Fix prometheus imports to match OTel

[blakerouse]

Proposed commit message

Fixes our prometheus go.mod imports to match what prometheus upstream recommends for how to use it as a library.

This aligns our imports to match the OTel collector distribution which prevents the collisions of prometheus modules.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works (test exists)
• [ ] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc. (not user facing)

Disruptive User Impact

None

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @blakerouse? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit

[mergify]

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

[mauri870]

The docker update to v27 might require some additional changes https://docs.docker.com/engine/release-notes/27/#go-sdk-changes

[cmacknz]

From GHSA-v23v-6jw2-98fq this has a vulnerability we need to avoid, think we'd need to go to v27.1.1+ to avoid it as there's no v27.0.4 for whatever reason.

[cmacknz]

It doesn't actually affect us but the CVSS is 10/10 so we do not want it showing up in CVE scans of Beats regardless.

[blakerouse]

@cmacknz I updated it to v27.3.1+incompatible.

Any reason why there are a lot of deps out of date? Doesn't dependabot keep deps up to date for us?

[cmacknz]

Dependabot only auto-updates for github.com/elastic dependencies, for non-elastic dependencies it only suggests updates to remove CVEs.

We could turn on dependabot for everything, but that'd be a lot of PRs to keep up with.

[blakerouse]

@cmacknz I didn't know that thanks for the explanation. It might be a lot, wonder if we could just get it to run like once a month with all deps in a single PR.

@pazone ^ would that be possible?

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fix-prometheus-import upstream/fix-prometheus-import
git merge upstream/main
git push upstream fix-prometheus-import

[blakerouse]

@elastic/obs-cloudnative-monitoring Could I get a review on this PR?

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fix-prometheus-import upstream/fix-prometheus-import
git merge upstream/main
git push upstream fix-prometheus-import