🐛 Address CVE-2022-21698

[pierreprinetti]

Upgrade the Prometheus client to v1.11.1.

This commit is the result of running:

go get github.com/prometheus/[email protected] \
	&& go mod tidy

See GHSA-cg3q-j54f-5p7p

What this PR does / why we need it:
Upgrades github.com/prometheus/client_golang to v1.11.1, where the vulnerability has been fixed.

Which issue(s) this PR fixes:
Fixes #1181

Special notes for your reviewer:
One handy way to check that the version of client_go used for compiling contains the security patch, is to run go mod vendor and check that the InstrumentRoundTripperCounter method contains a variadic options argument.

$ grep InstrumentRoundTripperCounter vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go
// InstrumentRoundTripperCounter is a middleware that wraps the provided
func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper, opts ...Option) RoundTripperFunc {

TODOs:

• squashed commits
• if necessary:
  • includes documentation
  • adds unit tests

[netlify]

✅ Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!

Name	Link
🔨 Latest commit	0ceab04
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-cluster-api-openstack/deploys/623c570631cecd00087ddbe3
😎 Deploy Preview	https://deploy-preview-1182--kubernetes-sigs-cluster-api-openstack.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[k8s-ci-robot]

Hi @pierreprinetti. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tobiasgiese]

/ok-to-test

thanks @pierreprinetti 🙂

[pierreprinetti]

/retest-required

[pierreprinetti]

@tobiasgiese Do you perhaps know why don't the unit tests love me?

[tobiasgiese]

@tobiasgiese Do you perhaps know why don't the unit tests love me?

Unfortunately, I don't have time to debug further. I have to leave early and I'm out-of-office (vacationing) until April 3rd 🌴
Maybe @mdbooth can assist?

[apricote]

The same linting errors have happened in all other CI runs today, and are probably linked to the Go 1.18 upgrade for the test infrastructure.

See this discussion in slack for details and #1184 for a potential fix.

[pierreprinetti]

I'm out-of-office

Enjoy! :)

happened in all other CI runs

Kk thanks for the heads up @apricote !

[jichenjc]

/lgtm
/approve

the change make sense, re-run the test after that PR merged then we are good to go

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jichenjc, pierreprinetti

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [jichenjc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[pierreprinetti]

Let's see if the tests run against a rebased version of the PR :)
/retest