amazon-eks-pod-identity-webhook
SELF_HOSTED_SETUP Document Correction
APIServer Configuration
In SELF_HOSTED_SETUP.md it says you need to add --service-account-key-file with the path to the $PKCS_KEY file. I have tested with minikube 1.17 and a kops 1.15 cluster; here is the error message:
{"log":"Error: invalid authentication config: error reading public key file /var/lib/minikube/certs/sa-signing-pkcs.pub: data does not contain any valid RSA or ECDSA public keys\n","stream":"stderr","time":"2020-02-10T14:34:36.834045998Z"}
According to the apiserver doc, it should be the path to $PUB_KEY.
Also, the original public key may not be explicitly specified by --service-account-key-file (it is using the default value, the same as --tls-private-key-file), so the user needs to make sure it is included; otherwise existing tokens will fail: https://github.com/aws/amazon-eks-pod-identity-webhook/issues/29
ControllerManager Configuration
It is missing from the doc that you should also configure the controller manager:
You must pass a service account private key file to the token controller in the controller-manager by using the --service-account-private-key-file option. The private key will be used to sign generated service account tokens. (Managing Service Accounts)
@geckofu I think this change (in #37) caused a regression. The $PUB_KEY file is not a PEM-encoded key as required by the apiserver; it is an OpenSSH-format public key. The $PKCS_KEY file is the PEM-encoded key.
As the apiserver documentation states:
File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens.
This issue was raised before in #11 - I fear that we are going back and forth here.
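The two posts above disagree about which of the generated files is the PEM-encoded key the apiserver wants. The script below is an added example, not code from amazon-eks-pod-identity-webhook or from either commenter: it classifies a key file the way the apiserver's --service-account-key-file parser will see it (PEM block vs. OpenSSH "ssh-rsa AAAA..." line), converts an OpenSSH RSA public key into the "BEGIN PUBLIC KEY" SubjectPublicKeyInfo PEM that `ssh-keygen -e -m PKCS8` produces, and walks the DER back out to prove the conversion round-trips. It uses only the Python standard library; the sample key is constructed inline from a hypothetical 256-bit modulus and is not a real key.

```python
"""Classify a service-account public key file the way kube-apiserver's
--service-account-key-file parser will, and convert an OpenSSH-format RSA
public key (ssh-keygen's default output) into the PEM SubjectPublicKeyInfo
form the apiserver reads, the same result `ssh-keygen -e -m PKCS8` gives.
Added example, not project code; stdlib only; the sample key is constructed."""
import base64
import re
import struct

RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Inverse of der_tlv: returns (tag, body, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def int_to_mpint(x):
    """Minimal big-endian bytes with a leading 0x00 if the top bit is set:
    the encoding both SSH mpints and DER INTEGERs use for positive values."""
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + b if b[0] & 0x80 else b


def ssh_string(b):
    """SSH wire string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def classify(text):
    """'pem' (the encoding the apiserver parses), 'openssh' (what it rejects with
    'data does not contain any valid RSA or ECDSA public keys'), or 'unknown'."""
    if re.search(r"^-----BEGIN [A-Z ]*(PUBLIC|PRIVATE) KEY-----", text, re.M):
        return "pem"
    if re.match(r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-\S+) [A-Za-z0-9+/=]+", text):
        return "openssh"
    return "unknown"


def parse_openssh_rsa(text):
    """Parse an 'ssh-rsa AAAA... comment' line into (e, n)."""
    parts = text.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa OpenSSH public key line")
    blob, fields, pos = base64.b64decode(parts[1]), [], 0
    while pos < len(blob):  # sequence of SSH strings: "ssh-rsa", e, n
        (ln,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def rsa_to_pem_spki(e, n):
    """SubjectPublicKeyInfo { rsaEncryption, BIT STRING { RSAPublicKey { n, e } } }
    wrapped as a 'BEGIN PUBLIC KEY' PEM block (what ssh-keygen -e -m PKCS8 emits)."""
    rsa_pub = der_tlv(0x30, der_tlv(0x02, int_to_mpint(n)) + der_tlv(0x02, int_to_mpint(e)))
    alg_id = der_tlv(0x30, RSA_OID_DER + b"\x05\x00")  # OID + NULL parameters
    spki = der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_pub))  # 0x00 = no unused bits
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def openssh_to_pem(text):
    return rsa_to_pem_spki(*parse_openssh_rsa(text))


def parse_pem_spki_rsa(pem):
    """Walk the DER back out of a 'BEGIN PUBLIC KEY' block to recover (e, n)."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, spki, _ = read_tlv(der, 0)
    _, alg, p = read_tlv(spki, 0)
    if not alg.startswith(RSA_OID_DER):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, bits, _ = read_tlv(spki, p)
    _, rsa_pub, _ = read_tlv(bits[1:], 0)  # skip the unused-bits octet
    _, n_b, p = read_tlv(rsa_pub, 0)
    _, e_b, _ = read_tlv(rsa_pub, p)
    return int.from_bytes(e_b, "big"), int.from_bytes(n_b, "big")


def make_openssh_rsa(e, n, comment="sa-signer"):
    """Encode (e, n) as an OpenSSH public key line; used only to build the sample."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(int_to_mpint(e)) + ssh_string(int_to_mpint(n))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment + "\n"


# Constructed sample: a hypothetical 256-bit modulus, far too small for real
# use, chosen only so the example runs offline and deterministically.
SAMPLE_E = 65537
SAMPLE_N = (1 << 255) | (0xC0FFEE << 200) | 1
SAMPLE_OPENSSH = make_openssh_rsa(SAMPLE_E, SAMPLE_N)

if __name__ == "__main__":
    print("ssh-keygen .pub file is", classify(SAMPLE_OPENSSH), "(rejected by the apiserver)")
    pem = openssh_to_pem(SAMPLE_OPENSSH)
    print("converted file is", classify(pem), "(the form --service-account-key-file parses)")
    print(pem, end="")
```

Running classify on the real files from the setup is the quick check to do before restarting the apiserver: the file handed to --service-account-key-file must report "pem", not "openssh". Because --service-account-key-file is a repeatable flag and its default is the --tls-private-key-file key, pass it once for the key that already verifies existing tokens and once for the new PEM public key, and give the matching private key to the controller-manager via --service-account-private-key-file as the first post describes.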