diff --git a/hack/debug-ldapidentityprovider.sh b/hack/debug-ldapidentityprovider.sh index 1ef6bc354..69d1b6742 100755 --- a/hack/debug-ldapidentityprovider.sh +++ b/hack/debug-ldapidentityprovider.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright 2023 the Pinniped contributors. All Rights Reserved. +# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 set -euo pipefail @@ -62,9 +62,6 @@ while (("$#")); do ;; -*) log_error "Unsupported flag $1" >&2 - if [[ "$1" == *"active-directory"* ]]; then - log_error "Did you mean --get-active-directory-vars?" - fi exit 1 ;; *) diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index 24a6acec4..711f0dc0c 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -15,6 +15,9 @@ # For example, to alternatively build and deploy Pinniped as a Carvel package, use: # PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --pre-install ./hack/lib/carvel_packages/build.sh --alternate-deploy ./hack/lib/carvel_packages/deploy.sh # +# Set PINNIPED_USE_CONTOUR=1 when running this script to cause the kind cluster created by this script to be +# ready for using PINNIPED_USE_CONTOUR=1 with subsequent hack scripts, e.g. prepare-supervisor-on-kind.sh. +# set -euo pipefail pinniped_path="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" @@ -109,9 +112,6 @@ while (("$#")); do ;; -*) log_error "Unsupported flag $1" >&2 - if [[ "$1" == *"active-directory"* ]]; then - log_error "Did you mean --get-active-directory-vars?" - fi exit 1 ;; *) diff --git a/hack/prepare-supervisor-on-kind.sh b/hack/prepare-supervisor-on-kind.sh index 0bd24c43f..3a56ea268 100755 --- a/hack/prepare-supervisor-on-kind.sh +++ b/hack/prepare-supervisor-on-kind.sh 
@@ -28,7 +28,7 @@ # PINNIPED_USE_CONTOUR=1 hack/prepare-for-integration-tests.sh -c # PINNIPED_USE_CONTOUR=1 hack/prepare-supervisor-on-kind.sh --oidc --ldap # -# Depends on `step` which can be installed by `brew install step` on MacOS. +# This script depends on `step` which can be installed by `brew install step` on MacOS. # set -euo pipefail @@ -69,11 +69,11 @@ while (("$#")); do shift ;; --github) + # This assumes that you used the --get-github-vars flag with hack/prepare-for-integration-tests.sh. use_github_upstream=yes shift ;; --ad) - # Use an ActiveDirectoryIdentityProvider. # This assumes that you used the --get-active-directory-vars flag with hack/prepare-for-integration-tests.sh. use_ad_upstream=yes shift 
@@ -499,6 +499,7 @@ fi # Make a JWTAuthenticator which respects JWTs from the Supervisor's issuer. # The issuer URL must be accessible from within the cluster for OIDC discovery. +echo "Creating JWTAuthenticator..." cat <&2 kind: WebhookAuthenticator apiVersion: authentication.concierge.pinniped.dev/v1alpha1 metadata: - name: my-webhook + name: my-webhook-authenticator spec: endpoint: ${PINNIPED_TEST_WEBHOOK_ENDPOINT} tls: certificateAuthorityData: ${PINNIPED_TEST_WEBHOOK_CA_BUNDLE} EOF +echo "Waiting for WebhookAuthenticator to be ready..." +kubectl wait --for=condition=Ready webhookauthenticator my-webhook-authenticator --timeout 60s + +# Compile the CLI. +echo "Building the Pinniped CLI..." +go build ./cmd/pinniped + # Use the CLI to get a kubeconfig that will use this WebhookAuthenticator. -go build -o /tmp/pinniped ./cmd/pinniped +echo "Generating webhook kubeconfig..." /tmp/pinniped get kubeconfig \ --concierge-authenticator-type webhook \ - --concierge-authenticator-name my-webhook \ - --static-token "$PINNIPED_TEST_USER_TOKEN" >/tmp/kubeconfig-with-webhook-auth.yaml + --concierge-authenticator-name my-webhook-authenticator \ + --static-token "$PINNIPED_TEST_USER_TOKEN" >kubeconfig-webhook.yaml -echo "export KUBECONFIG=/tmp/kubeconfig-with-webhook-auth.yaml" +echo +echo "To log in using webhook:" +echo "PINNIPED_DEBUG=true ./pinniped whoami --kubeconfig ./kubeconfig-webhook.yaml" +echo
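Review bot: The new build step `go build ./cmd/pinniped` writes the binary to `./pinniped`, but the unchanged call just below still runs `/tmp/pinniped get kubeconfig`, so the script executes whatever file already sits at that predictable /tmp path (a stale build, or on a shared host a file placed by another user) and passes it `$PINNIPED_TEST_USER_TOKEN` on its command line. Change the call to `./pinniped get kubeconfig \`, which also matches the `./pinniped whoami` hint printed at the end. Separately, `kubeconfig-webhook.yaml` presumably embeds the static token and is now created in the working directory with the default umask; consider `umask 077` before the redirect, and if the working directory is a repository checkout, confirm the file name is git-ignored. The text of this hunk appears truncated around the `cat <<EOF` heredoc on this page, so this is based only on the lines that are visible.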