The metricsinfra config includes this bit:
profile::wmcs::metricsinfra::alertmanager::project_proxy::trusted_hosts:
  paws:
    - paws-prometheus-1.paws.eqiad1.wikimedia.cloud
    - paws-prometheus-2.paws.eqiad1.wikimedia.cloud
That value is used to 'Configure an Apache vhost that lets other trusted projects submit requests to the alertmanager api.'
Those hosts no longer exist, which means that a) puppet is broken and b) the new k8s-hosted prometheus is probably no longer trusted.
Fixing puppet is easy, I can just remove that config section. This task is about figuring out what we've lost, and if there's a way to get it back without necessarily knowing the IPs of the new prometheus nodes.