build(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.35.1 to 0.44.0

[dependabot[bot]]

Bumps go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.35.1 to 0.44.0.

Release notes

Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's releases.

Release v1.20.0/v0.45.0/v0.14.0

Added

• Set the description for the rpc.server.duration metric in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#4302)
• Add NewServerHandler and NewClientHandler that return a grpc.StatsHandler used for gRPC instrumentation in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#3002)
• Add new Prometheus bridge module in go.opentelemetry.io/contrib/bridges/prometheus. (#4227)

Changed

• Upgrade dependencies of OpenTelemetry Go to use the new v1.19.0/v0.42.0/v0.0.7 release.
• Use grpc.StatsHandler for gRPC instrumentation in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/example. (#4325)

New Contributors

• @​puckpuck made their first contribution in open-telemetry/opentelemetry-go-contrib#4302

Full Changelog: https://github.com/open-telemetry/opentelemetry-go-contrib/compare/v1.19.0...v1.20.0

Release v1.19.0/v0.44.0/v0.13.0

Added

• Add gcp.gce.instance.name and gcp.gce.instance.hostname resource attributes to go.opentelemetry.io/contrib/detectors/gcp. (#4263)

Changed

• The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/ec2 have been upgraded to v1.21.0. (#4265)
• The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/ecs have been upgraded to v1.21.0. (#4265)
• The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/eks have been upgraded to v1.21.0. (#4265)
• The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/lambda have been upgraded to v1.21.0. (#4265)
• The semantic conventions used by go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-lambda-go/otellambda have been upgraded to v1.21.0. (#4265)
  • The faas.execution attribute is now faas.invocation_id.
  • The faas.id attribute is now aws.lambda.invoked_arn.
• The semantic conventions used by go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws have been upgraded to v1.21.0. (#4265)
• The http.request.method attribute will only allow known HTTP methods from the metrics generated by go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#4277)

Removed

• The high cardinality attributes net.sock.peer.addr, net.sock.peer.port, http.user_agent, enduser.id, and http.client_ip were removed from the metrics generated by go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#4277)
• The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego module is removed. (#4295)
• The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/go-kit/kit/otelkit module is removed. (#4295)
• The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/Shopify/sarama/otelsarama module is removed. (#4295)
• The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/bradfitz/gomemcache/memcache/otelmemcache module is removed. (#4295)
• The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/gocql/gocql/otelgocql module is removed. (#4295)

New Contributors

• @​utsushiiro made their first contribution in open-telemetry/opentelemetry-go-contrib#4260
• @​RangelReale made their first contribution in open-telemetry/opentelemetry-go-contrib#4230

Full Changelog: https://github.com/open-telemetry/opentelemetry-go-contrib/compare/v1.18.0...v1.19.0

Release v1.18.0/v0.43.0/v0.12.0

... (truncated)

Changelog

Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's changelog.

[1.19.0/0.44.0/0.13.0] - 2023-09-12

Added

• Add gcp.gce.instance.name and gcp.gce.instance.hostname resource attributes to go.opentelemetry.io/contrib/detectors/gcp. (#4263)

Changed

• The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/ec2 have been upgraded to v1.21.0. (#4265)
• The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/ecs have been upgraded to v1.21.0. (#4265)
• The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/eks have been upgraded to v1.21.0. (#4265)
• The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/lambda have been upgraded to v1.21.0. (#4265)
• The semantic conventions used by go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-lambda-go/otellambda have been upgraded to v1.21.0. (#4265)
  • The faas.execution attribute is now faas.invocation_id.
  • The faas.id attribute is now aws.lambda.invoked_arn.
• The semantic conventions used by go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws have been upgraded to v1.21.0. (#4265)
• The http.request.method attribute will only allow known HTTP methods from the metrics generated by go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#4277)

Removed

• The high cardinality attributes net.sock.peer.addr, net.sock.peer.port, http.user_agent, enduser.id, and http.client_ip were removed from the metrics generated by go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#4277)
• The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego module is removed. (#4295)
• The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/go-kit/kit/otelkit module is removed. (#4295)
• The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/Shopify/sarama/otelsarama module is removed. (#4295)
• The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/bradfitz/gomemcache/memcache/otelmemcache module is removed. (#4295)
• The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/gocql/gocql/otelgocql module is removed. (#4295)

[1.18.0/0.43.0/0.12.0] - 2023-08-28

Added

• Add NewMiddleware function in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#2964)
• The go.opentelemetry.io/contrib/exporters/autoexport package to provide configuration of trace exporters with useful defaults and environment variable support. (#2753, #4100, #4130, #4132, #4134)
• WithRouteTag in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp adds HTTP route attribute to metrics. (#615)
• Add WithSpanOptions option in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#3768)
• Add testing support for Go 1.21. (#4233)
• Add WithFilter option to go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux. (#4230)

Changed

• Change interceptors in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to disable SENT/RECEIVED events. Use WithMessageEvents() to turn back on. (#3964)

Changed

• go.opentelemetry.io/contrib/detectors/gcp: Detect faas.instance instead of faas.id, since faas.id is being removed. (#4198)

Fixed

• AWS XRay Remote Sampling to cap quotaBalance to 1x quota in go.opentelemetry.io/contrib/samplers/aws/xray. (#3651, #3652)

... (truncated)

Commits

• fdfa6e3 Release v1.19.0/v0.44.0/v0.13.0 (#4299)
• aea7540 build(deps): bump github.com/aws/aws-sdk-go in /detectors/aws/ec2 (#4297)
• 7e88614 Remove otelbeego, otelkit, otelsarama, otelmemcache, otelgocql (#4295)
• 14f153e build(deps): bump actions/checkout from 3 to 4 (#4291)
• 01c596d dependabot updates Mon Sep 11 05:08:50 UTC 2023 (#4294)
• 50ca48f Remove high cardanility metrics from otelhttp (#4277)
• b6fc62f Update go versions used in workflow (#4278)
• 7a8f53c Add new gcp host attributes (#4263)
• aab5f49 [mux] Add request filters like otelhttp (#4230)
• 3ad5a2c Deprecate otelmemcache, otelgocql (#4164)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/kubernetes-sigs/prometheus-adapter/network/alerts).

Note Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[k8s-ci-robot]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[dashpole]

/assign @dgrisonnet /triage accepted

[dgrisonnet]

/lgtm /approve /ok-to-test

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dependabot[bot], dgrisonnet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/kubernetes-sigs/prometheus-adapter/blob/master/OWNERS)~~ [dgrisonnet] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

[a7i]

/retest

[k8s-ci-robot]

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-prometheus-adapter-test	fb2b03e77aabf55f9959eb09312319e491279020	link	true	/test pull-prometheus-adapter-test
pull-prometheus-adapter-test-e2e	fb2b03e77aabf55f9959eb09312319e491279020	link	true	/test pull-prometheus-adapter-test-e2e
pull-prometheus-adapter-verify	fb2b03e77aabf55f9959eb09312319e491279020	link	true	/test pull-prometheus-adapter-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).

[a7i]

Library Vulnerabilities:	Severity	CVE	Package Name	Current Version	Fixed Version	Source
HIGH	CVE-2023-47108	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	0.35.0	0.46.0	https://github.com/advisories/GHSA-8pgv-569h-w5rw
HIGH	CVE-2023-45142	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	0.35.1	0.44.0	https://github.com/advisories/GHSA-rcjv-mgp8-qvmr

[dgrisonnet]

Prometheus-adapter is not impacted by these since it does't use the otel server nor it is exposing any otel metrics. That said, I am fine with updating the deps to silence the vulnerability reporting tools, but the PR might need to be done manually seeing the current state of CI.

[a7i]

Prometheus-adapter is not impacted by these since it does't use the otel server nor it is exposing any otel metrics. That said, I am fine with updating the deps to silence the vulnerability reporting tools, but the PR might need to be done manually seeing the current state of CI.

@dgrisonnet good point, it is a "false positive" but good to address. I'm happy to create a PR soon.

[ayushiaks]

@dgrisonnet @olivierlemasle Any ETAs on when this will get merged? The latest tag has been vulnerable since weeks.

[dgrisonnet]

Any ETAs on when this will get merged?

CI is red so this PR will never get merged since dependabot doesn't know how to address the failures. But if anyone is willing to take over the bump and fix the issues, I'd likely merge it.

Though I don't think this warrants a new release since the CVEs that are reported don't affect the project.

[a7i]

This requires a bump from custom-metrics-apiserver first

[manikantanallagatla]

Build is failing because of following errors:

#15 2.247 /go/pkg/mod/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@v1.10.0/client.go:30:2: no required module provides package go.opentelemetry.io/otel/exporters/otlp/internal; to add it:
#15 2.247   go get go.opentelemetry.io/otel/exporters/otlp/internal
#15 2.247 /go/pkg/mod/go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.10.0/internal/otlpconfig/envconfig.go:25:2: no required module provides package go.opentelemetry.io/otel/exporters/otlp/internal/envconfig; to add it:
#15 2.247   go get go.opentelemetry.io/otel/exporters/otlp/internal/envconfig

Any ideas on how to fix this? @dgrisonnet

[dgrisonnet]

@a7i I don't have much time on my hands atm, could you perhaps send a PR in custom-metrics-apiserver to update the dep?

[dashpole]

@manikantanallagatla To fix that, you need to make sure all otel dependencies are at the same version. Right now, you have a mix of 1.10.0 and 1.18.0.

This is because earlier version of otel had shared internal dependencies, which were made non-shared in later versions to avoid this problem.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle rotten
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Reopen this PR with /reopen
• Mark this PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closed this PR.

In response to [this](https://github.com/kubernetes-sigs/prometheus-adapter/pull/611#issuecomment-2148189582): >The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. > >This bot triages PRs according to the following rules: >- After 90d of inactivity, `lifecycle/stale` is applied >- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied >- After 30d of inactivity since `lifecycle/rotten` was applied, the PR is closed > >You can: >- Reopen this PR with `/reopen` >- Mark this PR as fresh with `/remove-lifecycle rotten` >- Offer to help out with [Issue Triage][1] > >Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community). > >/close > >[1]: https://www.kubernetes.dev/docs/guide/issue-triage/ Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[dependabot[bot]]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.