Enforce aliases for 'k8s.io/apimachinery/pkg/util/errors' and 'k8s.io/apimachinery/pkg/api/errors'

.golangci.yaml

@@ -48,6 +48,7 @@ linters:
     - fatcontext
     # - canonicalheader Can't do this one since it alerts on valid headers such as X-XSS-Protection
     - spancheck
+    - importas
 
 issues:
   exclude-dirs:
@@ -91,3 +92,11 @@ linters-settings:
     - end
     - record-error
     - set-status
+  importas:
+    no-unaliased: true # All packages explicitly listed below must be aliased
+    no-extra-aliases: false # Allow other aliases than the ones explicitly listed below
+    alias:
+    - pkg: k8s.io/apimachinery/pkg/util/errors
+      alias: utilerrors
+    - pkg: k8s.io/apimachinery/pkg/api/errors
+      alias: apierrors

cmd/pinniped/cmd/whoami.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -12,7 +12,7 @@ import (
 	"time"
 
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
@@ -99,7 +99,7 @@ func runWhoami(output io.Writer, getClientset getConciergeClientsetFunc, flags *
 	whoAmI, err := clientset.IdentityV1alpha1().WhoAmIRequests().Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 	if err != nil {
 		hint := ""
-		if errors.IsNotFound(err) {
+		if apierrors.IsNotFound(err) {
 			hint = " (is the Pinniped WhoAmI API running and healthy?)"
 		}
 		return fmt.Errorf("could not complete WhoAmIRequest%s: %w", hint, err)

cmd/pinniped/cmd/whoami_test.go

@@ -8,7 +8,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	kubetesting "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/clientcmd"
@@ -273,7 +273,7 @@ func TestWhoami(t *testing.T) {
 		},
 		{
 			name:          "calling API fails because WhoAmI API is not installed",
-			callingAPIErr: errors.NewNotFound(identityv1alpha1.SchemeGroupVersion.WithResource("whoamirequests").GroupResource(), "whatever"),
+			callingAPIErr: apierrors.NewNotFound(identityv1alpha1.SchemeGroupVersion.WithResource("whoamirequests").GroupResource(), "whatever"),
 			wantError:     true,
 			wantStderr:    "Error: could not complete WhoAmIRequest (is the Pinniped WhoAmI API running and healthy?): whoamirequests.identity.concierge.pinniped.dev \"whatever\" not found\n",
 		},

internal/clientcertissuer/issuer.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package clientcertissuer
@@ -8,7 +8,7 @@ import (
 	"strings"
 	"time"
 
-	"k8s.io/apimachinery/pkg/util/errors"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 
 	"go.pinniped.dev/internal/constable"
 )
@@ -48,7 +48,7 @@ func (c ClientCertIssuers) IssueClientCertPEM(username string, groups []string,
 		errs = append(errs, fmt.Errorf("%s failed to issue client cert: %w", issuer.Name(), err))
 	}
 
-	if err := errors.NewAggregate(errs); err != nil {
+	if err := utilerrors.NewAggregate(errs); err != nil {
 		return nil, nil, err
 	}
 

internal/concierge/apiserver/apiserver.go

@@ -11,7 +11,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/util/errors"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 
@@ -105,7 +105,7 @@ func (c completedConfig) New() (*PinnipedServer, error) {
 			),
 		)
 	}
-	if err := errors.NewAggregate(errs); err != nil {
+	if err := utilerrors.NewAggregate(errs); err != nil {
 		return nil, fmt.Errorf("could not install API groups: %w", err)
 	}
 

internal/concierge/impersonator/impersonator.go

@@ -26,7 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
-	"k8s.io/apimachinery/pkg/util/errors"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/httpstream"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -349,7 +349,7 @@ func newInternal(
 		if listener != nil {
 			errs = append(errs, listener.Close())
 		}
-		return nil, errors.NewAggregate(errs)
+		return nil, utilerrors.NewAggregate(errs)
 	}
 	return result, nil
 }

internal/concierge/impersonator/impersonator_test.go

@@ -21,7 +21,7 @@ import (
 	"github.com/stretchr/testify/require"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructuredscheme"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -1010,7 +1010,7 @@ func TestImpersonator(t *testing.T) {
 
 			probeBody, errProbe := rc.Get().AbsPath("/probe").DoRaw(ctx)
 			if tt.anonymousAuthDisabled {
-				require.True(t, errors.IsUnauthorized(errProbe), errProbe)
+				require.True(t, apierrors.IsUnauthorized(errProbe), errProbe)
 				require.Equal(t, `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}`+"\n", string(probeBody))
 			} else {
 				require.NoError(t, errProbe)
@@ -1019,7 +1019,7 @@ func TestImpersonator(t *testing.T) {
 
 			notTCRBody, errNotTCR := rc.Get().Resource("tokencredentialrequests").DoRaw(ctx)
 			if tt.anonymousAuthDisabled {
-				require.True(t, errors.IsUnauthorized(errNotTCR), errNotTCR)
+				require.True(t, apierrors.IsUnauthorized(errNotTCR), errNotTCR)
 				require.Equal(t, `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}`+"\n", string(notTCRBody))
 			} else {
 				require.NoError(t, errNotTCR)
@@ -1028,7 +1028,7 @@ func TestImpersonator(t *testing.T) {
 
 			ducksBody, errDucks := rc.Get().Resource("ducks").DoRaw(ctx)
 			if tt.anonymousAuthDisabled {
-				require.True(t, errors.IsUnauthorized(errDucks), errDucks)
+				require.True(t, apierrors.IsUnauthorized(errDucks), errDucks)
 				require.Equal(t, `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}`+"\n", string(ducksBody))
 			} else {
 				require.NoError(t, errDucks)
@@ -1046,7 +1046,7 @@ func TestImpersonator(t *testing.T) {
 			require.NoError(t, err)
 
 			_, errBadCert := tcrBadCert.PinnipedConcierge.LoginV1alpha1().TokenCredentialRequests().Create(ctx, &loginv1alpha1.TokenCredentialRequest{}, metav1.CreateOptions{})
-			require.True(t, errors.IsUnauthorized(errBadCert), errBadCert)
+			require.True(t, apierrors.IsUnauthorized(errBadCert), errBadCert)
 			require.EqualError(t, errBadCert, "Unauthorized")
 		})
 	}

internal/controller/apicerts/apiservice_updater.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package apicerts
@@ -6,7 +6,7 @@ package apicerts
 import (
 	"fmt"
 
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 
@@ -53,7 +53,7 @@ func NewAPIServiceUpdaterController(
 func (c *apiServiceUpdaterController) Sync(ctx controllerlib.Context) error {
 	// Try to get the secret from the informer cache.
 	certSecret, err := c.secretInformer.Lister().Secrets(c.namespace).Get(c.certsSecretResourceName)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if err != nil && !notFound {
 		return fmt.Errorf("failed to get %s/%s secret: %w", c.namespace, c.certsSecretResourceName, err)
 	}

internal/controller/apicerts/certs_expirer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package apicerts
@@ -10,7 +10,7 @@ import (
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/kubernetes"
@@ -74,7 +74,7 @@ func NewCertsExpirerController(
 // Sync implements controller.Syncer.Sync.
 func (c *certsExpirerController) Sync(ctx controllerlib.Context) error {
 	secret, err := c.secretInformer.Lister().Secrets(c.namespace).Get(c.certsSecretResourceName)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if err != nil && !notFound {
 		return fmt.Errorf("failed to get %s/%s secret: %w", c.namespace, c.certsSecretResourceName, err)
 	}

internal/controller/apicerts/certs_manager.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package apicerts
@@ -8,7 +8,7 @@ import (
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/kubernetes"
@@ -83,7 +83,7 @@ func NewCertsManagerController(
 func (c *certsManagerController) Sync(ctx controllerlib.Context) error {
 	// Try to get the secret from the informer cache.
 	_, err := c.secretInformer.Lister().Secrets(c.namespace).Get(c.certsSecretResourceName)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if err != nil && !notFound {
 		return fmt.Errorf("failed to get %s/%s secret: %w", c.namespace, c.certsSecretResourceName, err)
 	}

internal/controller/apicerts/certs_observer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package apicerts
@@ -6,7 +6,7 @@ package apicerts
 import (
 	"fmt"
 
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
@@ -50,7 +50,7 @@ func NewCertsObserverController(
 func (c *certsObserverController) Sync(_ controllerlib.Context) error {
 	// Try to get the secret from the informer cache.
 	certSecret, err := c.secretInformer.Lister().Secrets(c.namespace).Get(c.certsSecretResourceName)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if err != nil && !notFound {
 		return fmt.Errorf("failed to get %s/%s secret: %w", c.namespace, c.certsSecretResourceName, err)
 	}

internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go

@@ -21,7 +21,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	errorsutil "k8s.io/apimachinery/pkg/util/errors"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/apis/apiserver"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
@@ -229,7 +229,7 @@ func (c *jwtCacheFillerController) Sync(ctx controllerlib.Context) error {
 	//   object. The controller simply must wait for a user to correct before running again.
 	// - Other errors, such as networking errors, etc. are the types of errors that should return here
 	//   and signal the controller to retry the sync loop. These may be corrected by machines.
-	return errorsutil.NewAggregate(errs)
+	return utilerrors.NewAggregate(errs)
 }
 
 func (c *jwtCacheFillerController) extractValueAsJWTAuthenticator(value authncache.Value) *cachedJWTAuthenticator {

internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go

@@ -14,9 +14,9 @@ import (
 
 	k8sauthv1beta1 "k8s.io/api/authentication/v1beta1"
 	"k8s.io/apimachinery/pkg/api/equality"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	errorsutil "k8s.io/apimachinery/pkg/util/errors"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	k8snetutil "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
@@ -95,7 +95,7 @@ type webhookCacheFillerController struct {
 // Sync implements controllerlib.Syncer.
 func (c *webhookCacheFillerController) Sync(ctx controllerlib.Context) error {
 	obj, err := c.webhooks.Lister().Get(ctx.Key.Name)
-	if err != nil && errors.IsNotFound(err) {
+	if err != nil && apierrors.IsNotFound(err) {
 		c.log.Info("Sync() found that the WebhookAuthenticator does not exist yet or was deleted")
 		return nil
 	}
@@ -141,7 +141,7 @@ func (c *webhookCacheFillerController) Sync(ctx controllerlib.Context) error {
 	//   object. The controller simply must wait for a user to correct before running again.
 	// - other errors, such as networking errors, etc. are the types of errors that should return here
 	//   and signal the controller to retry the sync loop. These may be corrected by machines.
-	return errorsutil.NewAggregate(errs)
+	return utilerrors.NewAggregate(errs)
 }
 
 // newWebhookAuthenticator creates a webhook from the provided API server url and caBundle

internal/controller/impersonatorconfig/impersonator_config.go

@@ -19,9 +19,8 @@ import (
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/errors"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -221,7 +220,7 @@ func (c *impersonatorConfigController) Sync(syncCtx controllerlib.Context) error
 // recover on a following sync.
 func strategyReasonForError(err error) v1alpha1.StrategyReason {
 	switch {
-	case k8serrors.IsConflict(err), k8serrors.IsAlreadyExists(err):
+	case apierrors.IsConflict(err), apierrors.IsAlreadyExists(err):
 		return v1alpha1.PendingStrategyReason
 	default:
 		return v1alpha1.ErrorDuringSetupStrategyReason
@@ -442,7 +441,7 @@ func (c *impersonatorConfigController) shouldHaveClusterIPService(config *v1alph
 
 func (c *impersonatorConfigController) serviceExists(serviceName string) (bool, *corev1.Service, error) {
 	service, err := c.servicesInformer.Lister().Services(c.namespace).Get(serviceName)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if notFound {
 		return false, nil, nil
 	}
@@ -454,7 +453,7 @@ func (c *impersonatorConfigController) serviceExists(serviceName string) (bool,
 
 func (c *impersonatorConfigController) tlsSecretExists() (bool, *corev1.Secret, error) {
 	secret, err := c.secretsInformer.Lister().Secrets(c.namespace).Get(c.tlsSecretName)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if notFound {
 		return false, nil, nil
 	}
@@ -481,7 +480,7 @@ func (c *impersonatorConfigController) ensureImpersonatorIsStarted(syncCtx contr
 			// and we'll have a chance to restart the server.
 			close(c.errorCh) // We don't want ensureImpersonatorIsStopped to block on reading this channel.
 			stoppingErr := c.ensureImpersonatorIsStopped(false)
-			return errors.NewAggregate([]error{runningErr, stoppingErr})
+			return utilerrors.NewAggregate([]error{runningErr, stoppingErr})
 		default:
 			// Seems like it is still running, so nothing to do.
 			return nil
@@ -581,7 +580,7 @@ func (c *impersonatorConfigController) ensureLoadBalancerIsStopped(ctx context.C
 			ResourceVersion: &service.ResourceVersion,
 		},
 	})
-	return utilerrors.FilterOut(err, k8serrors.IsNotFound)
+	return utilerrors.FilterOut(err, apierrors.IsNotFound)
 }
 
 func (c *impersonatorConfigController) ensureClusterIPServiceIsStarted(ctx context.Context, config *v1alpha1.ImpersonationProxySpec) error {
@@ -626,7 +625,7 @@ func (c *impersonatorConfigController) ensureClusterIPServiceIsStopped(ctx conte
 			ResourceVersion: &service.ResourceVersion,
 		},
 	})
-	return utilerrors.FilterOut(err, k8serrors.IsNotFound)
+	return utilerrors.FilterOut(err, apierrors.IsNotFound)
 }
 
 func (c *impersonatorConfigController) createOrUpdateService(ctx context.Context, desiredService *corev1.Service) error {
@@ -654,7 +653,7 @@ func (c *impersonatorConfigController) createOrUpdateService(ctx context.Context
 
 	// Get the Service from the informer, and create it if it does not already exist.
 	existingService, err := c.servicesInformer.Lister().Services(c.namespace).Get(desiredService.Name)
-	if k8serrors.IsNotFound(err) {
+	if apierrors.IsNotFound(err) {
 		log.Info("creating service for impersonation proxy")
 		_, err := c.k8sClient.CoreV1().Services(c.namespace).Create(ctx, desiredService, metav1.CreateOptions{})
 		return err
@@ -755,7 +754,7 @@ func (c *impersonatorConfigController) readExternalTLSSecret(externalTLSSecretNa
 
 func (c *impersonatorConfigController) ensureTLSSecret(ctx context.Context, nameInfo *certNameInfo, ca *certauthority.CA) error {
 	secretFromInformer, err := c.secretsInformer.Lister().Secrets(c.namespace).Get(c.tlsSecretName)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if !notFound && err != nil {
 		return err
 	}
@@ -898,12 +897,12 @@ func (c *impersonatorConfigController) ensureTLSSecretIsCreatedAndLoaded(ctx con
 
 func (c *impersonatorConfigController) ensureCASecretIsCreated(ctx context.Context) (*certauthority.CA, error) {
 	caSecret, err := c.secretsInformer.Lister().Secrets(c.namespace).Get(c.caSecretName)
-	if err != nil && !k8serrors.IsNotFound(err) {
+	if err != nil && !apierrors.IsNotFound(err) {
 		return nil, err
 	}
 
 	var impersonationCA *certauthority.CA
-	if k8serrors.IsNotFound(err) {
+	if apierrors.IsNotFound(err) {
 		impersonationCA, err = c.createCASecret(ctx)
 	} else {
 		crtBytes := caSecret.Data[caCrtKey]
@@ -972,7 +971,7 @@ func (c *impersonatorConfigController) findTLSCertificateNameFromEndpointConfig(
 
 func (c *impersonatorConfigController) findTLSCertificateNameFromLoadBalancer() (*certNameInfo, error) {
 	lb, err := c.servicesInformer.Lister().Services(c.namespace).Get(c.generatedLoadBalancerServiceName)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if notFound {
 		// We aren't ready and will try again later in this case.
 		return &certNameInfo{ready: false}, nil
@@ -1006,7 +1005,7 @@ func (c *impersonatorConfigController) findTLSCertificateNameFromLoadBalancer()
 
 func (c *impersonatorConfigController) findTLSCertificateNameFromClusterIPService() (*certNameInfo, error) {
 	clusterIP, err := c.servicesInformer.Lister().Services(c.namespace).Get(c.generatedClusterIPServiceName)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if notFound {
 		// We aren't ready and will try again later in this case.
 		return &certNameInfo{ready: false}, nil
@@ -1103,7 +1102,7 @@ func (c *impersonatorConfigController) ensureTLSSecretIsRemoved(ctx context.Cont
 	})
 	// it is okay if we tried to delete and we got a not found error. This probably means
 	// another instance of the concierge got here first so there's nothing to delete.
-	return utilerrors.FilterOut(err, k8serrors.IsNotFound)
+	return utilerrors.FilterOut(err, apierrors.IsNotFound)
 }
 
 func (c *impersonatorConfigController) clearTLSSecret() {

internal/controller/impersonatorconfig/impersonator_config_test.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package impersonatorconfig
@@ -25,7 +25,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -3542,7 +3542,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 			it.Before(func() {
 				addNodeWithRoleToTracker("worker", kubeAPIClient)
 				kubeAPIClient.PrependReactor("create", "services", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) {
-					return true, nil, k8serrors.NewAlreadyExists(
+					return true, nil, apierrors.NewAlreadyExists(
 						action.GetResource().GroupResource(),
 						action.(coretesting.CreateAction).GetObject().(*corev1.Service).Name,
 					)

internal/controller/kubecertagent/kubecertagent.go

@@ -19,7 +19,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -396,7 +396,7 @@ func (c *agentController) createOrUpdateDeployment(ctx controllerlib.Context, ne
 
 	// Try to get the existing Deployment, if it exists.
 	existingDeployment, err := c.agentDeployments.Lister().Deployments(expectedDeployment.Namespace).Get(expectedDeployment.Name)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if err != nil && !notFound {
 		return fmt.Errorf("could not get deployments: %w", err)
 	}

internal/controller/kubecertagent/kubecertagent_test.go

@@ -15,7 +15,7 @@ import (
 	"go.uber.org/mock/gomock"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -1267,7 +1267,7 @@ func hasDeploymentSynced(client kubernetes.Interface, kubeInformers informers.Sh
 			cachedDep, cachedErr := kubeInformers.Apps().V1().Deployments().Lister().Deployments("concierge").
 				Get("pinniped-concierge-kube-cert-agent")
 
-			if errors.IsNotFound(realErr) && errors.IsNotFound(cachedErr) {
+			if apierrors.IsNotFound(realErr) && apierrors.IsNotFound(cachedErr) {
 				return
 			}
 

internal/controller/kubecertagent/legacypodcleaner.go

@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package kubecertagent
@@ -7,7 +7,7 @@ import (
 	"fmt"
 
 	"github.com/go-logr/logr"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	corev1informers "k8s.io/client-go/informers/core/v1"
@@ -44,7 +44,7 @@ func NewLegacyPodCleanerController(
 				// avoid blind writes to the API
 				agentPod, err := podClient.Get(ctx.Context, ctx.Key.Name, metav1.GetOptions{})
 				if err != nil {
-					if k8serrors.IsNotFound(err) {
+					if apierrors.IsNotFound(err) {
 						return nil
 					}
 					return fmt.Errorf("could not get legacy agent pod: %w", err)
@@ -56,7 +56,7 @@ func NewLegacyPodCleanerController(
 						ResourceVersion: &agentPod.ResourceVersion,
 					},
 				}); err != nil {
-					if k8serrors.IsNotFound(err) {
+					if apierrors.IsNotFound(err) {
 						return nil
 					}
 					return fmt.Errorf("could not delete legacy agent pod: %w", err)

internal/controller/kubecertagent/legacypodcleaner_test.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/informers"
@@ -111,7 +111,7 @@ func TestLegacyPodCleanerController(t *testing.T) {
 			},
 			addKubeReactions: func(clientset *kubefake.Clientset) {
 				clientset.PrependReactor("delete", "*", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) {
-					return true, nil, k8serrors.NewNotFound(action.GetResource().GroupResource(), "")
+					return true, nil, apierrors.NewNotFound(action.GetResource().GroupResource(), "")
 				})
 			},
 			wantDistinctErrors: []string{""},
@@ -129,7 +129,7 @@ func TestLegacyPodCleanerController(t *testing.T) {
 			},
 			addKubeReactions: func(clientset *kubefake.Clientset) {
 				clientset.PrependReactor("get", "*", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) {
-					return true, nil, k8serrors.NewNotFound(action.GetResource().GroupResource(), "")
+					return true, nil, apierrors.NewNotFound(action.GetResource().GroupResource(), "")
 				})
 			},
 			wantDistinctErrors: []string{""},

internal/controller/kubecertagent/pod_command_executor_test.go

@@ -9,7 +9,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/client-go/rest"
 
 	"go.pinniped.dev/internal/crypto/ptls"
@@ -38,7 +38,7 @@ func TestSecureTLS(t *testing.T) {
 	podCommandExecutor := NewPodCommandExecutor(client.JSONConfig, client.Kubernetes)
 
 	got, err := podCommandExecutor.Exec(context.Background(), "podNamespace", "podName", "containerName", "command", "arg1", "arg2")
-	require.Equal(t, &errors.StatusError{}, err)
+	require.Equal(t, &apierrors.StatusError{}, err)
 	require.Empty(t, got)
 
 	require.True(t, sawRequest)

internal/controller/supervisorconfig/federation_domain_watcher.go

@@ -13,11 +13,11 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
-	errorsutil "k8s.io/apimachinery/pkg/util/errors"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/utils/clock"
 
@@ -185,7 +185,7 @@ func (c *federationDomainWatcherController) Sync(ctx controllerlib.Context) erro
 		}
 	}
 
-	return errorsutil.NewAggregate(errs)
+	return utilerrors.NewAggregate(errs)
 }
 
 func (c *federationDomainWatcherController) processAllFederationDomains(
@@ -454,7 +454,7 @@ func (c *federationDomainWatcherController) findIDPsUIDByObjectRef(objectRef cor
 	switch {
 	case err == nil:
 		idpResourceUID = foundIDP.GetUID()
-	case errors.IsNotFound(err):
+	case apierrors.IsNotFound(err):
 		return "", false, nil
 	default:
 		return "", false, err // unexpected error from the informer

internal/controller/supervisorconfig/generator/federation_domain_secrets.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package generator
@@ -9,7 +9,7 @@ import (
 	"reflect"
 
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/kubernetes"
@@ -75,7 +75,7 @@ func NewFederationDomainSecretsController(
 
 func (c *federationDomainSecretsController) Sync(ctx controllerlib.Context) error {
 	federationDomain, err := c.federationDomainInformer.Lister().FederationDomains(ctx.Key.Namespace).Get(ctx.Key.Name)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if err != nil && !notFound {
 		return fmt.Errorf(
 			"failed to get %s/%s FederationDomain: %w",
@@ -149,7 +149,7 @@ func (c *federationDomainSecretsController) secretNeedsUpdate(
 ) (bool, *corev1.Secret, error) {
 	// This FederationDomain says it has a secret associated with it. Let's try to get it from the cache.
 	secret, err := c.secretInformer.Lister().Secrets(federationDomain.Namespace).Get(secretName)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if err != nil && !notFound {
 		return false, nil, fmt.Errorf("cannot get secret: %w", err)
 	}
@@ -174,7 +174,7 @@ func (c *federationDomainSecretsController) createOrUpdateSecret(
 	secretClient := c.kubeClient.CoreV1().Secrets((*newSecret).Namespace)
 	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
 		oldSecret, err := secretClient.Get(ctx, (*newSecret).Name, metav1.GetOptions{})
-		notFound := k8serrors.IsNotFound(err)
+		notFound := apierrors.IsNotFound(err)
 		if err != nil && !notFound {
 			return fmt.Errorf("failed to get secret %s/%s: %w", (*newSecret).Namespace, (*newSecret).Name, err)
 		}

internal/controller/supervisorconfig/generator/federation_domain_secrets_test.go

@@ -14,7 +14,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -553,7 +553,7 @@ func TestFederationDomainSecretsControllerSync(t *testing.T) {
 				once := sync.Once{}
 				c.PrependReactor("update", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) {
 					var err error
-					once.Do(func() { err = k8serrors.NewConflict(secretGVR.GroupResource(), namespace, errors.New("some error")) })
+					once.Do(func() { err = apierrors.NewConflict(secretGVR.GroupResource(), namespace, errors.New("some error")) })
 					return true, nil, err
 				})
 			},
@@ -606,7 +606,7 @@ func TestFederationDomainSecretsControllerSync(t *testing.T) {
 				once := sync.Once{}
 				c.PrependReactor("update", "federationdomains", func(_ kubetesting.Action) (bool, runtime.Object, error) {
 					var err error
-					once.Do(func() { err = k8serrors.NewConflict(secretGVR.GroupResource(), namespace, errors.New("some error")) })
+					once.Do(func() { err = apierrors.NewConflict(secretGVR.GroupResource(), namespace, errors.New("some error")) })
 					return true, nil, err
 				})
 			},

internal/controller/supervisorconfig/generator/supervisor_secrets.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package generator provides a supervisorSecretsController that can ensure existence of a generated secret.
@@ -11,7 +11,7 @@ import (
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/kubernetes"
@@ -75,7 +75,7 @@ func NewSupervisorSecretsController(
 // Sync implements controllerlib.Syncer.Sync().
 func (c *supervisorSecretsController) Sync(ctx controllerlib.Context) error {
 	secret, err := c.secretInformer.Lister().Secrets(ctx.Key.Namespace).Get(ctx.Key.Name)
-	isNotFound := k8serrors.IsNotFound(err)
+	isNotFound := apierrors.IsNotFound(err)
 	if !isNotFound && err != nil {
 		return fmt.Errorf("failed to list secret %s/%s: %w", ctx.Key.Namespace, ctx.Key.Name, err)
 	}
@@ -115,7 +115,7 @@ func (c *supervisorSecretsController) updateSecret(ctx context.Context, newSecre
 	secrets := c.kubeClient.CoreV1().Secrets((*newSecret).Namespace)
 	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
 		currentSecret, err := secrets.Get(ctx, secretName, metav1.GetOptions{})
-		isNotFound := k8serrors.IsNotFound(err)
+		isNotFound := apierrors.IsNotFound(err)
 		if !isNotFound && err != nil {
 			return fmt.Errorf("failed to get secret: %w", err)
 		}

internal/controller/supervisorconfig/generator/supervisor_secrets_test.go

@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -306,7 +306,7 @@ func TestSupervisorSecretsControllerSync(t *testing.T) {
 				client.PrependReactor("update", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) {
 					var err error
 					once.Do(func() {
-						err = k8serrors.NewConflict(secretsGVR.GroupResource(), generatedSecretName, errors.New("some error"))
+						err = apierrors.NewConflict(secretsGVR.GroupResource(), generatedSecretName, errors.New("some error"))
 					})
 					return true, nil, err
 				})
@@ -363,7 +363,7 @@ func TestSupervisorSecretsControllerSync(t *testing.T) {
 			},
 			apiClient: func(t *testing.T, client *kubernetesfake.Clientset) {
 				client.PrependReactor("get", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) {
-					return true, nil, k8serrors.NewNotFound(secretsGVR.GroupResource(), generatedSecretName)
+					return true, nil, apierrors.NewNotFound(secretsGVR.GroupResource(), generatedSecretName)
 				})
 				client.PrependReactor("create", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) {
 					return true, nil, nil
@@ -382,7 +382,7 @@ func TestSupervisorSecretsControllerSync(t *testing.T) {
 			},
 			apiClient: func(t *testing.T, client *kubernetesfake.Clientset) {
 				client.PrependReactor("get", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) {
-					return true, nil, k8serrors.NewNotFound(secretsGVR.GroupResource(), generatedSecretName)
+					return true, nil, apierrors.NewNotFound(secretsGVR.GroupResource(), generatedSecretName)
 				})
 				client.PrependReactor("create", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) {
 					return true, nil, errors.New("some create error")

internal/controller/supervisorconfig/jwks_writer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package supervisorconfig
@@ -14,7 +14,7 @@ import (
 
 	"github.com/go-jose/go-jose/v3"
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	corev1informers "k8s.io/client-go/informers/core/v1"
@@ -110,7 +110,7 @@ func NewJWKSWriterController(
 // Sync implements controllerlib.Syncer.
 func (c *jwksWriterController) Sync(ctx controllerlib.Context) error {
 	federationDomain, err := c.federationDomainInformer.Lister().FederationDomains(ctx.Key.Namespace).Get(ctx.Key.Name)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if err != nil && !notFound {
 		return fmt.Errorf(
 			"failed to get %s/%s FederationDomain: %w",
@@ -176,7 +176,7 @@ func (c *jwksWriterController) secretNeedsUpdate(federationDomain *configv1alpha
 
 	// This FederationDomain says it has a secret associated with it. Let's try to get it from the cache.
 	secret, err := c.secretInformer.Lister().Secrets(federationDomain.Namespace).Get(federationDomain.Status.Secrets.JWKS.Name)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if err != nil && !notFound {
 		return false, fmt.Errorf("cannot get secret: %w", err)
 	}
@@ -254,7 +254,7 @@ func (c *jwksWriterController) createOrUpdateSecret(
 	secretClient := c.kubeClient.CoreV1().Secrets(newSecret.Namespace)
 	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
 		oldSecret, err := secretClient.Get(ctx, newSecret.Name, metav1.GetOptions{})
-		notFound := k8serrors.IsNotFound(err)
+		notFound := apierrors.IsNotFound(err)
 		if err != nil && !notFound {
 			return fmt.Errorf("cannot get secret: %w", err)
 		}

internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package oidcclientwatcher
@@ -9,7 +9,7 @@ import (
 	"strings"
 
 	"k8s.io/apimachinery/pkg/api/equality"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	corev1informers "k8s.io/client-go/informers/core/v1"
@@ -94,7 +94,7 @@ func (c *oidcClientWatcherController) Sync(ctx controllerlib.Context) error {
 
 		secret, err := c.secretInformer.Lister().Secrets(oidcClient.Namespace).Get(correspondingSecretName)
 		if err != nil {
-			if !k8serrors.IsNotFound(err) {
+			if !apierrors.IsNotFound(err) {
 				// Anything other than a NotFound error is unexpected when reading from an informer.
 				return fmt.Errorf("failed to get %s/%s secret: %w", oidcClient.Namespace, correspondingSecretName, err)
 			}

internal/controller/supervisorconfig/tls_cert_observer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package supervisorconfig
@@ -10,7 +10,7 @@ import (
 	"strings"
 
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 
@@ -112,7 +112,7 @@ func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {
 	if err != nil {
 		c.issuerTLSCertSetter.SetDefaultTLSCert(nil)
 		// It's okay if the default TLS cert Secret is not found (it is not required).
-		if !k8serrors.IsNotFound(err) {
+		if !apierrors.IsNotFound(err) {
 			// For any other error, log a message which is visible at the default log level.
 			plog.Error("error loading TLS certificate from Secret for Supervisor default TLS cert", err,
 				"defaultCertSecretName", c.defaultTLSCertificateSecretName,

internal/federationdomain/clientregistry/clientregistry.go

@@ -12,7 +12,7 @@ import (
 
 	coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 	"github.com/ory/fosite"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
@@ -95,7 +95,7 @@ func (m *ClientManager) GetClient(ctx context.Context, id string) (fosite.Client
 
 	// Try to look up an OIDCClient with the given client ID (which will be the Name of the OIDCClient).
 	oidcClient, err := m.oidcClientsClient.Get(ctx, id, metav1.GetOptions{})
-	if errors.IsNotFound(err) {
+	if apierrors.IsNotFound(err) {
 		return nil, fosite.ErrNotFound.WithDescription("no such client")
 	}
 	if err != nil {

internal/fositestorage/accesstoken/accesstoken.go

@@ -11,7 +11,7 @@ import (
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/handler/oauth2"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	"go.pinniped.dev/internal/constable"
@@ -114,7 +114,7 @@ func (a *accessTokenStorage) getSession(ctx context.Context, signature string) (
 	session := newValidEmptyAccessTokenSession()
 	rv, err := a.storage.Get(ctx, signature, session)
 
-	if errors.IsNotFound(err) {
+	if apierrors.IsNotFound(err) {
 		return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 	}
 

internal/fositestorage/authorizationcode/authorizationcode.go

@@ -12,7 +12,7 @@ import (
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/handler/oauth2"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	"go.pinniped.dev/internal/constable"
@@ -130,7 +130,7 @@ func (a *authorizeCodeStorage) InvalidateAuthorizeCodeSession(ctx context.Contex
 
 	session.Active = false
 	if _, err := a.storage.Update(ctx, signature, rv, session); err != nil {
-		if errors.IsConflict(err) {
+		if apierrors.IsConflict(err) {
 			return &errSerializationFailureWithCause{cause: err}
 		}
 		return err
@@ -143,7 +143,7 @@ func (a *authorizeCodeStorage) getSession(ctx context.Context, signature string)
 	session := NewValidEmptyAuthorizeCodeSession()
 	rv, err := a.storage.Get(ctx, signature, session)
 
-	if errors.IsNotFound(err) {
+	if apierrors.IsNotFound(err) {
 		return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 	}
 

internal/fositestorage/openidconnect/openidconnect.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/handler/openid"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	"go.pinniped.dev/internal/constable"
@@ -104,7 +104,7 @@ func (a *openIDConnectRequestStorage) getSession(ctx context.Context, signature
 	session := newValidEmptyOIDCSession()
 	rv, err := a.storage.Get(ctx, signature, session)
 
-	if errors.IsNotFound(err) {
+	if apierrors.IsNotFound(err) {
 		return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 	}
 

internal/fositestorage/pkce/pkce.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/handler/pkce"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	"go.pinniped.dev/internal/constable"
@@ -87,7 +87,7 @@ func (a *pkceStorage) getSession(ctx context.Context, signature string) (*sessio
 	session := newValidEmptyPKCESession()
 	rv, err := a.storage.Get(ctx, signature, session)
 
-	if errors.IsNotFound(err) {
+	if apierrors.IsNotFound(err) {
 		return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 	}
 

internal/fositestorage/refreshtoken/refreshtoken.go

@@ -11,7 +11,7 @@ import (
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/handler/oauth2"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	"go.pinniped.dev/internal/constable"
@@ -120,7 +120,7 @@ func (a *refreshTokenStorage) getSession(ctx context.Context, signature string)
 	session := newValidEmptyRefreshTokenSession()
 	rv, err := a.storage.Get(ctx, signature, session)
 
-	if errors.IsNotFound(err) {
+	if apierrors.IsNotFound(err) {
 		return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 	}
 

internal/groupsuffix/groupsuffix.go

@@ -10,7 +10,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/util/errors"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/validation"
 
 	loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
@@ -189,5 +189,5 @@ func Validate(apiGroupSuffix string) error {
 		errs = append(errs, constable.Error(errorString))
 	}
 
-	return errors.NewAggregate(errs)
+	return utilerrors.NewAggregate(errs)
 }

internal/kubeclient/middleware.go

@@ -12,7 +12,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/util/errors"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 )
 
 type Middleware interface {
@@ -119,7 +119,7 @@ func (r *request) mutateRequest(obj Object) (*mutationResult, error) {
 			errs = append(errs, err)
 		}
 	}
-	if err := errors.NewAggregate(errs); err != nil {
+	if err := utilerrors.NewAggregate(errs); err != nil {
 		return nil, fmt.Errorf("request mutation failed: %w", err)
 	}
 
@@ -148,7 +148,7 @@ func (r *request) mutateResponse(obj Object) (bool, error) {
 			errs = append(errs, err)
 		}
 	}
-	if err := errors.NewAggregate(errs); err != nil {
+	if err := utilerrors.NewAggregate(errs); err != nil {
 		return false, fmt.Errorf("response mutation failed: %w", err)
 	}
 

internal/localuserauthenticator/localuserauthenticator.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package localuserauthenticator provides a authentication webhook program.
@@ -27,7 +27,7 @@ import (
 
 	"golang.org/x/crypto/bcrypt"
 	authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	k8sinformers "k8s.io/client-go/informers"
 	corev1informers "k8s.io/client-go/informers/core/v1"
@@ -114,7 +114,7 @@ func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
 	defer func() { _ = req.Body.Close() }()
 
 	secret, err := w.secretInformer.Lister().Secrets(namespace).Get(username)
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	if err != nil && !notFound {
 		plog.Debug("could not get secret", "err", err)
 		rsp.WriteHeader(http.StatusInternalServerError)

internal/oidcclientsecretstorage/oidcclientsecretstorage.go

@@ -9,7 +9,7 @@ import (
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -56,7 +56,7 @@ func New(secrets corev1client.SecretInterface) *OIDCClientSecretStorage {
 func (s *OIDCClientSecretStorage) Get(ctx context.Context, oidcClientUID types.UID) (string, []string, error) {
 	clientSecret := &storedClientSecret{}
 	rv, err := s.storage.Get(ctx, uidToName(oidcClientUID), clientSecret)
-	if errors.IsNotFound(err) {
+	if apierrors.IsNotFound(err) {
 		return "", nil, nil
 	}
 	if err != nil {
@@ -107,7 +107,7 @@ func (s *OIDCClientSecretStorage) Set(ctx context.Context, resourceVersion, oidc
 // Returns nil,nil when the corev1.Secret was not found, as this is not an error for a client to not have any secrets yet.
 func (s *OIDCClientSecretStorage) GetStorageSecret(ctx context.Context, oidcClientUID types.UID) (*corev1.Secret, error) {
 	secret, err := s.secrets.Get(ctx, s.GetName(oidcClientUID), metav1.GetOptions{})
-	if errors.IsNotFound(err) {
+	if apierrors.IsNotFound(err) {
 		return nil, nil
 	}
 	if err != nil {

internal/supervisor/apiserver/apiserver.go

@@ -13,7 +13,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/util/errors"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -109,7 +109,7 @@ func (c completedConfig) New() (*PinnipedServer, error) {
 			),
 		)
 	}
-	if err := errors.NewAggregate(errs); err != nil {
+	if err := utilerrors.NewAggregate(errs); err != nil {
 		return nil, fmt.Errorf("could not install API groups: %w", err)
 	}
 

internal/testutil/fakekubeapi/fakekubeapi.go

@@ -32,7 +32,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/util/errors"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	kubescheme "k8s.io/client-go/kubernetes/scheme"
 	restclient "k8s.io/client-go/rest"
 	aggregatorclientscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
@@ -127,7 +127,7 @@ func decodeObj(r *http.Request) (runtime.Object, error) {
 		}
 		errs = append(errs, err)
 	}
-	return nil, errors.NewAggregate(errs)
+	return nil, utilerrors.NewAggregate(errs)
 }
 
 func tryDecodeObj(

test/integration/concierge_credentialrequest_test.go

@@ -13,7 +13,7 @@ import (
 	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 
@@ -176,7 +176,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken_Parallel(t *
 	)
 
 	require.Error(t, err)
-	statusError, isStatus := err.(*errors.StatusError)
+	statusError, isStatus := err.(*apierrors.StatusError)
 	require.True(t, isStatus, testlib.Sdump(err))
 
 	require.Equal(t, 1, len(statusError.ErrStatus.Details.Causes))

test/integration/concierge_impersonation_proxy_test.go

@@ -39,7 +39,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructuredscheme"
@@ -537,7 +537,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			// Make sure that the deleted ConfigMap shows up in the informer's cache.
 			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 				_, err := informer.Lister().ConfigMaps(namespaceName).Get("configmap-3")
-				requireEventually.Truef(k8serrors.IsNotFound(err), "expected a NotFound error from get, got %v", err)
+				requireEventually.Truef(apierrors.IsNotFound(err), "expected a NotFound error from get, got %v", err)
 
 				list, err := informer.Lister().ConfigMaps(namespaceName).List(configMapLabels.AsSelector())
 				requireEventually.NoError(err)
@@ -579,7 +579,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			// request similar to the one above, except that it will also have an impersonation header.
 			_, err = nestedImpersonationClient.Kubernetes.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, impersonationProxyTLSSecretName(env), metav1.GetOptions{})
 			// this user is not allowed to impersonate other users
-			require.True(t, k8serrors.IsForbidden(err), err)
+			require.True(t, apierrors.IsForbidden(err), err)
 			require.EqualError(t, err, fmt.Sprintf(
 				`users "other-user-to-impersonate" is forbidden: `+
 					`User "%s" cannot impersonate resource "users" in API group "" at the cluster scope: `+
@@ -628,7 +628,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 				refreshCredential).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 				Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 			// this user should not be able to impersonate extra
-			require.True(t, k8serrors.IsForbidden(err), err)
+			require.True(t, apierrors.IsForbidden(err), err)
 			require.EqualError(t, err, fmt.Sprintf(
 				`userextras.authentication.k8s.io "with a dangerous value" is forbidden: `+
 					`User "%s" cannot impersonate resource "userextras/some-fancy-key" in API group "authentication.k8s.io" at the cluster scope: `+
@@ -688,7 +688,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 
 			_, err = nestedImpersonationClient.Kubernetes.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, impersonationProxyTLSSecretName(env), metav1.GetOptions{})
 			// the impersonated user lacks the RBAC to perform this call
-			require.True(t, k8serrors.IsForbidden(err), err)
+			require.True(t, apierrors.IsForbidden(err), err)
 			require.EqualError(t, err, fmt.Sprintf(
 				`secrets "%s" is forbidden: User "other-user-to-impersonate" cannot get resource "secrets" in API group "" in the namespace "%s": `+
 					`decision made by impersonation-proxy.concierge.pinniped.dev`,
@@ -731,8 +731,8 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 
 			_, err := nestedImpersonationClient.Kubernetes.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, impersonationProxyTLSSecretName(env), metav1.GetOptions{})
 			require.EqualError(t, err, "Internal error occurred: unimplemented functionality - unable to act as current user")
-			require.True(t, k8serrors.IsInternalError(err), err)
-			require.Equal(t, &k8serrors.StatusError{
+			require.True(t, apierrors.IsInternalError(err), err)
+			require.Equal(t, &apierrors.StatusError{
 				ErrStatus: metav1.Status{
 					Status: metav1.StatusFailure,
 					Code:   http.StatusInternalServerError,
@@ -768,8 +768,8 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			msg := `Internal Server Error: "/api/v1/namespaces/foo/secrets/bar": requested [{UID  some-awesome-uid  authentication.k8s.io/v1  }] without impersonating a user`
 			full := fmt.Sprintf(`an error on the server (%q) has prevented the request from succeeding (get secrets bar)`, msg)
 			require.EqualError(t, errUID, full)
-			require.True(t, k8serrors.IsInternalError(errUID), errUID)
-			require.Equal(t, &k8serrors.StatusError{
+			require.True(t, apierrors.IsInternalError(errUID), errUID)
+			require.Equal(t, &apierrors.StatusError{
 				ErrStatus: metav1.Status{
 					Status: metav1.StatusFailure,
 					Code:   http.StatusInternalServerError,
@@ -804,8 +804,8 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 
 			_, err := testlib.NewKubeclient(t, nestedImpersonationUID).Kubernetes.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, impersonationProxyTLSSecretName(env), metav1.GetOptions{})
 			require.EqualError(t, err, "Internal error occurred: unimplemented functionality - unable to act as current user")
-			require.True(t, k8serrors.IsInternalError(err), err)
-			require.Equal(t, &k8serrors.StatusError{
+			require.True(t, apierrors.IsInternalError(err), err)
+			require.Equal(t, &apierrors.StatusError{
 				ErrStatus: metav1.Status{
 					Status: metav1.StatusFailure,
 					Code:   http.StatusInternalServerError,
@@ -833,7 +833,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			_, err := nestedImpersonationClient.IdentityV1alpha1().WhoAmIRequests().
 				Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 			// this SA is not yet allowed to impersonate SAs
-			require.True(t, k8serrors.IsForbidden(err), err)
+			require.True(t, apierrors.IsForbidden(err), err)
 			require.EqualError(t, err, fmt.Sprintf(
 				`serviceaccounts "root-ca-cert-publisher" is forbidden: `+
 					`User "%s" cannot impersonate resource "serviceaccounts" in API group "" in the namespace "kube-system": `+
@@ -910,7 +910,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 					whoAmI,
 				)
 			} else {
-				require.True(t, k8serrors.IsUnauthorized(err), testlib.Sdump(err))
+				require.True(t, apierrors.IsUnauthorized(err), testlib.Sdump(err))
 			}
 
 			// Test using a service account token.
@@ -941,7 +941,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			expectedGroups := []string{"system:serviceaccounts", "system:serviceaccounts:" + namespaceName, "system:authenticated"}
 
 			_, tokenRequestProbeErr := kubeClient.ServiceAccounts(namespaceName).CreateToken(ctx, saName, &authenticationv1.TokenRequest{}, metav1.CreateOptions{})
-			if k8serrors.IsNotFound(tokenRequestProbeErr) && tokenRequestProbeErr.Error() == "the server could not find the requested resource" {
+			if apierrors.IsNotFound(tokenRequestProbeErr) && tokenRequestProbeErr.Error() == "the server could not find the requested resource" {
 				return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
 			}
 
@@ -979,7 +979,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 
 			_, badAudErr := impersonationProxySABadAudPinnipedConciergeClient.IdentityV1alpha1().WhoAmIRequests().
 				Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
-			require.True(t, k8serrors.IsUnauthorized(badAudErr), testlib.Sdump(badAudErr))
+			require.True(t, apierrors.IsUnauthorized(badAudErr), testlib.Sdump(badAudErr))
 
 			tokenRequest, err := kubeClient.ServiceAccounts(namespaceName).CreateToken(ctx, saName, &authenticationv1.TokenRequest{
 				Spec: authenticationv1.TokenRequestSpec{
@@ -1385,7 +1385,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 								Authenticator: corev1.TypedLocalObjectReference{APIGroup: ptr.To("anything.pinniped.dev")},
 							},
 						}, metav1.CreateOptions{})
-					require.True(t, k8serrors.IsInvalid(err), testlib.Sdump(err))
+					require.True(t, apierrors.IsInvalid(err), testlib.Sdump(err))
 					require.Equal(t, `.login.concierge.pinniped.dev "" is invalid: spec.token.value: Required value: token must be supplied`, err.Error())
 					require.Equal(t, &loginv1alpha1.TokenCredentialRequest{}, tkr)
 				})
@@ -1409,7 +1409,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 					require.Equal(t, "ok", string(healthz))
 
 					healthzLog, errHealthzLog := impersonationProxyAdminRestClientAsAnonymous.Get().AbsPath("/healthz/log").DoRaw(ctx)
-					require.True(t, k8serrors.IsForbidden(errHealthzLog), "%s\n%s", testlib.Sdump(errHealthzLog), string(healthzLog))
+					require.True(t, apierrors.IsForbidden(errHealthzLog), "%s\n%s", testlib.Sdump(errHealthzLog), string(healthzLog))
 					require.Equal(t, `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/healthz/log\": decision made by impersonation-proxy.concierge.pinniped.dev","reason":"Forbidden","details":{},"code":403}`+"\n", string(healthzLog))
 				})
 			})
@@ -1440,7 +1440,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 
 					pod, err := impersonationProxyAnonymousClient.Kubernetes.CoreV1().Pods(metav1.NamespaceSystem).
 						Get(ctx, "does-not-matter", metav1.GetOptions{})
-					require.True(t, k8serrors.IsForbidden(err), testlib.Sdump(err))
+					require.True(t, apierrors.IsForbidden(err), testlib.Sdump(err))
 					require.EqualError(t, err, `pods "does-not-matter" is forbidden: User "system:anonymous" cannot get resource "pods" in API group "" in the namespace "kube-system": `+
 						`decision made by impersonation-proxy.concierge.pinniped.dev`, testlib.Sdump(err))
 					require.Equal(t, &corev1.Pod{}, pod)
@@ -1479,7 +1479,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 					parallelIfNotEKS(t)
 
 					healthz, err := impersonationProxyAnonymousRestClient.Get().AbsPath("/healthz").DoRaw(ctx)
-					require.True(t, k8serrors.IsUnauthorized(err), testlib.Sdump(err))
+					require.True(t, apierrors.IsUnauthorized(err), testlib.Sdump(err))
 					require.Equal(t, `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}`+"\n", string(healthz))
 				})
 
@@ -1492,7 +1492,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 
 					pod, err := impersonationProxyAnonymousClient.Kubernetes.CoreV1().Pods(metav1.NamespaceSystem).
 						Get(ctx, "does-not-matter", metav1.GetOptions{})
-					require.True(t, k8serrors.IsUnauthorized(err), testlib.Sdump(err))
+					require.True(t, apierrors.IsUnauthorized(err), testlib.Sdump(err))
 					require.Equal(t, &corev1.Pod{}, pod)
 				})
 
@@ -1505,7 +1505,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 
 					whoAmI, err := impersonationProxyAnonymousClient.PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 						Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
-					require.True(t, k8serrors.IsUnauthorized(err), testlib.Sdump(err))
+					require.True(t, apierrors.IsUnauthorized(err), testlib.Sdump(err))
 					require.Equal(t, &identityv1alpha1.WhoAmIRequest{}, whoAmI)
 				})
 			})
@@ -1537,7 +1537,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 
 		// sanity check default expected error message
 		_, err := impersonationProxySSRRClient.Create(ctx, invalidSSRR, metav1.CreateOptions{})
-		require.True(t, k8serrors.IsBadRequest(err), testlib.Sdump(err))
+		require.True(t, apierrors.IsBadRequest(err), testlib.Sdump(err))
 		require.EqualError(t, err, "no namespace on request")
 
 		// remove the impersonation proxy SA's permissions
@@ -1581,11 +1581,11 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			case errCreate == nil:
 				return false, fmt.Errorf("unexpected nil error for test user create invalid SSRR")
 
-			case k8serrors.IsBadRequest(errCreate) && errCreate.Error() == "no namespace on request":
+			case apierrors.IsBadRequest(errCreate) && errCreate.Error() == "no namespace on request":
 				t.Log("waiting for impersonation proxy service account to lose impersonate permissions")
 				return false, nil // RBAC change has not rolled out yet
 
-			case k8serrors.IsForbidden(errCreate) && errCreate.Error() ==
+			case apierrors.IsForbidden(errCreate) && errCreate.Error() ==
 				`users "`+env.TestUser.ExpectedUsername+`" is forbidden: User "`+saFullName+
 					`" cannot impersonate resource "users" in API group "" at the cluster scope`:
 				return true, nil // expected RBAC error
@@ -1968,7 +1968,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		// when we disable the impersonator.
 		testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 			_, err := adminClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, impersonationProxyTLSSecretName(env), metav1.GetOptions{})
-			requireEventually.Truef(k8serrors.IsNotFound(err), "expected NotFound error, got %v", err)
+			requireEventually.Truef(apierrors.IsNotFound(err), "expected NotFound error, got %v", err)
 		}, 2*time.Minute, time.Second)
 
 		// Check that the generated CA cert Secret was not deleted by the controller because it's supposed to keep this
@@ -2301,7 +2301,7 @@ func updateCredentialIssuer(ctx context.Context, t *testing.T, env *testlib.Test
 
 func hasImpersonationProxyLoadBalancerService(ctx context.Context, env *testlib.TestEnv, client kubernetes.Interface) (bool, error) {
 	service, err := client.CoreV1().Services(env.ConciergeNamespace).Get(ctx, impersonationProxyLoadBalancerName(env), metav1.GetOptions{})
-	if k8serrors.IsNotFound(err) {
+	if apierrors.IsNotFound(err) {
 		return false, nil
 	}
 	if err != nil {

test/integration/concierge_jwtauthenticator_status_test.go

@@ -11,7 +11,7 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/require"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
@@ -339,7 +339,7 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 			t.Cleanup(func() {
 				// delete if it exists
 				delErr := jwtAuthenticatorClient.Delete(ctx, tt.jwtAuthenticator.Name, metav1.DeleteOptions{})
-				if !errors.IsNotFound(delErr) {
+				if !apierrors.IsNotFound(delErr) {
 					require.NoError(t, delErr)
 				}
 			})

test/integration/concierge_kubecertagent_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package integration
@@ -11,7 +11,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/utils/ptr"
@@ -133,7 +133,7 @@ func TestLegacyPodCleaner_Parallel(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 		defer cancel()
 		err := kubeClient.CoreV1().Pods(pod.Namespace).Delete(ctx, pod.Name, metav1.DeleteOptions{GracePeriodSeconds: ptr.To[int64](0)})
-		if !k8serrors.IsNotFound(err) {
+		if !apierrors.IsNotFound(err) {
 			require.NoError(t, err, "failed to clean up fake legacy agent pod")
 		}
 	})
@@ -141,7 +141,7 @@ func TestLegacyPodCleaner_Parallel(t *testing.T) {
 	// Expect the legacy-pod-cleaner controller to delete the pod.
 	testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 		_, err := kubeClient.CoreV1().Pods(pod.Namespace).Get(ctx, pod.Name, metav1.GetOptions{})
-		if k8serrors.IsNotFound(err) {
+		if apierrors.IsNotFound(err) {
 			t.Logf("fake legacy agent pod %s/%s was deleted as expected", pod.Namespace, pod.Name)
 			return true, nil
 		}

test/integration/concierge_webhookauthenticator_status_test.go

@@ -9,7 +9,7 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/require"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
@@ -250,7 +250,7 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) {
 			t.Cleanup(func() {
 				// delete if it exists
 				delErr := webhookAuthenticatorClient.Delete(ctx, tt.webhookAuthenticator.Name, metav1.DeleteOptions{})
-				if !errors.IsNotFound(delErr) {
+				if !apierrors.IsNotFound(delErr) {
 					require.NoError(t, delErr)
 				}
 			})

test/integration/concierge_whoami_test.go

@@ -18,7 +18,7 @@ import (
 	certificatesv1 "k8s.io/api/certificates/v1"
 	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/cert"
@@ -173,7 +173,7 @@ func TestWhoAmI_ServiceAccount_TokenRequest_Parallel(t *testing.T) {
 	require.NoError(t, err)
 
 	_, tokenRequestProbeErr := coreV1client.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{}, metav1.CreateOptions{})
-	if errors.IsNotFound(tokenRequestProbeErr) && tokenRequestProbeErr.Error() == "the server could not find the requested resource" {
+	if apierrors.IsNotFound(tokenRequestProbeErr) && tokenRequestProbeErr.Error() == "the server could not find the requested resource" {
 		return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
 	}
 
@@ -210,7 +210,7 @@ func TestWhoAmI_ServiceAccount_TokenRequest_Parallel(t *testing.T) {
 
 	_, badAudErr := testlib.NewKubeclient(t, saBadAudConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 		Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
-	require.True(t, errors.IsUnauthorized(badAudErr), testlib.Sdump(badAudErr))
+	require.True(t, apierrors.IsUnauthorized(badAudErr), testlib.Sdump(badAudErr))
 
 	tokenRequest, err := coreV1client.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{
 		Spec: authenticationv1.TokenRequestSpec{

test/integration/kubeclient_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package integration
@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
 
@@ -98,7 +98,7 @@ func TestKubeClientOwnerRef(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 		defer cancel()
 		err := regularAggregationClient.ApiregistrationV1().APIServices().Delete(ctx, parentAPIService.Name, metav1.DeleteOptions{})
-		if errors.IsNotFound(err) {
+		if apierrors.IsNotFound(err) {
 			return
 		}
 		require.NoError(t, err)
@@ -310,7 +310,7 @@ func isEventuallyDeleted(t *testing.T, f func() error) {
 		switch {
 		case err == nil:
 			return false, nil
-		case errors.IsNotFound(err):
+		case apierrors.IsNotFound(err):
 			return true, nil
 		default:
 			return false, err

test/integration/supervisor_discovery_test.go

@@ -19,7 +19,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/retry"
@@ -376,7 +376,7 @@ func temporarilyRemoveAllFederationDomainsAndDefaultTLSCertSecret(
 
 	// Also remove the supervisor's default TLS cert
 	originalSecret, err := kubeClient.CoreV1().Secrets(ns).Get(ctx, defaultTLSCertSecretName, metav1.GetOptions{})
-	notFound := k8serrors.IsNotFound(err)
+	notFound := apierrors.IsNotFound(err)
 	require.False(t, err != nil && !notFound, "unexpected error when getting %s", defaultTLSCertSecretName)
 	if notFound {
 		originalSecret = nil

test/integration/supervisor_federationdomain_status_test.go

@@ -12,7 +12,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/util/retry"
 	"k8s.io/utils/ptr"
@@ -914,7 +914,7 @@ func TestSupervisorFederationDomainCRDValidations_Parallel(t *testing.T) {
 			t.Cleanup(func() {
 				// Delete it if it exists.
 				delErr := fdClient.Delete(ctx, tt.fd.Name, metav1.DeleteOptions{})
-				if !k8serrors.IsNotFound(delErr) {
+				if !apierrors.IsNotFound(delErr) {
 					require.NoError(t, delErr)
 				}
 			})

test/integration/supervisor_oidc_client_test.go

@@ -13,7 +13,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 
@@ -393,7 +393,7 @@ func TestOIDCClientStaticValidation_Parallel(t *testing.T) {
 			},
 			fixWant: func(t *testing.T, err error, want string) string {
 				// sort the error causes and use that to rebuild a sorted error message
-				statusErr := &errors.StatusError{}
+				statusErr := &apierrors.StatusError{}
 				require.ErrorAs(t, err, &statusErr)
 				require.Len(t, statusErr.ErrStatus.Details.Causes, 4)
 				out := make([]string, 0, len(statusErr.ErrStatus.Details.Causes))

test/integration/supervisor_oidcclientsecret_test.go

@@ -15,7 +15,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/bcrypt"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/yaml"
 
@@ -916,7 +916,7 @@ func TestCreateOIDCClientSecretRequest_Parallel(t *testing.T) {
 					_, err := kubeClient.CoreV1().Secrets(oidcClient.Namespace).
 						Get(cleanupCtx, oidcclientsecretstorage.New(nil).GetName(oidcClient.UID), metav1.GetOptions{})
 					requireEventually.Error(err, "deleting OIDCClient should result in deleting storage secrets")
-					requireEventually.True(k8serrors.IsNotFound(err),
+					requireEventually.True(apierrors.IsNotFound(err),
 						"deleting OIDCClient should result in deleting storage secrets")
 				}, 2*time.Minute, 250*time.Millisecond)
 			})
@@ -984,7 +984,7 @@ func TestCreateOIDCClientSecretRequest_Parallel(t *testing.T) {
 					Get(ctx, oidcclientsecretstorage.New(nil).GetName(oidcClient.UID), metav1.GetOptions{})
 				if !hasSecretBeenGenerated {
 					require.Error(t, getStorageSecretError, "expected not found error")
-					require.True(t, k8serrors.IsNotFound(getStorageSecretError), "expected not found error")
+					require.True(t, apierrors.IsNotFound(getStorageSecretError), "expected not found error")
 					// no storage secret was created, so no reason to continue making assertions
 					continue
 				}

test/integration/supervisor_storage_garbage_collection_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package integration
@@ -11,7 +11,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 
@@ -54,12 +54,12 @@ func TestStorageGarbageCollection_Parallel(t *testing.T) {
 	slightlyLongerThanGCControllerFullResyncPeriod := 3*time.Minute + 30*time.Second
 	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		_, err := secrets.Get(ctx, secretAlreadyExpired.Name, metav1.GetOptions{})
-		requireEventually.Truef(k8serrors.IsNotFound(err), "wanted a NotFound error but got %v", err)
+		requireEventually.Truef(apierrors.IsNotFound(err), "wanted a NotFound error but got %v", err)
 	}, slightlyLongerThanGCControllerFullResyncPeriod, 250*time.Millisecond)
 
 	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		_, err := secrets.Get(ctx, secretWhichWillExpireBeforeTheTestEnds.Name, metav1.GetOptions{})
-		requireEventually.Truef(k8serrors.IsNotFound(err), "wanted a NotFound error but got %v", err)
+		requireEventually.Truef(apierrors.IsNotFound(err), "wanted a NotFound error but got %v", err)
 	}, slightlyLongerThanGCControllerFullResyncPeriod, 250*time.Millisecond)
 
 	// The unexpired secret should not have been deleted within the timeframe of this test run.
@@ -96,7 +96,7 @@ func updateSecretEveryTwoSeconds(stopCh chan struct{}, errCh chan error, secrets
 		case updateErr == nil:
 			// continue to next update
 
-		case k8serrors.IsConflict(updateErr), k8serrors.IsNotFound(updateErr):
+		case apierrors.IsConflict(updateErr), apierrors.IsNotFound(updateErr):
 			select {
 			case _, ok := <-stopCh:
 				if !ok { // stopCh is closed meaning that test is already finished so these errors are expected
@@ -121,7 +121,7 @@ func createSecret(ctx context.Context, t *testing.T, secrets corev1client.Secret
 		ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 		defer cancel()
 		err := secrets.Delete(ctx, secret.Name, metav1.DeleteOptions{})
-		notFound := k8serrors.IsNotFound(err)
+		notFound := apierrors.IsNotFound(err)
 		if !notFound {
 			// it's okay if the Secret was already deleted, but other errors are cleanup failures
 			require.NoError(t, err)

test/integration/supervisor_storage_test.go

@@ -14,7 +14,7 @@ import (
 	"github.com/ory/fosite/compose"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"go.pinniped.dev/internal/federationdomain/clientregistry"
@@ -85,7 +85,7 @@ func TestAuthorizeCodeStorage(t *testing.T) {
 	// trying to create the session again fails because it already exists
 	err = storage.CreateAuthorizeCodeSession(ctx, signature, session.Request)
 	require.Error(t, err)
-	require.True(t, errors.IsAlreadyExists(err))
+	require.True(t, apierrors.IsAlreadyExists(err))
 
 	// check that the data stored in Kube matches what we put in
 	initialSecret, err := secrets.Get(ctx, name, metav1.GetOptions{})

test/testlib/client.go

@@ -19,7 +19,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@@ -33,7 +33,7 @@ import (
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
-	supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+	pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 	"go.pinniped.dev/internal/groupsuffix"
 	"go.pinniped.dev/internal/kubeclient"
 
@@ -80,13 +80,13 @@ func NewKubernetesClientset(t *testing.T) kubernetes.Interface {
 	return NewKubeclient(t, NewClientConfig(t)).Kubernetes
 }
 
-func NewSupervisorClientset(t *testing.T) supervisorclientset.Interface {
+func NewSupervisorClientset(t *testing.T) pinnipedsupervisorclientset.Interface {
 	t.Helper()
 
 	return NewKubeclient(t, NewClientConfig(t)).PinnipedSupervisor
 }
 
-func NewAnonymousSupervisorClientset(t *testing.T) supervisorclientset.Interface {
+func NewAnonymousSupervisorClientset(t *testing.T) pinnipedsupervisorclientset.Interface {
 	t.Helper()
 
 	return NewKubeclient(t, NewAnonymousClientRestConfig(t)).PinnipedSupervisor
@@ -380,7 +380,7 @@ func CreateTestFederationDomain(
 		deleteCtx, cancel := context.WithTimeout(context.Background(), time.Minute)
 		defer cancel()
 		err := federationDomainsClient.Delete(deleteCtx, federationDomain.Name, metav1.DeleteOptions{})
-		notFound := k8serrors.IsNotFound(err)
+		notFound := apierrors.IsNotFound(err)
 		// It's okay if it is not found, because it might have been deleted by another part of this test.
 		if !notFound {
 			require.NoErrorf(t, err, "could not cleanup test FederationDomain %s/%s", federationDomain.Namespace, federationDomain.Name)
@@ -609,7 +609,7 @@ func CreateTestOIDCIdentityProviderWithObjectMeta(t *testing.T, spec idpv1alpha1
 	t.Cleanup(func() {
 		t.Logf("cleaning up test OIDCIdentityProvider %s/%s", created.Namespace, created.Name)
 		err := upstreams.Delete(context.Background(), created.Name, metav1.DeleteOptions{})
-		notFound := k8serrors.IsNotFound(err)
+		notFound := apierrors.IsNotFound(err)
 		// It's okay if it is not found, because it might have been deleted by another part of this test.
 		if !notFound {
 			require.NoErrorf(t, err, "could not cleanup test OIDCIdentityProvider %s/%s", created.Namespace, created.Name)