context.WithTimeout(context.Background(), 15*time.Minute)
 	defer cancelFunc()
 	// Build pinniped CLI.
-	pinnipedExe := library.PinnipedCLIPath(t)
+	pinnipedExe := testlib.PinnipedCLIPath(t)
 	tempDir := testutil.TempDir(t)
 	// Start the browser driver.
@ -86,7 +86,7 @@ func TestE2EFullIntegration(t *testing.T) {
 	require.NoError(t, err)
 	// Write the serving cert to a secret.
-	certSecret := library.CreateTestSecret(t,
+	certSecret := testlib.CreateTestSecret(t,
 		env.SupervisorNamespace,
 		"oidc-provider-tls",
 		corev1.SecretTypeTLS,
@ -94,15 +94,15 @@ func TestE2EFullIntegration(t *testing.T) {
 	)
 	// Create the downstream FederationDomain and expect it to go into the success status condition.
-	downstream := library.CreateTestFederationDomain(ctx, t,
+	downstream := testlib.CreateTestFederationDomain(ctx, t,
 		issuerURL.String(),
 		certSecret.Name,
 		configv1alpha1.SuccessFederationDomainStatusCondition,
 	)
 	// Create a JWTAuthenticator that will validate the tokens from the downstream issuer.
-	clusterAudience := "test-cluster-" + library.RandHex(t, 8)
+	clusterAudience := "test-cluster-" + testlib.RandHex(t, 8)
-	authenticator := library.CreateTestJWTAuthenticator(ctx, t, authv1alpha.JWTAuthenticatorSpec{
+	authenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authv1alpha.JWTAuthenticatorSpec{
 		Issuer:   downstream.Spec.Issuer,
 		Audience: clusterAudience,
 		TLS:      &authv1alpha.TLSSpec{CertificateAuthorityData: testCABundleBase64},
@ -114,11 +114,11 @@ func TestE2EFullIntegration(t *testing.T) {
 		expectedGroups := env.SupervisorUpstreamOIDC.ExpectedGroups
 		// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
-		library.CreateTestClusterRoleBinding(t,
+		testlib.CreateTestClusterRoleBinding(t,
 			rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: expectedUsername},
 			rbacv1.RoleRef{Kind: "ClusterRole", APIGroup: rbacv1.GroupName, Name: "view"},
 		)
-		library.WaitForUserToHaveAccess(t, expectedUsername, []string{}, &authorizationv1.ResourceAttributes{
+		testlib.WaitForUserToHaveAccess(t, expectedUsername, []string{}, &authorizationv1.ResourceAttributes{
 			Verb:     "get",
 			Group:    "",
 			Version:  "v1",
@ -126,7 +126,7 @@ func TestE2EFullIntegration(t *testing.T) {
 		})
 		// Create upstream OIDC provider and wait for it to become ready.
-		library.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
+		testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
 			Issuer: env.SupervisorUpstreamOIDC.Issuer,
 			TLS: &idpv1alpha1.TLSSpec{
 				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
@ -139,7 +139,7 @@ func TestE2EFullIntegration(t *testing.T) {
 				Groups:   env.SupervisorUpstreamOIDC.GroupsClaim,
 			},
 			Client: idpv1alpha1.OIDCClient{
-				SecretName: library.CreateClientCredsSecret(t, env.SupervisorUpstreamOIDC.ClientID, env.SupervisorUpstreamOIDC.ClientSecret).Name,
+				SecretName: testlib.CreateClientCredsSecret(t, env.SupervisorUpstreamOIDC.ClientID, env.SupervisorUpstreamOIDC.ClientSecret).Name,
 			},
 		}, idpv1alpha1.PhaseReady)
@ -194,7 +194,7 @@ func TestE2EFullIntegration(t *testing.T) {
 				}
 			}()
-			reader := bufio.NewReader(library.NewLoggerReader(t, "stderr", stderrPipe))
+			reader := bufio.NewReader(testlib.NewLoggerReader(t, "stderr", stderrPipe))
 			line, err := reader.ReadString('\n')
 			if err != nil {
 				return fmt.Errorf("could not read login URL line from stderr: %w", err)
@ -277,7 +277,7 @@ func TestE2EFullIntegration(t *testing.T) {
 	// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands.
 	t.Run("with Supervisor LDAP upstream IDP", func(t *testing.T) {
-		if len(env.ToolsNamespace) == 0 && !env.HasCapability(library.CanReachInternetLDAPPorts) {
+		if len(env.ToolsNamespace) == 0 && !env.HasCapability(testlib.CanReachInternetLDAPPorts) {
 			t.Skip("LDAP integration test requires connectivity to an LDAP server")
 		}
@ -285,11 +285,11 @@ func TestE2EFullIntegration(t *testing.T) {
 		expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
 		// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
-		library.CreateTestClusterRoleBinding(t,
+		testlib.CreateTestClusterRoleBinding(t,
 			rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: expectedUsername},
 			rbacv1.RoleRef{Kind: "ClusterRole", APIGroup: rbacv1.GroupName, Name: "view"},
 		)
-		library.WaitForUserToHaveAccess(t, expectedUsername, []string{}, &authorizationv1.ResourceAttributes{
+		testlib.WaitForUserToHaveAccess(t, expectedUsername, []string{}, &authorizationv1.ResourceAttributes{
 			Verb:     "get",
 			Group:    "",
 			Version:  "v1",
@ -297,7 +297,7 @@ func TestE2EFullIntegration(t *testing.T) {
 		})
 		// Put the bind service account's info into a Secret.
-		bindSecret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", corev1.SecretTypeBasicAuth,
+		bindSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", corev1.SecretTypeBasicAuth,
 			map[string]string{
 				corev1.BasicAuthUsernameKey: env.SupervisorUpstreamLDAP.BindUsername,
 				corev1.BasicAuthPasswordKey: env.SupervisorUpstreamLDAP.BindPassword,
@ -305,7 +305,7 @@ func TestE2EFullIntegration(t *testing.T) {
 		)
 		// Create upstream LDAP provider and wait for it to become ready.
-		library.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{
+		testlib.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{
 			Host: env.SupervisorUpstreamLDAP.Host,
 			TLS: &idpv1alpha1.TLSSpec{
 				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.CABundle)),
@ -379,7 +379,7 @@ func TestE2EFullIntegration(t *testing.T) {
 func readFromFileUntilStringIsSeen(t *testing.T, f *os.File, until string) {
 	readFromFile := ""
-	library.RequireEventuallyWithoutError(t, func() (bool, error) {
+	testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 		someOutput, foundEOF := readAvailableOutput(t, f)
 		readFromFile += someOutput
 		if strings.Contains(readFromFile, until) {
@ -407,7 +407,7 @@ func readAvailableOutput(t *testing.T, r io.Reader) (string, bool) {
 func requireUserCanUseKubectlWithoutAuthenticatingAgain(
 	ctx context.Context,
 	t *testing.T,
-	env *library.TestEnv,
+	env *testlib.TestEnv,
 	downstream *configv1alpha1.FederationDomain,
 	kubeconfigPath string,
 	sessionCachePath string,
@ -485,7 +485,7 @@ func requireGCAnnotationsOnSessionStorage(ctx context.Context, t *testing.T, sup
 	// check that the access token is new (since it's just been refreshed) and has close to two minutes left.
 	testutil.RequireTimeInDelta(t, startTime.Add(2*time.Minute), token.AccessToken.Expiry.Time, 15*time.Second)
-	kubeClient := library.NewKubernetesClientset(t).CoreV1()
+	kubeClient := testlib.NewKubernetesClientset(t).CoreV1()
 	// get the access token secret that matches the signature from the cache
 	accessTokenSignature := strings.Split(token.AccessToken.Token, ".")[1]
@ -515,14 +515,14 @@ func requireGCAnnotationsOnSessionStorage(ctx context.Context, t *testing.T, sup
 	testutil.RequireTimeInDelta(t, accessTokenGCTime, refreshTokenGCTime, 1*time.Minute)
 }
-func runPinnipedGetKubeconfig(t *testing.T, env *library.TestEnv, pinnipedExe string, tempDir string, pinnipedCLICommand []string) string {
+func runPinnipedGetKubeconfig(t *testing.T, env *testlib.TestEnv, pinnipedExe string, tempDir string, pinnipedCLICommand []string) string {
 	// Run "pinniped get kubeconfig" to get a kubeconfig YAML.
 	envVarsWithProxy := append(os.Environ(), env.ProxyEnv()...)
 	kubeconfigYAML, stderr := runPinnipedCLI(t, envVarsWithProxy, pinnipedExe, pinnipedCLICommand...)
 	t.Logf("stderr output from 'pinniped get kubeconfig':\n%s\n\n", stderr)
 	t.Logf("test kubeconfig:\n%s\n\n", kubeconfigYAML)
-	restConfig := library.NewRestConfigFromKubeconfig(t, kubeconfigYAML)
+	restConfig := testlib.NewRestConfigFromKubeconfig(t, kubeconfigYAML)
 	require.NotNil(t, restConfig.ExecProvider)
 	require.Equal(t, []string{"login", "oidc"}, restConfig.ExecProvider.Args[:2])
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@ -16,13 +16,13 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/discovery"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestGetAPIResourceList(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
-	client := library.NewKubernetesClientset(t)
+	client := testlib.NewKubernetesClientset(t)
 	groups, resources, err := client.Discovery().ServerGroupsAndResources()
 	// discovery can have partial failures when an API service is unavailable (i.e. because of TestAPIServingCertificateAutoCreationAndRotation)
--- a/test/integration/kubeclient_test.go
+++ b/test/integration/kubeclient_test.go
@ -22,14 +22,14 @@ import (
 	"go.pinniped.dev/internal/groupsuffix"
 	"go.pinniped.dev/internal/kubeclient"
 	"go.pinniped.dev/internal/ownerref"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestKubeClientOwnerRef(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
-	regularClient := library.NewKubernetesClientset(t)
+	regularClient := testlib.NewKubernetesClientset(t)
-	regularAggregationClient := library.NewAggregatedClientset(t)
+	regularAggregationClient := testlib.NewAggregatedClientset(t)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
@ -75,7 +75,7 @@ func TestKubeClientOwnerRef(t *testing.T) {
 		UID:        parentSecret.UID,
 	}
-	snorlaxAPIGroup := fmt.Sprintf("%s.snorlax.dev", library.RandHex(t, 8))
+	snorlaxAPIGroup := fmt.Sprintf("%s.snorlax.dev", testlib.RandHex(t, 8))
 	parentAPIService, err := regularAggregationClient.ApiregistrationV1().APIServices().Create(
 		ctx,
 		&apiregistrationv1.APIService{
@ -114,7 +114,7 @@ func TestKubeClientOwnerRef(t *testing.T) {
 		UID:        parentAPIService.UID,
 	}
-	apiServiceRef, err := apiserviceref.New(parentAPIService.Name, kubeclient.WithConfig(library.NewClientConfig(t)))
+	apiServiceRef, err := apiserviceref.New(parentAPIService.Name, kubeclient.WithConfig(testlib.NewClientConfig(t)))
 	require.NoError(t, err)
 	// create a client that should set an owner ref back to parent on create
@ -122,7 +122,7 @@ func TestKubeClientOwnerRef(t *testing.T) {
 		kubeclient.WithMiddleware(ownerref.New(parentSecret)), // secret owner ref first when possible
 		apiServiceRef, // api service for everything else
 		kubeclient.WithMiddleware(groupsuffix.New(env.APIGroupSuffix)),
-		kubeclient.WithConfig(library.NewClientConfig(t)),
+		kubeclient.WithConfig(testlib.NewClientConfig(t)),
 	)
 	require.NoError(t, err)
@ -188,7 +188,7 @@ func TestKubeClientOwnerRef(t *testing.T) {
 	})
 	// cluster scoped API service should be owned by the other one we created above
-	pandasAPIGroup := fmt.Sprintf("%s.pandas.dev", library.RandHex(t, 8))
+	pandasAPIGroup := fmt.Sprintf("%s.pandas.dev", testlib.RandHex(t, 8))
 	apiService, err := ownerRefClient.Aggregation.ApiregistrationV1().APIServices().Create(
 		ctx,
 		&apiregistrationv1.APIService{
@ -305,7 +305,7 @@ func hasOwnerRef(t *testing.T, obj metav1.Object, ref metav1.OwnerReference) {
 func isEventuallyDeleted(t *testing.T, f func() error) {
 	t.Helper()
-	library.RequireEventuallyWithoutError(t, func() (bool, error) {
+	testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 		err := f()
 		switch {
 		case err == nil:
--- a/test/integration/ldap_client_test.go
+++ b/test/integration/ldap_client_test.go
@ -21,11 +21,11 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 	"go.pinniped.dev/internal/upstreamldap"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestLDAPSearch(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	// Note that these tests depend on the values hard-coded in the LDIF file in test/deploy/tools/ldap.yaml.
 	// It requires the test LDAP server from the tools deployment.
@ -613,7 +613,7 @@ func TestLDAPSearch(t *testing.T) {
 }
 func TestSimultaneousLDAPRequestsOnSingleProvider(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	// Note that these tests depend on the values hard-coded in the LDIF file in test/deploy/tools/ldap.yaml.
 	// It requires the test LDAP server from the tools deployment.
@ -673,7 +673,7 @@ type authUserResult struct {
 	err           error
 }
-func defaultProviderConfig(env *library.TestEnv, port string) *upstreamldap.ProviderConfig {
+func defaultProviderConfig(env *testlib.TestEnv, port string) *upstreamldap.ProviderConfig {
 	return &upstreamldap.ProviderConfig{
 		Name:               "test-ldap-provider",
 		Host:               "127.0.0.1:" + port,
@ -775,7 +775,7 @@ func startLongRunningCommandAndWaitForInitialOutput(
 		require.NoError(t, err)
 	})
-	library.RequireEventually(t, func(requireEventually *require.Assertions) {
+	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		t.Logf(`Waiting for %s to emit output: "%s"`, command, waitForOutputToContain)
 		requireEventually.Equal(-1, cmd.ProcessState.ExitCode(), "subcommand ended sooner than expected")
 		requireEventually.Contains(watchOn.String(), waitForOutputToContain, "expected process to emit output")
--- a/test/integration/rbac_test.go
+++ b/test/integration/rbac_test.go
@ -19,20 +19,20 @@ import (
 	v1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
 	"k8s.io/client-go/rest"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestServiceAccountPermissions(t *testing.T) {
 	// TODO: update this test to check the permissions of all service accounts
 	//  For now it just checks the permissions of the impersonation proxy SA
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute)
 	defer cancel()
 	// impersonate the SA since it is easier than fetching a token and lets us control the group memberships
-	config := rest.CopyConfig(library.NewClientConfig(t))
+	config := rest.CopyConfig(testlib.NewClientConfig(t))
 	config.Impersonate = rest.ImpersonationConfig{
 		UserName: serviceaccount.MakeUsername(env.ConciergeNamespace, env.ConciergeAppName+"-impersonation-proxy"),
 		// avoid permissions assigned to system:serviceaccounts by explicitly impersonating system:serviceaccounts:<namespace>
@ -42,7 +42,7 @@ func TestServiceAccountPermissions(t *testing.T) {
 		Groups: []string{serviceaccount.MakeNamespaceGroupName(env.ConciergeNamespace), user.AllAuthenticated},
 	}
-	ssrrClient := library.NewKubeclient(t, config).Kubernetes.AuthorizationV1().SelfSubjectRulesReviews()
+	ssrrClient := testlib.NewKubeclient(t, config).Kubernetes.AuthorizationV1().SelfSubjectRulesReviews()
 	// the impersonation proxy SA has the same permissions for all checks because it should only be authorized via cluster role bindings
@ -67,7 +67,7 @@ func TestServiceAccountPermissions(t *testing.T) {
 		)
 	}
-	crbs, err := library.NewKubernetesClientset(t).RbacV1().ClusterRoleBindings().List(ctx, metav1.ListOptions{LabelSelector: "eks.amazonaws.com/component=pod-security-policy"})
+	crbs, err := testlib.NewKubernetesClientset(t).RbacV1().ClusterRoleBindings().List(ctx, metav1.ListOptions{LabelSelector: "eks.amazonaws.com/component=pod-security-policy"})
 	require.NoError(t, err)
 	if len(crbs.Items) > 0 {
 		expectedResourceRules = append(expectedResourceRules,
@ -121,14 +121,14 @@ func testPermissionsInNamespace(ctx context.Context, t *testing.T, ssrrClient v1
 func getOtherPinnipedGroupSuffix(t *testing.T) string {
 	t.Helper()
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	var resources []*metav1.APIResourceList
-	library.RequireEventuallyWithoutError(t, func() (bool, error) {
+	testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 		// we need a complete discovery listing for the check we are trying to make below
 		// loop since tests like TestAPIServingCertificateAutoCreationAndRotation can break discovery
-		_, r, err := library.NewKubernetesClientset(t).Discovery().ServerGroupsAndResources()
+		_, r, err := testlib.NewKubernetesClientset(t).Discovery().ServerGroupsAndResources()
 		if err != nil {
 			t.Logf("retrying due to partial discovery failure: %v", err)
 			return false, nil
--- a/test/integration/supervisor_discovery_test.go
+++ b/test/integration/supervisor_discovery_test.go
@ -28,7 +28,7 @@ import (
 	pinnipedclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 	"go.pinniped.dev/internal/certauthority"
 	"go.pinniped.dev/internal/here"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 // This test is intended to exercise the supervisor's HTTP port 8080. It can either access it directly via
@ -40,15 +40,15 @@ import (
 // Testing talking to the supervisor's port 8443 where the supervisor is terminating TLS itself is
 // handled by the others tests in this file.
 func TestSupervisorOIDCDiscovery(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
-	client := library.NewSupervisorClientset(t)
+	client := testlib.NewSupervisorClientset(t)
 	ns := env.SupervisorNamespace
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
 	defer cancel()
-	temporarilyRemoveAllFederationDomainsAndDefaultTLSCertSecret(ctx, t, ns, defaultTLSCertSecretName(env), client, library.NewKubernetesClientset(t))
+	temporarilyRemoveAllFederationDomainsAndDefaultTLSCertSecret(ctx, t, ns, defaultTLSCertSecretName(env), client, testlib.NewKubernetesClientset(t))
 	tests := []struct {
 		Scheme   string
@ -111,7 +111,7 @@ func TestSupervisorOIDCDiscovery(t *testing.T) {
 		// When the same issuer is added twice, both issuers are marked as duplicates, and neither provider is serving.
 		config6Duplicate1, _ := requireCreatingFederationDomainCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer6, client)
-		config6Duplicate2 := library.CreateTestFederationDomain(ctx, t, issuer6, "", "")
+		config6Duplicate2 := testlib.CreateTestFederationDomain(ctx, t, issuer6, "", "")
 		requireStatus(t, client, ns, config6Duplicate1.Name, v1alpha1.DuplicateFederationDomainStatusCondition)
 		requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.DuplicateFederationDomainStatusCondition)
 		requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, issuer6)
@ -136,7 +136,7 @@ func TestSupervisorOIDCDiscovery(t *testing.T) {
 		}
 		// When we create a provider with an invalid issuer, the status is set to invalid.
-		badConfig := library.CreateTestFederationDomain(ctx, t, badIssuer, "", "")
+		badConfig := testlib.CreateTestFederationDomain(ctx, t, badIssuer, "", "")
 		requireStatus(t, client, ns, badConfig.Name, v1alpha1.InvalidFederationDomainStatusCondition)
 		requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, badIssuer)
 		requireDeletingFederationDomainCausesDiscoveryEndpointsToDisappear(t, badConfig, client, ns, scheme, addr, caBundle, badIssuer)
@ -144,9 +144,9 @@ func TestSupervisorOIDCDiscovery(t *testing.T) {
 }
 func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
-	pinnipedClient := library.NewSupervisorClientset(t)
+	pinnipedClient := testlib.NewSupervisorClientset(t)
-	kubeClient := library.NewKubernetesClientset(t)
+	kubeClient := testlib.NewKubernetesClientset(t)
 	ns := env.SupervisorNamespace
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
@ -162,7 +162,7 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
 	certSecretName1 := "integration-test-cert-1"
 	// Create an FederationDomain with a spec.tls.secretName.
-	federationDomain1 := library.CreateTestFederationDomain(ctx, t, issuer1, certSecretName1, "")
+	federationDomain1 := testlib.CreateTestFederationDomain(ctx, t, issuer1, certSecretName1, "")
 	requireStatus(t, pinnipedClient, federationDomain1.Namespace, federationDomain1.Name, v1alpha1.SuccessFederationDomainStatusCondition)
 	// The spec.tls.secretName Secret does not exist, so the endpoints should fail with TLS errors.
@ -202,7 +202,7 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
 	certSecretName2 := "integration-test-cert-2"
 	// Create an FederationDomain with a spec.tls.secretName.
-	federationDomain2 := library.CreateTestFederationDomain(ctx, t, issuer2, certSecretName2, "")
+	federationDomain2 := testlib.CreateTestFederationDomain(ctx, t, issuer2, certSecretName2, "")
 	requireStatus(t, pinnipedClient, federationDomain2.Namespace, federationDomain2.Name, v1alpha1.SuccessFederationDomainStatusCondition)
 	// Create the Secret.
@ -215,9 +215,9 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
 }
 func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
-	pinnipedClient := library.NewSupervisorClientset(t)
+	pinnipedClient := testlib.NewSupervisorClientset(t)
-	kubeClient := library.NewKubernetesClientset(t)
+	kubeClient := testlib.NewKubernetesClientset(t)
 	ns := env.SupervisorNamespace
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
@ -236,7 +236,7 @@ func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
 		port = hostAndPortSegments[1]
 	}
-	ips, err := library.LookupIP(ctx, hostname)
+	ips, err := testlib.LookupIP(ctx, hostname)
 	require.NoError(t, err)
 	require.NotEmpty(t, ips)
 	ipWithPort := ips[0].String() + ":" + port
@ -245,7 +245,7 @@ func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
 	issuerUsingHostname := fmt.Sprintf("%s://%s/issuer1", scheme, address)
 	// Create an FederationDomain without a spec.tls.secretName.
-	federationDomain1 := library.CreateTestFederationDomain(ctx, t, issuerUsingIPAddress, "", "")
+	federationDomain1 := testlib.CreateTestFederationDomain(ctx, t, issuerUsingIPAddress, "", "")
 	requireStatus(t, pinnipedClient, federationDomain1.Namespace, federationDomain1.Name, v1alpha1.SuccessFederationDomainStatusCondition)
 	// There is no default TLS cert and the spec.tls.secretName was not set, so the endpoints should fail with TLS errors.
@ -259,7 +259,7 @@ func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
 	// Create an FederationDomain with a spec.tls.secretName.
 	certSecretName := "integration-test-cert-1"
-	federationDomain2 := library.CreateTestFederationDomain(ctx, t, issuerUsingHostname, certSecretName, "")
+	federationDomain2 := testlib.CreateTestFederationDomain(ctx, t, issuerUsingHostname, certSecretName, "")
 	requireStatus(t, pinnipedClient, federationDomain2.Namespace, federationDomain2.Name, v1alpha1.SuccessFederationDomainStatusCondition)
 	// Create the Secret.
@ -274,7 +274,7 @@ func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
 	_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)
 }
-func defaultTLSCertSecretName(env *library.TestEnv) string {
+func defaultTLSCertSecretName(env *testlib.TestEnv) string {
 	return env.SupervisorAppName + "-default-tls-certificate" //nolint:gosec // this is not a hardcoded credential
 }
@ -397,7 +397,7 @@ func requireEndpointNotFound(t *testing.T, url, host, caBundle string) {
 	requestNonExistentPath.Host = host
-	library.RequireEventually(t, func(requireEventually *require.Assertions) {
+	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		response, err := httpClient.Do(requestNonExistentPath)
 		requireEventually.NoError(err)
 		requireEventually.NoError(response.Body.Close())
@ -411,7 +411,7 @@ func requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t *testing.T, url
 	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 	defer cancel()
-	library.RequireEventually(t, func(requireEventually *require.Assertions) {
+	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 		requireEventually.NoError(err)
@ -432,7 +432,7 @@ func requireCreatingFederationDomainCausesDiscoveryEndpointsToAppear(
 	client pinnipedclientset.Interface,
 ) (*v1alpha1.FederationDomain, *ExpectedJWKSResponseFormat) {
 	t.Helper()
-	newFederationDomain := library.CreateTestFederationDomain(ctx, t, issuerName, "", "")
+	newFederationDomain := testlib.CreateTestFederationDomain(ctx, t, issuerName, "", "")
 	jwksResult := requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName, nil)
 	requireStatus(t, client, newFederationDomain.Namespace, newFederationDomain.Name, v1alpha1.SuccessFederationDomainStatusCondition)
 	return newFederationDomain, jwksResult
@ -552,7 +552,7 @@ func requireSuccessEndpointResponse(t *testing.T, endpointURL, issuer, caBundle
 	// Fetch that discovery endpoint. Give it some time for the endpoint to come into existence.
 	var response *http.Response
 	var responseBody []byte
-	library.RequireEventually(t, func(requireEventually *require.Assertions) {
+	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		var err error
 		response, err = httpClient.Do(requestDiscoveryEndpoint)
 		requireEventually.NoError(err)
@ -603,7 +603,7 @@ func requireDelete(t *testing.T, client pinnipedclientset.Interface, ns, name st
 func requireStatus(t *testing.T, client pinnipedclientset.Interface, ns, name string, status v1alpha1.FederationDomainStatusCondition) {
 	t.Helper()
-	library.RequireEventually(t, func(requireEventually *require.Assertions) {
+	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 		defer cancel()
--- a/test/integration/supervisor_healthz_test.go
+++ b/test/integration/supervisor_healthz_test.go
@ -13,7 +13,7 @@ import (
 	"github.com/stretchr/testify/require"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 // The Supervisor health endpoint is public because that makes it easier
@ -23,7 +23,7 @@ import (
 // happen on a private container port at this time.
 // This test checks that it is working and that it is public.
 func TestSupervisorHealthz(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	if env.SupervisorHTTPAddress == "" {
 		t.Skip("PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS not defined")
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@ -32,12 +32,12 @@ import (
 	"go.pinniped.dev/pkg/oidcclient/nonce"
 	"go.pinniped.dev/pkg/oidcclient/pkce"
 	"go.pinniped.dev/pkg/oidcclient/state"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
-	"go.pinniped.dev/test/library/browsertest"
+	"go.pinniped.dev/test/testlib/browsertest"
 )
 func TestSupervisorLogin(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	tests := []struct {
 		name                                 string
@ -55,13 +55,13 @@ func TestSupervisorLogin(t *testing.T) {
 			},
 			createIDP: func(t *testing.T) {
 				t.Helper()
-				library.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
+				testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
 					Issuer: env.SupervisorUpstreamOIDC.Issuer,
 					TLS: &idpv1alpha1.TLSSpec{
 						CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
 					},
 					Client: idpv1alpha1.OIDCClient{
-						SecretName: library.CreateClientCredsSecret(t, env.SupervisorUpstreamOIDC.ClientID, env.SupervisorUpstreamOIDC.ClientSecret).Name,
+						SecretName: testlib.CreateClientCredsSecret(t, env.SupervisorUpstreamOIDC.ClientID, env.SupervisorUpstreamOIDC.ClientSecret).Name,
 					},
 				}, idpv1alpha1.PhaseReady)
 			},
@ -78,13 +78,13 @@ func TestSupervisorLogin(t *testing.T) {
 			},
 			createIDP: func(t *testing.T) {
 				t.Helper()
-				library.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
+				testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
 					Issuer: env.SupervisorUpstreamOIDC.Issuer,
 					TLS: &idpv1alpha1.TLSSpec{
 						CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
 					},
 					Client: idpv1alpha1.OIDCClient{
-						SecretName: library.CreateClientCredsSecret(t, env.SupervisorUpstreamOIDC.ClientID, env.SupervisorUpstreamOIDC.ClientSecret).Name,
+						SecretName: testlib.CreateClientCredsSecret(t, env.SupervisorUpstreamOIDC.ClientID, env.SupervisorUpstreamOIDC.ClientSecret).Name,
 					},
 					Claims: idpv1alpha1.OIDCClaims{
 						Username: env.SupervisorUpstreamOIDC.UsernameClaim,
@ -104,19 +104,19 @@ func TestSupervisorLogin(t *testing.T) {
 			name: "ldap with email as username and groups names as DNs and using an LDAP provider which supports TLS",
 			maybeSkip: func(t *testing.T) {
 				t.Helper()
-				if len(env.ToolsNamespace) == 0 && !env.HasCapability(library.CanReachInternetLDAPPorts) {
+				if len(env.ToolsNamespace) == 0 && !env.HasCapability(testlib.CanReachInternetLDAPPorts) {
 					t.Skip("LDAP integration test requires connectivity to an LDAP server")
 				}
 			},
 			createIDP: func(t *testing.T) {
 				t.Helper()
-				secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
+				secret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
 					map[string]string{
 						v1.BasicAuthUsernameKey: env.SupervisorUpstreamLDAP.BindUsername,
 						v1.BasicAuthPasswordKey: env.SupervisorUpstreamLDAP.BindPassword,
 					},
 				)
-				ldapIDP := library.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{
+				ldapIDP := testlib.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{
 					Host: env.SupervisorUpstreamLDAP.Host,
 					TLS: &idpv1alpha1.TLSSpec{
 						CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.CABundle)),
@ -169,19 +169,19 @@ func TestSupervisorLogin(t *testing.T) {
 			name: "ldap with CN as username and group names as CNs and using an LDAP provider which only supports StartTLS", // try another variation of configuration options
 			maybeSkip: func(t *testing.T) {
 				t.Helper()
-				if len(env.ToolsNamespace) == 0 && !env.HasCapability(library.CanReachInternetLDAPPorts) {
+				if len(env.ToolsNamespace) == 0 && !env.HasCapability(testlib.CanReachInternetLDAPPorts) {
 					t.Skip("LDAP integration test requires connectivity to an LDAP server")
 				}
 			},
 			createIDP: func(t *testing.T) {
 				t.Helper()
-				secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
+				secret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
 					map[string]string{
 						v1.BasicAuthUsernameKey: env.SupervisorUpstreamLDAP.BindUsername,
 						v1.BasicAuthPasswordKey: env.SupervisorUpstreamLDAP.BindPassword,
 					},
 				)
-				ldapIDP := library.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{
+				ldapIDP := testlib.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{
 					Host: env.SupervisorUpstreamLDAP.StartTLSOnlyHost,
 					TLS: &idpv1alpha1.TLSSpec{
 						CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.CABundle)),
@ -278,7 +278,7 @@ func testSupervisorLogin(
 	requestAuthorization func(t *testing.T, downstreamAuthorizeURL, downstreamCallbackURL string, httpClient *http.Client),
 	wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch string, wantDownstreamIDTokenGroups []string,
 ) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
@ -305,12 +305,12 @@ func testSupervisorLogin(
 					return nil, nil
 				}
 				if env.Proxy == "" {
-					t.Logf("passing request for %s with no proxy", library.RedactURLParams(req.URL))
+					t.Logf("passing request for %s with no proxy", testlib.RedactURLParams(req.URL))
 					return nil, nil
 				}
 				proxyURL, err := url.Parse(env.Proxy)
 				require.NoError(t, err)
-				t.Logf("passing request for %s through proxy %s", library.RedactURLParams(req.URL), proxyURL.String())
+				t.Logf("passing request for %s through proxy %s", testlib.RedactURLParams(req.URL), proxyURL.String())
 				return proxyURL, nil
 			},
 		},
@ -329,7 +329,7 @@ func testSupervisorLogin(
 	require.NoError(t, err)
 	// Write the serving cert to a secret.
-	certSecret := library.CreateTestSecret(t,
+	certSecret := testlib.CreateTestSecret(t,
 		env.SupervisorNamespace,
 		"oidc-provider-tls",
 		v1.SecretTypeTLS,
@ -337,7 +337,7 @@ func testSupervisorLogin(
 	)
 	// Create the downstream FederationDomain and expect it to go into the success status condition.
-	downstream := library.CreateTestFederationDomain(ctx, t,
+	downstream := testlib.CreateTestFederationDomain(ctx, t,
 		issuerURL.String(),
 		certSecret.Name,
 		configv1alpha1.SuccessFederationDomainStatusCondition,
@ -354,7 +354,7 @@ func testSupervisorLogin(
 		nil,
 	)
 	require.NoError(t, err)
-	library.RequireEventually(t, func(requireEventually *require.Assertions) {
+	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		rsp, err := httpClient.Do(requestJWKSEndpoint)
 		requireEventually.NoError(err)
 		requireEventually.NoError(rsp.Body.Close())
@ -366,7 +366,7 @@ func testSupervisorLogin(
 	// Perform OIDC discovery for our downstream.
 	var discovery *coreosoidc.Provider
-	library.RequireEventually(t, func(requireEventually *require.Assertions) {
+	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		var err error
 		discovery, err = coreosoidc.NewProvider(oidcHTTPClientContext, downstream.Spec.Issuer)
 		requireEventually.NoError(err)
@ -403,7 +403,7 @@ func testSupervisorLogin(
 	// Expect that our callback handler was invoked.
 	callback := localCallbackServer.waitForCallback(10 * time.Second)
-	t.Logf("got callback request: %s", library.MaskTokens(callback.URL.String()))
+	t.Logf("got callback request: %s", testlib.MaskTokens(callback.URL.String()))
 	require.Equal(t, stateParam.String(), callback.URL.Query().Get("state"))
 	require.ElementsMatch(t, []string{"openid", "pinniped:request-audience", "offline_access"}, strings.Split(callback.URL.Query().Get("scope"), " "))
 	authcode := callback.URL.Query().Get("code")
@ -497,7 +497,7 @@ func verifyTokenResponse(
 func requestAuthorizationUsingOIDCIdentityProvider(t *testing.T, downstreamAuthorizeURL, downstreamCallbackURL string, httpClient *http.Client) {
 	t.Helper()
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Minute)
 	defer cancelFunc()
@ -512,7 +512,7 @@ func requestAuthorizationUsingOIDCIdentityProvider(t *testing.T, downstreamAutho
 	// Open the web browser and navigate to the downstream authorize URL.
 	page := browsertest.Open(t)
-	t.Logf("opening browser to downstream authorize URL %s", library.MaskTokens(downstreamAuthorizeURL))
+	t.Logf("opening browser to downstream authorize URL %s", testlib.MaskTokens(downstreamAuthorizeURL))
 	require.NoError(t, page.Navigate(downstreamAuthorizeURL))
 	// Expect to be redirected to the upstream provider and log in.
@ -542,7 +542,7 @@ func requestAuthorizationUsingLDAPIdentityProvider(t *testing.T, downstreamAutho
 	// to retry this request multiple times until we get the expected 302 status response.
 	var authResponse *http.Response
 	var responseBody []byte
-	library.RequireEventuallyWithoutError(t, func() (bool, error) {
+	testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 		authResponse, err = httpClient.Do(authRequest)
 		if err != nil {
 			t.Logf("got authorization response with error %v", err)
--- a/test/integration/supervisor_secrets_test.go
+++ b/test/integration/supervisor_secrets_test.go
@ -15,19 +15,19 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestSupervisorSecrets(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
-	kubeClient := library.NewKubernetesClientset(t)
+	kubeClient := testlib.NewKubernetesClientset(t)
-	supervisorClient := library.NewSupervisorClientset(t)
+	supervisorClient := testlib.NewSupervisorClientset(t)
 	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 	defer cancel()
 	// Create our FederationDomain under test.
-	federationDomain := library.CreateTestFederationDomain(ctx, t, "", "", "")
+	federationDomain := testlib.CreateTestFederationDomain(ctx, t, "", "", "")
 	tests := []struct {
 		name        string
@ -75,7 +75,7 @@ func TestSupervisorSecrets(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			// Ensure a secret is created with the FederationDomain's JWKS.
 			var updatedFederationDomain *configv1alpha1.FederationDomain
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				resp, err := supervisorClient.
 					ConfigV1alpha1().
 					FederationDomains(env.SupervisorNamespace).
@ -107,7 +107,7 @@ func TestSupervisorSecrets(t *testing.T) {
 				Secrets(env.SupervisorNamespace).
 				Delete(ctx, test.secretName(updatedFederationDomain), metav1.DeleteOptions{})
 			require.NoError(t, err)
-			library.RequireEventually(t, func(requireEventually *require.Assertions) {
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				var err error
 				secret, err = kubeClient.
 					CoreV1().
--- a/test/integration/supervisor_storage_garbage_collection_test.go
+++ b/test/integration/supervisor_storage_garbage_collection_test.go
@ -16,7 +16,7 @@ import (
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	"go.pinniped.dev/internal/crud"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestStorageGarbageCollection(t *testing.T) {
@ -24,8 +24,8 @@ func TestStorageGarbageCollection(t *testing.T) {
 	// and will not impact other tests, or be impacted by other tests, when run in parallel.
 	t.Parallel()
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
-	client := library.NewKubernetesClientset(t)
+	client := testlib.NewKubernetesClientset(t)
 	secrets := client.CoreV1().Secrets(env.SupervisorNamespace)
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
@ -55,12 +55,12 @@ func TestStorageGarbageCollection(t *testing.T) {
 	// in practice we should only need to wait about 30 seconds, which is the GC controller's self-imposed
 	// rate throttling time period.
 	slightlyLongerThanGCControllerFullResyncPeriod := 3*time.Minute + 30*time.Second
-	library.RequireEventually(t, func(requireEventually *require.Assertions) {
+	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		_, err := secrets.Get(ctx, secretAlreadyExpired.Name, metav1.GetOptions{})
 		requireEventually.Truef(k8serrors.IsNotFound(err), "wanted a NotFound error but got %v", err)
 	}, slightlyLongerThanGCControllerFullResyncPeriod, 250*time.Millisecond)
-	library.RequireEventually(t, func(requireEventually *require.Assertions) {
+	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		_, err := secrets.Get(ctx, secretWhichWillExpireBeforeTheTestEnds.Name, metav1.GetOptions{})
 		requireEventually.Truef(k8serrors.IsNotFound(err), "wanted a NotFound error but got %v", err)
 	}, slightlyLongerThanGCControllerFullResyncPeriod, 250*time.Millisecond)
--- a/test/integration/supervisor_storage_test.go
+++ b/test/integration/supervisor_storage_test.go
@ -20,12 +20,12 @@ import (
 	"go.pinniped.dev/internal/fositestorage/authorizationcode"
 	"go.pinniped.dev/internal/testutil"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestAuthorizeCodeStorage(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
-	client := library.NewKubernetesClientset(t)
+	client := testlib.NewKubernetesClientset(t)
 	const (
 		// randomly generated HMAC authorization code (see below)
--- a/test/integration/supervisor_upstream_test.go
+++ b/test/integration/supervisor_upstream_test.go
@ -11,11 +11,11 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestSupervisorUpstreamOIDCDiscovery(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	t.Run("invalid missing secret and bad issuer", func(t *testing.T) {
 		t.Parallel()
@ -25,7 +25,7 @@ func TestSupervisorUpstreamOIDCDiscovery(t *testing.T) {
 				SecretName: "does-not-exist",
 			},
 		}
-		upstream := library.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseError)
+		upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseError)
 		expectUpstreamConditions(t, upstream, []v1alpha1.Condition{
 			{
 				Type:    "ClientCredentialsValid",
@ -54,10 +54,10 @@ Get "https://127.0.0.1:444444/issuer/.well-known/openid-configuration": dial tcp
 				AdditionalScopes: []string{"email", "profile"},
 			},
 			Client: v1alpha1.OIDCClient{
-				SecretName: library.CreateClientCredsSecret(t, "test-client-id", "test-client-secret").Name,
+				SecretName: testlib.CreateClientCredsSecret(t, "test-client-id", "test-client-secret").Name,
 			},
 		}
-		upstream := library.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseError)
+		upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseError)
 		expectUpstreamConditions(t, upstream, []v1alpha1.Condition{
 			{
 				Type:    "ClientCredentialsValid",
@ -86,10 +86,10 @@ oidc: issuer did not match the issuer returned by provider, expected "` + env.Su
 				AdditionalScopes: []string{"email", "profile"},
 			},
 			Client: v1alpha1.OIDCClient{
-				SecretName: library.CreateClientCredsSecret(t, "test-client-id", "test-client-secret").Name,
+				SecretName: testlib.CreateClientCredsSecret(t, "test-client-id", "test-client-secret").Name,
 			},
 		}
-		upstream := library.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseReady)
+		upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseReady)
 		expectUpstreamConditions(t, upstream, []v1alpha1.Condition{
 			{
 				Type:    "ClientCredentialsValid",
--- a/test/integration/whoami_test.go
+++ b/test/integration/whoami_test.go
@ -26,18 +26,18 @@ import (
 	"k8s.io/client-go/util/keyutil"
 	identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 func TestWhoAmI_Kubeadm(t *testing.T) {
 	// use the cluster signing key being available as a proxy for this being a kubeadm cluster
 	// we should add more robust logic around skipping clusters based on vendor
-	_ = library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)
+	_ = testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	whoAmI, err := library.NewConciergeClientset(t).IdentityV1alpha1().WhoAmIRequests().
+	whoAmI, err := testlib.NewConciergeClientset(t).IdentityV1alpha1().WhoAmIRequests().
 		Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 	require.NoError(t, err)
@ -61,12 +61,12 @@ func TestWhoAmI_Kubeadm(t *testing.T) {
 }
 func TestWhoAmI_ServiceAccount_Legacy(t *testing.T) {
-	_ = library.IntegrationEnv(t)
+	_ = testlib.IntegrationEnv(t)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	kubeClient := library.NewKubernetesClientset(t).CoreV1()
+	kubeClient := testlib.NewKubernetesClientset(t).CoreV1()
 	ns, err := kubeClient.Namespaces().Create(ctx, &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
@ -97,7 +97,7 @@ func TestWhoAmI_ServiceAccount_Legacy(t *testing.T) {
 	}, metav1.CreateOptions{})
 	require.NoError(t, err)
-	library.RequireEventuallyWithoutError(t, func() (bool, error) {
+	testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 		secret, err = kubeClient.Secrets(ns.Name).Get(ctx, secret.Name, metav1.GetOptions{})
 		if err != nil {
 			return false, err
@ -105,10 +105,10 @@ func TestWhoAmI_ServiceAccount_Legacy(t *testing.T) {
 		return len(secret.Data[corev1.ServiceAccountTokenKey]) > 0, nil
 	}, time.Minute, time.Second)
-	saConfig := library.NewAnonymousClientRestConfig(t)
+	saConfig := testlib.NewAnonymousClientRestConfig(t)
 	saConfig.BearerToken = string(secret.Data[corev1.ServiceAccountTokenKey])
-	whoAmI, err := library.NewKubeclient(t, saConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
+	whoAmI, err := testlib.NewKubeclient(t, saConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 		Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 	require.NoError(t, err)
@ -134,12 +134,12 @@ func TestWhoAmI_ServiceAccount_Legacy(t *testing.T) {
 }
 func TestWhoAmI_ServiceAccount_TokenRequest(t *testing.T) {
-	_ = library.IntegrationEnv(t)
+	_ = testlib.IntegrationEnv(t)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	kubeClient := library.NewKubernetesClientset(t).CoreV1()
+	kubeClient := testlib.NewKubernetesClientset(t).CoreV1()
 	ns, err := kubeClient.Namespaces().Create(ctx, &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
@ -193,12 +193,12 @@ func TestWhoAmI_ServiceAccount_TokenRequest(t *testing.T) {
 	}, metav1.CreateOptions{})
 	require.NoError(t, err)
-	saBadAudConfig := library.NewAnonymousClientRestConfig(t)
+	saBadAudConfig := testlib.NewAnonymousClientRestConfig(t)
 	saBadAudConfig.BearerToken = tokenRequestBadAudience.Status.Token
-	_, badAudErr := library.NewKubeclient(t, saBadAudConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
+	_, badAudErr := testlib.NewKubeclient(t, saBadAudConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 		Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
-	require.True(t, errors.IsUnauthorized(badAudErr), library.Sdump(badAudErr))
+	require.True(t, errors.IsUnauthorized(badAudErr), testlib.Sdump(badAudErr))
 	tokenRequest, err := kubeClient.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{
 		Spec: authenticationv1.TokenRequestSpec{
@ -213,10 +213,10 @@ func TestWhoAmI_ServiceAccount_TokenRequest(t *testing.T) {
 	}, metav1.CreateOptions{})
 	require.NoError(t, err)
-	saTokenReqConfig := library.NewAnonymousClientRestConfig(t)
+	saTokenReqConfig := testlib.NewAnonymousClientRestConfig(t)
 	saTokenReqConfig.BearerToken = tokenRequest.Status.Token
-	whoAmITokenReq, err := library.NewKubeclient(t, saTokenReqConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
+	whoAmITokenReq, err := testlib.NewKubeclient(t, saTokenReqConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 		Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 	require.NoError(t, err)
@ -248,12 +248,12 @@ func TestWhoAmI_ServiceAccount_TokenRequest(t *testing.T) {
 func TestWhoAmI_CSR(t *testing.T) {
 	// use the cluster signing key being available as a proxy for this not being an EKS cluster
 	// we should add more robust logic around skipping clusters based on vendor
-	_ = library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)
+	_ = testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	kubeClient := library.NewKubernetesClientset(t)
+	kubeClient := testlib.NewKubernetesClientset(t)
 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	require.NoError(t, err)
@ -305,11 +305,11 @@ func TestWhoAmI_CSR(t *testing.T) {
 	crtPEM, err := csr.WaitForCertificate(ctx, kubeClient, csrName, csrUID)
 	require.NoError(t, err)
-	csrConfig := library.NewAnonymousClientRestConfig(t)
+	csrConfig := testlib.NewAnonymousClientRestConfig(t)
 	csrConfig.CertData = crtPEM
 	csrConfig.KeyData = keyPEM
-	whoAmI, err := library.NewKubeclient(t, csrConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
+	whoAmI, err := testlib.NewKubeclient(t, csrConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 		Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 	require.NoError(t, err)
@ -333,14 +333,14 @@ func TestWhoAmI_CSR(t *testing.T) {
 }
 func TestWhoAmI_Anonymous(t *testing.T) {
-	_ = library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
+	_ = testlib.IntegrationEnv(t).WithCapability(testlib.AnonymousAuthenticationSupported)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	anonymousConfig := library.NewAnonymousClientRestConfig(t)
+	anonymousConfig := testlib.NewAnonymousClientRestConfig(t)
-	whoAmI, err := library.NewKubeclient(t, anonymousConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
+	whoAmI, err := testlib.NewKubeclient(t, anonymousConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 		Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 	require.NoError(t, err)
@ -363,12 +363,12 @@ func TestWhoAmI_Anonymous(t *testing.T) {
 }
 func TestWhoAmI_ImpersonateDirectly(t *testing.T) {
-	_ = library.IntegrationEnv(t)
+	_ = testlib.IntegrationEnv(t)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	impersonationConfig := library.NewClientConfig(t)
+	impersonationConfig := testlib.NewClientConfig(t)
 	impersonationConfig.Impersonate = rest.ImpersonationConfig{
 		UserName: "solaire",
 		// need to impersonate system:authenticated directly to support older clusters otherwise we will get RBAC errors below
@ -379,7 +379,7 @@ func TestWhoAmI_ImpersonateDirectly(t *testing.T) {
 		},
 	}
-	whoAmI, err := library.NewKubeclient(t, impersonationConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
+	whoAmI, err := testlib.NewKubeclient(t, impersonationConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 		Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 	require.NoError(t, err)
@ -406,12 +406,12 @@ func TestWhoAmI_ImpersonateDirectly(t *testing.T) {
 		whoAmI,
 	)
-	impersonationAnonymousConfig := library.NewClientConfig(t)
+	impersonationAnonymousConfig := testlib.NewClientConfig(t)
 	impersonationAnonymousConfig.Impersonate.UserName = "system:anonymous"
 	// need to impersonate system:unauthenticated directly to support older clusters otherwise we will get RBAC errors below
 	impersonationAnonymousConfig.Impersonate.Groups = []string{"system:unauthenticated"}
-	whoAmIAnonymous, err := library.NewKubeclient(t, impersonationAnonymousConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
+	whoAmIAnonymous, err := testlib.NewKubeclient(t, impersonationAnonymousConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 		Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 	require.NoError(t, err)
--- a/test/testlib/access.go
+++ b/test/testlib/access.go
@ -1,7 +1,7 @@
 // Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-package library
+package testlib
 import (
 	"context"
--- a/test/testlib/assertions.go
+++ b/test/testlib/assertions.go
@ -1,7 +1,7 @@
 // Copyright 2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-package library
+package testlib
 import (
 	"context"
--- a/test/testlib/browsertest/browsertest.go
+++ b/test/testlib/browsertest/browsertest.go
@ -12,7 +12,7 @@ import (
 	"github.com/sclevine/agouti"
 	"github.com/stretchr/testify/require"
-	"go.pinniped.dev/test/library"
+	"go.pinniped.dev/test/testlib"
 )
 const (
@ -25,7 +25,7 @@ const (
 // in a mode that ignore certificate errors.
 func Open(t *testing.T) *agouti.Page {
 	t.Logf("opening browser driver")
-	env := library.IntegrationEnv(t)
+	env := testlib.IntegrationEnv(t)
 	caps := agouti.NewCapabilities()
 	if env.Proxy != "" {
 		t.Logf("configuring Chrome to use proxy %q", env.Proxy)
@ -59,7 +59,7 @@ func Open(t *testing.T) *agouti.Page {
 func WaitForVisibleElements(t *testing.T, page *agouti.Page, selectors ...string) {
 	t.Helper()
-	library.RequireEventuallyf(t,
+	testlib.RequireEventuallyf(t,
 		func(requireEventually *require.Assertions) {
 			for _, sel := range selectors {
 				vis, err := page.First(sel).Visible()
@ -78,7 +78,7 @@ func WaitForVisibleElements(t *testing.T, page *agouti.Page, selectors ...string
 // to occur and times out, failing the test, if it never does.
 func WaitForURL(t *testing.T, page *agouti.Page, pat *regexp.Regexp) {
 	var lastURL string
-	library.RequireEventuallyf(t,
+	testlib.RequireEventuallyf(t,
 		func(requireEventually *require.Assertions) {
 			url, err := page.URL()
 			if url != lastURL {
@ -97,7 +97,7 @@ func WaitForURL(t *testing.T, page *agouti.Page, pat *regexp.Regexp) {
 // LoginToUpstream expects the page to be redirected to one of several known upstream IDPs.
 // It knows how to enter the test username/password and submit the upstream login form.
-func LoginToUpstream(t *testing.T, page *agouti.Page, upstream library.TestOIDCUpstream) {
+func LoginToUpstream(t *testing.T, page *agouti.Page, upstream testlib.TestOIDCUpstream) {
 	t.Helper()
 	type config struct {
--- a/test/testlib/cli.go
+++ b/test/testlib/cli.go
@ -1,7 +1,7 @@
 // Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-package library
+package testlib
 import (
 	"io/ioutil"
--- a/test/testlib/client.go
+++ b/test/testlib/client.go
@ -1,7 +1,7 @@
 // Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-package library
+package testlib
 import (
 	"context"
--- a/test/testlib/env.go
+++ b/test/testlib/env.go
@ -1,7 +1,7 @@
 // Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-package library
+package testlib
 import (
 	"encoding/base64"
--- a/test/testlib/iotest.go
+++ b/test/testlib/iotest.go
@ -1,7 +1,7 @@
 // Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-package library
+package testlib
 import (
 	"fmt"
--- a/test/testlib/iplookup.go
+++ b/test/testlib/iplookup.go
@ -3,7 +3,7 @@
 // +build !go1.14
-package library
+package testlib
 import (
 	"context"
--- a/test/testlib/iplookup_go1.14.go
+++ b/test/testlib/iplookup_go1.14.go
@ -3,7 +3,7 @@
 // +build go1.14
-package library
+package testlib
 import (
 	"context"
--- a/test/testlib/skip.go
+++ b/test/testlib/skip.go
@ -1,7 +1,7 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-package library
+package testlib
 import "testing"
--- a/test/testlib/spew.go
+++ b/test/testlib/spew.go
@ -1,7 +1,7 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-package library
+package testlib
 import "github.com/davecgh/go-spew/spew"