Merge branch 'stackhpc/master' into master-requirements

Alex-Welsh · Alex-Welsh · commit 4fbbd8dcd105 · 2025-05-09T10:38:23.000+01:00
diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml
@@ -335,6 +335,17 @@ jobs:
         env:
           KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: ${{ steps.ssh_key.outputs.ssh_key }}
 
+      - name: Run upgrade prerequisites
+        run: |
+          docker run -t --rm \
+            -v $(pwd):/stack/kayobe-automation-env/src/kayobe-config \
+            -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY \
+            ${{ steps.kayobe_image.outputs.kayobe_image }} \
+            /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/script-run.sh tools/upgrade-prerequisites.sh
+        env:
+          KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: ${{ steps.ssh_key.outputs.ssh_key }}
+        if: inputs.upgrade
+
       # If testing upgrade, checkout the current release branch
       # Stash changes to tracked files, and set clean=false to avoid removing untracked files.
       # Revert changes to RabbitMQ Queue types to avoid a merge conflict
diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml
@@ -69,9 +69,9 @@ jobs:
       matrix:
         include:
           # NOTE(upgrade): Keep these in sync with Kayobe's supported Ansible and Python versions (see release notes).
-          - ansible: "2.17"
+          - ansible: "2.18"
             python: "3.12"
-          - ansible: "2.16"
+          - ansible: "2.17"
             python: "3.10"
     name: Ansible ${{ matrix.ansible }} lint with Python ${{ matrix.python }}
     if: github.repository == 'stackhpc/stackhpc-kayobe-config'
diff --git a/etc/kayobe/ansible/octavia-amphora-image-register.yml b/etc/kayobe/ansible/octavia-amphora-image-register.yml
@@ -51,9 +51,9 @@
             - python3-venv
             - python3-dev
           RedHat: []
-        common_required_pacakges:
+        common_required_packages:
           - gcc
-        required_packages: "{{ common_required_pacakges + os_family_required_packages[ansible_facts.os_family] }}"
+        required_packages: "{{ common_required_packages + os_family_required_packages[ansible_facts.os_family] }}"
         ansible_host: "{{ hostvars[groups['controllers'][0]].ansible_host }}"
       ansible.builtin.package:
         name: "{{ required_packages }}"
diff --git a/etc/kayobe/cephadm.yml b/etc/kayobe/cephadm.yml
@@ -12,7 +12,7 @@ cephadm_ceph_release: "squid"
 cephadm_image: "{{ stackhpc_docker_registry if stackhpc_sync_ceph_images | bool else 'quay.io' }}/ceph/ceph:{{ cephadm_image_tag }}"
 
 # Ceph container image tag.
-cephadm_image_tag: "v19.2.0"
+cephadm_image_tag: "v19.2.1"
 
 # HAProxy container image.
 cephadm_haproxy_image: "{{ stackhpc_docker_registry if stackhpc_sync_ceph_images | bool else 'quay.io' }}/ceph/haproxy:{{ cephadm_haproxy_image_tag }}"
diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml
@@ -13,3 +13,9 @@ kolla_image_tags:
   ovn_sb_db_relay:
     rocky-9: master-rocky-9-20250305T111730
     ubuntu-noble: master-ubuntu-noble-20250305T111730
+  prometheus:
+    rocky-9: master-rocky-9-20250430T112026
+    ubuntu-noble: master-ubuntu-noble-20250430T112026
+  rabbitmq:
+    rocky-9: master-rocky-9-20250502T080944
+    ubuntu-noble: master-ubuntu-noble-20250502T080944
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
@@ -526,7 +526,7 @@ stackhpc_pulp_images_kolla:
   - prometheus-mysqld-exporter
   - prometheus-node-exporter
   - prometheus-openstack-exporter
-  - prometheus-v2-server
+  - prometheus-server
   - proxysql
   - rabbitmq
   - redis
diff --git a/etc/kayobe/trivy/allowed-vulnerabilities.yml b/etc/kayobe/trivy/allowed-vulnerabilities.yml
@@ -14,9 +14,27 @@
 #   - CVE-2023-31047
 fluentd_allowed_vulnerabilities:
   - CVE-2024-27280
+
 grafana_allowed_vulnerabilities:
   - CVE-2024-8986
 
+prometheus_blackbox_exporter_allowed_vulnerabilities:
+  - CVE-2024-45337
+prometheus_memcached_exporter_allowed_vulnerabilities:
+  - CVE-2024-45337
+prometheus_mysqld_exporter_allowed_vulnerabilities:
+  - CVE-2024-45337
+prometheus_elasticsearch_exporter_allowed_vulnerabilities:
+  - CVE-2024-45337
+prometheus_node_exporter_allowed_vulnerabilities:
+  - CVE-2024-45337
+prometheus_openstack_exporter_allowed_vulnerabilities:
+  - CVE-2024-45337
+prometheus_libvirt_exporter_allowed_vulnerabilities:
+  - CVE-2024-45337
+prometheus_cadvisor_allowed_vulnerabilities:
+  - CVE-2024-41110
+  - CVE-2024-45337
 
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
diff --git a/releasenotes/notes/bump-ceph-to-19-2-1-878ae64bf5420893.yaml b/releasenotes/notes/bump-ceph-to-19-2-1-878ae64bf5420893.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Bump Ceph to v19.2.1.
+fixes:
+  - |
+    Fixes `Ceph bug #66389 <https://tracker.ceph.com/issues/66389>`__
+    causing Ubuntu Noble hosts to fail to populate OSDs, by upgrading
+    to Ceph v19.2.1.
diff --git a/releasenotes/notes/prometheus-v3-68fd3d9d6cf3e420.yaml b/releasenotes/notes/prometheus-v3-68fd3d9d6cf3e420.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Bumps the Prometheus container images to bring in Prometheus v3.
diff --git a/releasenotes/notes/rabbitmq-4.0-52657c95567fc457.yaml b/releasenotes/notes/rabbitmq-4.0-52657c95567fc457.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Bumps the RabbitMQ container image tag to upgrade RabbitMQ to v4.0
diff --git a/tools/kolla-images.py b/tools/kolla-images.py
@@ -72,7 +72,7 @@
     "ovn-sb-db-server": [
         "ovn_sb_db",
     ],
-    "prometheus-v2-server": [
+    "prometheus-server": [
         "prometheus_server",
     ],
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +features:
 +  - |
 +    Bumps the Prometheus container images to bring in Prometheus v3.