consul-consul-webhook-cert-manager flag provided but not defined: -log-json

[samgabrail]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

---

Overview of the Issue

When running helm with ConnectInject enabled, the consul-consul-webhook-cert-manager pod is in crashloopback state and the logs show the following:

flag provided but not defined: -log-json
Usage:
  -config-file string
        Path to a config file to read webhook configs from. This file must be in JSON format.
  -deployment-name string
        Name of deployment that the cert-manager pod is managed by.
  -deployment-namespace string
        Namespace of deployment that the cert-manager pod is managed by.
  -kubeconfig value
        The path to a kubeconfig file to use for authentication. If this is blank, the default kubeconfig path (~/.kube/config) will be checked. If no kubeconfig is found, in-cluster auth will be used.
  -log-level string
        Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error". (default "info")
Error parsing flagSet: flag provided but not defined: -log-json

Reproduction Steps

1. When running helm install with the following values.yml:

   
   global:
   datacenter: dc1

server: replicas: ${var.num_consul_pods} bootstrapExpect: ${var.num_consul_pods}

connectInject: enabled: true default: false replicas: 1

2. View error

NAME READY STATUS RESTARTS AGE pod/consul-consul-56pvp 1/1 Running 0 42m pod/consul-consul-connect-injector-webhook-deployment-66fc8b65q69kw 0/1 ContainerCreating 0 42m pod/consul-consul-connect-injector-webhook-deployment-67fbcd9dhb8l4 0/1 ContainerCreating 0 26m pod/consul-consul-pf9xb 1/1 Running 0 42m pod/consul-consul-q8cpp 1/1 Running 0 42m pod/consul-consul-server-0 1/1 Running 0 44m pod/consul-consul-webhook-cert-manager-6f98c87648-gm7f6 0/1 CrashLoopBackOff 13 42m

Provide log files from Consul Kubernetes components by providing output from `kubectl logs` from the pod and container that is surfacing the issue. 

<details>
  <summary>Logs</summary>

flag provided but not defined: -log-json Usage: -config-file string Path to a config file to read webhook configs from. This file must be in JSON format. -deployment-name string Name of deployment that the cert-manager pod is managed by. -deployment-namespace string Namespace of deployment that the cert-manager pod is managed by. -kubeconfig value The path to a kubeconfig file to use for authentication. If this is blank, the default kubeconfig path (~/.kube/config) will be checked. If no kubeconfig is found, in-cluster auth will be used. -log-level string Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error". (default "info") Error parsing flagSet: flag provided but not defined: -log-json

</details>

--->

### Expected behavior

For the 

### Environment details

If not already included, please provide the following:
- `consul-k8s` version: 1.10.0
- `consul-helm` version: 1.10.0
- `values.yaml` used to deploy the helm chart:

Additionally, please provide details regarding the Kubernetes Infrastructure, as shown below:
- Kubernetes version: 1.19.9-gke.1900
- Cloud Provider: GKE
- Networking CNI plugin in use: Calico

### Additional Context

I solved the issue by removing this line `-log-json={{ .Values.global.logJSON }} \` from https://github.com/hashicorp/consul-helm/blob/master/templates/webhook-cert-manager-deployment.yaml#L41

After solving the first issue, I ran into a similar issue with the consul connect injector pod:

NAME READY STATUS RESTARTS AGE pod/consul-consul-connect-injector-webhook-deployment-66fc8b65jjqsl 0/1 CrashLoopBackOff 5 4m38s pod/consul-consul-l76ck 1/1 Running 0 10m pod/consul-consul-m54jr 1/1 Running 0 10m pod/consul-consul-server-0 1/1 Running 0 10m pod/consul-consul-stmcc 1/1 Running 0 10m pod/consul-consul-webhook-cert-manager-75cd69fffb-6bd9l 1/1 Running 0 10m

Logs:

k logs -f pod/consul-consul-connect-injector-webhook-deployment-66fc8b65jjqsl flag provided but not defined: -log-json Usage: -acl-auth-method string The name of the Kubernetes Auth Method to use for connectInjection if ACLs are enabled. -allow-k8s-namespace value K8s namespaces to explicitly allow. May be specified multiple times. -ca-file value Path to a CA file to use for TLS when communicating with Consul. This can also be specified via the CONSUL_CACERT environment variable. -ca-path value Path to a directory of CA certificates to use for TLS when communicating with Consul. This can also be specified via the CONSUL_CAPATH environment variable. -client-cert value Path to a client cert file to use for TLS when 'verify_incoming' is enabled. This can also be specified via the CONSUL_CLIENT_CERT environment variable. -client-key value Path to a client key file to use for TLS when 'verify_incoming' is enabled. This can also be specified via the CONSUL_CLIENT_KEY environment variable. -consul-ca-cert string [Deprecated] Please use '-ca-file' flag instead. Path to CA certificate to use if communicating with Consul clients over HTTPS. -consul-cross-namespace-acl-policy string [Enterprise Only] Name of the ACL policy to attach to all created Consul namespaces to allow service discovery across Consul namespaces. Only necessary if ACLs are enabled. -consul-destination-namespace string [Enterprise Only] Defines which Consul namespace to register all injected services into. If '-enable-k8s-namespace-mirroring' is true, this is not used. (default "default") -consul-image string Docker image for Consul. -consul-k8s-image string Docker image for consul-k8s. Used for the connect sidecar. -consul-sidecar-cpu-limit string Consul sidecar CPU limit. (default "20m") -consul-sidecar-cpu-request string Consul sidecar CPU request. (default "20m") -consul-sidecar-memory-limit string Consul sidecar memory limit. (default "50Mi") -consul-sidecar-memory-request string Consul sidecar memory request. (default "25Mi") -default-enable-metrics Default for enabling connect service metrics. -default-enable-metrics-merging Default for enabling merging of connect service metrics and envoy proxy metrics. -default-enable-transparent-proxy Enable transparent proxy mode for all Consul service mesh applications by default. (default true) -default-inject Inject by default. (default true) -default-merged-metrics-port string Default port for merged metrics endpoint on the consul-sidecar. (default "20100") -default-prometheus-scrape-path string Default path where Prometheus scrapes connect metrics from. (default "/metrics") -default-prometheus-scrape-port string Default port where Prometheus scrapes connect metrics from. (default "20200") -default-protocol string The default protocol to use in central config registrations. -default-sidecar-proxy-cpu-limit string Default sidecar proxy CPU limit. -default-sidecar-proxy-cpu-request string Default sidecar proxy CPU request. -default-sidecar-proxy-memory-limit string Default sidecar proxy memory limit. -default-sidecar-proxy-memory-request string Default sidecar proxy memory request. -deny-k8s-namespace value K8s namespaces to explicitly deny. Takes precedence over allow. May be specified multiple times. -enable-central-config Write a service-defaults config for every Connect service using protocol from -default-protocol or Pod annotation. -enable-k8s-namespace-mirroring [Enterprise Only] Enables k8s namespace mirroring. -enable-namespaces [Enterprise Only] Enables namespaces, in either a single Consul namespace or mirrored. -enable-openshift Indicates that the command runs in an OpenShift cluster. -envoy-extra-args string Extra envoy command line args to be set when starting envoy (e.g "--log-level debug --disable-hot-restart"). -envoy-image string Docker image for Envoy. -http-addr address The address and port of the Consul HTTP agent. The value can be an IP address or DNS address, but it must also include the port. This can also be specified via the CONSUL_HTTP_ADDR environment variable. The default value is http://127.0.0.1:8500. The scheme can also be set to HTTPS by setting the environment variable CONSUL_HTTP_SSL=true. -init-container-cpu-limit string Init container CPU limit. (default "50m") -init-container-cpu-request string Init container CPU request. (default "50m") -init-container-memory-limit string Init container memory limit. (default "150Mi") -init-container-memory-request string Init container memory request. (default "25Mi") -k8s-namespace-mirroring-prefix string [Enterprise Only] Prefix that will be added to all k8s namespaces mirrored into Consul if mirroring is enabled. -kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. -listen string Address to bind listener to. (default ":8080") -log-level string Log verbosity level. Supported values (in order of detail) are "debug", "info", "warn", and "error". (default "info") -release-name string The Consul Helm installation release name, e.g 'helm install ' (default "consul") -release-namespace string The Consul Helm installation namespace, e.g 'helm install --namespace ' (default "default") -tls-cert-dir string Directory with PEM-encoded TLS certificate and key to serve. -tls-server-name value The server name to use as the SNI host when connecting via TLS. This can also be specified via the CONSUL_TLS_SERVER_NAME environment variable. -token value ACL token to use in the request. This can also be specified via the CONSUL_HTTP_TOKEN environment variable. If unspecified, the query will default to the token of the Consul agent at the HTTP address. -token-file value File containing the ACL token to use in the request instead of one specified via the -token argument or CONSUL_HTTP_TOKEN environment variable. This can also be specified via the CONSUL_HTTP_TOKEN_FILE environment variable. -transparent-proxy-default-overwrite-probes Overwrite Kubernetes probes to point to Envoy by default when in Transparent Proxy mode. (default true)

I also solved this issue by removing the line ` -log-json={{ .Values.global.logJSON }} \` from https://github.com/hashicorp/consul-helm/blob/master/templates/connect-inject-deployment.yaml#L87

Final output:

NAME READY STATUS RESTARTS AGE pod/consul-consul-connect-injector-webhook-deployment-d84458f4rq65r 1/1 Running 0 20s pod/consul-consul-l76ck 1/1 Running 0 12m pod/consul-consul-m54jr 1/1 Running 0 12m pod/consul-consul-server-0 1/1 Running 0 12m pod/consul-consul-stmcc 1/1 Running 0 12m pod/consul-consul-webhook-cert-manager-75cd69fffb-6bd9l 1/1 Running 0 12m

[kschoche]

Hi @samgabrail! It looks like you're using consul-helm master instead of consul-helm's latest release, -log-json was just added about a week ago but has not been released yet. In our next release both consul-k8s and consul-helm will support it.

If you're using the development branch as the base for your helm installs you'll also need to provide a new build of consul-k8s from it's branch and use this as your imageK8s: argument in helm. Sorry for the inconvience!

[samgabrail]

thanks, @kschoche makes sense.