Honor stderrthreshold when logtostderr is enabled

[pierluigilenoci]

Description

When logtostderr is true (the default), klog historically ignored
stderrthreshold, silently dropping the filtering that should have been
applied. This was fixed in klog v2.140.0 by introducing
legacy_stderr_threshold_behavior. Setting it to false makes klog
honour stderrthreshold regardless of logtostderr.

This PR adds two lines after klog.InitFlags() in AddFlags:

_ = allFlags.Set("legacy_stderr_threshold_behavior", "false")
_ = allFlags.Set("stderrthreshold", "INFO")

Why this replaces #8653

I closed #8653 after @hjoshi123 raised a concern about KEP-2845 deprecating klog-specific flags. On closer review, I believe that concern does not apply here, for the reasons below.

cert-manager already uses these flags internally

pkg/logs/logs.go already:

1. Calls klog.InitFlags(&allFlags) (line 72) — initializing the full klog flag set
2. Registers stderrthreshold as a deprecated-but-functional flag (lines 76-82) — users can pass --stderrthreshold=ERROR today
3. Uses klog v2.140.0 (go.mod) — the exact version that ships the legacy_stderr_threshold_behavior fix

KEP-2845 deprecates flags for future removal — it does not break them

KEP-2845 marks these flags as deprecated so they can be removed in a future release. cert-manager follows this by hiding the flags and adding a deprecation warning. But deprecation ≠ broken: a flag that is registered, accepted by the binary, and documented as deprecated should still function correctly until it is actually removed.

Today, a user who passes --stderrthreshold=ERROR to any cert-manager binary gets zero effect — the flag is silently a no-op because logtostderr=true (the default) overrides it. This is confusing and arguably worse than the KEP-2845 concern: the flag exists, is accepted without error, but does nothing.

This change adds no new user-facing flags

The fix is purely internal configuration: it tells klog to use its corrected behavior so that the already-registered stderrthreshold flag works as expected. No new flags are added, no deprecated flags are un-deprecated, and the deprecation warning remains intact.

Summary

Aspect	Before this PR	After this PR
stderrthreshold registered?	Yes (deprecated)	Yes (deprecated)
stderrthreshold functional?	No — silently ignored	Yes — works correctly
New user-facing flags?	—	None
klog version required	v2.140.0 (already in go.mod)	v2.140.0 (already in go.mod)

References

• stderrthreshold not honored when logtostderr is set kubernetes/klog#212
• feat: fix stderrthreshold not honored when logtostderr is set (#212) + two new flags kubernetes/klog#432

/cc @erikgb @ThatsMrTalbot @hjoshi123

Honor stderrthreshold when logtostderr is enabled by opting into fixed klog behavior

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign maelvls for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cert-manager-prow]

Hi @pierluigilenoci. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hjoshi123]

Hi @pierluigilenoci this seems to be a duplicate of #8653.

[pierluigilenoci]

Note: This replaces #8653, which I closed prematurely after @hjoshi123's feedback about KEP-2845. The branch was deleted along with the closure, so the original PR cannot be reopened — hence this new one.

After further analysis, I'm convinced the fix is correct and valuable. The key points are in the PR description above, but in short: cert-manager already calls klog.InitFlags(), already registers stderrthreshold as a deprecated flag, and already ships klog v2.140.0. The flag is accepted today but silently does nothing — this two-line change makes it work correctly until it is eventually removed.

[erikgb]

@pierluigilenoci, please stop spamming. If you want to bring arguments to the table on why we should accept the PR, please reopen #8653.

/close

[cert-manager-prow]

@erikgb: Closed this PR.

Details

In response to this:

@pierluigilenoci, please stop spamming. If you want to bring arguments to the table on why we should accept the PR, please reopen #8653.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[pierluigilenoci]

Hi @erikgb, unfortunately I cannot reopen this PR — I accidentally deleted the branch. I apologize for the inconvenience. If the fix is still desired, I'd be happy to open a fresh PR. Thanks!

[erikgb]

Hi @erikgb, unfortunately I cannot reopen this PR — I accidentally deleted the branch. I apologize for the inconvenience. If the fix is still desired, I'd be happy to open a fresh PR. Thanks!

Hi @pierluigilenoci, I don't understand why you cannot reopen #8653. If you deleted the branch just push a copy of the branch using the same name as in the PR.