Upgrade Grafana to 11.3.0 and chart to 8.5.9 to fix CVE-2024-9264

[anders-elastisys]

[!warning] This is a public repository, ensure not to disclose:

• [x] personal data beyond what is necessary for interacting with this pull request, nor
• [x] business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

• [ ] kind/feature
• [x] kind/improvement
• [ ] kind/deprecation
• [ ] kind/documentation
• [ ] kind/clean-up
• [ ] kind/bug
• [ ] kind/other

Optional: Mark one or more of the following that are applicable:

[!important] Breaking changes should be marked kind/admin-change or kind/dev-change depending on type Critical security fixes should be marked with kind/security

• [ ] kind/admin-change
• [ ] kind/dev-change
• [x] kind/security
• [ ] [kind/adr]()

Security notice

Upgrades Grafana to 11.3.0 to fix CVE-2024-9264

What does this PR do / why do we need this PR?

This PR upgrades the Grafana chart to v8.5.9 which upgrades the Grafana image to 11.3.0 containing a critical severity fix for CVE-2024-9264. The CVE is only exploitable if duckdb binary is available, which is not packaged by default and as such not in Welkin either (by default). The k8s-sidecar image has also been updated with this change from v1.27.4 to v1.28.0 which contains fixes for high and critical CVEs.

• Fixes #

Information to reviewers

Checklist

• [x] Proper commit message prefix on all commits
• Change checks:
  • [x] The change is transparent
  • [ ] The change is disruptive
  • [ ] The change requires no migration steps
  • [ ] The change requires migration steps
  • [ ] The change upgrades CRDs
  • [ ] The change updates the config and the schema
• Documentation checks:
  • [ ] The public documentation required no updates
  • [ ] The public documentation required an update - link to change
• Metrics checks:
  • [x] The metrics are still exposed and present in Grafana after the change
  • [ ] The metrics names didn't change (Grafana dashboards and Prometheus alerts are not affected)
  • [ ] The metrics names did change (Grafana dashboards and Prometheus alerts were fixed)
• Logs checks:
  • [x] The logs do not show any errors after the change
• Pod Security Policy checks:
  • [ ] Any changed pod is covered by Pod Security Admission
  • [ ] Any changed pod is covered by Gatekeeper Pod Security Policies
  • [ ] The change does not cause any pods to be blocked by Pod Security Admission or Policies
• Network Policy checks:
  • [ ] Any changed pod is covered by Network Policies
  • [ ] The change does not cause any dropped packets in the NetworkPolicy Dashboard
• Audit checks:
  • [ ] The change does not cause any unnecessary Kubernetes audit events
  • [ ] The change requires changes to Kubernetes audit policy
• Falco checks:
  • [x] The change does not cause any alerts to be generated by Falco
• Bug checks:
  • [ ] The bug fix is covered by regression tests

[OlleLarsson]

There seems to be an issue with this image causing a bunch of warning logs when accessing dashboards:

We are not talking a huge amount here right?

[anders-elastisys]

There seems to be an issue with this image causing a bunch of warning logs when accessing dashboards:

We are not talking a huge amount here right?

@OlleLarsson Seems to add about 6 warning logs each time you enter a dashboard, change data source or just refresh the dashboard :/

[anders-elastisys]

The logging issue has been fixed in Grafana v11.3.0, I will wait a bit and see if the Helm chart gets upgraded with this image and I will then upgrade to that in this PR as well

[anders-elastisys]

I upgraded Grafana to 11.3.0 and chart to 8.5.9 now to fix the log issue introduced in 11.2.2+security-01. I will merge this later today unless anyone objects.