[k8s-keystone-auth] Invalid args in keystone auth examples #2464

Closed
addyess opened this issue Nov 3, 2023 · 9 comments

addyess commented Nov 3, 2023

The Example deployment for k8s-keystone-auth fails because of missing arguments in provider-os/k8s-keystone-auth:v1.28.1

args:
- ./bin/k8s-keystone-auth
- --tls-cert-file
- /etc/pki/tls.crt
- --tls-private-key-file
- /etc/pki/tls.key
- --policy-configmap-name
- k8s-auth-policy
- --keystone-url
- {{ keystone_server_url }}

Logs when the pod starts

2023/11/03 13:30:22 Running command:
Command env: (log-file=, also-stdout=false, redirect-stderr=true)
Run from directory:
Executable path: ./bin/k8s-keystone-auth
Args (comma-delimited): ./bin/k8s-keystone-auth,--tls-cert-file,/etc/pki/tls.crt,--tls-private-key-file,/etc/pki/tls.key,--policy-configmap-name,k8s-auth-policy,--keystone-url,http://10.246.154.17:5000/v3
2023/11/03 13:30:22 Now listening for interrupts
unknown flag: --tls-cert-file
Usage of ./bin/k8s-keystone-auth:
      --log-flush-frequency duration   Maximum number of seconds between log flushes (default 5s)
      --user-agent stringArray         Extra data to add to gophercloud user-agent. Use multiple times to add more than one component.
  -v, --v Level                        number for the log level verbosity
      --version                        Show current version and exit
      --vmodule moduleSpec             comma-separated list of pattern=N settings for file-filtered logging (only works for the default text log format)
unknown flag: --tls-cert-file
2023/11/03 13:30:22 running command: exit status 2
Stream closed EOF for kube-system/k8s-keystone-auth-5b99f99956-6qg7l (k8s-keystone-auth)

addyess commented Nov 3, 2023

It is possible to set all of these with env variables:

        args:
        - ./bin/k8s-keystone-auth
        env:
        - name: OS_AUTH_URL
          value: http://<my-keystone-ip>:5000/v3
        - name: TLS_CERT_FILE
          value: /etc/pki/tls.crt
        - name: TLS_PRIVATE_KEY_FILE
          value: /etc/pki/tls.key
        - name: KEYSTONE_POLICY_CONFIGMAP_NAME
          value: k8s-auth-policy

Contributor

dulek commented Nov 3, 2023

@stephenfin do you think your commit might have affected this?

Contributor

jichenjc commented Nov 6, 2023

I rebuilt the exec file and it seems it's supported?

CGO_ENABLED=0 GOOS=linux GOARCH= GOPROXY=https://proxy.golang.org,direct go build \
        -trimpath \
        -ldflags "-w -s -X 'k8s.io/component-base/version.gitVersion=v1.27.0-alpha.0-127-gfdba36ba' -X 'k8s.io/cloud-provider-openstack/pkg/version.Version=v1.27.0-alpha.0-127-gfdba36ba'" \
        -o k8s-keystone-auth \
        cmd/k8s-keystone-auth/main.go


[root@ocp2 cloud-provider-openstack]# ./k8s-keystone-auth  -h
Usage of ./k8s-keystone-auth:
      --keystone-ca-file string        File containing the certificate authority for Keystone Service.
      --keystone-policy-file string    File containing the policy, if provided, it takes precedence over the policy configmap.
      --keystone-url string            URL for the OpenStack Keystone API
      --kubeconfig string              Kubeconfig file used to connect to Kubernetes API to get policy configmap. If the service is running inside the pod, this option is not necessary, will use in-cluster config instead.
      --listen string                  <address>:<port> to listen on (default "0.0.0.0:8443")
      --log-flush-frequency duration   Maximum number of seconds between log flushes (default 5s)
      --policy-configmap-name string   ConfigMap in kube-system namespace containing the policy configuration, the ConfigMap data must contain the key 'policies'
      --sync-config-file string        File containing config values for data synchronization beetween Keystone and Kubernetes.
      --sync-configmap-name string     ConfigMap in kube-system namespace containing config values for data synchronization beetween Keystone and Kubernetes.
      --tls-cert-file string           File containing the default x509 Certificate for HTTPS.
      --tls-private-key-file string    File containing the default x509 private key matching --tls-cert-file.
      --user-agent stringArray         Extra data to add to gophercloud user-agent. Use multiple times to add more than one component.
  -v, --v Level                        number for the log level verbosity
      --version                        Show current version and exit
      --vmodule moduleSpec             comma-separated list of pattern=N settings for file-filtered logging (only works for the default text log format)
pflag: help requested
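
A pre-deployment check for the mismatch reported in this issue, as an added example (not code from the thread or from cloud-provider-openstack): it parses pflag-style usage text and lists the manifest args the binary would reject. `parse_usage`, `unknown_flags` and the sample constants are hypothetical names, and the Keystone URL is a placeholder.

```python
import re

# Constructed samples: flag columns from the two help outputs in this issue (reduced).
USAGE_V1_28_1 = """\
Usage of ./bin/k8s-keystone-auth:
  -v, --v Level                        number for the log level verbosity
      --version                        Show current version and exit
"""
USAGE_REBUILT = USAGE_V1_28_1 + """\
      --keystone-url string            URL for the OpenStack Keystone API
      --policy-configmap-name string   ConfigMap containing the policy
      --tls-cert-file string           x509 certificate for HTTPS
      --tls-private-key-file string    x509 private key
"""
# args of the example deployment; the Keystone URL is a placeholder.
ARGS = ["./bin/k8s-keystone-auth",
        "--tls-cert-file", "/etc/pki/tls.crt",
        "--tls-private-key-file", "/etc/pki/tls.key",
        "--policy-configmap-name", "k8s-auth-policy",
        "--keystone-url", "https://keystone.example:5000/v3"]

FLAG_RE = re.compile(
    r"^\s+(?:-(?P<short>\w), )?--(?P<name>[\w-]+)(?: (?P<type>\S+))?\s{2,}")

def parse_usage(usage):
    """Map each flag in pflag-style usage text to True if it takes a value."""
    flags = {}
    for line in usage.splitlines():
        m = FLAG_RE.match(line)
        if m:
            takes_value = m.group("type") is not None
            flags["--" + m.group("name")] = takes_value
            if m.group("short"):
                flags["-" + m.group("short")] = takes_value
    return flags

def unknown_flags(usage, args):
    """Return, in order, every flag in args that the usage text does not list."""
    flags, unknown, i = parse_usage(usage), [], 1  # args[0] is the executable
    while i < len(args):
        name, eq, _ = args[i].partition("=")  # accepts --flag=value too
        i += 1
        if name.startswith("-") and name not in flags:
            unknown.append(name)
        elif flags.get(name) and not eq:
            i += 1  # the next token is this flag's value, skip it
    return unknown

if __name__ == "__main__":
    print(unknown_flags(USAGE_V1_28_1, ARGS), unknown_flags(USAGE_REBUILT, ARGS))
```

Feeding it the real `--help` output of the image tag you intend to deploy catches this class of failure before the pod crash-loops.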

@stephenfin
Member

> @stephenfin do you think your commit might have affected this?

Yup, this was me. Looks like I broke this with f6ca48e but fixed it again with one of the commits that was squashed into #2325, de63646. I'll see if I can propose a backport.

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-ci-robot added the lifecycle/stale label Feb 4, 2024

addyess commented Feb 5, 2024

/remove-lifecycle stale

k8s-ci-robot removed the lifecycle/stale label Feb 5, 2024
@stephenfin
Member

This was resolved in #2467 but we have yet to release that. I don't know why this hasn't been marked as closed by us merging that PR either: perhaps we need to have a release cut first?

@jichenjc
Contributor

/close

Per above, I guess we don't have a fix=>release=>validate=>close process, so let's close, then if needed, let's reopen.

@k8s-ci-robot
Contributor

@jichenjc: Closing this issue.

In response to this:

> /close
>
> Per above, I guess we don't have a fix=>release=>validate=>close process, so let's close, then if needed, let's reopen.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
