diff --git a/README.md b/README.md index c169373..f2db094 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ progress and are not ready for production use. ## Pre-requisites -- Cert-manager installed and running +- [cert-manager](https://cert-manager.io/docs/installation) installed and running - Ingress installed (e.g. nginx-ingress or OpenShift router) ## Usage @@ -50,6 +50,10 @@ kcpFrontProxy: enabled: true ``` +Export the externalHostname variable, that will be used later to interact with kcp setup: + + export KCP_EXTERNAL_HOSTNAME=kcp.dev.local + Note that by default all certificates are signed by the Helm chart's own PKI and so will not be trusted by browsers. You can however change the `kcp-front-proxy`'s certificate to be issued by, for example, Let's Encrypt. For this you have to enable the creation of the Let's Encrypt 
@@ -133,16 +137,15 @@ First we get the CA cert for the front proxy, saving it to a file `ca.crt` Now we create a new kubeconfig which references the `ca.crt` - kubectl --kubeconfig=admin.kubeconfig config set-cluster base --server https://:443 --certificate-authority=ca.crt - kubectl --kubeconfig=admin.kubeconfig config set-cluster root --server https://:443/clusters/root --certificate-authority=ca.crt + kubectl --kubeconfig=admin.kubeconfig config set-cluster base --server https://$KCP_EXTERNAL_HOSTNAME:443 --certificate-authority=ca.crt + kubectl --kubeconfig=admin.kubeconfig config set-cluster root --server https://$KCP_EXTERNAL_HOSTNAME:443/clusters/root --certificate-authority=ca.crt ### Create client-cert credentials Now we must add credentials to the kubeconfig, so requests to the front-proxy may be authenticated. One way to do this is to create a client certificate with a cert-manager `Certificate`: - - $ cat admin-client-cert.yaml + cat < client.crt - $ kubectl get secret cluster-admin-client-cert -o=jsonpath='{.data.tls\.key}' | base64 -d > client.key - $ chmod 600 client.crt client.key + kubectl get secret cluster-admin-client-cert -o=jsonpath='{.data.tls\.crt}' | base64 -d > client.crt + kubectl get secret cluster-admin-client-cert -o=jsonpath='{.data.tls\.key}' | base64 -d > client.key + chmod 600 client.crt client.key We can now add these credentials to the `admin.kubeconfig` and access kcp: - $ kubectl --kubeconfig=admin.kubeconfig config set-credentials kcp-admin --client-certificate=client.crt --client-key=client.key - $ kubectl --kubeconfig=admin.kubeconfig config set-context base --cluster=base --user=kcp-admin - $ kubectl --kubeconfig=admin.kubeconfig config set-context root --cluster=root --user=kcp-admin - $ kubectl --kubeconfig=admin.kubeconfig config use-context root - $ kubectl --kubeconfig=admin.kubeconfig workspace - $ export KUBECONFIG=$PWD/admin.kubeconfig - $ kubectl workspace + kubectl --kubeconfig=admin.kubeconfig config 
set-credentials kcp-admin --client-certificate=client.crt --client-key=client.key + kubectl --kubeconfig=admin.kubeconfig config set-context base --cluster=base --user=kcp-admin + kubectl --kubeconfig=admin.kubeconfig config set-context root --cluster=root --user=kcp-admin + kubectl --kubeconfig=admin.kubeconfig config use-context root + kubectl --kubeconfig=admin.kubeconfig workspace + export KUBECONFIG=$PWD/admin.kubeconfig + kubectl workspace Current workspace is "1gnrr0twy6c3o". ## Install to kind cluster (for development)
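Review bot: in hunk `@@ -50,6 +50,10 @@`, the new sentence "Export the externalHostname variable, that will be used later to interact with kcp setup:" is ungrammatical and does not say that the value has to be the same hostname set as `externalHostname` in the values above; since the later `set-cluster` lines verify the front-proxy certificate against `ca.crt`, a mismatched name will fail TLS verification. Suggest: "Export the external hostname (the same value you set for `externalHostname` above); it is used later to build the kubeconfig:" and keep `export KCP_EXTERNAL_HOSTNAME=kcp.dev.local` as the example.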
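Review bot: in hunk `@@ -133,16 +137,15 @@`, the client private key is written with `kubectl get secret cluster-admin-client-cert -o=jsonpath='{.data.tls\.key}' | base64 -d > client.key` and only then restricted with `chmod 600 client.crt client.key`, so under the usual umask the cluster-admin key sits world-readable for a moment; run `umask 077` before the two redirects (or wrap them in a subshell with it) so the files are created with restrictive mode from the start. In the same hunk the two `set-cluster` lines expand `$KCP_EXTERNAL_HOSTNAME` unquoted, so a reader who skipped the export silently gets `https://:443`, the very placeholder the change replaces; `"https://${KCP_EXTERNAL_HOSTNAME:?KCP_EXTERNAL_HOSTNAME is not set}:443"` fails loudly instead. Minor: with the `$` prompts removed, the output line `Current workspace is "1gnrr0twy6c3o".` is no longer distinguishable from the commands in the same indented block; separate it or mark it as output.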