refactor: include scheme in base URL for metrics (#1243)

don't assume it's always `https`, so we can be more flexible when testing against an `http` endpoint
also, update vuln exclusions

---------

Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
Co-authored-by: Rafaela Maria Soares da Silva <rsoaresd@redhat.com>

Author: xcoulon

.govulncheck.yaml

@@ -4,40 +4,52 @@ ignored-vulnerabilities:
   # Fixed in: crypto/x509@go1.24.8
   - id: GO-2025-4013
     info: https://pkg.go.dev/vuln/GO-2025-4013
-    silence-until: 2025-12-03
+    silence-until: 2026-02-05
   # Lack of limit when parsing cookies can cause memory exhaustion in net/http
   # Found in: net/http@go1.23.12
   # Fixed in: net/http@go1.24.8
   - id: GO-2025-4012
     info: https://pkg.go.dev/vuln/GO-2025-4012
-    silence-until: 2025-12-03
+    silence-until: 2026-02-05
   # Parsing DER payload can cause memory exhaustion in encoding/asn1
   # Found in: encoding/asn1@go1.23.12
   # Fixed in: encoding/asn1@go1.24.8
   - id: GO-2025-4011
     info: https://pkg.go.dev/vuln/GO-2025-4011
-    silence-until: 2025-12-03
+    silence-until: 2026-02-05
   # Insufficient validation of bracketed IPv6 hostnames in net/url
   # Found in: net/url@go1.23.12
   # Fixed in: net/url@go1.24.8
   - id: GO-2025-4010
     info: https://pkg.go.dev/vuln/GO-2025-4010
-    silence-until: 2025-12-03
+    silence-until: 2026-02-05
   # Quadratic complexity when parsing some invalid inputs in encoding/pem
   # Found in: encoding/pem@go1.23.12
   # Fixed in: encoding/pem@go1.24.8
   - id: GO-2025-4009
     info: https://pkg.go.dev/vuln/GO-2025-4009
-    silence-until: 2025-12-03
+    silence-until: 2026-02-05
   # ALPN negotiation error contains attacker controlled information in crypto/tls
   # Found in: crypto/tls@go1.23.12
   # Fixed in: crypto/tls@go1.24.8
   - id: GO-2025-4008
     info: https://pkg.go.dev/vuln/GO-2025-4008
-    silence-until: 2025-12-03
+    silence-until: 2026-02-05
   # Quadratic complexity when checking name constraints in crypto/x509
   # Found in: crypto/x509@go1.23.12
   # Fixed in: crypto/x509@go1.24.9
   - id: GO-2025-4007
     info: https://pkg.go.dev/vuln/GO-2025-4007
-    silence-until: 2025-12-03
+    silence-until: 2026-02-05
+  # Excessive resource consumption when printing error string for host certificate validation in crypto/x509
+  # Found in: crypto/x509@go1.23.12
+  # Fixed in: crypto/x509@go1.24.11
+  - id: GO-2025-4155
+    info: https://pkg.go.dev/vuln/GO-2025-4155
+    silence-until: 2026-02-04
+  # Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
+  # Found in: crypto/x509@go1.23.12
+  # Fixed in: crypto/x509@go1.24.11
+  - id: GO-2025-4175
+    info: https://pkg.go.dev/vuln/GO-2025-4175
+    silence-until: 2026-02-04

testsupport/init.go

@@ -207,12 +207,12 @@ func WaitForDeployments(t *testing.T) wait.Awaitilities {
 		// setup host metrics route for metrics verification in tests
 		hostMetricsRoute, err := initHostAwait.SetupRouteForService(t, "host-operator-metrics-service", "/metrics")
 		require.NoError(t, err)
-		initHostAwait.MetricsURL = hostMetricsRoute.Status.Ingress[0].Host
+		initHostAwait.MetricsURL = "https://" + hostMetricsRoute.Status.Ingress[0].Host
 
 		// setup member metrics route for metrics verification in tests
 		memberMetricsRoute, err := initMemberAwait.SetupRouteForService(t, "member-operator-metrics-service", "/metrics")
 		require.NoError(t, err, "failed while setting up or waiting for the route to the 'member-operator-metrics' service to be available")
-		initMemberAwait.MetricsURL = memberMetricsRoute.Status.Ingress[0].Host
+		initMemberAwait.MetricsURL = "https://" + memberMetricsRoute.Status.Ingress[0].Host
 
 		// Wait for the webhooks in Member 1 only because we do not deploy webhooks for Member 2
 		// (we can't deploy the same webhook multiple times on the same cluster)

testsupport/metrics/metrics.go

@@ -13,27 +13,27 @@ import (
 	"k8s.io/client-go/rest"
 )
 
-func GetMetricValue(restConfig *rest.Config, url string, family string, expectedLabels []string) (float64, error) {
-	value, err := getMetricValue(restConfig, url, family, expectedLabels, getValue)
+func GetMetricValue(restConfig *rest.Config, baseURL string, family string, expectedLabels []string) (float64, error) {
+	value, err := getMetricValue(restConfig, baseURL, family, expectedLabels, getValue)
 	if value == nil {
 		return -1, err
 	}
 	return *value, err
 }
 
-func GetHistogramBuckets(restConfig *rest.Config, url string, family string, expectedLabels []string) ([]*dto.Bucket, error) {
-	value, err := getMetricValue(restConfig, url, family, expectedLabels, getBuckets)
+func GetHistogramBuckets(restConfig *rest.Config, baseURL string, family string, expectedLabels []string) ([]*dto.Bucket, error) {
+	value, err := getMetricValue(restConfig, baseURL, family, expectedLabels, getBuckets)
 	if value == nil {
 		return nil, err
 	}
 	return *value, err
 }
 
-func getMetricValue[T any](restConfig *rest.Config, url string, family string, expectedLabels []string, getValue func(dto.MetricType, *dto.Metric) (*T, error)) (*T, error) {
+func getMetricValue[T any](restConfig *rest.Config, baseURL string, family string, expectedLabels []string, getValue func(dto.MetricType, *dto.Metric) (*T, error)) (*T, error) {
 	if len(expectedLabels)%2 != 0 {
 		return nil, fmt.Errorf("received odd number of label arguments, labels must be key-value pairs")
 	}
-	uri := fmt.Sprintf("https://%s/metrics", url)
+	uri := baseURL + "/metrics"
 	var metrics []byte
 
 	client := http.Client{
@@ -128,8 +128,8 @@ func getBuckets(t dto.MetricType, m *dto.Metric) (*[]*dto.Bucket, error) {
 }
 
 // GetMetricLabels return all labels (indexed by key) for all metrics of the given `family`
-func GetMetricLabels(restConfig *rest.Config, url string, family string) ([]map[string]string, error) {
-	uri := fmt.Sprintf("https://%s/metrics", url)
+func GetMetricLabels(restConfig *rest.Config, baseURL string, family string) ([]map[string]string, error) {
+	uri := baseURL + "/metrics"
 	var metrics []byte
 
 	client := http.Client{

testsupport/metrics/metrics_test.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -62,36 +61,34 @@ func TestGetMetricValue(t *testing.T) {
 		BearerToken: "1a2b3bc",
 	}
 
-	url := strings.TrimPrefix(ts.URL, "https://")
-
 	t.Run("valid metrics", func(t *testing.T) {
 		t.Run("counter with no labels", func(t *testing.T) {
 			// when
-			result, err := GetMetricValue(config, url, "sandbox_user_signups_total", []string{})
+			result, err := GetMetricValue(config, ts.URL, "sandbox_user_signups_total", []string{})
 			// then
 			require.NoError(t, err)
 			assert.InDelta(t, float64(7), result, 0.1)
 		})
 
 		t.Run("counter with single label", func(t *testing.T) {
 			// when
-			result, err := GetMetricValue(config, url, "workqueue_depth", []string{"name", "masteruserrecord-controller"})
+			result, err := GetMetricValue(config, ts.URL, "workqueue_depth", []string{"name", "masteruserrecord-controller"})
 			// then
 			require.NoError(t, err)
 			assert.InDelta(t, float64(0), result, 0.1)
 		})
 
 		t.Run("counter with two labels", func(t *testing.T) {
 			// when
-			result, err := GetMetricValue(config, url, "controller_runtime_reconcile_total", []string{"controller", "usersignup-controller", "result", "success"})
+			result, err := GetMetricValue(config, ts.URL, "controller_runtime_reconcile_total", []string{"controller", "usersignup-controller", "result", "success"})
 			// then
 			require.NoError(t, err)
 			assert.InDelta(t, float64(10), result, 0.1)
 		})
 
 		t.Run("gauge with no labels", func(t *testing.T) {
 			// when
-			result, err := GetMetricValue(config, url, "sandbox_master_user_record_current", []string{})
+			result, err := GetMetricValue(config, ts.URL, "sandbox_master_user_record_current", []string{})
 			// then
 			require.NoError(t, err)
 			assert.InDelta(t, float64(7), result, 0.01)
@@ -101,7 +98,7 @@ func TestGetMetricValue(t *testing.T) {
 	t.Run("failures", func(t *testing.T) {
 		t.Run("metric does not exist", func(t *testing.T) {
 			// when
-			result, err := GetMetricValue(config, url, "non_existent_counter", []string{})
+			result, err := GetMetricValue(config, ts.URL, "non_existent_counter", []string{})
 			// then
 			require.Error(t, err)
 			require.EqualError(t, err, "metric 'non_existent_counter{[]}' not found")
@@ -110,7 +107,7 @@ func TestGetMetricValue(t *testing.T) {
 
 		t.Run("metric family exists but labels do not match", func(t *testing.T) {
 			// when
-			result, err := GetMetricValue(config, url, "workqueue_depth", []string{"name", "non-existent-controller"})
+			result, err := GetMetricValue(config, ts.URL, "workqueue_depth", []string{"name", "non-existent-controller"})
 			// then
 			require.Error(t, err)
 			require.EqualError(t, err, "metric 'workqueue_depth{[name non-existent-controller]}' not found")
@@ -119,7 +116,7 @@ func TestGetMetricValue(t *testing.T) {
 
 		t.Run("odd number of label parameters", func(t *testing.T) {
 			// when
-			result, err := GetMetricValue(config, url, "workqueue_depth", []string{"name"})
+			result, err := GetMetricValue(config, ts.URL, "workqueue_depth", []string{"name"})
 			// then
 			require.Error(t, err)
 			require.EqualError(t, err, "received odd number of label arguments, labels must be key-value pairs")