From a1682466bffd21991bc1ccaaf4e77a4b6ff4ba90 Mon Sep 17 00:00:00 2001 From: Tom Date: Fri, 29 Mar 2019 15:47:10 -0400 Subject: [PATCH 1/3] update readme to include kube-api oidc config --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index 8ecc6ff..07459b2 100644 --- a/README.md +++ b/README.md @@ -119,6 +119,21 @@ Run `kubectl describe configmap api-server-config -n openunison` to get the SSO To login, open your browser and go to the host you specified for `OU_HOST` in your `input.props`. For instance if `OU_HOST` is `k8sou.tremolo.lan` then navigate to https://k8sou.tremolo.lan. You'll be prompted for your Active Directory username and password. Once authenticated you'll be able login to the portal and generate your `.kube/config` from the Tokens screen. +## Add oidc parameteres to kube-apiserver + +On all master nodes you need to update the kube-apiserver configuration. First create a new file with the contents of your TLS certificate for your OU_HOST (e.g. k8sou.tremolo.lan) ```/etc/kubernetes/pki/ou-ca.pem``` + +Then add the following parameters to ```/etc/kubernetes/manifests/kube-apiserver.yaml```. The kube-apiservers will automatically restart. + +``` + - --oidc-issuer-url=https://k8sou.tremolo.lan/auth/idp/k8sIdp + - --oidc-client-id=kubernetes + - --oidc-ca-file=/etc/kubernetes/pki/ou-ca.pem + - --oidc-username-claim=sub + - --oidc-groups-claim=groups +``` + + ## Authorizing Access via RBAC On first login, if you haven't authorized access to any Kubernetes roles you won't be able to do anything. There are two approaches you can take: From 9e436d5b1ac799fb6f01cf27dcfbb0868db4460a Mon Sep 17 00:00:00 2001 From: Tom Date: Fri, 29 Mar 2019 21:03:30 -0400 Subject: [PATCH 2/3] update Complete SSO Integration with Kubernetes --- README.md | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 07459b2..0bb94db 100644 --- a/README.md +++ b/README.md 
@@ -115,24 +115,13 @@ Once you see `Completed`, you can exit the script (`Ctl+C`). This script create Run `kubectl describe configmap api-server-config -n openunison` to get the SSO integration artifacts. The output will give you both the certificate that needs to be trusted and the API server flags that need to be configured on your API servers. -## First Login - -To login, open your browser and go to the host you specified for `OU_HOST` in your `input.props`. For instance if `OU_HOST` is `k8sou.tremolo.lan` then navigate to https://k8sou.tremolo.lan. You'll be prompted for your Active Directory username and password. Once authenticated you'll be able login to the portal and generate your `.kube/config` from the Tokens screen. - -## Add oidc parameteres to kube-apiserver - -On all master nodes you need to update the kube-apiserver configuration. First create a new file with the contents of your TLS certificate for your OU_HOST (e.g. k8sou.tremolo.lan) ```/etc/kubernetes/pki/ou-ca.pem``` +Copy the certificate to a file on your master nodes such as ```/etc/kubernetes/pki/ou-ca.pem``` -Then add the following parameters to ```/etc/kubernetes/manifests/kube-apiserver.yaml```. The kube-apiservers will automatically restart. +Then add the parameters to ```/etc/kubernetes/manifests/kube-apiserver.yaml```. The kube-apiservers will automatically restart. -``` - - --oidc-issuer-url=https://k8sou.tremolo.lan/auth/idp/k8sIdp - - --oidc-client-id=kubernetes - - --oidc-ca-file=/etc/kubernetes/pki/ou-ca.pem - - --oidc-username-claim=sub - - --oidc-groups-claim=groups -``` +## First Login +To login, open your browser and go to the host you specified for `OU_HOST` in your `input.props`. For instance if `OU_HOST` is `k8sou.tremolo.lan` then navigate to https://k8sou.tremolo.lan. You'll be prompted for your Active Directory username and password. Once authenticated you'll be able login to the portal and generate your `.kube/config` from the Tokens screen. 
## Authorizing Access via RBAC From 36a9f0be9a91a9fc25aa260a44ee6ca25db33828 Mon Sep 17 00:00:00 2001 From: Tom Date: Fri, 29 Mar 2019 21:06:03 -0400 Subject: [PATCH 3/3] Add clarification to SSO integration --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0bb94db..724a59f 100644 --- a/README.md +++ b/README.md @@ -117,7 +117,7 @@ Run `kubectl describe configmap api-server-config -n openunison` to get the SSO Copy the certificate to a file on your master nodes such as ```/etc/kubernetes/pki/ou-ca.pem``` -Then add the parameters to ```/etc/kubernetes/manifests/kube-apiserver.yaml```. The kube-apiservers will automatically restart. +Then add the parameters to ```/etc/kubernetes/manifests/kube-apiserver.yaml``` on your master nodes using the certificate file location above. The kube-apiservers will automatically restart. ## First Login
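Review bot: In the PATCH 1/3 hunk (@@ -119,6 +119,21 @@), the new section tells the reader to build `/etc/kubernetes/pki/ou-ca.pem` from "the contents of your TLS certificate for your OU_HOST", but the flag that consumes it is `--oidc-ca-file`, which the API server uses as the trust anchor when it verifies the issuer's TLS endpoint; the file should hold the certificate that `kubectl describe configmap api-server-config -n openunison` reports as "the certificate that needs to be trusted", and the sentence should say that rather than "your TLS certificate". The hardcoded flag block (`--oidc-issuer-url=https://k8sou.tremolo.lan/auth/idp/k8sIdp` and the rest) also duplicates values the configmap already emits for the reader's own `OU_HOST`, so it will drift from the generated output; pointing the reader at the configmap output is safer, which PATCH 2/3 in this series does. Minor: "parameteres" in the heading is a typo, and the section lands after "First Login" even though the API server has to accept the OIDC tokens before a generated `.kube/config` can be used.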
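Review bot: In the PATCH 2/3 hunk (@@ -115,24 +115,13 @@), "Then add the parameters to ```/etc/kubernetes/manifests/kube-apiserver.yaml```" no longer says which parameters once the flag block is removed; the sentence should refer back to the API server flags printed by the configmap describe and note that the `--oidc-ca-file` value in that output must match the path the certificate was actually copied to, since `/etc/kubernetes/pki/ou-ca.pem` is given only as an example ("such as"). Style: the moved lines use triple backticks for inline paths while the rest of the README uses single backticks for `OU_HOST`, `input.props` and `.kube/config`; single backticks keep the file consistent. Also "you'll be able login to the portal" should read "you'll be able to log in to the portal".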
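Review bot: In the PATCH 3/3 hunk (@@ -117,7 +117,7 @@), "using the certificate file location above" is still indirect; stating it plainly, for example "set `--oidc-ca-file` to the path you copied the certificate to (`/etc/kubernetes/pki/ou-ca.pem` in the example above)", removes the ambiguity this clarification is meant to fix. "The kube-apiservers will automatically restart" holds only because `/etc/kubernetes/manifests/kube-apiserver.yaml` is a kubelet static-pod manifest (the kubeadm layout); the README should state that assumption and suggest confirming with `kubectl get pods -n kube-system` that the kube-apiserver pod came back, since a mistyped flag leaves the API server failing to start and `kubectl` itself unavailable until the manifest is corrected. The inline path again uses triple backticks where the README otherwise uses single ones.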