prometheus-adapter icon indicating copy to clipboard operation
prometheus-adapter copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-sigs

build(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.35.1 to 0.44.0

Open dependabot[bot] opened this issue 2 years ago • 17 comments

Bumps go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.35.1 to 0.44.0.

Release notes

Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's releases.

Release v1.20.0/v0.45.0/v0.14.0

Added

  • Set the description for the rpc.server.duration metric in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#4302)
  • Add NewServerHandler and NewClientHandler that return a grpc.StatsHandler used for gRPC instrumentation in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#3002)
  • Add new Prometheus bridge module in go.opentelemetry.io/contrib/bridges/prometheus. (#4227)

Changed

  • Upgrade dependencies of OpenTelemetry Go to use the new v1.19.0/v0.42.0/v0.0.7 release.
  • Use grpc.StatsHandler for gRPC instrumentation in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/example. (#4325)

New Contributors

Full Changelog: https://github.com/open-telemetry/opentelemetry-go-contrib/compare/v1.19.0...v1.20.0

Release v1.19.0/v0.44.0/v0.13.0

Added

  • Add gcp.gce.instance.name and gcp.gce.instance.hostname resource attributes to go.opentelemetry.io/contrib/detectors/gcp. (#4263)

Changed

  • The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/ec2 have been upgraded to v1.21.0. (#4265)
  • The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/ecs have been upgraded to v1.21.0. (#4265)
  • The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/eks have been upgraded to v1.21.0. (#4265)
  • The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/lambda have been upgraded to v1.21.0. (#4265)
  • The semantic conventions used by go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-lambda-go/otellambda have been upgraded to v1.21.0. (#4265)
    • The faas.execution attribute is now faas.invocation_id.
    • The faas.id attribute is now aws.lambda.invoked_arn.
  • The semantic conventions used by go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws have been upgraded to v1.21.0. (#4265)
  • The http.request.method attribute will only allow known HTTP methods from the metrics generated by go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#4277)

Removed

  • The high cardinality attributes net.sock.peer.addr, net.sock.peer.port, http.user_agent, enduser.id, and http.client_ip were removed from the metrics generated by go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#4277)
  • The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego module is removed. (#4295)
  • The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/go-kit/kit/otelkit module is removed. (#4295)
  • The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/Shopify/sarama/otelsarama module is removed. (#4295)
  • The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/bradfitz/gomemcache/memcache/otelmemcache module is removed. (#4295)
  • The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/gocql/gocql/otelgocql module is removed. (#4295)

New Contributors

Full Changelog: https://github.com/open-telemetry/opentelemetry-go-contrib/compare/v1.18.0...v1.19.0

Release v1.18.0/v0.43.0/v0.12.0

... (truncated)

Changelog

Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's changelog.

[1.19.0/0.44.0/0.13.0] - 2023-09-12

Added

  • Add gcp.gce.instance.name and gcp.gce.instance.hostname resource attributes to go.opentelemetry.io/contrib/detectors/gcp. (#4263)

Changed

  • The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/ec2 have been upgraded to v1.21.0. (#4265)
  • The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/ecs have been upgraded to v1.21.0. (#4265)
  • The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/eks have been upgraded to v1.21.0. (#4265)
  • The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/lambda have been upgraded to v1.21.0. (#4265)
  • The semantic conventions used by go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-lambda-go/otellambda have been upgraded to v1.21.0. (#4265)
    • The faas.execution attribute is now faas.invocation_id.
    • The faas.id attribute is now aws.lambda.invoked_arn.
  • The semantic conventions used by go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws have been upgraded to v1.21.0. (#4265)
  • The http.request.method attribute will only allow known HTTP methods from the metrics generated by go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#4277)

Removed

  • The high cardinality attributes net.sock.peer.addr, net.sock.peer.port, http.user_agent, enduser.id, and http.client_ip were removed from the metrics generated by go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#4277)
  • The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego module is removed. (#4295)
  • The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/go-kit/kit/otelkit module is removed. (#4295)
  • The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/Shopify/sarama/otelsarama module is removed. (#4295)
  • The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/bradfitz/gomemcache/memcache/otelmemcache module is removed. (#4295)
  • The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/gocql/gocql/otelgocql module is removed. (#4295)

[1.18.0/0.43.0/0.12.0] - 2023-08-28

Added

  • Add NewMiddleware function in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#2964)
  • The go.opentelemetry.io/contrib/exporters/autoexport package to provide configuration of trace exporters with useful defaults and environment variable support. (#2753, #4100, #4130, #4132, #4134)
  • WithRouteTag in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp adds HTTP route attribute to metrics. (#615)
  • Add WithSpanOptions option in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#3768)
  • Add testing support for Go 1.21. (#4233)
  • Add WithFilter option to go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux. (#4230)

Changed

  • Change interceptors in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to disable SENT/RECEIVED events. Use WithMessageEvents() to turn back on. (#3964)

Changed

  • go.opentelemetry.io/contrib/detectors/gcp: Detect faas.instance instead of faas.id, since faas.id is being removed. (#4198)

Fixed

  • AWS XRay Remote Sampling to cap quotaBalance to 1x quota in go.opentelemetry.io/contrib/samplers/aws/xray. (#3651, #3652)

... (truncated)

Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page.

Note Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot[bot] avatar Oct 16 '23 14:10 dependabot[bot]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Oct 16 '23 14:10 k8s-ci-robot

/assign @dgrisonnet /triage accepted

dashpole avatar Oct 19 '23 16:10 dashpole

/lgtm /approve /ok-to-test

dgrisonnet avatar Nov 06 '23 21:11 dgrisonnet

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dependabot[bot], dgrisonnet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Nov 06 '23 21:11 k8s-ci-robot

/retest

a7i avatar Nov 28 '23 16:11 a7i

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-prometheus-adapter-test fb2b03e77aabf55f9959eb09312319e491279020 link true /test pull-prometheus-adapter-test
pull-prometheus-adapter-test-e2e fb2b03e77aabf55f9959eb09312319e491279020 link true /test pull-prometheus-adapter-test-e2e
pull-prometheus-adapter-verify fb2b03e77aabf55f9959eb09312319e491279020 link true /test pull-prometheus-adapter-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

k8s-ci-robot avatar Nov 28 '23 16:11 k8s-ci-robot

Library Vulnerabilities:

Severity CVE Package Name Current Version Fixed Version Source
HIGH CVE-2023-47108 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 0.35.0 0.46.0 https://github.com/advisories/GHSA-8pgv-569h-w5rw
HIGH CVE-2023-45142 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp 0.35.1 0.44.0 https://github.com/advisories/GHSA-rcjv-mgp8-qvmr

a7i avatar Nov 28 '23 16:11 a7i

Prometheus-adapter is not impacted by these since it does't use the otel server nor it is exposing any otel metrics. That said, I am fine with updating the deps to silence the vulnerability reporting tools, but the PR might need to be done manually seeing the current state of CI.

dgrisonnet avatar Nov 28 '23 17:11 dgrisonnet

Prometheus-adapter is not impacted by these since it does't use the otel server nor it is exposing any otel metrics. That said, I am fine with updating the deps to silence the vulnerability reporting tools, but the PR might need to be done manually seeing the current state of CI.

@dgrisonnet good point, it is a "false positive" but good to address. I'm happy to create a PR soon.

a7i avatar Nov 28 '23 18:11 a7i

@dgrisonnet @olivierlemasle Any ETAs on when this will get merged? The latest tag has been vulnerable since weeks.

ayushiaks avatar Dec 11 '23 09:12 ayushiaks

Any ETAs on when this will get merged?

CI is red so this PR will never get merged since dependabot doesn't know how to address the failures. But if anyone is willing to take over the bump and fix the issues, I'd likely merge it.

Though I don't think this warrants a new release since the CVEs that are reported don't affect the project.

dgrisonnet avatar Dec 11 '23 10:12 dgrisonnet

This requires a bump from custom-metrics-apiserver first

a7i avatar Dec 11 '23 14:12 a7i

Build is failing because of following errors:

#15 2.247 /go/pkg/mod/go.opentelemetry.io/otel/exporters/otlp/otlptrace/[email protected]/client.go:30:2: no required module provides package go.opentelemetry.io/otel/exporters/otlp/internal; to add it:
#15 2.247 	go get go.opentelemetry.io/otel/exporters/otlp/internal
#15 2.247 /go/pkg/mod/go.opentelemetry.io/otel/exporters/otlp/[email protected]/internal/otlpconfig/envconfig.go:25:2: no required module provides package go.opentelemetry.io/otel/exporters/otlp/internal/envconfig; to add it:
#15 2.247 	go get go.opentelemetry.io/otel/exporters/otlp/internal/envconfig

Any ideas on how to fix this? @dgrisonnet

manikantanallagatla avatar Dec 12 '23 06:12 manikantanallagatla

@a7i I don't have much time on my hands atm, could you perhaps send a PR in custom-metrics-apiserver to update the dep?

dgrisonnet avatar Dec 12 '23 15:12 dgrisonnet

@manikantanallagatla To fix that, you need to make sure all otel dependencies are at the same version. Right now, you have a mix of 1.10.0 and 1.18.0.

This is because earlier version of otel had shared internal dependencies, which were made non-shared in later versions to avoid this problem.

dashpole avatar Dec 12 '23 15:12 dashpole

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Mar 11 '24 15:03 k8s-triage-robot

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Apr 05 '24 17:04 k8s-ci-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle rotten
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar May 05 '24 18:05 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Reopen this PR with /reopen
  • Mark this PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

k8s-triage-robot avatar Jun 04 '24 18:06 k8s-triage-robot

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Reopen this PR with /reopen
  • Mark this PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Jun 04 '24 18:06 k8s-ci-robot

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot[bot] avatar Jun 04 '24 18:06 dependabot[bot]