From 928fcc75328bb07e7ae242812e85027bd5269cda Mon Sep 17 00:00:00 2001
From: Matt Crees
Date: Tue, 29 Apr 2025 15:45:47 +0100
Subject: [PATCH 1/4] Rename prometheus-v2-server to prometheus-server

With Kolla bumping Promtheus to v3, the v2 name has been dropped. Updates our tooling to reflect that.
---
 etc/kayobe/pulp.yml | 2 +-
 tools/kolla-images.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
index 056bb377d..ac52dd44f 100644
--- a/etc/kayobe/pulp.yml
+++ b/etc/kayobe/pulp.yml
@@ -526,7 +526,7 @@ stackhpc_pulp_images_kolla:
 - prometheus-mysqld-exporter
 - prometheus-node-exporter
 - prometheus-openstack-exporter
- - prometheus-v2-server
+ - prometheus-server
 - proxysql
 - rabbitmq
 - redis
diff --git a/tools/kolla-images.py b/tools/kolla-images.py
index 0340bbe52..e8ee420d1 100755
--- a/tools/kolla-images.py
+++ b/tools/kolla-images.py
@@ -72,7 +72,7 @@
 "ovn-sb-db-server": [
 "ovn_sb_db",
 ],
- "prometheus-v2-server": [
+ "prometheus-server": [
 "prometheus_server",
 ],
 }

From 6c0018430321a194d809bf176a2fdb37a9875db9 Mon Sep 17 00:00:00 2001
From: Matt Crees
Date: Wed, 30 Apr 2025 09:25:36 +0100
Subject: [PATCH 2/4] Whitelist Prometheus CVEs

CVE-2024-45337 [1] affects multiple Prometheus containers. The vulnerability allows for authorisation bypassing due to a flaw in the handling of public key handling. We only access Prometheus with basic auth (username/password), so we are not affected by this CVE. CVE-2024-41110 [2] only affects prometheus_cadvisor. Suggested workarounds are to avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties. Best I can tell, we don't use any AuthZ plugins and regardless the Docker API can only be reached from the control plane, as we are not affected by this CVE.

1. https://avd.aquasec.com/nvd/2024/cve-2024-45337/
2. https://avd.aquasec.com/nvd/2024/cve-2024-41110/
---
 etc/kayobe/trivy/allowed-vulnerabilities.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/etc/kayobe/trivy/allowed-vulnerabilities.yml b/etc/kayobe/trivy/allowed-vulnerabilities.yml
index 9a3d67589..adf2aad82 100644
--- a/etc/kayobe/trivy/allowed-vulnerabilities.yml
+++ b/etc/kayobe/trivy/allowed-vulnerabilities.yml
@@ -14,9 +14,27 @@
 # - CVE-2023-31047
 fluentd_allowed_vulnerabilities:
 - CVE-2024-27280
+
 grafana_allowed_vulnerabilities:
 - CVE-2024-8986
+prometheus_blackbox_exporter_allowed_vulnerabilities:
+ - CVE-2024-45337
+prometheus_memcached_exporter_allowed_vulnerabilities:
+ - CVE-2024-45337
+prometheus_mysqld_exporter_allowed_vulnerabilities:
+ - CVE-2024-45337
+prometheus_elasticsearch_exporter_allowed_vulnerabilities:
+ - CVE-2024-45337
+prometheus_node_exporter_allowed_vulnerabilities:
+ - CVE-2024-45337
+prometheus_openstack_exporter_allowed_vulnerabilities:
+ - CVE-2024-45337
+prometheus_libvirt_exporter_allowed_vulnerabilities:
+ - CVE-2024-45337
+prometheus_cadvisor_allowed_vulnerabilities:
+ - CVE-2024-41110
+ - CVE-2024-45337
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.

From 595fd25b8e8d57fa29b702b349638e69647e87bf Mon Sep 17 00:00:00 2001
From: Alex-Welsh
Date: Wed, 23 Apr 2025 09:26:28 +0100
Subject: [PATCH 3/4] Bump ansible-core version in lint jobs

---
 .github/workflows/stackhpc-pull-request.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml
index bf1668030..0a62c2fd0 100644
--- a/.github/workflows/stackhpc-pull-request.yml
+++ b/.github/workflows/stackhpc-pull-request.yml
@@ -69,9 +69,9 @@ jobs:
 matrix:
 include:
 # NOTE(upgrade): Keep these in sync with Kayobe's supported Ansible and Python versions (see release notes).
- - ansible: "2.17"
+ - ansible: "2.18"
 python: "3.12"
- - ansible: "2.16"
+ - ansible: "2.17"
 python: "3.10"
 name: Ansible ${{ matrix.ansible }} lint with Python ${{ matrix.python }}
 if: github.repository == 'stackhpc/stackhpc-kayobe-config'

From 898cfc10a7fbf8d0e974e9fcd206750bc6e47e6d Mon Sep 17 00:00:00 2001
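Review bot: The eight new `*_allowed_vulnerabilities` lists carry no inline rationale or review date, so the reason each CVE is accepted lives only in this commit message and will be lost the next time the file is edited; the file already uses `#` comments (`# - CVE-2023-31047`), so each group should get one, e.g. `# CVE-2024-45337: golang.org/x/crypto/ssh PublicKeyCallback bypass (server-side SSH only); these exporters run no SSH server. Re-check when upstream images rebuild on patched x/crypto.` above the first exporter list. The basic-auth argument in the commit message does not actually cover this CVE: as far as the linked advisory goes, the flaw is in an SSH server's public-key callback handling, so how the Prometheus HTTP endpoints are authenticated is irrelevant, and the accepting rationale should be that none of these images act as an SSH server, which is worth confirming before relying on it. For `prometheus_cadvisor` the CVE-2024-41110 entry should likewise record that the flaw sits in the Docker daemon's AuthZ-plugin path and that cadvisor only talks to the daemon, together with the control-plane-only reachability assumption, e.g. `# CVE-2024-41110: moby AuthZ plugin bypass; daemon-side, no AuthZ plugins in use, Docker API reachable from the control plane only.` Without an expiry or tracking reference these allowlist entries will silently outlive the image builds they were assessed against.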
From: Matt Crees
Date: Wed, 30 Apr 2025 13:33:22 +0100
Subject: [PATCH 4/4] Bump Prometheus container images to v3

---
 etc/kayobe/kolla-image-tags.yml | 3 +++
 releasenotes/notes/prometheus-v3-68fd3d9d6cf3e420.yaml | 4 ++++
 2 files changed, 7 insertions(+)
 create mode 100644 releasenotes/notes/prometheus-v3-68fd3d9d6cf3e420.yaml

diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml
index ae37d1a43..e785abd24 100644
--- a/etc/kayobe/kolla-image-tags.yml
+++ b/etc/kayobe/kolla-image-tags.yml
@@ -13,3 +13,6 @@ kolla_image_tags:
 ovn_sb_db_relay:
 rocky-9: master-rocky-9-20250305T111730
 ubuntu-noble: master-ubuntu-noble-20250305T111730
+ prometheus:
+ rocky-9: master-rocky-9-20250430T112026
+ ubuntu-noble: master-ubuntu-noble-20250430T112026
diff --git a/releasenotes/notes/prometheus-v3-68fd3d9d6cf3e420.yaml b/releasenotes/notes/prometheus-v3-68fd3d9d6cf3e420.yaml
new file mode 100644
index 000000000..07323ba5b
--- /dev/null
+++ b/releasenotes/notes/prometheus-v3-68fd3d9d6cf3e420.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Bumps the Prometheus container images to bring in Prometheus v3.