Adding README.md Updates With the New Auth Flow

**Why:** * Documentes how to configured your `kubeconfig` to use `ExecCredential` `client-go` mechanisms. * Changes some of the documented comments to reflex `clientauth` vs 1.10 release Signed-off-by: Christopher Hein <me@christopherhein.com>
d-nishi · Apr 10, 2018 · c66d898 · c66d898
1 parent 73dc4ff
commit c66d898
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -82,13 +82,26 @@ systemctl restart kubelet.service
 ```
 
 ### 4. Set up kubectl to use Heptio Authenticator for AWS tokens
+
+> This requires a 1.10+ `kubectl` binary to work. If you receive `Please enter Username:` when trying to use `kubectl` you need to update to the latest `kubectl`
+
 Finally, once the server is set up you'll want to authenticate!
 You will still need a `kubeconfig` that has the public data about your cluster (cluster CA certificate, endpoint address).
 The `users` section of your configuration, however, can be mostly blank:
 ```yaml
 # [...]
 users:
 - name: kubernetes-admin
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1alpha1
+      command: heptio-authenticator-aws
+      args:
+        - "token"
+        - "-i"
+        - "CLUSTER_ID"
+        - "-r"
+        - "ROLE_ARN"
   # no client certificate/key needed here!
 ```
 
@@ -98,8 +111,8 @@ It may make sense to upload it to a trusted public location such as AWS S3.
 Make sure you have the `heptio-authenticator-aws` binary installed.
 You can install it with `go get -u -v github.com/heptio/authenticator/cmd/heptio-authenticator-aws`.
 
-To authenticate, run `kubectl --kubeconfig /path/to/kubeconfig --token "$(heptio-authenticator-aws token -i CLUSTER_ID -r ROLE_ARN)" [...]`.
-You can simplify this with an alias or shell wrapper.
+To authenticate, run `kubectl --kubeconfig /path/to/kubeconfig" [...]`.
+kubectl will handle `exec`'ing the `heptio-authenticator-aws` binary with the supplied params in your kubeconfig which will generate a token and pass it to the apiserver.
 The token is valid for 15 minutes (the shortest value AWS permits) and can be reused multiple times.
 
 You can also omit `-r ROLE_ARN` to sign the token with your existing credentials without assuming a dedicated role.

diff --git a/cmd/heptio-authenticator-aws/token.go b/cmd/heptio-authenticator-aws/token.go
@@ -35,7 +35,7 @@ var tokenCmd = &cobra.Command{
 		clusterID := viper.GetString("clusterID")
 
 		if clusterID == "" {
-			fmt.Fprintf(os.Stderr, "error: cluster ID not specified\n")
+			fmt.Fprintf(os.Stderr, "Error: cluster ID not specified\n")
 			cmd.Usage()
 			os.Exit(1)
 		}

diff --git a/pkg/token/token.go b/pkg/token/token.go
@@ -127,7 +127,7 @@ type Generator interface {
 	Get(string) (string, error)
 	// GetWithRole creates a token by assuming the provided role, using the credentials in the default chain.
 	GetWithRole(clusterID, roleARN string) (string, error)
-	// FormatJSON returns the client auth formatted json for the execcredential auth
+	// FormatJSON returns the client auth formatted json for the ExecCredential auth
 	FormatJSON(string) string
 }
 
@@ -184,7 +184,7 @@ func (g generator) GetWithRole(clusterID string, roleARN string) (string, error)
 	return v1Prefix + base64.RawURLEncoding.EncodeToString([]byte(presignedURLString)), nil
 }
 
-// FormatJSON formats the json to support 1.10 external authProvider
+// FormatJSON formats the json to support ExecCredential authentication
 func (g generator) FormatJSON(token string) string {
 	execInput := &clientauthv1alpha1.ExecCredential{
 		TypeMeta: metav1.TypeMeta{