From 331fef8faebf9ab4b60d4e7c94ce42fe72da033e Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Tue, 16 Mar 2021 14:09:53 -0700 Subject: [PATCH] Tweaked some wording, updated the cli page --- site/content/docs/background/architecture.md | 6 +++--- site/content/docs/reference/cli.md | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/site/content/docs/background/architecture.md b/site/content/docs/background/architecture.md index ec481a5ad..89c879a00 100644 --- a/site/content/docs/background/architecture.md +++ b/site/content/docs/background/architecture.md @@ -22,7 +22,8 @@ to be passed on to clusters based on the user information from the IDP. 1. The Pinniped Concierge is a credential exchange API which takes as input a credential from an identity source (e.g., Pinniped Supervisor, proprietary IDP), authenticates the user via that credential, and returns another credential which is -understood by the host Kubernetes cluster. +understood by the host Kubernetes cluster or by an impersonation proxy which acts +on behalf of the user. ![Pinniped Architecture Sketch](/docs/img/pinniped_architecture_concierge_supervisor.svg) @@ -97,8 +98,7 @@ issue short-lived cluster certificates. (In the future, when the Kubernetes CSR provides a way to issue short-lived certificates, then the Pinniped credential exchange API will use that instead of using the cluster's signing keypair.) * Impersonation Proxy: Pinniped hosts an [impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) -proxy that performs actions on behalf of the end user. The impersonation proxy accepts and modifies user requests before passing them through to the -Kubernetes API server. +proxy that sends requests to the Kubernetes API server with user information and permissions based on a token. ## kubectl Integration diff --git a/site/content/docs/reference/cli.md b/site/content/docs/reference/cli.md index de1c4e343..15d9691b8 100644 
--- a/site/content/docs/reference/cli.md +++ b/site/content/docs/reference/cli.md @@ -43,6 +43,9 @@ pinniped get kubeconfig [flags] - `--concierge-authenticator-type string`: Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover) +- `--concierge-mode`: + +Concierge mode of operation (e.g. 'ImpersonationProxy', 'TokenCredentialRequestAPI')(default: TokenCredentialRequestAPI) - `--kubeconfig string`: Path to kubeconfig file
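Review bot: In architecture.md, first hunk (list item 1 on the Concierge), the added clause "or by an impersonation proxy which acts on behalf of the user" mentions the impersonation proxy before the page has defined it, and "an impersonation proxy" reads as if any proxy would do. Suggest naming it as the proxy Pinniped hosts and pointing to the "Impersonation Proxy" bullet later in the same file, so the reader knows which component accepts the returned credential.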
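Review bot: In architecture.md, second hunk (the "Impersonation Proxy" bullet), the replacement sentence ends with "based on a token" without saying which token that is or which component validates it. The rewrite also drops the earlier statement that the proxy "accepts and modifies user requests before passing them through", which was the only text telling the reader that the proxy sits in the request path. Suggest keeping that detail and stating where the token comes from, for example the credential returned by the Concierge, if that is what is meant.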
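Review bot: In cli.md, the new `--concierge-mode` entry omits the `string` value placeholder that the neighbouring `--concierge-authenticator-type string` and `--kubeconfig string` entries carry, and its description has no space between the closing parenthesis of the examples and "(default: TokenCredentialRequestAPI)". Suggest `--concierge-mode string`, a space before "(default:", and "e.g.," punctuated as in the authenticator-type line. A short pointer to the Impersonation Proxy description in architecture.md would also help users decide between the two listed values.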