@@ -289,11 +289,9 @@ This section covers how to perform all the steps of building, deploying, and upd

      If you want to see the build logs of a complete build, use the

      command below (substituting your build name from the "osc get builds"

-     output). Notice that for now only cluster admins can run the `build-logs`

-     command, so we have to explicitly tell the command to use the `master`

-     context from the $OPENSHIFTCONFIG config file:

+     output). 

-         $ osc build-logs ruby-sample-build-1 --context=master -n test

+         $ osc build-logs ruby-sample-build-1 -n test

     The creation of the new image in the Docker registry will

     automatically trigger a deployment of the application, creating a

@@ -238,17 +238,20 @@ OS_PID=$!

 export HOME="${FAKE_HOME_DIR}"

+export OPENSHIFTCONFIG="${MASTER_CONFIG_DIR}/admin.kubeconfig"

+CLUSTER_ADMIN_CONTEXT=$(osc config view --flatten -o template -t '{{index . "current-context"}}')

+

 if [[ "${API_SCHEME}" == "https" ]]; then

 	export CURL_CA_BUNDLE="${MASTER_CONFIG_DIR}/ca.crt"

 	export CURL_CERT="${MASTER_CONFIG_DIR}/admin.crt"

 	export CURL_KEY="${MASTER_CONFIG_DIR}/admin.key"

 	# Make osc use ${MASTER_CONFIG_DIR}/admin.kubeconfig, and ignore anything in the running user's $HOME dir

-	export OPENSHIFTCONFIG="${MASTER_CONFIG_DIR}/admin.kubeconfig"

 	sudo chmod -R a+rwX "${OPENSHIFTCONFIG}"

 	echo "[INFO] To debug: export OPENSHIFTCONFIG=$OPENSHIFTCONFIG"

 fi

+

 wait_for_url "${KUBELET_SCHEME}://${KUBELET_HOST}:${KUBELET_PORT}/healthz" "[INFO] kubelet: " 0.5 60

 wait_for_url "${API_SCHEME}://${API_HOST}:${API_PORT}/healthz" "apiserver: " 0.25 80

 wait_for_url "${API_SCHEME}://${API_HOST}:${API_PORT}/api/v1beta3/nodes/${KUBELET_HOST}" "apiserver(nodes): " 0.25 80

@@ -307,7 +310,7 @@ docker push ${DOCKER_REGISTRY}/cache/ruby-20-centos7:latest

 echo "[INFO] Pushed ruby-20-centos7"

 echo "[INFO] Back to 'master' context with 'admin' user..."

-osc project default

+osc project ${CLUSTER_ADMIN_CONTEXT}

 # Process template and create

 echo "[INFO] Submitting application template json for processing..."

@@ -1,6 +1,7 @@

 package config

 import (

+	"crypto/x509"

 	"net/url"

 	"reflect"

 	"strings"

@@ -9,12 +10,18 @@ import (

 	clientcmdapi "github.com/GoogleCloudPlatform/kubernetes/pkg/client/clientcmd/api"

 	"github.com/GoogleCloudPlatform/kubernetes/third_party/golang/netutil"

+	"github.com/openshift/origin/pkg/auth/authenticator/request/x509request"

 	osclient "github.com/openshift/origin/pkg/client"

 )

-// getClusterNickname returns host:port of the clientConfig.Host, with .'s replaced by -'s

-func getClusterNickname(clientCfg *client.Config) (string, error) {

-	u, err := url.Parse(clientCfg.Host)

+// GetClusterNicknameFromConfig returns host:port of the clientConfig.Host, with .'s replaced by -'s

+func GetClusterNicknameFromConfig(clientCfg *client.Config) (string, error) {

+	return GetClusterNicknameFromURL(clientCfg.Host)

+}

+

+// GetClusterNicknameFromURL returns host:port of the apiServerLocation, with .'s replaced by -'s

+func GetClusterNicknameFromURL(apiServerLocation string) (string, error) {

+	u, err := url.Parse(apiServerLocation)

 	if err != nil {

 		return "", err

 	}

@@ -24,9 +31,9 @@ func getClusterNickname(clientCfg *client.Config) (string, error) {

 	return strings.Replace(hostPort, ".", "-", -1), nil

 }

-// getUserNickname returns "username(as known by the server)/getClusterNickname".  This allows tab completion for switching users to

+// GetUserNicknameFromConfig returns "username(as known by the server)/GetClusterNicknameFromConfig".  This allows tab completion for switching users to

 // work easily and obviously.

-func getUserNickname(clientCfg *client.Config) (string, error) {

+func GetUserNicknameFromConfig(clientCfg *client.Config) (string, error) {

 	client, err := osclient.New(clientCfg)

 	if err != nil {

 		return "", err

@@ -36,7 +43,7 @@ func getUserNickname(clientCfg *client.Config) (string, error) {

 		return "", err

 	}

-	clusterNick, err := getClusterNickname(clientCfg)

+	clusterNick, err := GetClusterNicknameFromConfig(clientCfg)

 	if err != nil {

 		return "", err

 	}

@@ -44,10 +51,19 @@ func getUserNickname(clientCfg *client.Config) (string, error) {

 	return userInfo.Name + "/" + clusterNick, nil

 }

-// getContextNickname returns "namespace/getClusterNickname/username(as known by the server)".  This allows tab completion for switching projects/context

+func GetUserNicknameFromCert(clusterNick string, chain ...*x509.Certificate) (string, error) {

+	userInfo, _, err := x509request.SubjectToUserConversion(chain)

+	if err != nil {

+		return "", err

+	}

+

+	return userInfo.GetName() + "/" + clusterNick, nil

+}

+

+// GetContextNicknameFromConfig returns "namespace/GetClusterNicknameFromConfig/username(as known by the server)".  This allows tab completion for switching projects/context

 // to work easily.  First tab is the most selective on project.  Second stanza in the next most selective on cluster name.  The chances of a user trying having

 // one projects on a single server that they want to operate against with two identities is low, so username is last.

-func getContextNickname(namespace string, clientCfg *client.Config) (string, error) {

+func GetContextNicknameFromConfig(namespace string, clientCfg *client.Config) (string, error) {

 	client, err := osclient.New(clientCfg)

 	if err != nil {

 		return "", err

@@ -57,7 +73,7 @@ func getContextNickname(namespace string, clientCfg *client.Config) (string, err

 		return "", err

 	}

-	clusterNick, err := getClusterNickname(clientCfg)

+	clusterNick, err := GetClusterNicknameFromConfig(clientCfg)

 	if err != nil {

 		return "", err

 	}

@@ -65,19 +81,24 @@ func getContextNickname(namespace string, clientCfg *client.Config) (string, err

 	return namespace + "/" + clusterNick + "/" + userInfo.Name, nil

 }

+func GetContextNickname(namespace, clusterNick, userNick string) (string, error) {

+	tokens := strings.SplitN(userNick, "/", 2)

+	return namespace + "/" + clusterNick + "/" + tokens[0], nil

+}

+

 // CreatePartialConfig takes a clientCfg and builds a config (kubeconfig style) from it.

 func CreateConfig(namespace string, clientCfg *client.Config) (*clientcmdapi.Config, error) {

-	clusterNick, err := getClusterNickname(clientCfg)

+	clusterNick, err := GetClusterNicknameFromConfig(clientCfg)

 	if err != nil {

 		return nil, err

 	}

-	userNick, err := getUserNickname(clientCfg)

+	userNick, err := GetUserNicknameFromConfig(clientCfg)

 	if err != nil {

 		return nil, err

 	}

-	contextNick, err := getContextNickname(namespace, clientCfg)

+	contextNick, err := GetContextNicknameFromConfig(namespace, clientCfg)

 	if err != nil {

 		return nil, err

 	}

@@ -134,11 +134,9 @@ func (o CreateClientOptions) CreateClientFolder() error {

 		APIServerURL:       o.APIServerURL,

 		PublicAPIServerURL: o.PublicAPIServerURL,

 		APIServerCAFile:    clientCopyOfCAFile,

-		ServerNick:         "master",

 		CertFile: clientCertFile,

 		KeyFile:  clientKeyFile,

-		UserNick: o.User,

 		ContextNamespace: kapi.NamespaceDefault,

@@ -16,6 +16,8 @@ import (

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/clientcmd"

 	clientcmdapi "github.com/GoogleCloudPlatform/kubernetes/pkg/client/clientcmd/api"

+	cliconfig "github.com/openshift/origin/pkg/cmd/cli/config"

+	"github.com/openshift/origin/pkg/cmd/server/crypto"

 	cmdutil "github.com/openshift/origin/pkg/cmd/util"

 )

@@ -25,13 +27,10 @@ type CreateKubeConfigOptions struct {

 	APIServerURL       string

 	PublicAPIServerURL string

 	APIServerCAFile    string

-	ServerNick         string

 	CertFile string

 	KeyFile  string

-	UserNick string

-	ContextNick      string

 	ContextNamespace string

 	KubeConfigFile string

@@ -92,11 +91,8 @@ users:

 	flags.StringVar(&options.APIServerURL, "master", "https://localhost:8443", "The API server's URL.")

 	flags.StringVar(&options.PublicAPIServerURL, "public-master", "", "The API public facing server's URL (if applicable).")

 	flags.StringVar(&options.APIServerCAFile, "certificate-authority", "openshift.local.config/master/ca.crt", "Path to the API server's CA file.")

-	flags.StringVar(&options.ServerNick, "cluster", "master", "Nick name for this server in .kubeconfig.")

 	flags.StringVar(&options.CertFile, "client-certificate", "", "The client cert file.")

 	flags.StringVar(&options.KeyFile, "client-key", "", "The client key file.")

-	flags.StringVar(&options.UserNick, "user", "user", "Nick name for this user in .kubeconfig.")

-	flags.StringVar(&options.ContextNick, "context", "", "Nick name for this context in .kubeconfig.")

 	flags.StringVar(&options.ContextNamespace, "namespace", kapi.NamespaceDefault, "Namespace for this context in .kubeconfig.")

 	flags.StringVar(&options.KubeConfigFile, "kubeconfig", ".kubeconfig", "Path for the resulting .kubeconfig file.")

@@ -119,15 +115,12 @@ func (o CreateKubeConfigOptions) Validate(args []string) error {

 	if len(o.APIServerCAFile) == 0 {

 		return errors.New("certificate-authority must be provided")

 	}

-	if len(o.ServerNick) == 0 {

-		return errors.New("cluster must be provided")

-	}

-	if len(o.UserNick) == 0 {

-		return errors.New("user-nick must be provided")

-	}

 	if len(o.ContextNamespace) == 0 {

 		return errors.New("namespace must be provided")

 	}

+	if len(o.APIServerURL) == 0 {

+		return errors.New("master must be provided")

+	}

 	return nil

 }

@@ -135,11 +128,7 @@ func (o CreateKubeConfigOptions) Validate(args []string) error {

 func (o CreateKubeConfigOptions) CreateKubeConfig() (*clientcmdapi.Config, error) {

 	glog.V(2).Infof("creating a .kubeconfig with: %#v", o)

-	// if you don't specify a context nick, assign it to the context namespace

-	if len(o.ContextNick) == 0 {

-		o.ContextNick = o.ContextNamespace

-	}

-

+	// read all the refenced filenames

 	caData, err := ioutil.ReadFile(o.APIServerCAFile)

 	if err != nil {

 		return nil, err

@@ -152,41 +141,66 @@ func (o CreateKubeConfigOptions) CreateKubeConfig() (*clientcmdapi.Config, error

 	if err != nil {

 		return nil, err

 	}

+	certConfig, err := crypto.GetTLSCertificateConfig(o.CertFile, o.KeyFile)

+	if err != nil {

+		return nil, err

+	}

+

+	// determine all the nicknames

+	clusterNick, err := cliconfig.GetClusterNicknameFromURL(o.APIServerURL)

+	if err != nil {

+		return nil, err

+	}

+	userNick, err := cliconfig.GetUserNicknameFromCert(clusterNick, certConfig.Certs...)

+	if err != nil {

+		return nil, err

+	}

+	contextNick, err := cliconfig.GetContextNickname(o.ContextNamespace, clusterNick, userNick)

+	if err != nil {

+		return nil, err

+	}

 	credentials := make(map[string]clientcmdapi.AuthInfo)

-	credentials[o.UserNick] = clientcmdapi.AuthInfo{

+	credentials[userNick] = clientcmdapi.AuthInfo{

 		ClientCertificateData: certData,

 		ClientKeyData:         keyData,

 	}

 	clusters := make(map[string]clientcmdapi.Cluster)

-	clusters[o.ServerNick] = clientcmdapi.Cluster{

+	clusters[clusterNick] = clientcmdapi.Cluster{

 		Server: o.APIServerURL,

 		CertificateAuthorityData: caData,

 	}

 	contexts := make(map[string]clientcmdapi.Context)

-	contexts[o.ContextNick] = clientcmdapi.Context{Cluster: o.ServerNick, AuthInfo: o.UserNick, Namespace: o.ContextNamespace}

+	contexts[contextNick] = clientcmdapi.Context{Cluster: clusterNick, AuthInfo: userNick, Namespace: o.ContextNamespace}

-	createPublic := len(o.PublicAPIServerURL) > 0

+	createPublic := (len(o.PublicAPIServerURL) > 0) && o.APIServerURL != o.PublicAPIServerURL

 	if createPublic {

-		publicClusterNick := "public-" + o.ServerNick

-		publicContextNick := "public-" + o.ContextNick

+		publicClusterNick, err := cliconfig.GetClusterNicknameFromURL(o.PublicAPIServerURL)

+		if err != nil {

+			return nil, err

+		}

+		publicContextNick, err := cliconfig.GetContextNickname(o.ContextNamespace, publicClusterNick, userNick)

+		if err != nil {

+			return nil, err

+		}

+

 		clusters[publicClusterNick] = clientcmdapi.Cluster{

 			Server: o.PublicAPIServerURL,

 			CertificateAuthorityData: caData,

 		}

-		contexts[publicContextNick] = clientcmdapi.Context{Cluster: publicClusterNick, AuthInfo: o.UserNick, Namespace: o.ContextNamespace}

+		contexts[publicContextNick] = clientcmdapi.Context{Cluster: publicClusterNick, AuthInfo: userNick, Namespace: o.ContextNamespace}

 	}

 	kubeConfig := &clientcmdapi.Config{

 		Clusters:       clusters,

 		AuthInfos:      credentials,

 		Contexts:       contexts,

-		CurrentContext: o.ContextNick,

+		CurrentContext: contextNick,

 	}

-	fmt.Fprintf(o.Output.Get(), "Generating '%s' API client config as %s\n", o.UserNick, o.KubeConfigFile)

+	fmt.Fprintf(o.Output.Get(), "Generating '%s' API client config as %s\n", userNick, o.KubeConfigFile)

 	// Ensure the parent dir exists

 	if err := os.MkdirAll(filepath.Dir(o.KubeConfigFile), os.FileMode(0755)); err != nil {

 		return nil, err

@@ -184,11 +184,9 @@ func (o CreateMasterCertsOptions) createAPIClients(getSignerCertOptions *GetSign

 			APIServerURL:       o.APIServerURL,

 			PublicAPIServerURL: o.PublicAPIServerURL,

 			APIServerCAFile:    getSignerCertOptions.CertFile,

-			ServerNick:         "master",

 			CertFile: clientCertInfo.CertLocation.CertFile,

 			KeyFile:  clientCertInfo.CertLocation.KeyFile,

-			UserNick: clientCertInfo.User,

 			ContextNamespace: kapi.NamespaceDefault,

@@ -323,11 +323,9 @@ func (o CreateNodeConfigOptions) MakeKubeConfig(clientCertFile, clientKeyFile, c

 	createKubeConfigOptions := CreateKubeConfigOptions{

 		APIServerURL:    o.APIServerURL,

 		APIServerCAFile: clientCopyOfCAFile,

-		ServerNick:      "master",

 		CertFile: clientCertFile,

 		KeyFile:  clientKeyFile,

-		UserNick: "node",

 		ContextNamespace: kapi.NamespaceDefault,