From cf616939f19f738cc97ccb1cea8bbfde2cc79c5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Mon, 21 Jun 2021 18:56:16 +0200
Subject: [PATCH] kube_inventory: expand tls key/tls certificate documentation (#9357)
---
 plugins/inputs/kube_inventory/README.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/plugins/inputs/kube_inventory/README.md b/plugins/inputs/kube_inventory/README.md
index c9d6fb0be..7803d4fc4 100644
--- a/plugins/inputs/kube_inventory/README.md
+++ b/plugins/inputs/kube_inventory/README.md
@@ -68,8 +68,11 @@ avoid cardinality issues:
 selector_exclude = ["*"]
 ## Optional TLS Config
+ ## Trusted root certificates for server
 # tls_ca = "/path/to/cafile"
+ ## Used for TLS client certificate authentication
 # tls_cert = "/path/to/certfile"
+ ## Used for TLS client certificate authentication
 # tls_key = "/path/to/keyfile"
 ## Use TLS but skip chain & host verification
 # insecure_skip_verify = false
@@ -127,6 +130,26 @@ subjects:
 namespace: default
 ```
+## Quickstart in k3s
+
+When monitoring [k3s](https://k3s.io) server instances one can re-use already generated administration token.
+This is less secure than using the more restrictive dedicated telegraf user but more convienient to set up.
+
+```console
+# an empty token will make telegraf use the client cert/key files instead
+$ touch /run/telegraf-kubernetes-token
+# replace `telegraf` with the user the telegraf process is running as
+$ install -o telegraf -m400 /var/lib/rancher/k3s/server/tls/client-admin.crt /run/telegraf-kubernetes-cert
+$ install -o telegraf -m400 /var/lib/rancher/k3s/server/tls/client-admin.key /run/telegraf-kubernetes-key
+```
+
+```toml
+[kube_inventory]
+bearer_token = "/run/telegraf-kubernetes-token"
+tls_cert = "/run/telegraf-kubernetes-cert"
+tls_key = "/run/telegraf-kubernetes-key"
+```
+
 ### Metrics:
 - kubernetes_daemonset