Huawei Cloud UCS: asm-iam-authenticator Usage Reference

Time: 2025-02-12 15:05:17

asm-iam-authenticator Usage Reference

asm-iam-authenticator is the authentication plugin on the Kubernetes client side. It provides two main subcommands: generate-kubeconfig and token.

A tool to authenticate to ASM using HuaweiCloud IAM credentials

Usage:
  asm-iam-authenticator [command]

Available Commands:
  completion          Generate the autocompletion script for the specified shell
  generate-kubeconfig Generate or modify kubeconfig files based on user configuration
  help                Help about any command
  token               Authenticate using HuaweiCloud IAM and get token for ASM

Flags:
      --alsologtostderr   log to standard error as well as files (no effect when -logtostderr=true)
  -h, --help              help for asm-iam-authenticator
      --log_dir string    If non-empty, write log files in this directory (no effect when -logtostderr=true)
      --log_file string   If non-empty, use this log file (no effect when -logtostderr=true)
      --logtostderr       log to standard error instead of files (default true)
  -v, --v Level           number for the log level verbosity
      --version           version for asm-iam-authenticator

Use "asm-iam-authenticator [command] --help" for more information about a command.

The flags at this level are mainly logging options.

token

The token subcommand obtains a user token. Two authentication methods are available: username/password and AK/SK. Choose one of them.

Authenticate using HuaweiCloud IAM and get token for ASM

Usage:
  asm-iam-authenticator token [flags]

Flags:
      --ak string                  IAM access key ID
      --aksk-dir string            The directory of IAM access key(AK) and secret access key(SK)
      --cache                      Cache the token credential on disk until it expires (default true)
      --domain-name string         IAM domain name, typically your account name
  -h, --help                       help for token
      --iam-endpoint string        HuaweiCloud IAM endpoint, i.e. https://iam.cn-north-4.myhuaweicloud.com (default "https://iam.myhuaweicloud.com")
      --insecure-skip-tls-verify   If true, the iam server's certificate will not be checked for validity. (default true)
      --password string            IAM user password
      --project-id string          IAM project id, project id and project name should not be empty at same time
      --project-name string        IAM project name, project id and project name should not be empty at same time
      --sk string                  IAM secret access key
      --token-expired-refresh      Whether refresh the cached token when it may have expired resulting unauthorized. If true, we will use client.authentication.k8s.io/v1alpha1 api version. Otherwise, use client.authentication.k8s.io/v1beta1
      --token-only                 Return token only for other tool integration
      --user-name string           IAM user name. Same as domain-name when using main account, otherwise use iam user name

The flags fall into three groups: username/password, AK/SK, and common configuration.

Table 1 Username/password configuration

Command Flag | Environment Value | Description
domain-name  | DOMAIN_NAME       | Tenant name, i.e. the account name. For details, see https://support.huaweicloud.com/usermanual-ca/ca_01_0001.html
user-name    | USER_NAME         | Sub-user name, i.e. the IAM user name. If not configured, it is the same as domain-name. For details, see https://support.huaweicloud.com/usermanual-ca/ca_01_0001.html
password     | PASSWORD          | Password of the user or sub-user.

Table 2 AK/SK configuration

Command Flag | Environment Value | Description
ak           | ACCESS_KEY_ID     | For how to obtain the AK and SK, see Obtaining an AK/SK. The ak is the Access Key part of the credentials file and the sk is the Secret Key part.
sk           | SECRET_ACCESS_KEY | See the ak row.

Table 3 Common configuration

Command Flag             | Environment Value        | Description
iam-endpoint             | IAM_ENDPOINT             | IAM endpoint. Mandatory. For details, see https://developer.huaweicloud.com/endpoint?IAM
project-name             | PROJECT_NAME             | Project name. For details, see https://support.huaweicloud.com/usermanual-ca/ca_01_0001.html
project-id               | PROJECT_ID               | Project ID. For details, see https://support.huaweicloud.com/usermanual-ca/ca_01_0001.html
insecure-skip-tls-verify | INSECURE_SKIP_TLS_VERIFY | Whether to skip certificate verification of the CCI/IAM server. Default: true.
cache                    | CREDENTIAL_CACHE         | Whether to cache the IAM token locally to improve access performance. Default: true.

Note:

In an insecure environment, disabling this option is recommended.
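As an added example (not from the Huawei Cloud page or the asm-iam-authenticator project), the following POSIX sh wrapper drives the token subcommand through the environment variables of Tables 1 to 3 and enforces the documented constraints before the plugin runs: exactly one credential method, a mandatory IAM_ENDPOINT, at least one of PROJECT_ID/PROJECT_NAME, and explicit overrides of the two flags whose default is true (certificate verification and the on-disk token cache). The helper names and the override set are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the page or the asm-iam-authenticator project):
# pre-flight checks around "asm-iam-authenticator token". Credentials are read
# from the environment variables listed in Tables 1-3, so secrets never appear
# in shell history or in the process list the way --password/--sk would.

# check_auth_env: 0 if exactly one credential method is set and the mandatory
# common settings are present; prints the failing rule to stderr otherwise.
check_auth_env() {
    have_pw=0
    have_aksk=0
    if [ -n "$DOMAIN_NAME" ] && [ -n "$PASSWORD" ]; then have_pw=1; fi
    if [ -n "$ACCESS_KEY_ID" ] && [ -n "$SECRET_ACCESS_KEY" ]; then have_aksk=1; fi
    if [ $((have_pw + have_aksk)) -ne 1 ]; then
        echo "set exactly one of DOMAIN_NAME/PASSWORD or ACCESS_KEY_ID/SECRET_ACCESS_KEY" >&2
        return 1
    fi
    if [ -z "$IAM_ENDPOINT" ]; then
        echo "IAM_ENDPOINT is mandatory" >&2
        return 1
    fi
    if [ -z "$PROJECT_ID" ] && [ -z "$PROJECT_NAME" ]; then
        echo "PROJECT_ID and PROJECT_NAME must not both be empty" >&2
        return 1
    fi
    return 0
}

# hardened_flags: overrides for the two flags whose documented default is
# "true": verify the IAM server certificate, and keep the token off disk
# (the page recommends disabling the cache on insecure hosts).
hardened_flags() {
    printf '%s' "--insecure-skip-tls-verify=false --cache=false"
}

# get_token: run the plugin after the checks above; --token-only is the flag
# the page documents for integration with other tools.
get_token() {
    check_auth_env || return 1
    if ! command -v asm-iam-authenticator >/dev/null 2>&1; then
        echo "asm-iam-authenticator not found in PATH" >&2
        return 2
    fi
    # word splitting of the flag string is intended here
    asm-iam-authenticator token $(hardened_flags) --token-only
}
```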

generate-kubeconfig

Generates a KubeConfig for the user directly. If the specified KubeConfig already exists, new server, user, and context entries are injected into it, and the current context of the KubeConfig is switched to the result of this configuration.

Generate or modify kubeconfig files based on user configuration.

Sets a cluster entry, a user entry and a context entry in kubeconfig and use this context as the current-context.

The loading order follows these rules:

  1.  If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.
  2.  If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.
  3.  Otherwise, ${HOME}/.kube/config is used and no merging takes place.

Examples:
  # Generate kubeconfig to ${HOME}/.kube/config using aksk
  asm-iam-authenticator generate-kubeconfig --mesh-endpoint=https://127.0.0.1:5443 --ak=*** --sk=***

  # Generate kubeconfig to ${HOME}/.kube/config using domain name and password
  asm-iam-authenticator generate-kubeconfig --mesh-endpoint=https://127.0.0.1:5443 --domain-name=*** --password=***

Usage:
  asm-iam-authenticator generate-kubeconfig [flags]

Flags:
      --ak string                  IAM access key ID
      --aksk-dir string            The directory of IAM access key(AK) and secret access key(SK)
      --cache                      Cache the token credential on disk until it expires (default true)
      --domain-name string         IAM domain name, typically your account name
  -h, --help                       help for generate-kubeconfig
      --iam-endpoint string        HuaweiCloud IAM endpoint, i.e. https://iam.cn-north-4.myhuaweicloud.com (default "https://iam.myhuaweicloud.com")
      --insecure-skip-tls-verify   If true, the iam server's certificate will not be checked for validity. (default true)
      --kubeconfig string          use a particular kubeconfig file
      --mesh-endpoint string       Mesh server endpoint, i.e. https://127.0.0.1:5443
      --mesh-region string         Mesh region, i.e. cn-north-4
      --password string            IAM user password
      --project-id string          IAM project id, project id and project name should not be empty at same time
      --project-name string        IAM project name, project id and project name should not be empty at same time
      --sk string                  IAM secret access key
      --token-expired-refresh      Whether refresh the cached token when it may have expired resulting unauthorized. If true, we will use client.authentication.k8s.io/v1alpha1 api version. Otherwise, use client.authentication.k8s.io/v1beta1
      --token-only                 Return token only for other tool integration
      --user-name string           IAM user name. Same as domain-name when using main account, otherwise use iam user name
      --validation                 Validate kubeconfig by trying to access Mesh with existing config (default true)
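As an added example (not from the page or the asm-iam-authenticator project), a POSIX sh function that applies the three loading rules quoted above to predict which file generate-kubeconfig will create its new cluster, user and context entries in, so the credential stanza does not land in an unexpected kubeconfig. It assumes the colon-separated form of $KUBECONFIG used on POSIX systems and covers creation only; modification of an existing stanza depends on which file already defines it.

```shell
#!/bin/sh
# Added example (not from the page or the asm-iam-authenticator project):
# apply the three loading rules from the help text to find the file in which
# generate-kubeconfig will create its new cluster/user/context entries.
# Assumes the POSIX colon-separated form of $KUBECONFIG; handles creation only.
#   usage: resolve_kubeconfig_target [value-of-the---kubeconfig-flag]
resolve_kubeconfig_target() {
    # Rule 1: an explicit --kubeconfig is the only file loaded, no merging.
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
        return 0
    fi
    # Rule 2: $KUBECONFIG is a path list; the entry is created in the first
    # file that exists, or in the last listed path if none of them exists.
    if [ -n "$KUBECONFIG" ]; then
        last=""
        old_ifs=$IFS
        IFS=:
        for p in $KUBECONFIG; do
            [ -n "$p" ] || continue
            if [ -f "$p" ]; then
                IFS=$old_ifs
                printf '%s\n' "$p"
                return 0
            fi
            last=$p
        done
        IFS=$old_ifs
        printf '%s\n' "$last"
        return 0
    fi
    # Rule 3: the default location, no merging.
    printf '%s\n' "${HOME}/.kube/config"
}
```

Run it with the same --kubeconfig value and KUBECONFIG environment you intend to give generate-kubeconfig, and confirm the printed path before the credentials are written.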
support.huaweicloud.com/usermanual-ucs/ucs_02_0071.html