Kubernetes Docs Update (#3386)

* Update Kubnernetes Docs

* Add a note about alpha clusters on GKE

* Fix JSON formatting

* Update kubernetes.html.md

* Fix a few review comments

website/source/api/auth/kubernetes/index.html.md

@@ -29,20 +29,21 @@ access the Kubernetes API.
 | `POST`   | `/auth/kubernetes/config`    | `204 (empty body)`     |
 
 ### Parameters
- - `pem_keys` `(array: <required>)` - List of PEM-formated public keys or certificates
+ - `kubernetes_host` `(string: <required>)` - Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
+ - `kubernetes_ca_cert` `(string: "")` - PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
+ - `pem_keys` `(array: [])` - Optional list of PEM-formated public keys or certificates
     used to verify the signatures of kubernetes service account
     JWTs. If a certificate is given, its public key will be
-    extracted.
- - `kubernetes_host` `(string: <required>)` - Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
- - `kubernetes_ca_cert` `(string: "")` - PEM encoded CA cert for use by the TLS client used to talk with the API.
+    extracted. Not every installation of Kuberentes exposes these
+    keys. 
 
 ### Sample Payload
 
 ```json
 {
-  "pem_keys": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----",
   "kubernetes_host": "https://192.168.99.100:8443",
-  "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----"
+  "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----",
+  "pem_keys": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----"
 }
 ```
 
@@ -77,9 +78,9 @@ $ curl \
 ```json
 {
   "data":{
-      "pem_keys": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----",
       "kubernetes_host": "https://192.168.99.100:8443",
-      "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----"
+      "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----",
+      "pem_keys": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----"
   },
   ...
 }

website/source/docs/auth/kubernetes.html.md

@@ -99,7 +99,6 @@ configure it, use the `/config` endpoint.
 
 ```
 $ vault write auth/kubernetes/config \
-    pem_keys=@signingkey.crt \
     kubernetes_host=https://192.168.99.100:8443 \
     kubernetes_ca_cert=@ca.crt
 ```
@@ -122,6 +121,7 @@ it gives it the default policy.
 
 ## Configuring Kubernetes
 
+### Token Review Lookup
 This backend accesses the [Kubernetes TokenReview
 API](https://kubernetes.io/docs/api-reference/v1.7/#tokenreview-v1-authentication)
 to validate the provided JWT is still valid. Kubernetes should be running with
@@ -130,10 +130,12 @@ versions prior should ensure the Kubernetes API server is started with with this
 setting. Otherwise deleted tokens in Kubernetes will not be properly revoked and
 will be able to authenticate to this backend. 
 
+### RBAC Configuration
+
 Service Accounts used in this backend will need to have access to the
-TokenReview API. If Kubernetes is configured to use RBAC roles the Service
-Account should be granted permissions to access this API. The following
-example ClusterRoleBinding could be used to grant these permissions:
+TokenReview API. If Kubernetes is configured to use Role Based Access Control
+the Service Account should be granted permissions to access this API. The
+following example ClusterRoleBinding could be used to grant these permissions:
 
 ```
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -151,6 +153,12 @@ subjects:
   namespace: default
 ```
 
+### GKE 
+
+Currently the Token Review API endpoint is only available in alpha clusters on
+Google Container Engine. This means on GKE this backend can only be used with an
+alpha cluster.
+
 ## API
 
 The Kubernetes Auth Plugin has a full HTTP API. Please see the