Fallback to disk storage if too big for keyring (#1257)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/acceptance-test.yaml

@@ -0,0 +1,34 @@
+name: acceptance-test
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/acceptance-test.yaml
+      - acceptance_test/**
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/acceptance-test.yaml
+      - acceptance_test/**
+
+jobs:
+  test-makefile:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make -C acceptance_test check
+      - run: make -C acceptance_test
+        env:
+          OIDC_ISSUER_URL: https://accounts.google.com
+          OIDC_CLIENT_ID: REDACTED.apps.googleusercontent.com
+          YOUR_EMAIL: REDACTED@gmail.com
+      - run: make -C acceptance_test delete-cluster
+      - run: make -C acceptance_test clean

.github/workflows/docker.yaml

@@ -46,7 +46,7 @@ jobs:
           image: ghcr.io/${{ github.repository }}/cache
       - uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
       - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
-      - uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
+      - uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         id: build
         with:
           push: ${{ github.event_name == 'push' }}

.github/workflows/go.yaml

@@ -30,7 +30,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version-file: go.mod
           cache-dependency-path: go.sum
@@ -48,7 +48,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version-file: go.mod
           cache-dependency-path: go.sum
@@ -59,7 +59,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version-file: tools/go.mod
           cache-dependency-path: tools/go.sum
@@ -70,7 +70,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version-file: tools/go.mod
           cache-dependency-path: tools/go.sum

.github/workflows/release.yaml

@@ -58,7 +58,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version-file: go.mod
           cache-dependency-path: go.sum

.github/workflows/system-test.yaml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version-file: go.mod
           cache-dependency-path: go.sum

acceptance_test/Makefile

@@ -4,33 +4,38 @@ OUTPUT_DIR := $(CURDIR)/output
 KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
 export KUBECONFIG
 
-# create a Kubernetes cluster
 .PHONY: cluster
 cluster:
-	# create a cluster
+	# Create a cluster.
 	mkdir -p $(OUTPUT_DIR)
 	sed -e "s|OIDC_ISSUER_URL|$(OIDC_ISSUER_URL)|" -e "s|OIDC_CLIENT_ID|$(OIDC_CLIENT_ID)|" cluster.yaml > $(OUTPUT_DIR)/cluster.yaml
 	kind create cluster --name $(CLUSTER_NAME) --config $(OUTPUT_DIR)/cluster.yaml
-	# set up access control
+
+	# Set up the access control.
 	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
 	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=$(YOUR_EMAIL)
-	# set up kubectl
+
+	# Set up kubectl.
 	kubectl config set-credentials oidc \
-		--exec-api-version=client.authentication.k8s.io/v1beta1 \
+		--exec-api-version=client.authentication.k8s.io/v1 \
+		--exec-interactive-mode=Never \
 		--exec-command=$(CURDIR)/../kubelogin \
 		--exec-arg=get-token \
 		--exec-arg=--token-cache-dir=$(OUTPUT_DIR)/token-cache \
 		--exec-arg=--oidc-issuer-url=$(OIDC_ISSUER_URL) \
 		--exec-arg=--oidc-client-id=$(OIDC_CLIENT_ID) \
-		--exec-arg=--oidc-client-secret=$(OIDC_CLIENT_SECRET) \
 		--exec-arg=--oidc-extra-scope=email
-	# switch the default user
+
+	# Switch the default user.
 	kubectl config set-context --current --user=oidc
 
-# clean up the resources
+	# Show the kubeconfig.
+	kubectl config view
+
 .PHONY: clean
 clean:
 	-rm -r $(OUTPUT_DIR)
+
 .PHONY: delete-cluster
 delete-cluster:
 	kind delete cluster --name $(CLUSTER_NAME)

acceptance_test/README.md

@@ -1,16 +1,14 @@
 # kubelogin/acceptance_test
 
-This is a manual test for verifying Kubernetes OIDC authentication with your OIDC provider.
-
+This is a manual test to verify if the Kubernetes OIDC authentication works with your OIDC provider.
 
 ## Purpose
 
 This test checks the following points:
 
-1. You can set up your OIDC provider using [setup guide](../docs/setup.md).
+1. You can set up your OIDC provider using the [setup guide](../docs/setup.md).
 1. The plugin works with your OIDC provider.
 
-
 ## Getting Started
 
 ### Prerequisite
@@ -22,7 +20,7 @@ make -C ..
 ```
 
 You need to set up your provider.
-See [setup guide](../docs/setup.md) for more.
+See the [setup guide](../docs/setup.md) for more.
 
 You need to install the following tools:
 
@@ -44,7 +42,6 @@ For example, you can create a cluster with Google account authentication.
 ```sh
 make OIDC_ISSUER_URL=https://accounts.google.com \
   OIDC_CLIENT_ID=REDACTED.apps.googleusercontent.com \
-  OIDC_CLIENT_SECRET=REDACTED \
   YOUR_EMAIL=REDACTED@gmail.com
 ```
 

go.mod

@@ -3,7 +3,7 @@ module github.com/int128/kubelogin
 go 1.23.5
 
 require (
-	github.com/chromedp/chromedp v0.11.2
+	github.com/chromedp/chromedp v0.12.1
 	github.com/coreos/go-oidc/v3 v3.12.0
 	github.com/gofrs/flock v0.12.1
 	github.com/golang-jwt/jwt/v5 v5.2.1
@@ -27,7 +27,7 @@ require (
 
 require (
 	al.essio.dev/pkg/shellescape v1.5.1 // indirect
-	github.com/chromedp/cdproto v0.0.0-20241022234722-4d5d5faf59fb // indirect
+	github.com/chromedp/cdproto v0.0.0-20250120090109-d38428e4d9c8 // indirect
 	github.com/chromedp/sysutil v1.1.0 // indirect
 	github.com/danieljoos/wincred v1.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
@@ -45,7 +45,7 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect

go.sum

@@ -1,10 +1,10 @@
 al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
 al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
 cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-github.com/chromedp/cdproto v0.0.0-20241022234722-4d5d5faf59fb h1:noKVm2SsG4v0Yd0lHNtFYc9EUxIVvrr4kJ6hM8wvIYU=
-github.com/chromedp/cdproto v0.0.0-20241022234722-4d5d5faf59fb/go.mod h1:4XqMl3iIW08jtieURWL6Tt5924w21pxirC6th662XUM=
-github.com/chromedp/chromedp v0.11.2 h1:ZRHTh7DjbNTlfIv3NFTbB7eVeu5XCNkgrpcGSpn2oX0=
-github.com/chromedp/chromedp v0.11.2/go.mod h1:lr8dFRLKsdTTWb75C/Ttol2vnBKOSnt0BW8R9Xaupi8=
+github.com/chromedp/cdproto v0.0.0-20250120090109-d38428e4d9c8 h1:Q2byC+xLgH/Z7hExJ8G/jVqsvCfGhMmNgM1ysZARA3o=
+github.com/chromedp/cdproto v0.0.0-20250120090109-d38428e4d9c8/go.mod h1:RTGuBeCeabAJGi3OZf71a6cGa7oYBfBP75VJZFLv6SU=
+github.com/chromedp/chromedp v0.12.1 h1:kBMblXk7xH5/6j3K9uk8d7/c+fzXWiUsCsPte0VMwOA=
+github.com/chromedp/chromedp v0.12.1/go.mod h1:F6+wdq9LKFDMoyxhq46ZLz4VLXrsrCAR3sFqJz4Nqc0=
 github.com/chromedp/sysutil v1.1.0 h1:PUFNv5EcprjqXZD9nJb9b/c9ibAbxiYo4exNWZyipwM=
 github.com/chromedp/sysutil v1.1.0/go.mod h1:WiThHUdltqCNKGc4gaU50XgYjwjYIhKWoHGPTUfWTJ8=
 github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo=
@@ -83,8 +83,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80 h1:6Yzfa6GP0rIo/kULo2bwGEkFvCePZ3qHDDTC3/J9Swo=
 github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs=
-github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
-github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
+github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=

integration_test/credetial_plugin_test.go

@@ -19,7 +19,7 @@ import (
 	"github.com/int128/kubelogin/pkg/testing/clock"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
+	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
 )
 
 // Run the integration tests of the credential plugin use-case.
@@ -50,7 +50,6 @@ func TestCredentialPlugin(t *testing.T) {
 
 		t.Run(name, func(t *testing.T) {
 			t.Run("AuthCode", func(t *testing.T) {
-				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
 				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{
@@ -77,7 +76,6 @@ func TestCredentialPlugin(t *testing.T) {
 			})
 
 			t.Run("ROPC", func(t *testing.T) {
-				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
 				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{
@@ -108,7 +106,6 @@ func TestCredentialPlugin(t *testing.T) {
 			})
 
 			t.Run("TokenCacheLifecycle", func(t *testing.T) {
-				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
 				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{})
@@ -203,7 +200,6 @@ func TestCredentialPlugin(t *testing.T) {
 
 	t.Run("PKCE", func(t *testing.T) {
 		t.Run("Not supported by provider", func(t *testing.T) {
-			t.Parallel()
 			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 			defer cancel()
 			svc := oidcserver.New(t, keypair.None, testconfig.Config{
@@ -229,7 +225,6 @@ func TestCredentialPlugin(t *testing.T) {
 		})
 
 		t.Run("Enforce", func(t *testing.T) {
-			t.Parallel()
 			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 			defer cancel()
 			svc := oidcserver.New(t, keypair.None, testconfig.Config{
@@ -257,7 +252,6 @@ func TestCredentialPlugin(t *testing.T) {
 	})
 
 	t.Run("TLSData", func(t *testing.T) {
-		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		svc := oidcserver.New(t, keypair.Server, testconfig.Config{
@@ -284,7 +278,6 @@ func TestCredentialPlugin(t *testing.T) {
 	})
 
 	t.Run("ExtraScopes", func(t *testing.T) {
-		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		svc := oidcserver.New(t, keypair.None, testconfig.Config{
@@ -314,7 +307,6 @@ func TestCredentialPlugin(t *testing.T) {
 	})
 
 	t.Run("OpenURLAfterAuthentication", func(t *testing.T) {
-		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		svc := oidcserver.New(t, keypair.None, testconfig.Config{
@@ -341,7 +333,6 @@ func TestCredentialPlugin(t *testing.T) {
 	})
 
 	t.Run("RedirectURLHostname", func(t *testing.T) {
-		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		svc := oidcserver.New(t, keypair.None, testconfig.Config{
@@ -368,7 +359,6 @@ func TestCredentialPlugin(t *testing.T) {
 	})
 
 	t.Run("RedirectURLHTTPS", func(t *testing.T) {
-		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		svc := oidcserver.New(t, keypair.None, testconfig.Config{
@@ -401,7 +391,6 @@ func TestCredentialPlugin(t *testing.T) {
 	})
 
 	t.Run("ExtraParams", func(t *testing.T) {
-		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		svc := oidcserver.New(t, keypair.None, testconfig.Config{
@@ -446,6 +435,10 @@ type getTokenConfig struct {
 
 func runGetToken(t *testing.T, ctx context.Context, cfg getTokenConfig) {
 	cmd := di.NewCmdForHeadless(clock.Fake(cfg.now), os.Stdin, cfg.stdout, logger.New(t), cfg.httpDriver)
+	t.Setenv(
+		"KUBERNETES_EXEC_INFO",
+		`{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1","spec":{"interactive":true}}`,
+	)
 	exitCode := cmd.Run(ctx, append([]string{
 		"kubelogin",
 		"get-token",
@@ -461,22 +454,22 @@ func runGetToken(t *testing.T, ctx context.Context, cfg getTokenConfig) {
 }
 
 func assertCredentialPluginStdout(t *testing.T, stdout io.Reader, token string, expiry time.Time) {
-	var got clientauthenticationv1beta1.ExecCredential
+	var got clientauthenticationv1.ExecCredential
 	if err := json.NewDecoder(stdout).Decode(&got); err != nil {
 		t.Errorf("could not decode json of the credential plugin: %s", err)
 		return
 	}
-	want := clientauthenticationv1beta1.ExecCredential{
+	want := clientauthenticationv1.ExecCredential{
 		TypeMeta: metav1.TypeMeta{
-			APIVersion: "client.authentication.k8s.io/v1beta1",
+			APIVersion: "client.authentication.k8s.io/v1",
 			Kind:       "ExecCredential",
 		},
-		Status: &clientauthenticationv1beta1.ExecCredentialStatus{
+		Status: &clientauthenticationv1.ExecCredentialStatus{
 			Token:               token,
 			ExpirationTimestamp: &metav1.Time{Time: expiry},
 		},
 	}
 	if diff := cmp.Diff(want, got); diff != "" {
-		t.Errorf("kubeconfig mismatch (-want +got):\n%s", diff)
+		t.Errorf("stdout mismatch (-want +got):\n%s", diff)
 	}
 }

mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mock_Provider.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package service_mock
 

mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mock_Service.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package service_mock
 

mocks/github.com/int128/kubelogin/pkg/cmd_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package cmd_mock
 

mocks/github.com/int128/kubelogin/pkg/credentialplugin/reader_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package reader_mock
 

mocks/github.com/int128/kubelogin/pkg/credentialplugin/writer_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package writer_mock
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/browser_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package browser_mock
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/clock_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package clock_mock
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package logger_mock
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mock_Verbose.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package logger_mock
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mock_goLogger.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package logger_mock
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/reader_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package reader_mock
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mock_Stdin.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package stdio_mock
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mock_Stdout.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package stdio_mock
 

mocks/github.com/int128/kubelogin/pkg/jwt_mock/mock_Clock.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package jwt_mock
 

mocks/github.com/int128/kubelogin/pkg/kubeconfig/loader_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package loader_mock
 

mocks/github.com/int128/kubelogin/pkg/kubeconfig/writer_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package writer_mock
 

mocks/github.com/int128/kubelogin/pkg/oidc/client_mock/mock_FactoryInterface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package client_mock
 

mocks/github.com/int128/kubelogin/pkg/oidc/client_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package client_mock
 

mocks/github.com/int128/kubelogin/pkg/testing/logger_mock/mock_testingLogger.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package logger_mock
 

mocks/github.com/int128/kubelogin/pkg/tlsclientconfig/loader_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package loader_mock
 

mocks/github.com/int128/kubelogin/pkg/tokencache/repository_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package repository_mock
 

mocks/github.com/int128/kubelogin/pkg/usecases/authentication_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package authentication_mock
 

mocks/github.com/int128/kubelogin/pkg/usecases/clean_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package clean_mock
 

mocks/github.com/int128/kubelogin/pkg/usecases/credentialplugin_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package credentialplugin_mock
 

mocks/github.com/int128/kubelogin/pkg/usecases/setup_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package setup_mock
 

mocks/github.com/int128/kubelogin/pkg/usecases/standalone_mock/mock_Interface.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package standalone_mock
 

mocks/io_mock/mock_Closer.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.51.0. DO NOT EDIT.
+// Code generated by mockery v2.51.1. DO NOT EDIT.
 
 package io_mock
 

pkg/tokencache/repository/repository.go

@@ -125,6 +125,9 @@ func (r *Repository) Save(config tokencache.Config, key tokencache.Key, tokenSet
 			if errors.Is(err, keyring.ErrUnsupportedPlatform) {
 				return writeToFile(config, checksum, tokenSet)
 			}
+			if errors.Is(err, keyring.ErrSetDataTooBig) {
+				return writeToFile(config, checksum, tokenSet)
+			}
 			return err
 		}
 		return nil

system_test/README.md

@@ -2,12 +2,11 @@
 
 This is an automated test for verifying behavior of the plugin with a real Kubernetes cluster and OIDC provider.
 
-
 ## Purpose
 
 This test checks the following points:
 
-1. User can set up Kubernetes OIDC authentication using [setup guide](../docs/setup.md).
+1. User can set up Kubernetes OIDC authentication using the [setup guide](../docs/setup.md).
 1. User can log in to an OIDC provider on a browser.
 1. User can access the cluster using a token returned from the plugin.
 
@@ -18,7 +17,6 @@ It depends on the following components:
 - Browser (Chrome)
 - kubectl command
 
-
 ## How it works
 
 Let's take a look at the diagram.
@@ -45,7 +43,6 @@ It performs the test by the following steps:
 1. kube-apiserver verifies the token by Dex.
 1. Check if kubectl exited with code 0.
 
-
 ## Run locally
 
 You need to set up the following components:
@@ -80,7 +77,6 @@ make terminate
 make clean
 ```
 
-
 ## Technical consideration
 
 ### Network and DNS

system_test/cluster/Makefile

@@ -8,13 +8,16 @@ export KUBECONFIG
 cluster:
 	cp $(CERT_DIR)/ca.crt /tmp/kubelogin-system-test-dex-ca.crt
 	kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml
-	# add the Dex container IP to /etc/hosts
+
+	# Add the Dex container IP to /etc/hosts.
 	docker inspect -f '{{.NetworkSettings.Networks.kind.IPAddress}}' dex-server | sed -e 's,$$, dex-server,' | \
 		docker exec -i $(CLUSTER_NAME)-control-plane tee -a /etc/hosts
-	# wait for kube-apiserver oidc initialization
-	# (oidc authenticator will retry oidc discovery every 10s)
+
+	# Wait for kube-apiserver oidc initialization.
+	# oidc authenticator will retry oidc discovery every 10s.
 	sleep 10
-	# add the cluster role
+
+	# Add the cluster role.
 	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
 	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com
 

system_test/dex/Makefile

@@ -2,15 +2,18 @@ CERT_DIR := ../cert
 
 .PHONY: dex
 dex: dex.yaml
-	# wait for kind network
-	while true; do if docker network inspect kind; then break; fi; sleep 1; done
-	# create a container
+	# Wait for kind network.
+	until docker network inspect kind; do sleep 1; done
+
+	# Create a container.
 	docker create -q --name dex-server -p 10443:10443 --network kind ghcr.io/dexidp/dex:v2.39.0 dex serve /dex.yaml
-	# deploy the config
+
+	# Deploy the config.
 	docker cp $(CERT_DIR)/server.crt dex-server:/
 	docker cp $(CERT_DIR)/server.key dex-server:/
 	docker cp dex.yaml dex-server:/
-	# start the container
+
+	# Start the container.
 	docker start dex-server
 	docker logs dex-server
 

tools/go.mod

@@ -5,7 +5,7 @@ go 1.23.5
 require (
 	github.com/golangci/golangci-lint v1.63.4
 	github.com/google/wire v0.6.0
-	github.com/vektra/mockery/v2 v2.51.0
+	github.com/vektra/mockery/v2 v2.51.1
 )
 
 require (

tools/go.sum

@@ -580,8 +580,8 @@ github.com/uudashr/gocognit v1.2.0 h1:3BU9aMr1xbhPlvJLSydKwdLN3tEUUrzPSSM8S4hDYR
 github.com/uudashr/gocognit v1.2.0/go.mod h1:k/DdKPI6XBZO1q7HgoV2juESI2/Ofj9AcHPZhBBdrTU=
 github.com/uudashr/iface v1.3.0 h1:zwPch0fs9tdh9BmL5kcgSpvnObV+yHjO4JjVBl8IA10=
 github.com/uudashr/iface v1.3.0/go.mod h1:4QvspiRd3JLPAEXBQ9AiZpLbJlrWWgRChOKDJEuQTdg=
-github.com/vektra/mockery/v2 v2.51.0 h1:pAPiE1xyZ/2y6VTr8dRAJGrbNBKeMtN0aqY12rXzuiQ=
-github.com/vektra/mockery/v2 v2.51.0/go.mod h1:xO2DeYemEPC2tCzIZ+a1tifZ/7Laf/Chxg3vlc+oDsI=
+github.com/vektra/mockery/v2 v2.51.1 h1:BiiUSotsS7B56xvTjlIY2VDZxiEY9rzQ+ev69jE/mtw=
+github.com/vektra/mockery/v2 v2.51.1/go.mod h1:xO2DeYemEPC2tCzIZ+a1tifZ/7Laf/Chxg3vlc+oDsI=
 github.com/xen0n/gosmopolitan v1.2.2 h1:/p2KTnMzwRexIW8GlKawsTWOxn7UHA+jCMF/V8HHtvU=
 github.com/xen0n/gosmopolitan v1.2.2/go.mod h1:7XX7Mj61uLYrj0qmeN0zi7XDon9JRAEhYQqAPLVNTeg=
 github.com/yagipy/maintidx v1.0.0 h1:h5NvIsCz+nRDapQ0exNv4aJ0yXSI0420omVANTv3GJM=