Show debug logs in authentication (#325)

Bumps [github.com/int128/oauth2cli](https://github.com/int128/oauth2cli) from 1.11.0 to 1.12.1.
- [Release notes](https://github.com/int128/oauth2cli/releases)
- [Commits](https://github.com/int128/oauth2cli/compare/v1.11.0...v1.12.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,23 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Environment**
+ - OS: [e.g. macOS, Linux]
+ - kubelogin version: [e.g. 1.19.3]
+ - kubectl version: [e.g. 1.19]
+ - OpenID Connect provider: [e.g. Google, Okta]

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,17 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.

.github/workflows/system-test.yaml

@@ -1,6 +1,6 @@
 on: [push]
 jobs:
-  acceptance-test:
+  system-test:
     # https://help.github.com/en/actions/automating-your-workflow-with-github-actions/software-installed-on-github-hosted-runners#ubuntu-1804-lts
     runs-on: ubuntu-18.04
     steps:
@@ -22,7 +22,8 @@ jobs:
           sudo mv ./kind /usr/local/bin/kind
           kind version
       # https://packages.ubuntu.com/xenial/libnss3-tools
+      - run: sudo apt update
       - run: sudo apt install -y libnss3-tools
       - run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
-      - run: make -C acceptance_test -j3 setup
-      - run: make -C acceptance_test test
+      - run: make -C system_test -j3 setup
+      - run: make -C system_test test

.gitignore

@@ -1,5 +1,6 @@
 /.idea
 
+/system_test/output/
 /acceptance_test/output/
 
 /dist/output

README.md

@@ -1,10 +1,10 @@
-# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) ![acceptance-test](https://github.com/int128/kubelogin/workflows/acceptance-test/badge.svg) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
+# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
 
 This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.
 
 Here is an example of Kubernetes authentication with the Google Identity Platform:
 
-<img alt="screencast" src="https://user-images.githubusercontent.com/321266/70971501-7bcebc80-20e4-11ea-8afc-539dcaea0aa8.gif" width="652" height="455">
+<img alt="screencast" src="https://user-images.githubusercontent.com/321266/85427290-86e43700-b5b6-11ea-9e97-ffefd736c9b7.gif" width="572" height="391">
 
 Kubelogin is designed to run as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
 When you run kubectl, kubelogin opens the browser and you can log in to the provider.
@@ -46,7 +46,7 @@ users:
       - --oidc-client-secret=YOUR_CLIENT_SECRET
 ```
 
-See [the setup guide](docs/setup.md) for more.
+See [setup guide](docs/setup.md) for more.
 
 
 ### Run
@@ -83,21 +83,26 @@ If the refresh token has expired, kubelogin will perform reauthentication.
 You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
 Kubelogin will perform authentication if the token cache file does not exist.
 
-You can dump the claims of token by passing `-v1` option.
+You can dump claims of an ID token by `setup` command.
 
-```
-I0221 21:54:08.151850   28231 get_token.go:104] you got a token: {
+```console
+% kubectl oidc-login setup --oidc-issuer-url https://accounts.google.com --oidc-client-id REDACTED --oidc-client-secret REDACTED
+authentication in progress...
+
+## 2. Verify authentication
+
+You got a token with the following claims:
+
+{
   "sub": "********",
   "iss": "https://accounts.google.com",
   "aud": "********",
-  "iat": 1582289639,
-  "exp": 1582293239,
-  "jti": "********",
-  "nonce": "********",
-  "at_hash": "********"
+  ...
 }
 ```
 
+You can verify kubelogin works with your provider using [acceptance test](acceptance_test).
+
 
 ## Usage
 
@@ -323,4 +328,4 @@ make
 ./kubelogin
 ```
 
-See also [the acceptance test](acceptance_test).
+See also [the system test](system_test).

acceptance_test/Makefile

@@ -1,100 +1,31 @@
 CLUSTER_NAME := kubelogin-acceptance-test
 OUTPUT_DIR := $(CURDIR)/output
 
-PATH := $(PATH):$(OUTPUT_DIR)/bin
-export PATH
 KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
 export KUBECONFIG
 
-# run the login script instead of opening chrome
-BROWSER := $(OUTPUT_DIR)/bin/chromelogin
-export BROWSER
-
-.PHONY: test
-test: build
-	# see the setup instruction
-	kubectl oidc-login setup \
-		--oidc-issuer-url=https://dex-server:10443/dex \
-		--oidc-client-id=YOUR_CLIENT_ID \
-		--oidc-client-secret=YOUR_CLIENT_SECRET \
-		--oidc-extra-scope=email \
-		--certificate-authority=$(OUTPUT_DIR)/ca.crt
-	# set up the kubeconfig
-	kubectl config set-credentials oidc \
-		--exec-api-version=client.authentication.k8s.io/v1beta1 \
-		--exec-command=kubectl \
-		--exec-arg=oidc-login \
-		--exec-arg=get-token \
-		--exec-arg=--oidc-issuer-url=https://dex-server:10443/dex \
-		--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
-		--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
-		--exec-arg=--oidc-extra-scope=email \
-		--exec-arg=--certificate-authority=$(OUTPUT_DIR)/ca.crt
-	# make sure we can access the cluster
-	kubectl --user=oidc cluster-info
-	# switch the current context
-	kubectl config set-context --current --user=oidc
-	# make sure we can access the cluster
-	kubectl cluster-info
-
-.PHONY: setup
-setup: build dex cluster setup-chrome
-
-.PHONY: setup-chrome
-setup-chrome: $(OUTPUT_DIR)/ca.crt
-	# add the dex server certificate to the trust store
-	mkdir -p ~/.pki/nssdb
-	cd ~/.pki/nssdb && certutil -A -d sql:. -n dex -i $(OUTPUT_DIR)/ca.crt -t "TC,,"
-
-# build binaries
-.PHONY: build
-build: $(OUTPUT_DIR)/bin/kubectl-oidc_login $(OUTPUT_DIR)/bin/chromelogin
-$(OUTPUT_DIR)/bin/kubectl-oidc_login:
-	go build -o $@ ..
-$(OUTPUT_DIR)/bin/chromelogin: chromelogin/main.go
-	go build -o $@ ./chromelogin
-
-# create a Dex server
-.PHONY: dex
-dex: $(OUTPUT_DIR)/server.crt $(OUTPUT_DIR)/server.key
-	docker create --name dex-server -p 10443:10443 --network kind quay.io/dexidp/dex:v2.21.0 serve /dex.yaml
-	docker cp $(OUTPUT_DIR)/server.crt dex-server:/
-	docker cp $(OUTPUT_DIR)/server.key dex-server:/
-	docker cp dex.yaml dex-server:/
-	docker start dex-server
-	docker logs dex-server
-
-$(OUTPUT_DIR)/ca.key:
-	mkdir -p $(OUTPUT_DIR)
-	openssl genrsa -out $@ 2048
-$(OUTPUT_DIR)/ca.csr: $(OUTPUT_DIR)/ca.key
-	openssl req -new -key $(OUTPUT_DIR)/ca.key -out $@ -subj "/CN=dex-ca" -config openssl.cnf
-$(OUTPUT_DIR)/ca.crt: $(OUTPUT_DIR)/ca.key $(OUTPUT_DIR)/ca.csr
-	openssl x509 -req -in $(OUTPUT_DIR)/ca.csr -signkey $(OUTPUT_DIR)/ca.key -out $@ -days 10
-$(OUTPUT_DIR)/server.key:
-	mkdir -p $(OUTPUT_DIR)
-	openssl genrsa -out $@ 2048
-$(OUTPUT_DIR)/server.csr: openssl.cnf $(OUTPUT_DIR)/server.key
-	openssl req -new -key $(OUTPUT_DIR)/server.key -out $@ -subj "/CN=dex-server" -config openssl.cnf
-$(OUTPUT_DIR)/server.crt: openssl.cnf $(OUTPUT_DIR)/server.csr $(OUTPUT_DIR)/ca.crt $(OUTPUT_DIR)/ca.key
-	openssl x509 -req -in $(OUTPUT_DIR)/server.csr -CA $(OUTPUT_DIR)/ca.crt -CAkey $(OUTPUT_DIR)/ca.key -CAcreateserial -out $@ -sha256 -days 10 -extensions v3_req -extfile openssl.cnf
-
 # create a Kubernetes cluster
 .PHONY: cluster
-cluster: dex create-cluster
-	# add the Dex container IP to /etc/hosts of kube-apiserver
-	docker inspect -f '{{.NetworkSettings.IPAddress}}' dex-server | sed -e 's,$$, dex-server,' | \
-		kubectl -n kube-system exec -i kube-apiserver-$(CLUSTER_NAME)-control-plane -- tee -a /etc/hosts
-	# wait for kube-apiserver oidc initialization
-	# (oidc authenticator will retry oidc discovery every 10s)
-	sleep 10
-
-.PHONY: create-cluster
-create-cluster: $(OUTPUT_DIR)/ca.crt
-	cp $(OUTPUT_DIR)/ca.crt /tmp/kubelogin-acceptance-test-dex-ca.crt
-	kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml
+cluster:
+	# create a cluster
+	mkdir -p $(OUTPUT_DIR)
+	sed -e "s|OIDC_ISSUER_URL|$(OIDC_ISSUER_URL)|" -e "s|OIDC_CLIENT_ID|$(OIDC_CLIENT_ID)|" cluster.yaml > $(OUTPUT_DIR)/cluster.yaml
+	kind create cluster --name $(CLUSTER_NAME) --config $(OUTPUT_DIR)/cluster.yaml
+	# set up access control
 	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
-	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com
+	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=$(YOUR_EMAIL)
+	# set up kubectl
+	kubectl config set-credentials oidc \
+		--exec-api-version=client.authentication.k8s.io/v1beta1 \
+		--exec-command=$(CURDIR)/../kubelogin \
+		--exec-arg=get-token \
+		--exec-arg=--token-cache-dir=$(OUTPUT_DIR)/token-cache \
+		--exec-arg=--oidc-issuer-url=$(OIDC_ISSUER_URL) \
+		--exec-arg=--oidc-client-id=$(OIDC_CLIENT_ID) \
+		--exec-arg=--oidc-client-secret=$(OIDC_CLIENT_SECRET) \
+		--exec-arg=--oidc-extra-scope=email
+	# switch the default user
+	kubectl config set-context --current --user=oidc
 
 # clean up the resources
 .PHONY: clean
@@ -103,7 +34,9 @@ clean:
 .PHONY: delete-cluster
 delete-cluster:
 	kind delete cluster --name $(CLUSTER_NAME)
-.PHONY: delete-dex
-delete-dex:
-	docker stop dex-server
-	docker rm dex-server
+
+.PHONY: check
+check:
+	docker version
+	kind version
+	kubectl version --client

acceptance_test/README.md

@@ -1,109 +1,75 @@
 # kubelogin/acceptance_test
 
-This is an acceptance test for walkthrough of the OIDC initial setup and plugin behavior using a real Kubernetes cluster and OpenID Connect provider, running on [GitHub Actions](https://github.com/int128/kubelogin/actions?query=workflow%3Aacceptance-test).
-
-It is intended to verify the following points:
-
-- User can set up Kubernetes OIDC authentication and this plugin.
-- User can access a cluster after login.
-
-It performs the test using the following components:
-
-- Kubernetes cluster (Kind)
-- OIDC provider (Dex)
-- Browser (Chrome)
-- kubectl command
+This is a manual test for verifying Kubernetes OIDC authentication with your OIDC provider.
 
 
-## How it works
+## Purpose
 
-Let's take a look at the diagram.
+This test checks the following points:
 
-![diagram](../docs/acceptance-test-diagram.svg)
-
-It prepares the following resources:
-
-1. Generate a pair of CA certificate and TLS server certificate for Dex.
-1. Run Dex on a container.
-1. Create a Kubernetes cluster using Kind.
-1. Mutate `/etc/hosts` of the CI machine to access Dex.
-1. Mutate `/etc/hosts` of the kube-apiserver pod to access Dex.
-
-It performs the test by the following steps:
-
-1. Run kubectl.
-1. kubectl automatically runs kubelogin.
-1. kubelogin automatically runs [chromelogin](chromelogin).
-1. chromelogin opens the browser, navigates to `http://localhost:8000` and enter the username and password.
-1. kubelogin gets an authorization code from the browser.
-1. kubelogin gets a token.
-1. kubectl accesses an API with the token.
-1. kube-apiserver verifies the token by Dex.
-1. Check if kubectl exited with code 0.
+1. You can set up your OIDC provider using [setup guide](../docs/setup.md).
+1. The plugin works with your OIDC provider.
 
 
-## Run locally
+## Getting Started
 
-You need to set up the following components:
+### Prerequisite
+
+You need to build the plugin into the parent directory.
+
+```sh
+make -C ..
+```
+
+You need to set up your provider.
+See [setup guide](../docs/setup.md) for more.
+
+You need to install the following tools:
 
 - Docker
 - Kind
-- Chrome or Chromium
+- kubectl
 
-You need to add the following line to `/etc/hosts` so that the browser can access the Dex.
+You can check if the tools are available.
 
-```
-127.0.0.1 dex-server
+```sh
+make check
 ```
 
-Run the test.
+### 1. Create a cluster
 
-```shell script
-# run the test
-make
+Create a cluster.
+For example, you can create a cluster with Google account authentication.
 
-# clean up
+```sh
+make OIDC_ISSUER_URL=https://accounts.google.com \
+  OIDC_CLIENT_ID=REDACTED.apps.googleusercontent.com \
+  OIDC_CLIENT_SECRET=REDACTED \
+  YOUR_EMAIL=REDACTED@gmail.com
+```
+
+It will do the following steps:
+
+1. Create a cluster.
+1. Set up access control. It allows read-only access from your email address.
+1. Set up kubectl to enable the plugin.
+
+You can change kubectl configuration in generated `output/kubeconfig.yaml`.
+
+### 2. Run kubectl
+
+Make sure you can log in to the provider and access the cluster.
+
+```console
+% export KUBECONFIG=$PWD/output/kubeconfig.yaml
+% kubectl get pods -A
+```
+
+### Clean up
+
+To delete the cluster and generated files:
+
+```sh
 make delete-cluster
-make delete-dex
+make clean
 ```
-
-
-## Technical consideration
-
-### Network and DNS
-
-Consider the following issues:
-
-- kube-apiserver runs on the host network of the kind container.
-- kube-apiserver cannot resolve a service name by kube-dns.
-- kube-apiserver cannot access a cluster IP.
-- kube-apiserver can access another container via the Docker network.
-- Chrome requires exactly match of domain name between Dex URL and a server certificate.
-
-Consequently,
-
-- kube-apiserver accesses Dex by resolving `/etc/hosts` and via the Docker network.
-- kubelogin and Chrome accesses Dex by resolving `/etc/hosts` and via the Docker network.
-
-### TLS server certificate
-
-Consider the following issues:
-
-- kube-apiserver requires `--oidc-issuer` is HTTPS URL.
-- kube-apiserver requires a CA certificate at startup, if `--oidc-ca-file` is given.
-- kube-apiserver mounts `/usr/local/share/ca-certificates` from the kind container.
-- It is possible to mount a file from the CI machine.
-- It is not possible to issue a certificate using Let's Encrypt in runtime.
-- Chrome requires a valid certificate in `~/.pki/nssdb`.
-
-As a result,
-
-- kube-apiserver uses the CA certificate of `/usr/local/share/ca-certificates/dex-ca.crt`. See the `extraMounts` section of [`cluster.yaml`](cluster.yaml).
-- kubelogin uses the CA certificate in `output/ca.crt`.
-- Chrome uses the CA certificate in `~/.pki/nssdb`.
-
-### Test environment
-
-- Set the issuer URL to kubectl. See [`kubeconfig_oidc.yaml`](kubeconfig_oidc.yaml).
-- Set the issuer URL to kube-apiserver. See [`cluster.yaml`](cluster.yaml).
-- Set `BROWSER` environment variable to run [`chromelogin`](chromelogin) by `xdg-open`.

acceptance_test/cluster.yaml

@@ -1,6 +1,5 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
-# https://github.com/dexidp/dex/blob/master/Documentation/kubernetes.md
 kubeadmConfigPatches:
   - |
     apiVersion: kubeadm.k8s.io/v1beta2
@@ -9,12 +8,6 @@ kubeadmConfigPatches:
       name: config
     apiServer:
       extraArgs:
-        oidc-issuer-url: https://dex-server:10443/dex
-        oidc-client-id: YOUR_CLIENT_ID
+        oidc-issuer-url: OIDC_ISSUER_URL
+        oidc-client-id: OIDC_CLIENT_ID
         oidc-username-claim: email
-        oidc-ca-file: /usr/local/share/ca-certificates/dex-ca.crt
-nodes:
-  - role: control-plane
-    extraMounts:
-      - hostPath: /tmp/kubelogin-acceptance-test-dex-ca.crt
-        containerPath: /usr/local/share/ca-certificates/dex-ca.crt

dist/oidc-login.yaml

@@ -22,8 +22,6 @@ spec:
 
   caveats: |
     You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
-    See https://github.com/int128/kubelogin for more.
-
   version: {{ env "VERSION" }}
   platforms:
     - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_amd64.zip

docs/setup.md

@@ -126,6 +126,9 @@ Variable                | Value
 
 You do not need to set `YOUR_CLIENT_SECRET`.
 
+If you need `groups` claim for access control,
+see [jetstack/okta-kubectl-auth](https://github.com/jetstack/okta-kubectl-auth/blob/master/docs/okta-setup.md) and [#250](https://github.com/int128/kubelogin/issues/250).
+
 
 ## 2. Verify authentication
 

go.mod

@@ -7,9 +7,9 @@ require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/golang/mock v1.4.3
-	github.com/google/go-cmp v0.4.1
+	github.com/google/go-cmp v0.5.0
 	github.com/google/wire v0.4.0
-	github.com/int128/oauth2cli v1.11.0
+	github.com/int128/oauth2cli v1.12.1
 	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/spf13/cobra v1.0.0
@@ -20,7 +20,7 @@ require (
 	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
 	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
 	gopkg.in/yaml.v2 v2.3.0
-	k8s.io/apimachinery v0.18.3
-	k8s.io/client-go v0.18.3
+	k8s.io/apimachinery v0.18.5
+	k8s.io/client-go v0.18.5
 	k8s.io/klog v1.0.0
 )

go.sum

@@ -82,10 +82,8 @@ github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.4.1 h1:/exdXoGamhu5ONeUJH0deniYLWYvQwW66yvlfiiKTu0=
-github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0 h1:/QaMHBdZ26BB3SSst0Iwl10Epc+xhTquomWX0oZEB6w=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
@@ -115,8 +113,8 @@ github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NH
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/int128/listener v1.1.0 h1:2Jb41DWLpkQ3I9bIdBzO8H/tNwMvyl/OBZWtCV5Pjuw=
 github.com/int128/listener v1.1.0/go.mod h1:68WkmTN8PQtLzc9DucIaagAKeGVyMnyyKIkW4Xn47UA=
-github.com/int128/oauth2cli v1.11.0 h1:yohafseIxX8xESedQOxB3rpuuodDowYiPaTFMpqPP3Q=
-github.com/int128/oauth2cli v1.11.0/go.mod h1:O3Tjuj1cyQCuM11KbH2ffh0O6LRX0+O97Z3InsY0M3g=
+github.com/int128/oauth2cli v1.12.1 h1:F+6sykVdM+0rede+jAJ2RICP3GAsLLGvPjSFLlI0U9Q=
+github.com/int128/oauth2cli v1.12.1/go.mod h1:0Wf2wAxKJNzbkPkUIYNhTjeLn/pqIBDOBAGfwrxGYQw=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
@@ -315,12 +313,12 @@ gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.18.3 h1:2AJaUQdgUZLoDZHrun21PW2Nx9+ll6cUzvn3IKhSIn0=
-k8s.io/api v0.18.3/go.mod h1:UOaMwERbqJMfeeeHc8XJKawj4P9TgDRnViIqqBeH2QA=
-k8s.io/apimachinery v0.18.3 h1:pOGcbVAhxADgUYnjS08EFXs9QMl8qaH5U4fr5LGUrSk=
-k8s.io/apimachinery v0.18.3/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
-k8s.io/client-go v0.18.3 h1:QaJzz92tsN67oorwzmoB0a9r9ZVHuD5ryjbCKP0U22k=
-k8s.io/client-go v0.18.3/go.mod h1:4a/dpQEvzAhT1BbuWW09qvIaGw6Gbu1gZYiQZIi1DMw=
+k8s.io/api v0.18.5 h1:fKbCxr+U3fu7k6jB+QeYPD/c6xKYeSJ2KVWmyUypuWM=
+k8s.io/api v0.18.5/go.mod h1:tN+e/2nbdGKOAH55NMV8oGrMG+3uRlA9GaRfvnCCSNk=
+k8s.io/apimachinery v0.18.5 h1:Lh6tgsM9FMkC12K5T5QjRm7rDs6aQN5JHkA0JomULDM=
+k8s.io/apimachinery v0.18.5/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
+k8s.io/client-go v0.18.5 h1:cLhGZdOmyPhwtt20Lrb7uAqxxB1uvY+NTmNJvno1oKA=
+k8s.io/client-go v0.18.5/go.mod h1:EsiD+7Fx+bRckKWZXnAXRKKetm1WuzPagH4iOSC8x58=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=

pkg/adaptors/oidcclient/oidcclient.go

@@ -48,6 +48,7 @@ type GetTokenByAuthCodeInput struct {
 	PKCEParams             pkce.Params
 	RedirectURLHostname    string
 	AuthRequestExtraParams map[string]string
+	LocalServerSuccessHTML string
 }
 
 // TokenSet represents an output DTO of
@@ -85,6 +86,8 @@ func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeIn
 		LocalServerBindAddress: in.BindAddress,
 		LocalServerReadyChan:   localServerReadyChan,
 		RedirectURLHostname:    in.RedirectURLHostname,
+		LocalServerSuccessHTML: in.LocalServerSuccessHTML,
+		Logf:                   c.logger.V(1).Infof,
 	}
 	token, err := oauth2cli.GetToken(ctx, config)
 	if err != nil {

pkg/templates/authcode_browser.go

@@ -0,0 +1,35 @@
+package templates
+
+// AuthCodeBrowserSuccessHTML is the success page on browser based authentication.
+const AuthCodeBrowserSuccessHTML = `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+	<meta charset="UTF-8">
+	<title>Authenticated</title>
+	<script>
+		window.close()
+	</script>
+	<style>
+		body {
+			background-color: #eee;
+			margin: 0;
+			padding: 0;
+			font-family: sans-serif;
+		}
+		.placeholder {
+			margin: 2em;
+			padding: 2em;
+			background-color: #fff;
+			border-radius: 1em;
+		}
+	</style>
+</head>
+<body>
+	<div class="placeholder">
+		<h1>Authenticated</h1>
+		<p>You have logged in to the cluster. You can close this window.</p>
+	</div>
+</body>
+</html>
+`

pkg/templates/httpserver/httpserver.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	"log"
+	"net/http"
+
+	"github.com/int128/kubelogin/pkg/templates"
+)
+
+func main() {
+	http.HandleFunc("/AuthCodeBrowserSuccessHTML", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Add("content-type", "text/html")
+		_, _ = w.Write([]byte(templates.AuthCodeBrowserSuccessHTML))
+	})
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Add("content-type", "text/html")
+		_, _ = w.Write([]byte(`
+<html>
+<body>
+<ul>
+<li><a href="AuthCodeBrowserSuccessHTML">AuthCodeBrowserSuccessHTML</a></li>
+</ul>
+</body>
+</html>
+`))
+	})
+	log.Printf("http://localhost:8000")
+	log.Fatal(http.ListenAndServe("127.0.0.1:8000", nil))
+}

pkg/templates/package.go

@@ -0,0 +1,6 @@
+// Package templates provides templates such as HTML and messages.
+//
+// You can preview HTML pages by running httpserver package.
+//	go run ./httpserver
+//
+package templates

pkg/usecases/authentication/authcode_browser.go

@@ -8,6 +8,7 @@ import (
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
 	"github.com/int128/kubelogin/pkg/domain/oidc"
 	"github.com/int128/kubelogin/pkg/domain/pkce"
+	"github.com/int128/kubelogin/pkg/templates"
 	"golang.org/x/sync/errgroup"
 	"golang.org/x/xerrors"
 )
@@ -19,7 +20,7 @@ type AuthCode struct {
 }
 
 func (u *AuthCode) Do(ctx context.Context, o *AuthCodeOption, client oidcclient.Interface) (*Output, error) {
-	u.Logger.V(1).Infof("performing the authentication code flow")
+	u.Logger.V(1).Infof("starting the authentication code flow via the browser")
 	state, err := oidc.NewState()
 	if err != nil {
 		return nil, xerrors.Errorf("could not generate a state: %w", err)
@@ -39,6 +40,7 @@ func (u *AuthCode) Do(ctx context.Context, o *AuthCodeOption, client oidcclient.
 		PKCEParams:             p,
 		RedirectURLHostname:    o.RedirectURLHostname,
 		AuthRequestExtraParams: o.AuthRequestExtraParams,
+		LocalServerSuccessHTML: templates.AuthCodeBrowserSuccessHTML,
 	}
 	readyChan := make(chan string, 1)
 	defer close(readyChan)
@@ -54,6 +56,7 @@ func (u *AuthCode) Do(ctx context.Context, o *AuthCodeOption, client oidcclient.
 				u.Logger.Printf("Please visit the following URL in your browser: %s", url)
 				return nil
 			}
+			u.Logger.V(1).Infof("opening %s in the browser", url)
 			if err := u.Browser.Open(url); err != nil {
 				u.Logger.Printf(`error: could not open the browser: %s
 
@@ -75,10 +78,12 @@ Please visit the following URL in your browser manually: %s`, err, url)
 			IDTokenClaims: tokenSet.IDTokenClaims,
 			RefreshToken:  tokenSet.RefreshToken,
 		}
+		u.Logger.V(1).Infof("got a token set by the authorization code flow")
 		return nil
 	})
 	if err := eg.Wait(); err != nil {
 		return nil, xerrors.Errorf("authentication error: %w", err)
 	}
+	u.Logger.V(1).Infof("finished the authorization code flow via the browser")
 	return &out, nil
 }

pkg/usecases/authentication/authcode_keyboard.go

@@ -21,7 +21,7 @@ type AuthCodeKeyboard struct {
 }
 
 func (u *AuthCodeKeyboard) Do(ctx context.Context, o *AuthCodeKeyboardOption, client oidcclient.Interface) (*Output, error) {
-	u.Logger.V(1).Infof("performing the authorization code flow with keyboard interactive")
+	u.Logger.V(1).Infof("starting the authorization code flow with keyboard interactive")
 	state, err := oidc.NewState()
 	if err != nil {
 		return nil, xerrors.Errorf("could not generate a state: %w", err)
@@ -41,12 +41,13 @@ func (u *AuthCodeKeyboard) Do(ctx context.Context, o *AuthCodeKeyboardOption, cl
 		RedirectURI:            oobRedirectURI,
 		AuthRequestExtraParams: o.AuthRequestExtraParams,
 	})
-	u.Logger.Printf("Open %s", authCodeURL)
+	u.Logger.Printf("Please visit the following URL in your browser: %s", authCodeURL)
 	code, err := u.Reader.ReadString(authCodeKeyboardPrompt)
 	if err != nil {
 		return nil, xerrors.Errorf("could not read an authorization code: %w", err)
 	}
 
+	u.Logger.V(1).Infof("exchanging the code and token")
 	tokenSet, err := client.ExchangeAuthCode(ctx, oidcclient.ExchangeAuthCodeInput{
 		Code:        code,
 		PKCEParams:  p,
@@ -56,6 +57,7 @@ func (u *AuthCodeKeyboard) Do(ctx context.Context, o *AuthCodeKeyboardOption, cl
 	if err != nil {
 		return nil, xerrors.Errorf("could not exchange the authorization code: %w", err)
 	}
+	u.Logger.V(1).Infof("finished the authorization code flow with keyboard interactive")
 	return &Output{
 		IDToken:       tokenSet.IDToken,
 		IDTokenClaims: tokenSet.IDTokenClaims,

pkg/usecases/authentication/password.go

@@ -16,7 +16,7 @@ type ROPC struct {
 }
 
 func (u *ROPC) Do(ctx context.Context, in *ROPCOption, client oidcclient.Interface) (*Output, error) {
-	u.Logger.V(1).Infof("performing the resource owner password credentials flow")
+	u.Logger.V(1).Infof("starting the resource owner password credentials flow")
 	if in.Username == "" {
 		var err error
 		in.Username, err = u.Reader.ReadString(usernamePrompt)
@@ -35,6 +35,7 @@ func (u *ROPC) Do(ctx context.Context, in *ROPCOption, client oidcclient.Interfa
 	if err != nil {
 		return nil, xerrors.Errorf("resource owner password credentials flow error: %w", err)
 	}
+	u.Logger.V(1).Infof("finished the resource owner password credentials flow")
 	return &Output{
 		IDToken:       tokenSet.IDToken,
 		IDTokenClaims: tokenSet.IDTokenClaims,

system_test/Makefile

@@ -0,0 +1,109 @@
+CLUSTER_NAME := kubelogin-system-test
+OUTPUT_DIR := $(CURDIR)/output
+
+PATH := $(PATH):$(OUTPUT_DIR)/bin
+export PATH
+KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
+export KUBECONFIG
+
+# run the login script instead of opening chrome
+BROWSER := $(OUTPUT_DIR)/bin/chromelogin
+export BROWSER
+
+.PHONY: test
+test: build
+	# see the setup instruction
+	kubectl oidc-login setup \
+		--oidc-issuer-url=https://dex-server:10443/dex \
+		--oidc-client-id=YOUR_CLIENT_ID \
+		--oidc-client-secret=YOUR_CLIENT_SECRET \
+		--oidc-extra-scope=email \
+		--certificate-authority=$(OUTPUT_DIR)/ca.crt
+	# set up the kubeconfig
+	kubectl config set-credentials oidc \
+		--exec-api-version=client.authentication.k8s.io/v1beta1 \
+		--exec-command=kubectl \
+		--exec-arg=oidc-login \
+		--exec-arg=get-token \
+		--exec-arg=--oidc-issuer-url=https://dex-server:10443/dex \
+		--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
+		--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
+		--exec-arg=--oidc-extra-scope=email \
+		--exec-arg=--certificate-authority=$(OUTPUT_DIR)/ca.crt
+	# make sure we can access the cluster
+	kubectl --user=oidc cluster-info
+	# switch the current context
+	kubectl config set-context --current --user=oidc
+	# make sure we can access the cluster
+	kubectl cluster-info
+
+.PHONY: setup
+setup: build dex cluster setup-chrome
+
+.PHONY: setup-chrome
+setup-chrome: $(OUTPUT_DIR)/ca.crt
+	# add the dex server certificate to the trust store
+	mkdir -p ~/.pki/nssdb
+	cd ~/.pki/nssdb && certutil -A -d sql:. -n dex -i $(OUTPUT_DIR)/ca.crt -t "TC,,"
+
+# build binaries
+.PHONY: build
+build: $(OUTPUT_DIR)/bin/kubectl-oidc_login $(OUTPUT_DIR)/bin/chromelogin
+$(OUTPUT_DIR)/bin/kubectl-oidc_login:
+	go build -o $@ ..
+$(OUTPUT_DIR)/bin/chromelogin: chromelogin/main.go
+	go build -o $@ ./chromelogin
+
+# create a Dex server
+.PHONY: dex
+dex: $(OUTPUT_DIR)/server.crt $(OUTPUT_DIR)/server.key
+	docker create --name dex-server -p 10443:10443 --network kind quay.io/dexidp/dex:v2.21.0 serve /dex.yaml
+	docker cp $(OUTPUT_DIR)/server.crt dex-server:/
+	docker cp $(OUTPUT_DIR)/server.key dex-server:/
+	docker cp dex.yaml dex-server:/
+	docker start dex-server
+	docker logs dex-server
+
+$(OUTPUT_DIR)/ca.key:
+	mkdir -p $(OUTPUT_DIR)
+	openssl genrsa -out $@ 2048
+$(OUTPUT_DIR)/ca.csr: $(OUTPUT_DIR)/ca.key
+	openssl req -new -key $(OUTPUT_DIR)/ca.key -out $@ -subj "/CN=dex-ca" -config openssl.cnf
+$(OUTPUT_DIR)/ca.crt: $(OUTPUT_DIR)/ca.key $(OUTPUT_DIR)/ca.csr
+	openssl x509 -req -in $(OUTPUT_DIR)/ca.csr -signkey $(OUTPUT_DIR)/ca.key -out $@ -days 10
+$(OUTPUT_DIR)/server.key:
+	mkdir -p $(OUTPUT_DIR)
+	openssl genrsa -out $@ 2048
+$(OUTPUT_DIR)/server.csr: openssl.cnf $(OUTPUT_DIR)/server.key
+	openssl req -new -key $(OUTPUT_DIR)/server.key -out $@ -subj "/CN=dex-server" -config openssl.cnf
+$(OUTPUT_DIR)/server.crt: openssl.cnf $(OUTPUT_DIR)/server.csr $(OUTPUT_DIR)/ca.crt $(OUTPUT_DIR)/ca.key
+	openssl x509 -req -in $(OUTPUT_DIR)/server.csr -CA $(OUTPUT_DIR)/ca.crt -CAkey $(OUTPUT_DIR)/ca.key -CAcreateserial -out $@ -sha256 -days 10 -extensions v3_req -extfile openssl.cnf
+
+# create a Kubernetes cluster
+.PHONY: cluster
+cluster: dex create-cluster
+	# add the Dex container IP to /etc/hosts of kube-apiserver
+	docker inspect -f '{{.NetworkSettings.IPAddress}}' dex-server | sed -e 's,$$, dex-server,' | \
+		kubectl -n kube-system exec -i kube-apiserver-$(CLUSTER_NAME)-control-plane -- tee -a /etc/hosts
+	# wait for kube-apiserver oidc initialization
+	# (oidc authenticator will retry oidc discovery every 10s)
+	sleep 10
+
+.PHONY: create-cluster
+create-cluster: $(OUTPUT_DIR)/ca.crt
+	cp $(OUTPUT_DIR)/ca.crt /tmp/kubelogin-system-test-dex-ca.crt
+	kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml
+	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
+	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com
+
+# clean up the resources
+.PHONY: clean
+clean:
+	-rm -r $(OUTPUT_DIR)
+.PHONY: delete-cluster
+delete-cluster:
+	kind delete cluster --name $(CLUSTER_NAME)
+.PHONY: delete-dex
+delete-dex:
+	docker stop dex-server
+	docker rm dex-server

system_test/README.md

@@ -0,0 +1,112 @@
+# kubelogin/system_test
+
+This is an automated test for verifying behavior of the plugin with a real Kubernetes cluster and OIDC provider.
+
+
+## Purpose
+
+This test checks the following points:
+
+1. User can set up Kubernetes OIDC authentication using [setup guide](../docs/setup.md).
+1. User can log in to an OIDC provider on a browser.
+1. User can access the cluster using a token returned from the plugin.
+
+It depends on the following components:
+
+- Kubernetes cluster (Kind)
+- OIDC provider (Dex)
+- Browser (Chrome)
+- kubectl command
+
+
+## How it works
+
+Let's take a look at the diagram.
+
+![diagram](../docs/system-test-diagram.svg)
+
+It prepares the following resources:
+
+1. Generate a pair of CA certificate and TLS server certificate for Dex.
+1. Run Dex on a container.
+1. Create a Kubernetes cluster using Kind.
+1. Mutate `/etc/hosts` of the CI machine to access Dex.
+1. Mutate `/etc/hosts` of the kube-apiserver pod to access Dex.
+
+It performs the test by the following steps:
+
+1. Run kubectl.
+1. kubectl automatically runs kubelogin.
+1. kubelogin automatically runs [chromelogin](chromelogin).
+1. chromelogin opens the browser, navigates to `http://localhost:8000` and enter the username and password.
+1. kubelogin gets an authorization code from the browser.
+1. kubelogin gets a token.
+1. kubectl accesses an API with the token.
+1. kube-apiserver verifies the token by Dex.
+1. Check if kubectl exited with code 0.
+
+
+## Run locally
+
+You need to set up the following components:
+
+- Docker
+- Kind
+- Chrome or Chromium
+
+You need to add the following line to `/etc/hosts` so that the browser can access the Dex.
+
+```
+127.0.0.1 dex-server
+```
+
+Run the test.
+
+```shell script
+# run the test
+make
+
+# clean up
+make delete-cluster
+make delete-dex
+```
+
+
+## Technical consideration
+
+### Network and DNS
+
+Consider the following issues:
+
+- kube-apiserver runs on the host network of the kind container.
+- kube-apiserver cannot resolve a service name by kube-dns.
+- kube-apiserver cannot access a cluster IP.
+- kube-apiserver can access another container via the Docker network.
+- Chrome requires exactly match of domain name between Dex URL and a server certificate.
+
+Consequently,
+
+- kube-apiserver accesses Dex by resolving `/etc/hosts` and via the Docker network.
+- kubelogin and Chrome accesses Dex by resolving `/etc/hosts` and via the Docker network.
+
+### TLS server certificate
+
+Consider the following issues:
+
+- kube-apiserver requires `--oidc-issuer` is HTTPS URL.
+- kube-apiserver requires a CA certificate at startup, if `--oidc-ca-file` is given.
+- kube-apiserver mounts `/usr/local/share/ca-certificates` from the kind container.
+- It is possible to mount a file from the CI machine.
+- It is not possible to issue a certificate using Let's Encrypt in runtime.
+- Chrome requires a valid certificate in `~/.pki/nssdb`.
+
+As a result,
+
+- kube-apiserver uses the CA certificate of `/usr/local/share/ca-certificates/dex-ca.crt`. See the `extraMounts` section of [`cluster.yaml`](cluster.yaml).
+- kubelogin uses the CA certificate in `output/ca.crt`.
+- Chrome uses the CA certificate in `~/.pki/nssdb`.
+
+### Test environment
+
+- Set the issuer URL to kube-apiserver. See [`cluster.yaml`](cluster.yaml).
+- Set `BROWSER` environment variable to run [`chromelogin`](chromelogin) by `xdg-open`.

system_test/cluster.yaml

@@ -0,0 +1,20 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+# https://github.com/dexidp/dex/blob/master/Documentation/kubernetes.md
+kubeadmConfigPatches:
+  - |
+    apiVersion: kubeadm.k8s.io/v1beta2
+    kind: ClusterConfiguration
+    metadata:
+      name: config
+    apiServer:
+      extraArgs:
+        oidc-issuer-url: https://dex-server:10443/dex
+        oidc-client-id: YOUR_CLIENT_ID
+        oidc-username-claim: email
+        oidc-ca-file: /usr/local/share/ca-certificates/dex-ca.crt
+nodes:
+  - role: control-plane
+    extraMounts:
+      - hostPath: /tmp/kubelogin-system-test-dex-ca.crt
+        containerPath: /usr/local/share/ca-certificates/dex-ca.crt