OCPBUGS-2873: fix certificate reloads after rotation

When the TLS certificate (used by Prometheus to authenticate to the scraped targets) gets rotated, Prometheus doesn't pick up the new certificate until the connection to the target is re-established. Because Prometheus uses keep-alive HTTP connections, the consequence is that the scrapes start failing after about 1 day and the TargetDown alert fires. There's an upstream pull request [1] to address the issue but it isn't merged yet. This commit pulls the changes from [1] into our downstream fork by adding a replace directive to go.mod for the github.com/prometheus/common. The replacement code is under patches/github.com/prometheus/common which is the same version as upstream (v0.37.0) + the upstream PR applied on top of it. As soon as upstream Prometheus depends on a version of github.com/prometheus/common that fixes the issue, the replace directive in go.mod and the code under the patches/ directory can be removed. [1] prometheus/common#345 Signed-off-by: Simon Pasquier <spasquie@redhat.com>
simonpasquier · Oct 26, 2022 · 05b3135 · 05b3135
1 parent c3cbff9
commit 05b3135
Show file tree

Hide file tree

Showing 159 changed files with 17,260 additions and 58 deletions.
diff --git a/go.mod b/go.mod
@@ -187,6 +187,18 @@ replace (
 	k8s.io/klog/v2 => github.com/simonpasquier/klog-gokit/v3 v3.0.0
 )
 
+// Use a patched version of github.com/prometheus/common v0.37.0 to have proper
+// reloading of the TLS certificates on disk.
+//
+// Bug link: https://issues.redhat.com/browse/OCPBUGS-2873
+//
+// Upstream pull request: https://github.com/prometheus/common/pull/345
+//
+// This directive (as well as the patches/ directory) can be removed once
+// upstream Prometheus depends on a version of github.com/prometheus/common
+// including the aforementioned fix.
+replace github.com/prometheus/common => ./patches/github.com/prometheus/common
+
 // Exclude linodego v1.0.0 as it is no longer published on github.
 exclude github.com/linode/linodego v1.0.0
 

diff --git a/go.sum b/go.sum
diff --git a/patches/github.com/prometheus/common/.circleci/config.yml b/patches/github.com/prometheus/common/.circleci/config.yml
@@ -0,0 +1,105 @@
+---
+version: 2.1
+
+orbs:
+  go: circleci/go@0.2.0
+
+jobs:
+  test:
+    parameters:
+      go_version:
+        type: string
+      use_gomod_cache:
+        type: boolean
+        default: true
+    docker:
+      - image: cimg/go:<< parameters.go_version >>
+    steps:
+      - checkout
+      - when:
+          condition: << parameters.use_gomod_cache >>
+          steps:
+            - go/load-cache:
+                key: v1-go<< parameters.go_version >>
+      - run: make test
+      - run: make -C sigv4 test
+      - when:
+          condition: << parameters.use_gomod_cache >>
+          steps:
+            - go/save-cache:
+                key: v1-go<< parameters.go_version >>
+      - store_test_results:
+          path: test-results
+  test-assets:
+    parameters:
+      go_version:
+        type: string
+      use_gomod_cache:
+        type: boolean
+        default: true
+    docker:
+      - image: cimg/go:<< parameters.go_version >>
+    steps:
+      - checkout
+      - when:
+          condition: << parameters.use_gomod_cache >>
+          steps:
+            - go/load-cache:
+                key: v1-go<< parameters.go_version >>
+      - run: make -C assets test
+      - when:
+          condition: << parameters.use_gomod_cache >>
+          steps:
+            - go/save-cache:
+                key: v1-go<< parameters.go_version >>
+      - store_test_results:
+          path: test-results
+  style:
+    parameters:
+      go_version:
+        type: string
+      use_gomod_cache:
+        type: boolean
+        default: true
+    docker:
+      - image: cimg/go:<< parameters.go_version >>
+    steps:
+      - checkout
+      - when:
+          condition: << parameters.use_gomod_cache >>
+          steps:
+            - go/load-cache:
+                key: v1-go<< parameters.go_version >>
+      - run: make style
+      - run: make -C sigv4 style
+      - run: make -C assets style
+      - when:
+          condition: << parameters.use_gomod_cache >>
+          steps:
+            - go/save-cache:
+                key: v1-go<< parameters.go_version >>
+      - store_test_results:
+          path: test-results
+
+workflows:
+  version: 2
+  tests:
+    jobs:
+      # Supported Go versions are synced with github.com/prometheus/client_golang.
+      - test:
+          name: go-<< matrix.go_version >>
+          matrix:
+            parameters:
+              go_version:
+                - "1.16"
+                - "1.17"
+                - "1.18"
+      - test-assets:
+          name: assets-go-<< matrix.go_version >>
+          matrix:
+            parameters:
+              go_version:
+                - "1.18"
+      - style:
+          name: style
+          go_version: "1.18"
diff --git a/patches/github.com/prometheus/common/.github/workflows/golangci-lint.yml b/patches/github.com/prometheus/common/.github/workflows/golangci-lint.yml
@@ -0,0 +1,27 @@
+name: golangci-lint
+on:
+  push:
+    paths:
+      - "go.sum"
+      - "go.mod"
+      - "**.go"
+      - "scripts/errcheck_excludes.txt"
+      - ".github/workflows/golangci-lint.yml"
+      - ".golangci.yml"
+  pull_request:
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17.x
+      - name: Lint
+        uses: golangci/golangci-lint-action@v3.1.0
+        with:
+          version: v1.44.2
diff --git a/patches/github.com/prometheus/common/.gitignore b/patches/github.com/prometheus/common/.gitignore
@@ -0,0 +1 @@
+vendor/
diff --git a/patches/github.com/prometheus/common/.yamllint b/patches/github.com/prometheus/common/.yamllint
@@ -0,0 +1,27 @@
+---
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  commas: disable
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  indentation:
+    spaces: consistent
+  key-duplicates:
+    ignore: |
+      config/testdata/section_key_dup.bad.yml
+  line-length: disable
+  truthy:
+    ignore: |
+      .github/workflows/codeql-analysis.yml
+      .github/workflows/funcbench.yml
+      .github/workflows/fuzzing.yml
+      .github/workflows/prombench.yml
+      .github/workflows/golangci-lint.yml
diff --git a/patches/github.com/prometheus/common/CODE_OF_CONDUCT.md b/patches/github.com/prometheus/common/CODE_OF_CONDUCT.md
@@ -0,0 +1,3 @@
+## Prometheus Community Code of Conduct
+
+Prometheus follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
diff --git a/patches/github.com/prometheus/common/CONTRIBUTING.md b/patches/github.com/prometheus/common/CONTRIBUTING.md
@@ -0,0 +1,18 @@
+# Contributing
+
+Prometheus uses GitHub to manage reviews of pull requests.
+
+* If you have a trivial fix or improvement, go ahead and create a pull request,
+  addressing (with `@...`) the maintainer of this repository (see
+  [MAINTAINERS.md](MAINTAINERS.md)) in the description of the pull request.
+
+* If you plan to do something more involved, first discuss your ideas
+  on our [mailing list](https://groups.google.com/forum/?fromgroups#!forum/prometheus-developers).
+  This will avoid unnecessary work and surely give you and us a good deal
+  of inspiration.
+
+* Relevant coding style guidelines are the [Go Code Review
+  Comments](https://code.google.com/p/go-wiki/wiki/CodeReviewComments)
+  and the _Formatting and style_ section of Peter Bourgon's [Go: Best
+  Practices for Production
+  Environments](http://peter.bourgon.org/go-in-production/#formatting-and-style).