diff --git a/.gitignore b/.gitignore index ab430bda6..4d1df9312 100644 --- a/.gitignore +++ b/.gitignore @@ -22,8 +22,3 @@ # Hugo temp file .hugo_build.lock - -# deploy_carvel is an ephemeral directory generated when certain scripts are executed. -# this directory will be created and populated with files that can be applied to a -# kubernetes cluster (specifically kind) in order to deploy Pinniped in an alternative way. -deploy_carvel diff --git a/deploy/concierge/values.yaml b/deploy/concierge/values.yaml index 4807cfc02..2721e27d0 100644 --- a/deploy/concierge/values.yaml +++ b/deploy/concierge/values.yaml @@ -1,9 +1,9 @@ -#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@data/values-schema --- -#@schema/desc "Name of pinniped-concierge." +#@schema/desc "Used to help determine the names of various resources and labels." app_name: pinniped-concierge #@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace." @@ -57,13 +57,14 @@ image_pull_dockerconfigjson: "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm #@schema/nullable discovery_url: https://example.com - #@ api_serving_certificate_desc = "Specify the duration and renewal interval for the API serving certificate. \ #@ The defaults are set to expire the cert about every 30 days, and to rotate it \ -#@ about every 25 days." +#@ about every 25 days. Specify this as an integer or as a string which contains an integer value." #@schema/desc api_serving_certificate_desc +#@schema/type any=True api_serving_certificate_duration_seconds: 2592000 #@schema/desc api_serving_certificate_desc +#@schema/type any=True api_serving_certificate_renew_before_seconds: 2160000 #! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information), 
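Review bot: In the `@@ -57,13` hunk, adding `#@schema/type any=True` to `api_serving_certificate_duration_seconds` and `api_serving_certificate_renew_before_seconds` turns off schema checking for those two values entirely, so a map, a boolean, a negative number, or a renew-before value that is not smaller than the duration now passes ytt and can only fail (or silently misbehave) inside the certificate-rotation code. The new description promises "an integer or as a string which contains an integer value", but nothing in this hunk enforces that, and the ordering constraint between the two values is not stated anywhere. If the consuming template does not already validate, add a `#@schema/validation` rule where the ytt version in use supports it, or an explicit assert in the template, and extend the shared description, e.g. `about every 25 days. Specify this as an integer or as a string which contains an integer value. The renew-before value must be smaller than the duration.`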
@@ -90,7 +91,6 @@ run_as_group: 65532 #@schema/desc api_group_suffix_desc api_group_suffix: pinniped.dev - #@schema/desc "Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation." impersonation_proxy_spec: #! options are "auto", "disabled" or "enabled". @@ -117,10 +117,8 @@ impersonation_proxy_spec: #! None does not provision either and assumes that you have set the external_endpoint #! and set up your own ingress to connect to the impersonation proxy. #@schema/desc "Options are 'LoadBalancer', 'ClusterIP' and 'None'." - #@schema/nullable type: LoadBalancer #@schema/desc "The annotations that should be set on the ClusterIP or LoadBalancer Service." - #@schema/nullable annotations: {service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"} #@schema/desc "When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP." diff --git a/deploy/local-user-authenticator/values.yaml b/deploy/local-user-authenticator/values.yaml index c05913049..df991aa7b 100644 --- a/deploy/local-user-authenticator/values.yaml +++ b/deploy/local-user-authenticator/values.yaml @@ -3,7 +3,6 @@ #@data/values-schema --- - #@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used." image_repo: projects.registry.vmware.com/pinniped/pinniped-server #@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used." diff --git a/deploy/supervisor/values.yaml b/deploy/supervisor/values.yaml index 1af809217..217f8680a 100644 --- a/deploy/supervisor/values.yaml +++ b/deploy/supervisor/values.yaml 
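Review bot: In the `@@ -117,10` hunk, dropping `#@schema/nullable` from `impersonation_proxy_spec.service.type` and `.annotations` changes their schema defaults from null to `LoadBalancer` and to the AWS idle-timeout annotation map, and a user who currently passes `type: null` or `annotations: null` to opt out will now get a schema violation at render time. That may well be intended, since `None` is the documented way to skip the Service, but it is a user-visible change that deserves a line in the release notes and in the description, e.g. `#@schema/desc "Options are 'LoadBalancer', 'ClusterIP' and 'None'. Defaults to 'LoadBalancer'; use 'None' (not null) to skip creating a Service."`. Whether the deployment template previously mapped a null value onto these same defaults is not visible in this hunk.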
@@ -1,9 +1,9 @@ -#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@data/values-schema --- -#@schema/desc "Name of pinniped-supervisor." +#@schema/desc "Used to help determine the names of various resources and labels." app_name: pinniped-supervisor #@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace." @@ -18,9 +18,9 @@ into_namespace: my-preexisting-namespace #@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels \ #@ specified here. The value of `custom_labels` must be a map of string keys to string values. \ #@ The app can be uninstalled either by: \ -#@ 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete \ -#@ resources that were dynamically created by controllers at runtime \ -#@ 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace." +#@ 1.) deleting the static install-time yaml resources including the static namespace, which will cascade and also delete \ +#@ resources that were dynamically created by controllers at runtime, \ +#@ or, 2.) deleting all resources by label, which does not assume that there was a static install-time yaml namespace." #@schema/desc custom_labels_desc #@schema/type any=True custom_labels: {} #! {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue} 
@@ -61,19 +61,19 @@ deprecated_service_http_nodeport_nodeport: 31234 #@schema/desc "will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`" #@schema/nullable deprecated_service_http_loadbalancer_port: 8443 -#@schema/desc "#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`" +#@schema/desc "will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`" #@schema/nullable deprecated_service_http_clusterip_port: 8443 -#@schema/desc "#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`" +#@schema/desc "when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`" #@schema/nullable service_https_nodeport_port: 31243 -#@schema/desc "#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified" +#@schema/desc "the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified" #@schema/nullable service_https_nodeport_nodeport: 31243 -#@schema/desc "#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`" +#@schema/desc "when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`" #@schema/nullable service_https_loadbalancer_port: 8443 -#@schema/desc "#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`" +#@schema/desc "when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`" #@schema/nullable service_https_clusterip_port: 8443 #@ service_loadbalancer_ip_desc="The `loadBalancerIP` value of the LoadBalancer Service. \ 
@@ -94,9 +94,9 @@ log_level: info #@schema/nullable deprecated_log_format: json -#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice" +#@schema/desc "specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice" run_as_user: 65532 -#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice" +#@schema/desc "specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice" run_as_group: 65532 #@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \ @@ -114,8 +114,8 @@ api_group_suffix: pinniped.dev #@schema/desc https_proxy_desc #@schema/nullable https_proxy: http://proxy.example.com -#@schema/desc "do not proxy Kubernetes endpoints" -no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" +#@schema/desc "Endpoints that should not use the proxy." +no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints #! Control the HTTP and HTTPS listeners of the Supervisor. #! diff --git a/hack/kind-down.sh b/hack/kind-down.sh index 59ea0d0a0..1f510e2c6 100755 --- a/hack/kind-down.sh +++ b/hack/kind-down.sh 
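Review bot: In the `@@ -114,8` hunk, the new `no_proxy` description "Endpoints that should not use the proxy." loses the reason the default list exists, and that rationale now lives only in a trailing `#!` comment, which does not surface in the rendered schema documentation. The entries are security-relevant: `$(KUBERNETES_SERVICE_HOST)`, `.svc` and `.cluster.local` keep API-server and in-cluster traffic off the egress proxy, and `169.254.169.254` is the link-local cloud instance-metadata address, which should never be reached through an external proxy. Suggest folding the why into the desc, e.g. `#@schema/desc "Comma-separated hosts and domain suffixes that bypass https_proxy. Keep the Kubernetes API server, the in-cluster service DNS suffixes and the cloud metadata address in this list so traffic to them never leaves the cluster via the proxy."`, and noting that an override replaces the whole string rather than appending to it.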
@@ -1,18 +1,29 @@ #!/usr/bin/env bash -# Copyright 2020 the Pinniped contributors. All Rights Reserved. +# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 set -euo pipefail -ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" +ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" cd "${ROOT}" if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then reg_name='kind-registry.local' - docker network disconnect "kind" "${reg_name}" || true - docker stop "${reg_name}" || true - docker rm "${reg_name}" || true + + # If the container is running... + if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" == 'true' ]; then + # Disconnect it from the kind network, if it was connected. + if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" != 'null' ]; then + docker network disconnect "kind" "${reg_name}" >/dev/null + fi + + echo "Stopping container $reg_name ..." + docker stop "${reg_name}" >/dev/null + + # Delete it. + docker rm "${reg_name}" >/dev/null + fi fi kind delete cluster --name pinniped diff --git a/hack/kind-up.sh b/hack/kind-up.sh index d92524a2b..d626e581b 100755 --- a/hack/kind-up.sh +++ b/hack/kind-up.sh 
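Review bot: The new guard `if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" ...)" == 'true' ]` only cleans up a running registry, so a container that exists but is stopped (host reboot, a manual `docker stop`, a failed earlier run) is never removed, whereas the old unconditional `docker rm "${reg_name}" || true` handled that case. The next `kind-up.sh` then sees `.State.Running != 'true'` and runs `docker run --name kind-registry.local`, which fails on the name conflict, and the stale container also keeps its attachment to the `kind` network. Test for existence instead, `if docker inspect "${reg_name}" >/dev/null 2>&1; then`, keep the network-disconnect check as it is, and replace the separate stop/rm with `docker rm --force "${reg_name}" >/dev/null` so a stopped container takes the same path.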
@@ -8,45 +8,47 @@ set -euo pipefail ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" cd "${ROOT}" - if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then - # create registry container unless it already exists + # Create registry container unless it already exists. reg_name='kind-registry.local' reg_port='5000' if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then + echo "Running the registry:2 docker image..." docker run \ - -d --restart=always -p "127.0.0.1:${reg_port}:5000" --name "${reg_name}" \ + --detach \ + --restart=always \ + --publish "127.0.0.1:${reg_port}:5000" \ + --name "${reg_name}" \ registry:2 fi fi - use_contour_registry="" -if [[ "${PINNIPED_USE_CONTOUR:-}" != "" ]]; then +if [[ "${PINNIPED_USE_CONTOUR:-}" != "" ]]; then echo "Adding Contour port mapping to Kind config." use_contour_registry="--file=${ROOT}/hack/lib/kind-config/contour-overlay.yaml" fi - use_kind_registry="" -if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then +if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then echo "Adding local registry to Kind config." use_kind_registry="--file=${ROOT}/hack/lib/kind-config/kind-registry-overlay.yaml" fi -$(ytt ${use_kind_registry} ${use_contour_registry} --file=${ROOT}/hack/lib/kind-config/single-node.yaml >/tmp/kind-config.yaml) +# Do not quote ${use_kind_registry} ${use_contour_registry} in this command because they might be empty. +ytt ${use_kind_registry} ${use_contour_registry} --file="${ROOT}"/hack/lib/kind-config/single-node.yaml >/tmp/kind-config.yaml + # To choose a specific version of kube, add this option to the command below: `--image kindest/node:v1.28.0`. 
# To debug the kind config, add this option to the command below: `-v 10` kind create cluster --config /tmp/kind-config.yaml --name pinniped - if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then - # connect the registry to the cluster network if not already connected - if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then + # Connect the registry to the cluster network if not already connected. + if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" == 'null' ]; then docker network connect "kind" "${reg_name}" fi - # Document the local registry + # Configure kind to use the local registry. # https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry cat < "${pinniped_package_repository_file}" -cat <> "${pinniped_package_repository_file}" +pinniped_package_repository_file="${dest_dir}/install/packagerepository.${pinniped_package_version}.yml" +cat < "${pinniped_package_repository_file}" --- apiVersion: packaging.carvel.dev/v1alpha1 kind: PackageRepository 
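Review bot: `ytt ... >/tmp/kind-config.yaml` followed by `kind create cluster --config /tmp/kind-config.yaml` uses a fixed, predictable path in the shared `/tmp`; on a multi-user host another account can pre-create that file or a symlink there, and the cluster would be built from whatever it points at. This is a dev-only script, but `kind_config="$(mktemp)"` plus `"$kind_config"` in both places costs two lines and removes the issue. Separately, the local registry is started from the floating `registry:2` tag; pinning a digest (`registry:2@sha256:...`) would make the dev environment reproducible, though that is a choice rather than a defect. The tail of this hunk (what looks like a `cat <<EOF | ...` heredoc writing the local-registry ConfigMap from KEP 1755) appears to have been mangled on this page, so I could not review it.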
@@ -124,20 +106,18 @@ EOT kapp deploy --app "${pinniped_package_repository_name}" --file "${pinniped_package_repository_file}" -y kapp inspect --app "${pinniped_package_repository_name}" --tree - resource_name="${app}" log_note "Creating RBAC for ${resource_name} PackageInstall..." namespace="${resource_name}-install-ns" pinniped_package_rbac_prefix="pinniped-package-rbac-${resource_name}" -pinniped_package_rbac_file="deploy_carvel/install/${pinniped_package_rbac_prefix}-${resource_name}-rbac.yml" -echo -n "" > "${pinniped_package_rbac_file}" -# NOTE: this script is for development purposes running on a local kind cluster. +pinniped_package_rbac_file="${dest_dir}/install/${pinniped_package_rbac_prefix}-${resource_name}-rbac.yml" +# NOTE: This script is for development purposes running on a local kind cluster. # For any other use case, the generated artifacts should be properly reviewed. # For example, the RBAC generated here should be adjusted to conform to the # principle of LEAST privilege. -cat <> "${pinniped_package_rbac_file}" +cat < "${pinniped_package_rbac_file}" --- apiVersion: v1 kind: Namespace @@ -176,12 +156,11 @@ EOF kapp deploy --app "${pinniped_package_rbac_prefix}" --file "${pinniped_package_rbac_file}" -y - log_note "Creating ${resource_name} PackageInstall..." NAMESPACE="${resource_name}-install-ns" PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}" RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev" -PACKAGE_INSTALL_FILE_NAME="deploy_carvel/install/${resource_name}-pkginstall.yml" +PACKAGE_INSTALL_FILE_NAME="${dest_dir}/install/${resource_name}-pkginstall.yml" SECRET_NAME="${resource_name}-package-install-secret" log_note "Generating ${PACKAGE_INSTALL_FILE_NAME}..." 
@@ -211,7 +190,6 @@ KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall" log_note "Deploying ${KAPP_CONTROLLER_APP_NAME}..." kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y - log_note "Verifying PackageInstall resources..." kubectl get PackageInstall -A | grep pinniped kubectl get secret -A | grep pinniped diff --git a/hack/lib/carvel_packages/tpl/local-user-authenticator/build.yml b/hack/lib/carvel_packages/templates/local-user-authenticator/build.yml similarity index 100% rename from hack/lib/carvel_packages/tpl/local-user-authenticator/build.yml rename to hack/lib/carvel_packages/templates/local-user-authenticator/build.yml diff --git a/hack/lib/carvel_packages/tpl/local-user-authenticator/metadata.yml b/hack/lib/carvel_packages/templates/local-user-authenticator/metadata.yml similarity index 100% rename from hack/lib/carvel_packages/tpl/local-user-authenticator/metadata.yml rename to hack/lib/carvel_packages/templates/local-user-authenticator/metadata.yml diff --git a/hack/lib/carvel_packages/tpl/local-user-authenticator/package-template.yml b/hack/lib/carvel_packages/templates/local-user-authenticator/package-template.yml similarity index 100% rename from hack/lib/carvel_packages/tpl/local-user-authenticator/package-template.yml rename to hack/lib/carvel_packages/templates/local-user-authenticator/package-template.yml diff --git a/hack/lib/carvel_packages/tpl/local-user-authenticator/release_notes.txt b/hack/lib/carvel_packages/templates/local-user-authenticator/release_notes.txt similarity index 100% rename from hack/lib/carvel_packages/tpl/local-user-authenticator/release_notes.txt rename to hack/lib/carvel_packages/templates/local-user-authenticator/release_notes.txt 
diff --git a/hack/lib/carvel_packages/tpl/local-user-authenticator/vendir.yml b/hack/lib/carvel_packages/templates/local-user-authenticator/vendir.yml similarity index 100% rename from hack/lib/carvel_packages/tpl/local-user-authenticator/vendir.yml rename to hack/lib/carvel_packages/templates/local-user-authenticator/vendir.yml diff --git a/hack/lib/carvel_packages/tpl/pinniped-concierge/build.yml b/hack/lib/carvel_packages/templates/pinniped-concierge/build.yml similarity index 100% rename from hack/lib/carvel_packages/tpl/pinniped-concierge/build.yml rename to hack/lib/carvel_packages/templates/pinniped-concierge/build.yml diff --git a/hack/lib/carvel_packages/tpl/pinniped-concierge/metadata.yml b/hack/lib/carvel_packages/templates/pinniped-concierge/metadata.yml similarity index 100% rename from hack/lib/carvel_packages/tpl/pinniped-concierge/metadata.yml rename to hack/lib/carvel_packages/templates/pinniped-concierge/metadata.yml diff --git a/hack/lib/carvel_packages/tpl/pinniped-concierge/package-template.yml b/hack/lib/carvel_packages/templates/pinniped-concierge/package-template.yml similarity index 100% rename from hack/lib/carvel_packages/tpl/pinniped-concierge/package-template.yml rename to hack/lib/carvel_packages/templates/pinniped-concierge/package-template.yml diff --git a/hack/lib/carvel_packages/tpl/pinniped-concierge/release_notes.txt b/hack/lib/carvel_packages/templates/pinniped-concierge/release_notes.txt similarity index 100% rename from hack/lib/carvel_packages/tpl/pinniped-concierge/release_notes.txt rename to hack/lib/carvel_packages/templates/pinniped-concierge/release_notes.txt diff --git a/hack/lib/carvel_packages/tpl/pinniped-concierge/vendir.yml b/hack/lib/carvel_packages/templates/pinniped-concierge/vendir.yml similarity index 100% rename from hack/lib/carvel_packages/tpl/pinniped-concierge/vendir.yml rename to hack/lib/carvel_packages/templates/pinniped-concierge/vendir.yml 
diff --git a/hack/lib/carvel_packages/tpl/pinniped-supervisor/build.yml b/hack/lib/carvel_packages/templates/pinniped-supervisor/build.yml similarity index 100% rename from hack/lib/carvel_packages/tpl/pinniped-supervisor/build.yml rename to hack/lib/carvel_packages/templates/pinniped-supervisor/build.yml diff --git a/hack/lib/carvel_packages/tpl/pinniped-supervisor/metadata.yml b/hack/lib/carvel_packages/templates/pinniped-supervisor/metadata.yml similarity index 100% rename from hack/lib/carvel_packages/tpl/pinniped-supervisor/metadata.yml rename to hack/lib/carvel_packages/templates/pinniped-supervisor/metadata.yml diff --git a/hack/lib/carvel_packages/tpl/pinniped-supervisor/package-template.yml b/hack/lib/carvel_packages/templates/pinniped-supervisor/package-template.yml similarity index 100% rename from hack/lib/carvel_packages/tpl/pinniped-supervisor/package-template.yml rename to hack/lib/carvel_packages/templates/pinniped-supervisor/package-template.yml diff --git a/hack/lib/carvel_packages/tpl/pinniped-supervisor/release_notes.txt b/hack/lib/carvel_packages/templates/pinniped-supervisor/release_notes.txt similarity index 100% rename from hack/lib/carvel_packages/tpl/pinniped-supervisor/release_notes.txt rename to hack/lib/carvel_packages/templates/pinniped-supervisor/release_notes.txt diff --git a/hack/lib/carvel_packages/tpl/pinniped-supervisor/vendir.yml b/hack/lib/carvel_packages/templates/pinniped-supervisor/vendir.yml similarity index 100% rename from hack/lib/carvel_packages/tpl/pinniped-supervisor/vendir.yml rename to hack/lib/carvel_packages/templates/pinniped-supervisor/vendir.yml diff --git a/hack/lib/carvel_packages/tpl/.gitignore b/hack/lib/carvel_packages/tpl/.gitignore deleted file mode 100644 index d6ba8ff17..000000000 --- a/hack/lib/carvel_packages/tpl/.gitignore +++ /dev/null 
@@ -1,12 +0,0 @@ -# package_repository/packages/{pkg}/ contains specific SHAs of images -# we are using 0.0.0- to indicate dev versions of images -*0.0.0* - -# installation artifacts will be generated here -deploy/ - -# images.yml files contain specific SHAs of images -concierge/.imgpkg/images.yml -supervisor/.imgpkg/images.yml -local-user-authenticator/.imgpkg/images.yml -package_repository/.imgpkg/images.yml diff --git a/hack/lib/kind-config/kind-registry-overlay.yaml b/hack/lib/kind-config/kind-registry-overlay.yaml index e4901dec0..506134d7b 100644 --- a/hack/lib/kind-config/kind-registry-overlay.yaml +++ b/hack/lib/kind-config/kind-registry-overlay.yaml @@ -2,7 +2,7 @@ #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:overlay", "overlay") -#@overlay/match by=overlay.all +#@overlay/match by=overlay.subset({"kind": "Cluster"}), expects=1 --- #@overlay/match missing_ok=True containerdConfigPatches: diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index 034f0611c..b1f353087 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh 
@@ -6,15 +6,13 @@ # # This script can be used to prepare a kind cluster and deploy the app. # You can call this script again to redeploy the app. -# It will also output instructions on how to run the integration. +# It will also output instructions on how to run the integration tests. # -# When invoked with the PINNIPED_USE_LOCAL_KIND_REGISTRY environment variable set to a non-empty value, -# the script will create a local docker registry and configure kind to use the registry. When building -# and installing Pinniped normally this is unnecessary. However, if an alternative build and install approach -# is taken, such as via a Carvel packaging mechanism, a local registry might be needed (for example, the -# kbld tool requires a registry to resolve images to shas). -# -# Example usage: +# When invoked with the PINNIPED_USE_LOCAL_KIND_REGISTRY environment variable set to a non-empty value, then +# this script will create a local registry and configure kind to use that registry. This is normally unnecessary. +# However, if an alternative build and deploy approach is used, such as via a Carvel packaging mechanism, then a local +# registry could be needed (e.g. the kbld tool requires a registry to resolve images to shas). +# For example, to alternatively build and deploy Pinniped as a Carvel package, use: # PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --pre-install ./hack/lib/carvel_packages/build.sh --alternate-deploy ./hack/lib/carvel_packages/deploy.sh # set -euo pipefail @@ -62,10 +60,6 @@ get_active_directory_vars="" # specify a filename for a script to get AD related alternate_deploy="undefined" pre_install="undefined" -# supported variable style: -# --dockerfile-path ./foo.sh -# unsupported variable style (using = will fail the script): -# --dockerfile-path=./foo.sh while (("$#")); do case "$1" in -h | --help) 
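Review bot: The `@@ -62,10` hunk deletes the comment warning that the `--dockerfile-path=./foo.sh` form is unsupported and will fail, but nothing in the hunk adds support for it, and the `case "$1" in` parser that would need the change starts here and continues outside the hunk. Unless the parser was extended elsewhere in this commit, the limitation is still real and is now undocumented; either keep the note, or add a catch-all branch such as `--*=*) echo >&2 "use '--flag value', not '--flag=value'"; exit 1 ;;` so the failure is explicit instead of a silent mis-parse. The usage text in the later `--help` hunk would be the natural place to state the accepted form.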
@@ -148,13 +142,13 @@ if [[ "$help" == "yes" ]]; then log_note " $me [flags]" log_note log_note "Flags:" - log_note " -h, --help: print this usage" - log_note " -c, --clean: destroy the current kind cluster and make a new one" - log_note " -g, --api-group-suffix: deploy Pinniped with an alternate API group suffix" - log_note " -s, --skip-build: reuse the most recently built image of the app instead of building" - log_note " -a, --get-active-directory-vars: specify a script that exports active directory environment variables" - log_note " --alternate-deploy: specify an alternate deploy script to install all components of Pinniped" - log_note " --pre-install: specify an pre-install script such as a build script" + log_note " -h, --help: print this usage" + log_note " -c, --clean: destroy the current kind cluster and make a new one" + log_note " -g, --api-group-suffix: deploy Pinniped with an alternate API group suffix" + log_note " -s, --skip-build: reuse the most recently built image of the app instead of building" + log_note " -a, --get-active-directory-vars: specify a script that exports active directory environment variables" + log_note " --alternate-deploy: specify an alternate deploy script to install all components of Pinniped" + log_note " --pre-install: specify an pre-install script such as a build script" exit 1 fi @@ -217,7 +211,6 @@ repo="test/build" registry_repo="$registry_with_port/$repo" tag="0.0.0-$(uuidgen)" # always a new tag to force K8s to reload the image on redeploy - if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then etc_hosts_local_registry_missing=no if ! grep -q "$registry" /etc/hosts; then 
@@ -251,7 +244,7 @@ registry_repo_tag="${registry_repo}:${tag}" if [[ "$do_build" == "yes" ]]; then # Rebuild the code testing_version="${KUBE_GIT_VERSION:-}" - if [[ "$dockerfile_path" != "" ]]; then + if [[ "$dockerfile_path" != "" ]]; then log_note "Docker building the app with dockerfile $dockerfile_path and KUBE_GIT_VERSION='$testing_version'" DOCKER_BUILDKIT=1 docker build . --tag "$registry_repo_tag" --file "$dockerfile_path" --build-arg "KUBE_GIT_VERSION=$testing_version" else 
@@ -262,51 +255,40 @@ if [[ "$do_build" == "yes" ]]; then fi if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then - # if registry used, push to the registry + # If registry used, push to the registry. log_note "Loading the app's container image into the local registry ($registry_with_port)..." docker push "$registry_repo_tag" else - # otherwise side-load directly + # Otherwise, side-load directly. log_note "Loading the app's container image into the kind cluster..." kind load docker-image "$registry_repo_tag" --name pinniped fi - -# -# Call a pre-install script -# simplifies passing the $tag which may be necessary if the current local build is to be -# referenced, for example, deploying via a Carvel package rather than our ytt mechanism -# running it after the above also allows appending to the environment variable file -if [ "$pre_install" != "undefined" ] ; then - log_note "The pre-install script will be called with $tag..." - $pre_install pre-install-script $tag $registry_with_port $repo +if [ "$pre_install" != "undefined" ]; then + log_note "Calling the pre-install script with args: $tag $registry_with_port $repo ..." + $pre_install pre-install-script "$tag" $registry_with_port $repo fi - # # Deploy local-user-authenticator # manifest=/tmp/pinniped-local-user-authenticator.yaml -data_values_path="/tmp/local-user-authenticator" -data_values_file="${data_values_path}/values.yml" -mkdir -p "${data_values_path}" -cat < "$data_values_file" +data_values_file=/tmp/local-user-authenticator-values.yml +cat <"$data_values_file" --- image_repo: $registry_repo image_tag: $tag EOF if [ "$alternate_deploy" != "undefined" ]; then - $alternate_deploy local-user-authenticator $tag $registry_with_port $repo $data_values_file + log_note "The local-user-authenticator will be deployed with $alternate_deploy local-user-authenticator $tag $registry_with_port $repo $data_values_file ..." 
+ $alternate_deploy local-user-authenticator "$tag" $registry_with_port $repo $data_values_file else log_note "Deploying the local-user-authenticator app to the cluster using kapp..." pushd deploy/local-user-authenticator >/dev/null - - ytt --file . --data-values-file "$data_values_file" >"$manifest" - + ytt --file . --data-values-file "$data_values_file" >"$manifest" kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest" kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. - popd >/dev/null fi @@ -324,16 +306,15 @@ ytt --file . \ --data-value "pinny_ldap_password=$ldap_test_password" \ --data-value "pinny_bcrypt_passwd_hash=$(htpasswd -nbBC 10 x "$dex_test_password" | sed -e "s/^x://")" \ >"$manifest" - kapp deploy --yes --app tools --diff-changes --file "$manifest" kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. - popd >/dev/null # # Deploy the Pinniped Supervisor # manifest=/tmp/pinniped-supervisor.yaml +data_values_file=/tmp/supervisor-values.yml supervisor_app_name="pinniped-supervisor" supervisor_namespace="supervisor" supervisor_custom_labels="{mySupervisorCustomLabelName: mySupervisorCustomLabelValue}" @@ -341,10 +322,7 @@ log_level="debug" service_https_nodeport_port="443" service_https_nodeport_nodeport="31243" service_https_clusterip_port="443" -data_values_path="/tmp/supervisor" -data_values_file="${data_values_path}/values.yml" -mkdir -p "${data_values_path}" -cat < "$data_values_file" +cat <"$data_values_file" --- app_name: $supervisor_app_name namespace: $supervisor_namespace 
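Review bot: In the `@@ -262,51` hunk, which begins on the previous line, the call `$alternate_deploy local-user-authenticator "$tag" $registry_with_port $repo $data_values_file` quotes `$tag` but leaves the other three arguments unquoted, and the `$pre_install` call above it has the same half-quoted shape; under word splitting a registry value or path containing whitespace or a glob character would be split or expanded before the script sees it. Quote all four consistently: `$alternate_deploy local-user-authenticator "$tag" "$registry_with_port" "$repo" "$data_values_file"`. Leaving `$alternate_deploy` itself unquoted is defensible if the flag is meant to accept a command with arguments, but a one-line comment saying so would stop the next reader from "fixing" it. The supervisor and concierge hunks below repeat the same pattern.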
@@ -359,14 +337,12 @@ service_https_clusterip_port: $service_https_clusterip_port EOF if [ "$alternate_deploy" != "undefined" ]; then - log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag..." - $alternate_deploy pinniped-supervisor $tag $registry_with_port $repo $data_values_file + log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag $registry_with_port $repo $data_values_file ..." + $alternate_deploy pinniped-supervisor "$tag" $registry_with_port $repo $data_values_file else log_note "Deploying the Pinniped Supervisor app to the cluster using kapp..." pushd deploy/supervisor >/dev/null - - ytt --file . --data-values-file "$data_values_file" >"$manifest" - + ytt --file . --data-values-file "$data_values_file" >"$manifest" kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest" kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. popd >/dev/null @@ -376,16 +352,14 @@ fi # Deploy the Pinniped Concierge # manifest=/tmp/pinniped-concierge.yaml +data_values_file=/tmp/concierge-values.yml concierge_app_name="pinniped-concierge" concierge_namespace="concierge" webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate" discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')" concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}" log_level="debug" -data_values_path="/tmp/concierge" -data_values_file="${data_values_path}/values.yml" -mkdir -p "${data_values_path}" -cat < "$data_values_file" +cat <"$data_values_file" --- app_name: $concierge_app_name namespace: $concierge_namespace 
@@ -398,23 +372,19 @@ discovery_url: $discovery_url EOF if [ "$alternate_deploy" != "undefined" ]; then - log_note "The Pinniped Concierge will be deployed with $alternate_deploy pinniped-concierge $tag..." - $alternate_deploy pinniped-concierge $tag $registry_with_port $repo $data_values_file + log_note "The Pinniped Concierge will be deployed with $alternate_deploy pinniped-concierge $tag $registry_with_port $repo $data_values_file ..." + $alternate_deploy pinniped-concierge "$tag" $registry_with_port $repo $data_values_file else log_note "Deploying the Pinniped Concierge app to the cluster using kapp..." pushd deploy/concierge >/dev/null - - ytt --file . --data-values-file "$data_values_file" >"$manifest" - + ytt --file . --data-values-file "$data_values_file" >"$manifest" kapp deploy --yes --app "$concierge_app_name" --diff-changes --file "$manifest" kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. popd >/dev/null fi - # -# Test user for the authenticator -# the authenticator may be deployed in alternative ways (ex. carvel package) but regardless we need a test user. +# Create a test user in the local-user-authenticator and get its CA bundle. # log_note "Creating test user for local-user-authenticator..." test_username="test-username" @@ -429,9 +399,6 @@ kubectl create secret generic "$test_username" \ --output yaml | kubectl apply -f - -# -# Regardless of how the local-user-authenticator is installed, we need the webhook bundle in the environment file. -# webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')" # 
@@ -450,9 +417,7 @@ test_ca_bundle_pem="$(kubectl get secrets -n tools certs -o go-template='{{index kind_capabilities_file="$pinniped_path/test/cluster_capabilities/kind.yaml" pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file") -env_file_name="/tmp/integration-test-env" - -cat <"$env_file_name" +cat </tmp/integration-test-env # The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration' export PINNIPED_TEST_TOOLS_NAMESPACE="tools" export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace} @@ -524,7 +489,6 @@ PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML EOF - # # Print instructions for next steps. # @@ -532,7 +496,7 @@ log_note log_note "🚀 Ready to run integration tests! For example..." log_note " cd $pinniped_path" log_note " ulimit -n 512" -log_note " source $env_file_name && go test -v -race -count 1 -timeout 0 ./test/integration" +log_note ' source /tmp/integration-test-env && go test -v -race -count 1 -timeout 0 ./test/integration' log_note log_note "Using GoLand? Paste the result of this command into GoLand's run configuration \"Environment\"." log_note " hack/integration-test-env-goland.sh | pbcopy" @@ -546,4 +510,3 @@ if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then else log_note "When you're finished, use './hack/kind-down.sh' to tear down the cluster." fi -log_note
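Review bot: In the `@@ -450,9` hunk, `cat </tmp/integration-test-env` writes the integration-test environment with the caller's default umask into a fixed, world-readable location in shared `/tmp`; the exports visible here are harmless, but the file presumably also carries the LDAP and Dex test passwords this script sets up further up, so it should be created `0600`, and the path should stay in a variable rather than being hard-coded here, in the `source ...` hint below, and wherever `integration-test-env-goland.sh` reads it. Keeping the original `env_file_name="/tmp/integration-test-env"` and writing `install -m 0600 /dev/null "$env_file_name" && cat <<EOF >"$env_file_name"` locks the file down before the heredoc fills it. Dropping the stray trailing `log_note` at the end of the file is fine.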