Remove plog.Logr, make plog.TestZapr private, and CLI logs do not need a name

Co-authored-by: Ryan Richard <richardry@vmware.com>
2025-12-23 06:15:47 +00:00 · 2024-06-11 17:27:45 -05:00
parent 9296d95084
commit 011d6ba71b
10 changed files with 334 additions and 340 deletions
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -193,7 +193,7 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 	ctx, cancel := context.WithTimeout(ctx, flags.timeout)
 	defer cancel()

-	// the log statements in this file assume that Info logs are unconditionally printed so we set the global level to info
+	// the log statements in this file assume that Info logs are unconditionally printed, so we set the global level to info
 	if err := plog.ValidateAndSetLogLevelAndFormatGlobally(ctx, plog.LogSpec{Level: plog.LevelInfo, Format: plog.FormatCLI}); err != nil {
 		return err
 	}
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@@ -297,7 +297,7 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
 				}
 			},
 			wantError: true,
@@ -321,7 +321,7 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
 				}
 			},
 			wantError: true,
@@ -345,7 +345,7 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
 				}
 			},
 			wantError: true,
@@ -367,7 +367,7 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
 				}
 			},
 			conciergeReactions: []kubetesting.Reactor{
@@ -407,7 +407,7 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
 				}
 			},
 			wantError: true,
@@ -429,7 +429,7 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
 				}
 			},
 			wantError: true,
@@ -455,11 +455,11 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupAuthenticator","message":"found JWTAuthenticator","name":"test-authenticator-1"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupAuthenticator","message":"found JWTAuthenticator","name":"test-authenticator-2"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupAuthenticator","message":"found WebhookAuthenticator","name":"test-authenticator-3"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupAuthenticator","message":"found WebhookAuthenticator","name":"test-authenticator-4"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  found JWTAuthenticator  {"name": "test-authenticator-1"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  found JWTAuthenticator  {"name": "test-authenticator-2"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  found WebhookAuthenticator  {"name": "test-authenticator-3"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  found WebhookAuthenticator  {"name": "test-authenticator-4"}`,
 				}
 			},
 			wantError: true,
@@ -492,8 +492,8 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.logStrategies","message":"found CredentialIssuer strategy","type":"SomeType","status":"Error","reason":"SomeReason","message":"Some message"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  found CredentialIssuer strategy  {"type": "SomeType", "status": "Error", "reason": "SomeReason", "message": "Some message"}`,
 				}
 			},
 			wantError: true,
@@ -553,9 +553,9 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in impersonation proxy mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://impersonation-endpoint"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in impersonation proxy mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://impersonation-endpoint"}`,
 				}
 			},
 			wantError: true,
@@ -578,11 +578,11 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered WebhookAuthenticator","name":"test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered WebhookAuthenticator  {"name": "test-authenticator"}`,
 				}
 			},
 			wantError: true,
@@ -631,13 +631,13 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"some-test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "some-test-audience"}`,
 				}
 			},
 			wantError: true,
@@ -670,14 +670,14 @@ func TestGetKubeconfig(t *testing.T) {
 			oidcDiscoveryResponse: happyOIDCDiscoveryResponse,
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"some-test-audience.pinniped.dev-invalid-substring"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "some-test-audience.pinniped.dev-invalid-substring"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantError: true,
@@ -702,13 +702,13 @@ func TestGetKubeconfig(t *testing.T) {
 			oidcDiscoveryResponse: happyOIDCDiscoveryResponse,
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantError: true,
@@ -733,14 +733,14 @@ func TestGetKubeconfig(t *testing.T) {
 			oidcDiscoveryResponse: onlyIssuerOIDCDiscoveryResponse,
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantError: true,
@@ -765,11 +765,11 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered WebhookAuthenticator","name":"test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered WebhookAuthenticator  {"name": "test-authenticator"}`,
 				}
 			},
 			wantError: true,
@@ -806,14 +806,14 @@ func TestGetKubeconfig(t *testing.T) {
 			oidcDiscoveryStatusCode: http.StatusBadRequest,
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantError: true,
@@ -842,14 +842,14 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantError: true,
@@ -877,14 +877,14 @@ func TestGetKubeconfig(t *testing.T) {
 			idpsDiscoveryStatusCode: http.StatusBadRequest,
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantError: true,
@@ -916,14 +916,14 @@ func TestGetKubeconfig(t *testing.T) {
 			}`),
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantError: true,
@@ -952,14 +952,14 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantError: true,
@@ -985,14 +985,14 @@ func TestGetKubeconfig(t *testing.T) {
 			idpsDiscoveryResponse: "this is not valid JSON",
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantError: true,
@@ -1022,13 +1022,13 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
 				}
 			},
 			wantError: true,
@@ -1061,12 +1061,12 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
 				}
 			},
 			wantError: true,
@@ -1099,14 +1099,14 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantError: true,
@@ -1384,7 +1384,9 @@ func TestGetKubeconfig(t *testing.T) {
 					base64.StdEncoding.EncodeToString([]byte(issuerCABundle)))
 			},
 			wantLogs: func(_ string, _ string) []string {
-				return []string{`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.selectUpstreamIDPFlow","message":"multiple client flows found, selecting first value as default","idpName":"some-ldap-idp","idpType":"ldap","selectedFlow":"cli_password","availableFlows":["cli_password","flow2"]}`}
+				return []string{
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  multiple client flows found, selecting first value as default  {"idpName": "some-ldap-idp", "idpType": "ldap", "selectedFlow": "cli_password", "availableFlows": ["cli_password","flow2"]}`,
+				}
 			},
 		},
 		{
@@ -1404,11 +1406,11 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered WebhookAuthenticator","name":"test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered WebhookAuthenticator  {"name": "test-authenticator"}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -1468,11 +1470,11 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered WebhookAuthenticator","name":"test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered WebhookAuthenticator  {"name": "test-authenticator"}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -1532,14 +1534,14 @@ func TestGetKubeconfig(t *testing.T) {
 			oidcDiscoveryResponse: onlyIssuerOIDCDiscoveryResponse,
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -1732,13 +1734,13 @@ func TestGetKubeconfig(t *testing.T) {
 			oidcDiscoveryResponse: onlyIssuerOIDCDiscoveryResponse,
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://impersonation-proxy-endpoint.test"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":1}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://impersonation-proxy-endpoint.test"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -1840,14 +1842,14 @@ func TestGetKubeconfig(t *testing.T) {
 			oidcDiscoveryResponse: onlyIssuerOIDCDiscoveryResponse,
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in impersonation proxy mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://impersonation-proxy-endpoint.test"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in impersonation proxy mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://impersonation-proxy-endpoint.test"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -1917,14 +1919,14 @@ func TestGetKubeconfig(t *testing.T) {
 			}`),
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -1996,14 +1998,14 @@ func TestGetKubeconfig(t *testing.T) {
 			}`),
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -2073,14 +2075,14 @@ func TestGetKubeconfig(t *testing.T) {
 			}`),
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -2146,14 +2148,14 @@ func TestGetKubeconfig(t *testing.T) {
 			idpsDiscoveryStatusCode: http.StatusBadRequest, // IDPs endpoint shouldn't be called by this test
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -2226,14 +2228,14 @@ func TestGetKubeconfig(t *testing.T) {
 			idpsDiscoveryStatusCode: http.StatusBadRequest, // IDP discovery endpoint shouldn't be called by this test
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -2311,16 +2313,16 @@ func TestGetKubeconfig(t *testing.T) {
 			}`),
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.pinnipedSupervisorDiscovery.func1","message":"removed scope from --oidc-scopes list because it is not supported by this Supervisor","scope":"username"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.pinnipedSupervisorDiscovery.func1","message":"removed scope from --oidc-scopes list because it is not supported by this Supervisor","scope":"groups"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  removed scope from --oidc-scopes list because it is not supported by this Supervisor  {"scope": "username"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  removed scope from --oidc-scopes list because it is not supported by this Supervisor  {"scope": "groups"}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -2399,16 +2401,16 @@ func TestGetKubeconfig(t *testing.T) {
 			}`),
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.pinnipedSupervisorDiscovery.func1","message":"removed scope from --oidc-scopes list because it is not supported by this Supervisor","scope":"username"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.pinnipedSupervisorDiscovery.func1","message":"removed scope from --oidc-scopes list because it is not supported by this Supervisor","scope":"groups"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  removed scope from --oidc-scopes list because it is not supported by this Supervisor  {"scope": "username"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  removed scope from --oidc-scopes list because it is not supported by this Supervisor  {"scope": "groups"}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -2489,14 +2491,14 @@ func TestGetKubeconfig(t *testing.T) {
 			}`),
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -2567,14 +2569,14 @@ func TestGetKubeconfig(t *testing.T) {
 			idpsDiscoveryStatusCode: http.StatusNotFound,        // should not get called by the client in this case
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -2650,14 +2652,14 @@ func TestGetKubeconfig(t *testing.T) {
 			}`),
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered JWTAuthenticator","name":"test-authenticator"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC issuer","issuer":"` + issuerURL + `"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC audience","audience":"test-audience"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered OIDC CA bundle","roots":1}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered JWTAuthenticator  {"name": "test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC issuer  {"issuer": "` + issuerURL + `"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC audience  {"audience": "test-audience"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered OIDC CA bundle  {"roots": 1}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -3152,11 +3154,11 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantLogs: func(issuerCABundle string, issuerURL string) []string {
 				return []string{
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.lookupCredentialIssuer","message":"discovered CredentialIssuer","name":"test-credential-issuer"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge operating in TokenCredentialRequest API mode"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge endpoint","endpoint":"https://fake-server-url-value"}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverConciergeParams","message":"discovered Concierge certificate authority bundle","roots":0}`,
-					`{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"cmd/kubeconfig.go:<line>$cmd.discoverAuthenticatorParams","message":"discovered WebhookAuthenticator","name":"test-authenticator"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered CredentialIssuer  {"name": "test-credential-issuer"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge operating in TokenCredentialRequest API mode`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge endpoint  {"endpoint": "https://fake-server-url-value"}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered Concierge certificate authority bundle  {"roots": 0}`,
+					`2099-08-08T13:57:36.123456Z  info  cmd/kubeconfig.go:<line>  discovered WebhookAuthenticator  {"name": "test-authenticator"}`,
 				}
 			},
 			wantStdout: func(issuerCABundle string, issuerURL string) string {
@@ -3259,7 +3261,7 @@ func TestGetKubeconfig(t *testing.T) {
 					}
 					return fake, nil
 				},
-				log: plog.TestLogger(t, &log),
+				log: plog.TestConsoleLogger(t, &log),
 			})
 			require.NotNil(t, cmd)

--- a/cmd/pinniped/cmd/login_oidc.go
+++ b/cmd/pinniped/cmd/login_oidc.go
@@ -176,9 +176,8 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin

 	// If the hidden --debug-session-cache option is passed, log all the errors from the session cache.
 	if flags.debugSessionCache {
-		logger := plog.WithName("session")
 		sessionOptions = append(sessionOptions, filesession.WithErrorReporter(func(err error) {
-			logger.Error("error during session cache operation", err)
+			pLogger.Error("error during session cache operation", err)
 		}))
 	}
 	sessionCache := filesession.New(flags.sessionCachePath, sessionOptions...)
@@ -186,7 +185,7 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 	// Initialize the login handler.
 	opts := []oidcclient.Option{
 		deps.optionsFactory.WithContext(cmd.Context()),
-		deps.optionsFactory.WithLoginLogger(plog.New()),
+		deps.optionsFactory.WithLoginLogger(pLogger),
 		deps.optionsFactory.WithScopes(flags.scopes),
 		deps.optionsFactory.WithSessionCache(sessionCache),
 	}
@@ -339,8 +338,7 @@ func SetLogLevel(ctx context.Context, lookupEnv func(string) (string, bool)) (pl
 			return nil, err
 		}
 	}
-	logger := plog.New().WithName("pinniped-login")
-	return logger, nil
+	return plog.New(), nil
 }

 /*
--- a/cmd/pinniped/cmd/login_oidc_test.go
+++ b/cmd/pinniped/cmd/login_oidc_test.go
@@ -274,8 +274,8 @@ func TestLoginOIDCCommand(t *testing.T) {
 			wantOptionsCount: 4,
 			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
 			wantLogs: []string{
-				nowStr + `  pinniped-login  cmd/login_oidc.go:268  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
-				nowStr + `  pinniped-login  cmd/login_oidc.go:288  No concierge configured, skipping token credential exchange`,
+				nowStr + `  cmd/login_oidc.go:267  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
+				nowStr + `  cmd/login_oidc.go:287  No concierge configured, skipping token credential exchange`,
 			},
 		},
 		{
@@ -319,10 +319,10 @@ func TestLoginOIDCCommand(t *testing.T) {
 			wantOptionsCount: 12,
 			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"token":"exchanged-token"}}` + "\n",
 			wantLogs: []string{
-				nowStr + `  pinniped-login  cmd/login_oidc.go:268  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
-				nowStr + `  pinniped-login  cmd/login_oidc.go:278  Exchanging token for cluster credential  {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
-				nowStr + `  pinniped-login  cmd/login_oidc.go:286  Successfully exchanged token for cluster credential.`,
-				nowStr + `  pinniped-login  cmd/login_oidc.go:293  caching cluster credential for future use.`,
+				nowStr + `  cmd/login_oidc.go:267  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
+				nowStr + `  cmd/login_oidc.go:277  Exchanging token for cluster credential  {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
+				nowStr + `  cmd/login_oidc.go:285  Successfully exchanged token for cluster credential.`,
+				nowStr + `  cmd/login_oidc.go:292  caching cluster credential for future use.`,
 			},
 		},
 	}
--- a/cmd/pinniped/cmd/login_static_test.go
+++ b/cmd/pinniped/cmd/login_static_test.go
@@ -147,7 +147,7 @@ func TestLoginStaticCommand(t *testing.T) {
 				Error: could not complete Concierge credential exchange: some concierge error
 			`),
 			wantLogs: []string{
-				nowStr + `  pinniped-login  cmd/login_static.go:159  exchanging static token for cluster credential  {"endpoint": "https://127.0.0.1/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
+				nowStr + `  cmd/login_static.go:159  exchanging static token for cluster credential  {"endpoint": "https://127.0.0.1/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
 			},
 		},
 		{
--- a/internal/plog/config_test.go
+++ b/internal/plog/config_test.go
@@ -55,7 +55,7 @@ func TestFormat(t *testing.T) {
  "duration": "1h1m0s"
 }`, wd, getLineNumberOfCaller()-11), scanner.Text())

-	Logr().WithName("burrito").Error(errInvalidLogLevel, "wee", "a", "b")
+	New().WithName("burrito").Error("wee", errInvalidLogLevel, "a", "b")
 	require.True(t, scanner.Scan())
 	require.NoError(t, scanner.Err())
 	require.JSONEq(t, fmt.Sprintf(`
@@ -69,7 +69,7 @@ func TestFormat(t *testing.T) {
  "logger": "burrito"
 }`, wd, getLineNumberOfCaller()-12), scanner.Text())

-	Logr().V(klogLevelWarning).Info("hey") // note that this fails to set the custom warning key because it is not via plog
+	New().Info("hey")
 	require.True(t, scanner.Scan())
 	require.NoError(t, scanner.Err())
 	require.JSONEq(t, fmt.Sprintf(`
@@ -108,7 +108,7 @@ func TestFormat(t *testing.T) {
 	Trace("should not be logged", "for", "sure")
 	require.Empty(t, buf.String())

-	Logr().V(klogLevelAll).Info("also should not be logged", "open", "close")
+	New().All("also should not be logged", "open", "close")
 	require.Empty(t, buf.String())

 	ctx = AddZapOverridesToContext(ctx, t, &buf, nil, fakeClock, zap.AddStacktrace(LevelInfo))
@@ -151,7 +151,7 @@ testing.tRunner
 	require.Equal(t, fmt.Sprintf(nowStr+`  plog/config_test.go:%d  something happened  {"error": "invalid log format, valid choices are the empty string or 'json'", "an": "item"}`,
 		getLineNumberOfCaller()-4), scanner.Text())

-	Logr().WithName("burrito").Error(errInvalidLogLevel, "wee", "a", "b", "slightly less than a year", 363*24*time.Hour, "slightly more than 2 years", 2*367*24*time.Hour)
+	New().WithName("burrito").Error("wee", errInvalidLogLevel, "a", "b", "slightly less than a year", 363*24*time.Hour, "slightly more than 2 years", 2*367*24*time.Hour)
 	require.True(t, scanner.Scan())
 	require.NoError(t, scanner.Err())
 	require.Equal(t, fmt.Sprintf(nowStr+`  burrito  plog/config_test.go:%d  wee  {"a": "b", "slightly less than a year": "363d", "slightly more than 2 years": "2y4d", "error": "invalid log level, valid choices are the empty string, info, debug, trace and all"}`,
--- a/internal/plog/global.go
+++ b/internal/plog/global.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package plog
@@ -54,12 +54,6 @@ func init() {
 	}
 }

-// Deprecated: Use New instead.  This is meant for old code only.
-// New provides a more ergonomic API and correctly responds to global log config change.
-func Logr() logr.Logger {
-	return globalLogger
-}
-
 func Setup() func() {
 	logs.InitLogs()
 	return func() {
--- a/internal/plog/plog.go
+++ b/internal/plog/plog.go
@@ -190,7 +190,7 @@ func (p pLogger) withLogrMod(mod func(logr.Logger) logr.Logger) Logger {
 }

 func (p pLogger) logr() logr.Logger {
-	l := Logr() // grab the current global logger and its current config
+	l := globalLogger // grab the current global logger and its current config
 	for _, mod := range p.mods {
 		l = mod(l) // and then update it with all modifications
 	}
--- a/internal/plog/testing.go
+++ b/internal/plog/testing.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package plog
@@ -63,11 +63,19 @@ func TestLogger(t *testing.T, w io.Writer) Logger {
 	t.Helper()

 	return New().withLogrMod(func(l logr.Logger) logr.Logger {
-		return l.WithSink(TestZapr(t, w).GetSink())
+		return l.WithSink(testZapr(t, w, "json").GetSink())
 	})
 }

-func TestZapr(t *testing.T, w io.Writer) logr.Logger {
+func TestConsoleLogger(t *testing.T, w io.Writer) Logger {
+	t.Helper()
+
+	return New().withLogrMod(func(l logr.Logger) logr.Logger {
+		return l.WithSink(testZapr(t, w, "console").GetSink())
+	})
+}
+
+func testZapr(t *testing.T, w io.Writer, encoding string) logr.Logger {
 	t.Helper()

 	now, err := time.Parse(time.RFC3339Nano, "2099-08-08T13:57:36.123456789Z")
@@ -86,7 +94,10 @@ func TestZapr(t *testing.T, w io.Writer) logr.Logger {
 				if idx := strings.LastIndexByte(trimmed, ':'); idx != -1 {
 					trimmed = trimmed[:idx+1] + "<line>"
 				}
-				enc.AppendString(trimmed + funcEncoder(caller))
+				if encoding != "console" {
+					trimmed += funcEncoder(caller)
+				}
+				enc.AppendString(trimmed)
 			}
 		},
 		clocktesting.NewFakeClock(now),       // have the clock be static during tests
@@ -94,7 +105,7 @@ func TestZapr(t *testing.T, w io.Writer) logr.Logger {
 	)

 	// there is no buffering so we can ignore flush
-	zl, _, err := newLogr(ctx, "json", 0)
+	zl, _, err := newLogr(ctx, encoding, 0)
 	require.NoError(t, err)

 	return zl
--- a/internal/registry/clientsecretrequest/rest_test.go
+++ b/internal/registry/clientsecretrequest/rest_test.go
@@ -4,10 +4,8 @@
 package clientsecretrequest

 import (
-	"bytes"
 	"context"
 	"encoding/hex"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -15,6 +13,7 @@ import (
 	"strings"
 	"testing"

+	"github.com/go-logr/logr"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -32,7 +31,6 @@ import (
 	supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
 	"go.pinniped.dev/internal/oidcclientsecretstorage"
-	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/testutil"
 )

@@ -111,17 +109,17 @@ func TestCreate(t *testing.T) {
 	fakeTimeNowFunc := func() metav1.Time { return fakeNow }

 	tests := []struct {
-		name              string
-		args              args
-		seedOIDCClients   []*supervisorconfigv1alpha1.OIDCClient
-		seedHashes        func(storage *oidcclientsecretstorage.OIDCClientSecretStorage)
-		addReactors       func(*kubefake.Clientset, *supervisorfake.Clientset)
-		fakeByteGenerator io.Reader
-		fakeHasher        byteHasher
-		want              runtime.Object
-		wantErrStatus     *metav1.Status
-		wantHashes        *wantHashes
-		wantLogLines      []string
+		name                  string
+		args                  args
+		seedOIDCClients       []*supervisorconfigv1alpha1.OIDCClient
+		seedHashes            func(storage *oidcclientsecretstorage.OIDCClientSecretStorage)
+		addReactors           func(*kubefake.Clientset, *supervisorfake.Clientset)
+		fakeByteGenerator     io.Reader
+		fakeHasher            byteHasher
+		want                  runtime.Object
+		wantErrStatus         *metav1.Status
+		wantHashes            *wantHashes
+		wantLogStepSubstrings []string
 	}{
 		{
 			name: "wrong type of request object provided",
@@ -138,7 +136,7 @@ func TestCreate(t *testing.T) {
 				Reason: metav1.StatusReasonBadRequest,
 				Code:   http.StatusBadRequest,
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`failureType:request validation,msg:not an OIDCClientSecretRequest`,
 				`END`,
@@ -173,7 +171,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`failureType:request validation,msg:dryRun not supported`,
 				`END`,
@@ -196,7 +194,7 @@ func TestCreate(t *testing.T) {
 				Reason:  metav1.StatusReasonBadRequest,
 				Code:    http.StatusBadRequest,
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`failureType:request validation,msg:namespace must be some-namespace on OIDCClientSecretRequest, was wrong-namespace`,
 				`END`,
@@ -227,7 +225,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`failureType:validation webhook,msg:Internal error occurred: some-error-here`,
 				`END`,
@@ -255,7 +253,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`failureType:request validation,msg:no namespace information found in request context`,
 				`END`,
@@ -279,7 +277,7 @@ func TestCreate(t *testing.T) {
 				Reason:  metav1.StatusReasonBadRequest,
 				Code:    http.StatusBadRequest,
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`failureType:request validation,msg:the namespace of the provided object does not match the namespace sent on the request`,
 				`END`,
@@ -317,7 +315,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`failureType:request validation,msg:[metadata.generateName: Invalid value: "foo": generateName is not supported, metadata.name: Required value: name or generateName is required]`,
 				`END`,
@@ -351,7 +349,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`failureType:request validation,msg:metadata.name: Invalid value: "client.oauth.pinniped.dev-": must not equal 'client.oauth.pinniped.dev-'`,
 				`END`,
@@ -385,7 +383,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`failureType:request validation,msg:metadata.name: Invalid value: "does-not-contain-the-prefix": must start with 'client.oauth.pinniped.dev-'`,
 				`END`,
@@ -419,7 +417,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`failureType:request validation,msg:metadata.name: Invalid value: "client.oauth.pinniped.dev-contains/invalid/characters": may not contain '/'`,
 				`END`,
@@ -464,7 +462,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`failureType:request validation,msg:[metadata.generateName: Invalid value: "no-generate-allowed": generateName is not supported, metadata.name: Invalid value: "multiple/errors/aggregated": must start with 'client.oauth.pinniped.dev-', metadata.name: Invalid value: "multiple/errors/aggregated": may not contain '/']`,
 				`END`,
@@ -498,7 +496,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`failureType:oidcClientsClient.Get,msg:oidcclients.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-oidc-client-does-not-exist-404" not found`,
@@ -531,7 +529,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`failureType:oidcClientsClient.Get,msg:unexpected error darn`,
@@ -570,7 +568,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -610,7 +608,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -653,7 +651,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -706,7 +704,7 @@ func TestCreate(t *testing.T) {
 					fakeBcryptRandomBytes,
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -775,7 +773,7 @@ func TestCreate(t *testing.T) {
 					TotalClientSecrets: 3,
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -841,7 +839,7 @@ func TestCreate(t *testing.T) {
 					TotalClientSecrets: 1,
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -907,7 +905,7 @@ func TestCreate(t *testing.T) {
 					TotalClientSecrets: 1,
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -969,7 +967,7 @@ func TestCreate(t *testing.T) {
 				Reason:  metav1.StatusReasonBadRequest,
 				Code:    http.StatusBadRequest,
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -1036,7 +1034,7 @@ func TestCreate(t *testing.T) {
 				Reason:  metav1.StatusReasonBadRequest,
 				Code:    http.StatusBadRequest,
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -1086,7 +1084,7 @@ func TestCreate(t *testing.T) {
 					Name:  "client.oauth.pinniped.dev-some-client",
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -1140,7 +1138,7 @@ func TestCreate(t *testing.T) {
 					Name:  "client.oauth.pinniped.dev-some-client",
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -1188,7 +1186,7 @@ func TestCreate(t *testing.T) {
 					}},
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -1235,7 +1233,7 @@ func TestCreate(t *testing.T) {
 					TotalClientSecrets: 0,
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -1279,7 +1277,7 @@ func TestCreate(t *testing.T) {
 					TotalClientSecrets: 0,
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -1343,7 +1341,7 @@ func TestCreate(t *testing.T) {
 					TotalClientSecrets: 2,
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -1405,7 +1403,7 @@ func TestCreate(t *testing.T) {
 					TotalClientSecrets: 1,
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -1474,7 +1472,7 @@ func TestCreate(t *testing.T) {
 					TotalClientSecrets: 1,
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -1544,7 +1542,7 @@ func TestCreate(t *testing.T) {
 					TotalClientSecrets: 1,
 				},
 			},
-			wantLogLines: []string{
+			wantLogStepSubstrings: []string{
 				`"create"`,
 				`"validateRequest"`,
 				`oidcClientsClient.Get`,
@@ -1559,9 +1557,8 @@ func TestCreate(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// t.Parallel() should not be used because we are mutating the global logger.
-			var log bytes.Buffer
-			logger := plog.TestZapr(t, &log)
-			klog.SetLogger(logger)
+			logger := testutil.NewTranscriptLogger(t) //nolint:staticcheck  // old test with lots of log statements
+			klog.SetLogger(logr.New(logger))
 			originalKLogLevel := testutil.GetGlobalKlogLevel()
 			// trace.Log() utility will only log at level 2 or above, so set that for this test.
 			testutil.SetGlobalKlogLevel(t, 2) //nolint:staticcheck // old test of code using trace.Log()
@@ -1648,7 +1645,7 @@ func TestCreate(t *testing.T) {
 				require.Empty(t, secrets.Items)
 			}

-			requireLogLinesContain(t, log.String(), tt.wantLogLines)
+			requireExactlyOneLogLineWithMultipleSteps(t, logger, tt.wantLogStepSubstrings)
 		})
 	}
 }
@@ -1659,18 +1656,10 @@ func (r readerAlwaysErrors) Read(_ []byte) (n int, err error) {
 	return 0, errors.New("always errors")
 }

-func requireLogLinesContain(t *testing.T, fullLog string, wantLines []string) {
-	if len(wantLines) == 0 {
-		require.Empty(t, fullLog)
-		return
-	}
-	var jsonLog map[string]any
-	err := json.Unmarshal([]byte(fullLog), &jsonLog)
-	require.NoError(t, err)
-	require.Contains(t, jsonLog, "message")
-	message := jsonLog["message"]
-	require.IsType(t, "type of string", message)
-	lines := strings.Split(strings.TrimSpace(message.(string)), "\n")
+func requireExactlyOneLogLineWithMultipleSteps(t *testing.T, logger *testutil.TranscriptLogger, wantLines []string) {
+	transcript := logger.Transcript()
+	require.Len(t, transcript, 1)
+	lines := strings.Split(strings.TrimSpace(transcript[0].Message), "\n")

 	require.Lenf(t, lines, len(wantLines), "actual log lines length should match expected length, actual lines:\n\n%s", strings.Join(lines, "\n"))
 	for i := range wantLines {