Update feature_request.md

Co-authored-by: Renovate Bot <bot@renovateapp.com>

.circleci/config.yml

@@ -3,7 +3,7 @@ version: 2.1
 jobs:
   test:
     docker:
-      - image: cimg/go:1.14.7
+      - image: cimg/go:1.15.2
     steps:
       - checkout
       - restore_cache:

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,17 +7,14 @@ assignees: ''
 
 ---
 
-**Describe the bug**
-A clear and concise description of what the bug is.
+## Describe the issue
+A clear and concise description of what the issue is.
 
-**To Reproduce**
-Steps to reproduce the behavior.
+## To reproduce
+A console log or steps to reproduce the issue.
 
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Environment**
- - OS: [e.g. macOS, Linux]
- - kubelogin version: [e.g. 1.19.3]
- - kubectl version: [e.g. 1.19]
- - OpenID Connect provider: [e.g. Google, Okta]
+## Your environment
+- OS: e.g. macOS
+- kubelogin version: e.g. v1.19
+- kubectl version: e.g. v1.19
+- OpenID Connect provider: e.g. Google

.github/ISSUE_TEMPLATE/feature_request.md

@@ -7,11 +7,9 @@ assignees: ''
 
 ---
 
-**Is your feature request related to a problem? Please describe.**
+## Purpose of the feature (why)
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 
-**Describe alternatives you've considered**
+## Your idea (how)
 A clear and concise description of any alternative solutions or features you've considered.

.github/workflows/system-test.yaml

@@ -12,7 +12,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: 1.14
+          go-version: 1.15
         id: go
       - uses: actions/checkout@v2
       - uses: actions/cache@v2
@@ -24,6 +24,6 @@ jobs:
       # https://packages.ubuntu.com/xenial/libnss3-tools
       - run: sudo apt update
       - run: sudo apt install -y libnss3-tools
+      - run: mkdir -p ~/.pki/nssdb
       - run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
-      - run: make -C system_test -j3 setup
-      - run: make -C system_test test
+      - run: make -C system_test -j3

.gitignore

@@ -1,6 +1,5 @@
 /.idea
 
-/system_test/output/
 /acceptance_test/output/
 
 /dist/output

README.md

@@ -61,7 +61,7 @@ kubectl get pods
 ```
 
 Kubectl executes kubelogin before calling the Kubernetes APIs.
-Kubelogin automatically opens the browser and you can log in to the provider.
+Kubelogin automatically opens the browser, and you can log in to the provider.
 
 <img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">
 

docs/usage.md

@@ -18,6 +18,9 @@ Flags:
       --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
       --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
       --skip-open-browser                               [authcode] Do not open the browser automatically
+      --authentication-timeout-sec int                  [authcode] Timeout of authentication in seconds (default 180)
+      --local-server-cert string                        [authcode] Certificate path for the local server
+      --local-server-key string                         [authcode] Certificate key path for the local server
       --open-url-after-authentication string            [authcode] If set, open the URL in the browser after authentication
       --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")
       --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard] Extra query parameters to send with an authentication request (default [])
@@ -43,6 +46,18 @@ Global Flags:
 
 ## Options
 
+### Authentication timeout
+
+By default, you need to log in to your provider in the browser within 3 minutes.
+This prevents a process from remaining forever.
+You can change the timeout by the following flag:
+
+```yaml
+      - --authentication-timeout-sec=60
+```
+
+For now this timeout works only for the authorization code flow.
+
 ### Extra scopes
 
 You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
@@ -52,7 +67,7 @@ You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
       - --oidc-extra-scope=profile
 ```
 
-### CA Certificate
+### CA certificate
 
 You can use your self-signed certificate for the provider.
 
@@ -61,12 +76,11 @@ You can use your self-signed certificate for the provider.
       - --certificate-authority-data=LS0t...
 ```
 
-### HTTP Proxy
+### HTTP proxy
 
 You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
 See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
 
-
 ## Authentication flows
 
 Kubelogin support the following flows:
@@ -92,6 +106,13 @@ You can change the listening address.
       - --listen-address=127.0.0.1:23456
 ```
 
+You can specify a certificate for the local webserver if HTTPS is required by your identity provider.
+
+```yaml
+      - --local-server-cert=localhost.crt
+      - --local-server-key=localhost.key
+```
+
 You can change the hostname of redirect URI from the default value `localhost`.
 
 ```yaml

go.mod

@@ -21,7 +21,7 @@ require (
 	google.golang.org/protobuf v1.25.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
 	gopkg.in/yaml.v2 v2.3.0
-	k8s.io/apimachinery v0.19.0
-	k8s.io/client-go v0.19.0
+	k8s.io/apimachinery v0.19.2
+	k8s.io/client-go v0.19.2
 	k8s.io/klog v1.0.0
 )

go.sum

@@ -570,6 +570,7 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0 h1:UhZDfRO8JRQru4/+LlLE0BRKGF8L+PICnvYZmx/fEGA=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
+google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
@@ -602,12 +603,9 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.19.0 h1:XyrFIJqTYZJ2DU7FBE/bSPz7b1HvbVBuBf07oeo6eTc=
-k8s.io/api v0.19.0/go.mod h1:I1K45XlvTrDjmj5LoM5LuP/KYrhWbjUKT/SoPG0qTjw=
-k8s.io/apimachinery v0.19.0 h1:gjKnAda/HZp5k4xQYjL0K/Yb66IvNqjthCb03QlKpaQ=
-k8s.io/apimachinery v0.19.0/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
-k8s.io/client-go v0.19.0 h1:1+0E0zfWFIWeyRhQYWzimJOyAk2UT7TiARaLNwJCf7k=
-k8s.io/client-go v0.19.0/go.mod h1:H9E/VT95blcFQnlyShFgnFT9ZnJOAceiUHM3MlRC+mU=
+k8s.io/api v0.19.2/go.mod h1:IQpK0zFQ1xc5iNIQPqzgoOwuFugaYHK4iCknlAQP9nI=
+k8s.io/apimachinery v0.19.2/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
+k8s.io/client-go v0.19.2/go.mod h1:S5wPhCqyDNAlzM9CnEdgTGV4OqhsW3jGO1UM1epwfJA=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=

integration_test/credetial_plugin_test.go

@@ -5,7 +5,6 @@ import (
 	"context"
 	"encoding/json"
 	"io"
-	"io/ioutil"
 	"os"
 	"testing"
 	"time"
@@ -32,15 +31,7 @@ import (
 func TestCredentialPlugin(t *testing.T) {
 	timeout := 3 * time.Second
 	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
-	tokenCacheDir, err := ioutil.TempDir("", "kube")
-	if err != nil {
-		t.Fatalf("could not create a cache dir: %s", err)
-	}
-	defer func() {
-		if err := os.RemoveAll(tokenCacheDir); err != nil {
-			t.Errorf("could not clean up the cache dir: %s", err)
-		}
-	}()
+	tokenCacheDir := t.TempDir()
 
 	for name, tc := range map[string]struct {
 		keyPair keypair.KeyPair
@@ -340,6 +331,38 @@ func TestCredentialPlugin(t *testing.T) {
 		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 
+	t.Run("RedirectURLHTTPS", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "https://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Option{
+				TLSConfig:    keypair.Server.TLSConfig,
+				BodyContains: "Authenticated",
+			}),
+			now:    now,
+			stdout: &stdout,
+			args: []string{
+				"--local-server-cert", keypair.Server.CertPath,
+				"--local-server-key", keypair.Server.KeyPath,
+			},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
 	t.Run("ExtraParams", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)

integration_test/kubeconfig/kubeconfig.go

@@ -2,8 +2,8 @@ package kubeconfig
 
 import (
 	"html/template"
-	"io/ioutil"
 	"os"
+	"path/filepath"
 	"testing"
 
 	"gopkg.in/yaml.v2"
@@ -22,7 +22,7 @@ type Values struct {
 // Create creates a kubeconfig file and returns path to it.
 func Create(t *testing.T, v *Values) string {
 	t.Helper()
-	f, err := ioutil.TempFile("", "kubeconfig")
+	f, err := os.Create(filepath.Join(t.TempDir(), "kubeconfig"))
 	if err != nil {
 		t.Fatal(err)
 	}

pkg/adaptors/cmd/authentication.go

@@ -3,6 +3,7 @@ package cmd
 import (
 	"fmt"
 	"strings"
+	"time"
 
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
@@ -15,7 +16,10 @@ type authenticationOptions struct {
 	GrantType                  string
 	ListenAddress              []string
 	ListenPort                 []int // deprecated
+	AuthenticationTimeoutSec   int
 	SkipOpenBrowser            bool
+	LocalServerCertFile        string
+	LocalServerKeyFile         string
 	OpenURLAfterAuthentication string
 	RedirectURLHostname        string
 	AuthRequestExtraParams     map[string]string
@@ -54,6 +58,9 @@ func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 		panic(err)
 	}
 	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "[authcode] Do not open the browser automatically")
+	f.IntVar(&o.AuthenticationTimeoutSec, "authentication-timeout-sec", defaultAuthenticationTimeoutSec, "[authcode] Timeout of authentication in seconds")
+	f.StringVar(&o.LocalServerCertFile, "local-server-cert", "", "[authcode] Certificate path for the local server")
+	f.StringVar(&o.LocalServerKeyFile, "local-server-key", "", "[authcode] Certificate key path for the local server")
 	f.StringVar(&o.OpenURLAfterAuthentication, "open-url-after-authentication", "", "[authcode] If set, open the URL in the browser after authentication")
 	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "[authcode] Hostname of the redirect URL")
 	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "[authcode, authcode-keyboard] Extra query parameters to send with an authentication request")
@@ -67,6 +74,9 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 		s.AuthCodeBrowserOption = &authcode.BrowserOption{
 			BindAddress:                o.determineListenAddress(),
 			SkipOpenBrowser:            o.SkipOpenBrowser,
+			AuthenticationTimeout:      time.Duration(o.AuthenticationTimeoutSec) * time.Second,
+			LocalServerCertFile:        o.LocalServerCertFile,
+			LocalServerKeyFile:         o.LocalServerKeyFile,
 			OpenURLAfterAuthentication: o.OpenURLAfterAuthentication,
 			RedirectURLHostname:        o.RedirectURLHostname,
 			AuthRequestExtraParams:     o.AuthRequestExtraParams,

pkg/adaptors/cmd/cmd.go

@@ -26,6 +26,8 @@ type Interface interface {
 var defaultListenAddress = []string{"127.0.0.1:8000", "127.0.0.1:18000"}
 var defaultTokenCacheDir = homedir.HomeDir() + "/.kube/cache/oidc-login"
 
+const defaultAuthenticationTimeoutSec = 180
+
 // Cmd provides interaction with command line interface (CLI).
 type Cmd struct {
 	Root     *Root

pkg/adaptors/cmd/cmd_test.go

@@ -3,6 +3,7 @@ package cmd
 import (
 	"context"
 	"testing"
+	"time"
 
 	"github.com/golang/mock/gomock"
 	"github.com/int128/kubelogin/pkg/testing/logger"
@@ -29,8 +30,9 @@ func TestCmd_Run(t *testing.T) {
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:         defaultListenAddress,
-							RedirectURLHostname: "localhost",
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
 						},
 					},
 				},
@@ -44,8 +46,9 @@ func TestCmd_Run(t *testing.T) {
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							RedirectURLHostname: "localhost",
+							BindAddress:           []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
 						},
 					},
 				},
@@ -61,8 +64,9 @@ func TestCmd_Run(t *testing.T) {
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							RedirectURLHostname: "localhost",
+							BindAddress:           []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
 						},
 					},
 				},
@@ -80,6 +84,9 @@ func TestCmd_Run(t *testing.T) {
 					"--listen-address", "127.0.0.1:10080",
 					"--listen-address", "127.0.0.1:20080",
 					"--skip-open-browser",
+					"--authentication-timeout-sec", "10",
+					"--local-server-cert", "/path/to/local-server-cert",
+					"--local-server-key", "/path/to/local-server-key",
 					"--open-url-after-authentication", "https://example.com/success.html",
 					"--username", "USER",
 					"--password", "PASS",
@@ -95,6 +102,9 @@ func TestCmd_Run(t *testing.T) {
 						AuthCodeBrowserOption: &authcode.BrowserOption{
 							BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
 							SkipOpenBrowser:            true,
+							AuthenticationTimeout:      10 * time.Second,
+							LocalServerCertFile:        "/path/to/local-server-cert",
+							LocalServerKeyFile:         "/path/to/local-server-key",
 							OpenURLAfterAuthentication: "https://example.com/success.html",
 							RedirectURLHostname:        "localhost",
 						},
@@ -201,8 +211,9 @@ func TestCmd_Run(t *testing.T) {
 					ClientID:      "YOUR_CLIENT_ID",
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:         []string{"127.0.0.1:8000", "127.0.0.1:18000"},
-							RedirectURLHostname: "localhost",
+							BindAddress:           []string{"127.0.0.1:8000", "127.0.0.1:18000"},
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
 						},
 					},
 				},
@@ -223,6 +234,9 @@ func TestCmd_Run(t *testing.T) {
 					"--listen-address", "127.0.0.1:10080",
 					"--listen-address", "127.0.0.1:20080",
 					"--skip-open-browser",
+					"--authentication-timeout-sec", "10",
+					"--local-server-cert", "/path/to/local-server-cert",
+					"--local-server-key", "/path/to/local-server-key",
 					"--open-url-after-authentication", "https://example.com/success.html",
 					"--oidc-auth-request-extra-params", "ttl=86400",
 					"--oidc-auth-request-extra-params", "reauth=true",
@@ -242,6 +256,9 @@ func TestCmd_Run(t *testing.T) {
 						AuthCodeBrowserOption: &authcode.BrowserOption{
 							BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
 							SkipOpenBrowser:            true,
+							AuthenticationTimeout:      10 * time.Second,
+							LocalServerCertFile:        "/path/to/local-server-cert",
+							LocalServerKeyFile:         "/path/to/local-server-key",
 							OpenURLAfterAuthentication: "https://example.com/success.html",
 							RedirectURLHostname:        "localhost",
 							AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},

pkg/adaptors/oidcclient/oidcclient.go

@@ -50,6 +50,8 @@ type GetTokenByAuthCodeInput struct {
 	RedirectURLHostname    string
 	AuthRequestExtraParams map[string]string
 	LocalServerSuccessHTML string
+	LocalServerCertFile    string
+	LocalServerKeyFile     string
 }
 
 type client struct {
@@ -80,6 +82,8 @@ func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeIn
 		LocalServerReadyChan:   localServerReadyChan,
 		RedirectURLHostname:    in.RedirectURLHostname,
 		LocalServerSuccessHTML: in.LocalServerSuccessHTML,
+		LocalServerCertFile:    in.LocalServerCertFile,
+		LocalServerKeyFile:     in.LocalServerKeyFile,
 		Logf:                   c.logger.V(1).Infof,
 	}
 	token, err := oauth2cli.GetToken(ctx, config)

pkg/adaptors/tokencache/tokencache_test.go

@@ -2,7 +2,6 @@ package tokencache
 
 import (
 	"io/ioutil"
-	"os"
 	"path/filepath"
 	"testing"
 
@@ -13,15 +12,7 @@ func TestRepository_FindByKey(t *testing.T) {
 	var r Repository
 
 	t.Run("Success", func(t *testing.T) {
-		dir, err := ioutil.TempDir("", "kube")
-		if err != nil {
-			t.Fatalf("could not create a temp dir: %s", err)
-		}
-		defer func() {
-			if err := os.RemoveAll(dir); err != nil {
-				t.Errorf("could not clean up the temp dir: %s", err)
-			}
-		}()
+		dir := t.TempDir()
 		key := Key{
 			IssuerURL:      "YOUR_ISSUER",
 			ClientID:       "YOUR_CLIENT_ID",
@@ -55,16 +46,7 @@ func TestRepository_Save(t *testing.T) {
 	var r Repository
 
 	t.Run("Success", func(t *testing.T) {
-		dir, err := ioutil.TempDir("", "kube")
-		if err != nil {
-			t.Fatalf("could not create a temp dir: %s", err)
-		}
-		defer func() {
-			if err := os.RemoveAll(dir); err != nil {
-				t.Errorf("could not clean up the temp dir: %s", err)
-			}
-		}()
-
+		dir := t.TempDir()
 		key := Key{
 			IssuerURL:      "YOUR_ISSUER",
 			ClientID:       "YOUR_CLIENT_ID",

pkg/usecases/authentication/authcode/browser.go

@@ -2,6 +2,7 @@ package authcode
 
 import (
 	"context"
+	"time"
 
 	"github.com/int128/kubelogin/pkg/adaptors/browser"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
@@ -15,9 +16,12 @@ import (
 type BrowserOption struct {
 	SkipOpenBrowser            bool
 	BindAddress                []string
+	AuthenticationTimeout      time.Duration
 	OpenURLAfterAuthentication string
 	RedirectURLHostname        string
 	AuthRequestExtraParams     map[string]string
+	LocalServerCertFile        string
+	LocalServerKeyFile         string
 }
 
 // Browser provides the authentication code flow using the browser.
@@ -52,7 +56,11 @@ func (u *Browser) Do(ctx context.Context, o *BrowserOption, client oidcclient.In
 		RedirectURLHostname:    o.RedirectURLHostname,
 		AuthRequestExtraParams: o.AuthRequestExtraParams,
 		LocalServerSuccessHTML: successHTML,
+		LocalServerCertFile:    o.LocalServerCertFile,
+		LocalServerKeyFile:     o.LocalServerKeyFile,
 	}
+	ctx, cancel := context.WithTimeout(ctx, o.AuthenticationTimeout)
+	defer cancel()
 	readyChan := make(chan string, 1)
 	var out *oidc.TokenSet
 	var eg errgroup.Group

pkg/usecases/authentication/authcode/browser_test.go

@@ -31,6 +31,9 @@ func TestBrowser_Do(t *testing.T) {
 		o := &BrowserOption{
 			BindAddress:                []string{"127.0.0.1:8000"},
 			SkipOpenBrowser:            true,
+			AuthenticationTimeout:      10 * time.Second,
+			LocalServerCertFile:        "/path/to/local-server-cert",
+			LocalServerKeyFile:         "/path/to/local-server-key",
 			OpenURLAfterAuthentication: "https://example.com/success.html",
 			RedirectURLHostname:        "localhost",
 			AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},
@@ -52,6 +55,12 @@ func TestBrowser_Do(t *testing.T) {
 				if diff := cmp.Diff(o.AuthRequestExtraParams, in.AuthRequestExtraParams); diff != "" {
 					t.Errorf("AuthRequestExtraParams mismatch (-want +got):\n%s", diff)
 				}
+				if diff := cmp.Diff(o.LocalServerKeyFile, in.LocalServerKeyFile); diff != "" {
+					t.Errorf("LocalServerKeyFile mismatch (-want +got):\n%s", diff)
+				}
+				if diff := cmp.Diff(o.LocalServerCertFile, in.LocalServerCertFile); diff != "" {
+					t.Errorf("LocalServerCertFile mismatch (-want +got):\n%s", diff)
+				}
 				readyChan <- "LOCAL_SERVER_URL"
 			}).
 			Return(&oidc.TokenSet{
@@ -82,7 +91,8 @@ func TestBrowser_Do(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		o := &BrowserOption{
-			BindAddress: []string{"127.0.0.1:8000"},
+			BindAddress:           []string{"127.0.0.1:8000"},
+			AuthenticationTimeout: 10 * time.Second,
 		}
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
 		mockOIDCClient.EXPECT().SupportedPKCEMethods()

pkg/usecases/authentication/authentication_test.go

@@ -129,8 +129,9 @@ func TestAuthentication_Do(t *testing.T) {
 		in := Input{
 			GrantOptionSet: GrantOptionSet{
 				AuthCodeBrowserOption: &authcode.BrowserOption{
-					BindAddress:     []string{"127.0.0.1:8000"},
-					SkipOpenBrowser: true,
+					BindAddress:           []string{"127.0.0.1:8000"},
+					SkipOpenBrowser:       true,
+					AuthenticationTimeout: 10 * time.Second,
 				},
 			},
 			IssuerURL:    "https://issuer.example.com",

pkg/usecases/setup/stage2.go

@@ -2,6 +2,7 @@ package setup
 
 import (
 	"context"
+	"path/filepath"
 	"strings"
 	"text/template"
 
@@ -38,8 +39,9 @@ Run the following command:
 	  --exec-command=kubectl \
 	  --exec-arg=oidc-login \
 	  --exec-arg=get-token \
-{{- range .Args }}
-	  --exec-arg={{ . }} \
+{{- range $index, $arg := .Args }}
+	  {{- if $index}} \{{end}}
+	  --exec-arg={{ $arg }}
 {{- end }}
 
 ## 6. Verify cluster access
@@ -141,6 +143,20 @@ func makeCredentialPluginArgs(in Stage2Input) []string {
 		if in.GrantOptionSet.AuthCodeBrowserOption.SkipOpenBrowser {
 			args = append(args, "--skip-open-browser")
 		}
+		if in.GrantOptionSet.AuthCodeBrowserOption.LocalServerCertFile != "" {
+			// Resolve the absolute path for the cert files so the user doesn't have to know
+			// to use one when running setup.
+			certpath, err := filepath.Abs(in.GrantOptionSet.AuthCodeBrowserOption.LocalServerCertFile)
+			if err != nil {
+				panic(err)
+			}
+			keypath, err := filepath.Abs(in.GrantOptionSet.AuthCodeBrowserOption.LocalServerKeyFile)
+			if err != nil {
+				panic(err)
+			}
+			args = append(args, "--local-server-cert="+certpath)
+			args = append(args, "--local-server-key="+keypath)
+		}
 	}
 	args = append(args, in.ListenAddressArgs...)
 	if in.GrantOptionSet.ROPCOption != nil {

system_test/.gitignore

@@ -0,0 +1,6 @@
+/bin/
+
+/cert/ca.*
+/cert/server.*
+
+/cluster/kubeconfig.yaml

system_test/Makefile

@@ -1,109 +1,37 @@
-CLUSTER_NAME := kubelogin-system-test
-OUTPUT_DIR := $(CURDIR)/output
+CERT_DIR := cert
 
-PATH := $(PATH):$(OUTPUT_DIR)/bin
-export PATH
-KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
-export KUBECONFIG
-
-# run the login script instead of opening chrome
-BROWSER := $(OUTPUT_DIR)/bin/chromelogin
-export BROWSER
-
-.PHONY: test
-test: build
-	# see the setup instruction
-	kubectl oidc-login setup \
-		--oidc-issuer-url=https://dex-server:10443/dex \
-		--oidc-client-id=YOUR_CLIENT_ID \
-		--oidc-client-secret=YOUR_CLIENT_SECRET \
-		--oidc-extra-scope=email \
-		--certificate-authority=$(OUTPUT_DIR)/ca.crt
-	# set up the kubeconfig
-	kubectl config set-credentials oidc \
-		--exec-api-version=client.authentication.k8s.io/v1beta1 \
-		--exec-command=kubectl \
-		--exec-arg=oidc-login \
-		--exec-arg=get-token \
-		--exec-arg=--oidc-issuer-url=https://dex-server:10443/dex \
-		--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
-		--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
-		--exec-arg=--oidc-extra-scope=email \
-		--exec-arg=--certificate-authority=$(OUTPUT_DIR)/ca.crt
-	# make sure we can access the cluster
-	kubectl --user=oidc cluster-info
-	# switch the current context
-	kubectl config set-context --current --user=oidc
-	# make sure we can access the cluster
-	kubectl cluster-info
+.PHONY: login
+login: setup
+	$(MAKE) -C login
 
 .PHONY: setup
-setup: build dex cluster setup-chrome
+setup: dex cluster setup-chrome
+
+.PHONY: dex
+dex: cert
+	$(MAKE) -C dex
+
+.PHONY: cluster
+cluster: cert
+	$(MAKE) -C cluster
 
 .PHONY: setup-chrome
-setup-chrome: $(OUTPUT_DIR)/ca.crt
+setup-chrome: cert
 	# add the dex server certificate to the trust store
-	mkdir -p ~/.pki/nssdb
-	cd ~/.pki/nssdb && certutil -A -d sql:. -n dex -i $(OUTPUT_DIR)/ca.crt -t "TC,,"
+	if [ -d ~/.pki/nssdb ]; then certutil -A -d sql:$(HOME)/.pki/nssdb -n dex -i $(CERT_DIR)/ca.crt -t "TC,,"; fi
 
-# build binaries
-.PHONY: build
-build: $(OUTPUT_DIR)/bin/kubectl-oidc_login $(OUTPUT_DIR)/bin/chromelogin
-$(OUTPUT_DIR)/bin/kubectl-oidc_login:
-	go build -o $@ ..
-$(OUTPUT_DIR)/bin/chromelogin: chromelogin/main.go
-	go build -o $@ ./chromelogin
+.PHONY: cert
+cert:
+	$(MAKE) -C cert
 
-# create a Dex server
-.PHONY: dex
-dex: $(OUTPUT_DIR)/server.crt $(OUTPUT_DIR)/server.key
-	docker create --name dex-server -p 10443:10443 --network kind quay.io/dexidp/dex:v2.21.0 serve /dex.yaml
-	docker cp $(OUTPUT_DIR)/server.crt dex-server:/
-	docker cp $(OUTPUT_DIR)/server.key dex-server:/
-	docker cp dex.yaml dex-server:/
-	docker start dex-server
-	docker logs dex-server
+.PHONY: terminate
+terminate:
+	$(MAKE) -C cluster terminate
+	$(MAKE) -C dex terminate
 
-$(OUTPUT_DIR)/ca.key:
-	mkdir -p $(OUTPUT_DIR)
-	openssl genrsa -out $@ 2048
-$(OUTPUT_DIR)/ca.csr: $(OUTPUT_DIR)/ca.key
-	openssl req -new -key $(OUTPUT_DIR)/ca.key -out $@ -subj "/CN=dex-ca" -config openssl.cnf
-$(OUTPUT_DIR)/ca.crt: $(OUTPUT_DIR)/ca.key $(OUTPUT_DIR)/ca.csr
-	openssl x509 -req -in $(OUTPUT_DIR)/ca.csr -signkey $(OUTPUT_DIR)/ca.key -out $@ -days 10
-$(OUTPUT_DIR)/server.key:
-	mkdir -p $(OUTPUT_DIR)
-	openssl genrsa -out $@ 2048
-$(OUTPUT_DIR)/server.csr: openssl.cnf $(OUTPUT_DIR)/server.key
-	openssl req -new -key $(OUTPUT_DIR)/server.key -out $@ -subj "/CN=dex-server" -config openssl.cnf
-$(OUTPUT_DIR)/server.crt: openssl.cnf $(OUTPUT_DIR)/server.csr $(OUTPUT_DIR)/ca.crt $(OUTPUT_DIR)/ca.key
-	openssl x509 -req -in $(OUTPUT_DIR)/server.csr -CA $(OUTPUT_DIR)/ca.crt -CAkey $(OUTPUT_DIR)/ca.key -CAcreateserial -out $@ -sha256 -days 10 -extensions v3_req -extfile openssl.cnf
-
-# create a Kubernetes cluster
-.PHONY: cluster
-cluster: dex create-cluster
-	# add the Dex container IP to /etc/hosts of kube-apiserver
-	docker inspect -f '{{.NetworkSettings.IPAddress}}' dex-server | sed -e 's,$$, dex-server,' | \
-		kubectl -n kube-system exec -i kube-apiserver-$(CLUSTER_NAME)-control-plane -- tee -a /etc/hosts
-	# wait for kube-apiserver oidc initialization
-	# (oidc authenticator will retry oidc discovery every 10s)
-	sleep 10
-
-.PHONY: create-cluster
-create-cluster: $(OUTPUT_DIR)/ca.crt
-	cp $(OUTPUT_DIR)/ca.crt /tmp/kubelogin-system-test-dex-ca.crt
-	kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml
-	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
-	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com
-
-# clean up the resources
 .PHONY: clean
 clean:
-	-rm -r $(OUTPUT_DIR)
-.PHONY: delete-cluster
-delete-cluster:
-	kind delete cluster --name $(CLUSTER_NAME)
-.PHONY: delete-dex
-delete-dex:
-	docker stop dex-server
-	docker rm dex-server
+	$(MAKE) -C cert clean
+	$(MAKE) -C cluster clean
+	$(MAKE) -C dex clean
+	$(MAKE) -C login clean

system_test/README.md

@@ -30,14 +30,14 @@ It prepares the following resources:
 1. Generate a pair of CA certificate and TLS server certificate for Dex.
 1. Run Dex on a container.
 1. Create a Kubernetes cluster using Kind.
-1. Mutate `/etc/hosts` of the CI machine to access Dex.
-1. Mutate `/etc/hosts` of the kube-apiserver pod to access Dex.
+1. Mutate `/etc/hosts` of the machine so that the browser access Dex.
+1. Mutate `/etc/hosts` of the kind container so that kube-apiserver access Dex.
 
 It performs the test by the following steps:
 
 1. Run kubectl.
 1. kubectl automatically runs kubelogin.
-1. kubelogin automatically runs [chromelogin](chromelogin).
+1. kubelogin automatically runs [chromelogin](login/chromelogin).
 1. chromelogin opens the browser, navigates to `http://localhost:8000` and enter the username and password.
 1. kubelogin gets an authorization code from the browser.
 1. kubelogin gets a token.
@@ -54,21 +54,30 @@ You need to set up the following components:
 - Kind
 - Chrome or Chromium
 
-You need to add the following line to `/etc/hosts` so that the browser can access the Dex.
+Add the following line to `/etc/hosts` so that the browser can access the Dex.
 
 ```
 127.0.0.1 dex-server
 ```
 
+Generate CA certificate and add `cert/ca.crt` into your trust store.
+For macOS, you can add it by Keychain.
+
+```shell script
+make -C cert
+```
+
 Run the test.
 
 ```shell script
-# run the test
 make
+```
 
-# clean up
-make delete-cluster
-make delete-dex
+Clean up.
+
+```shell script
+make terminate
+make clean
 ```
 
 
@@ -102,11 +111,11 @@ Consider the following issues:
 
 As a result,
 
-- kube-apiserver uses the CA certificate of `/usr/local/share/ca-certificates/dex-ca.crt`. See the `extraMounts` section of [`cluster.yaml`](cluster.yaml).
+- kube-apiserver uses the CA certificate of `/usr/local/share/ca-certificates/dex-ca.crt`. See the `extraMounts` section of [`cluster.yaml`](cluster/cluster.yaml).
 - kubelogin uses the CA certificate in `output/ca.crt`.
 - Chrome uses the CA certificate in `~/.pki/nssdb`.
 
 ### Test environment
 
-- Set the issuer URL to kube-apiserver. See [`cluster.yaml`](cluster.yaml).
-- Set `BROWSER` environment variable to run [`chromelogin`](chromelogin) by `xdg-open`.
+- Set the issuer URL to kube-apiserver. See [`cluster.yaml`](cluster/cluster.yaml).
+- Set `BROWSER` environment variable to run [`chromelogin`](login/chromelogin) by `xdg-open`.

system_test/cert/Makefile

@@ -0,0 +1,19 @@
+.PHONY: all
+all: ca.key ca.crt server.key server.crt
+
+ca.key:
+	openssl genrsa -out $@ 2048
+ca.csr: ca.key
+	openssl req -new -key ca.key -out $@ -subj "/CN=dex-ca" -config openssl.cnf
+ca.crt: ca.key ca.csr
+	openssl x509 -req -in ca.csr -signkey ca.key -out $@ -days 10
+server.key:
+	openssl genrsa -out $@ 2048
+server.csr: openssl.cnf server.key
+	openssl req -new -key server.key -out $@ -subj "/CN=dex-server" -config openssl.cnf
+server.crt: openssl.cnf server.csr ca.crt ca.key
+	openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $@ -sha256 -days 10 -extensions v3_req -extfile openssl.cnf
+
+.PHONY: clean
+clean:
+	-rm ca.* server.*

system_test/cluster/Makefile

@@ -0,0 +1,23 @@
+CLUSTER_NAME := kubelogin-system-test
+CERT_DIR := ../cert
+
+KUBECONFIG := kubeconfig.yaml
+export KUBECONFIG
+
+.PHONY: cluster
+cluster:
+	cp $(CERT_DIR)/ca.crt /tmp/kubelogin-system-test-dex-ca.crt
+	kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml
+	# add the Dex container IP to /etc/hosts
+	docker inspect -f '{{.NetworkSettings.Networks.kind.IPAddress}}' dex-server | sed -e 's,$$, dex-server,' | \
+		docker exec -i $(CLUSTER_NAME)-control-plane tee -a /etc/hosts
+	# wait for kube-apiserver oidc initialization
+	# (oidc authenticator will retry oidc discovery every 10s)
+	sleep 10
+	# add the cluster role
+	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
+	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com
+
+.PHONY: terminate
+terminate:
+	kind delete cluster --name $(CLUSTER_NAME)

system_test/dex/Makefile

@@ -0,0 +1,20 @@
+CERT_DIR := ../cert
+
+.PHONY: dex
+dex: dex.yaml
+	# wait for kind network
+	while true; do if docker network inspect kind; then break; fi; sleep 1; done
+	# create a container
+	docker create --name dex-server -p 10443:10443 --network kind quay.io/dexidp/dex:v2.21.0 serve /dex.yaml
+	# deploy the config
+	docker cp $(CERT_DIR)/server.crt dex-server:/
+	docker cp $(CERT_DIR)/server.key dex-server:/
+	docker cp dex.yaml dex-server:/
+	# start the container
+	docker start dex-server
+	docker logs dex-server
+
+.PHONY: terminate
+terminate:
+	docker stop dex-server
+	docker rm dex-server

system_test/login/Makefile

@@ -0,0 +1,52 @@
+CERT_DIR := ../cert
+
+BIN_DIR := $(PWD)/bin
+PATH := $(PATH):$(BIN_DIR)
+export PATH
+
+KUBECONFIG := ../cluster/kubeconfig.yaml
+export KUBECONFIG
+
+# run the login script instead of opening chrome
+BROWSER := $(BIN_DIR)/chromelogin
+export BROWSER
+
+.PHONY: test
+test: build
+	# see the setup instruction
+	kubectl oidc-login setup \
+		--oidc-issuer-url=https://dex-server:10443/dex \
+		--oidc-client-id=YOUR_CLIENT_ID \
+		--oidc-client-secret=YOUR_CLIENT_SECRET \
+		--oidc-extra-scope=email \
+		--certificate-authority=$(CERT_DIR)/ca.crt
+	# set up the kubeconfig
+	kubectl config set-credentials oidc \
+		--exec-api-version=client.authentication.k8s.io/v1beta1 \
+		--exec-command=kubectl \
+		--exec-arg=oidc-login \
+		--exec-arg=get-token \
+		--exec-arg=--oidc-issuer-url=https://dex-server:10443/dex \
+		--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
+		--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
+		--exec-arg=--oidc-extra-scope=email \
+		--exec-arg=--certificate-authority=$(CERT_DIR)/ca.crt
+	# make sure we can access the cluster
+	kubectl --user=oidc cluster-info
+	# switch the current context
+	kubectl config set-context --current --user=oidc
+	# make sure we can access the cluster
+	kubectl cluster-info
+
+.PHONY: build
+build: $(BIN_DIR)/kubectl-oidc_login $(BIN_DIR)/chromelogin
+
+$(BIN_DIR)/kubectl-oidc_login:
+	go build -o $@ ../../
+
+$(BIN_DIR)/chromelogin: $(wildcard chromelogin/*.go)
+	go build -o $@ ./chromelogin
+
+.PHONY: clean
+clean:
+	-rm -r $(BIN_DIR)