--- Envoyproxy::Tls_terminator[443].orig
+++ Envoyproxy::Tls_terminator[443]
+ rate_limit_enabled => True
+ rate_limit_config => {'address': 'ratelimit-media.svc.codfw.wmnet', 'port': 30443, 'domain': 'upload'}
Class[Profile::Tlsproxy::Envoy]
- Parameters differences:
--- Class[Profile::Tlsproxy::Envoy].orig
+++ Class[Profile::Tlsproxy::Envoy]
+ rate_limit_enabled => True
+ rate_limit_config => {'address': 'ratelimit-media.svc.codfw.wmnet', 'port': 30443, 'domain': 'upload'}
- Envoyproxy::Listener[tls_terminator_443]
- File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]
- Content differences:
--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig
+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml
@@ -41,7 +41,40 @@
retry_policy:
num_retries: 1
retry_on: "5xx"
+ typed_per_filter_config:
+ envoy.filters.http.ratelimit.resp:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute
+ rate_limits:
+ - hits_addend:
+ format: "%BYTES_SENT%"
+ apply_on_stream_done: true
+ # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.
+ actions:
+ # Provide the user's identity (x-client-ip is set at the edge) as the counter key
+ - request_headers:
+ descriptor_key: user_id
+ header_name: x-client-ip
+ # Hardcode the policy and user class for now
+ - generic_key:
+ descriptor_key: policy
+ descriptor_value: thumbnails
+ - generic_key:
+ descriptor_key: user_class
+ descriptor_value: anon
http_filters:
+ - name: envoy.filters.http.ratelimit.resp
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
+ domain: upload
+ request_type: both
+ stage: 0
+ failure_type_deny: false # return 200 if rate limit service is unavailable
+ enable_x_ratelimit_headers: DRAFT_VERSION_03
+ rate_limit_service:
+ transport_api_version: V3
+ grpc_service:
+ envoy_grpc:
+ cluster_name: cluster_ratelimit
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
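Review bot: In the added `envoy.filters.http.ratelimit.resp` filter, `failure_type_deny` does not match the field name I know from Envoy's v3 RateLimit filter, `failure_mode_deny`; if it is a typo, the listener may be rejected on load or the setting may not take effect, so please check it against the deployed Envoy version. Its trailing comment is also inaccurate, because with deny disabled the filter fails open and forwards the request unthrottled rather than returning 200; I would write `failure_mode_deny: false  # fail open: requests pass unthrottled if the rate limit service is unreachable` and alert on the filter's `failure_mode_allowed` counter so an outage of `cluster_ratelimit` is visible. The NOTE above `actions` also means a request that reaches this listener without `x-client-ip` is never counted, so it is worth confirming that the edge always sets and overwrites that header rather than passing a client-supplied value through. The definition of `cluster_ratelimit` is outside this hunk, so its transport settings cannot be reviewed here.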
- Envoyproxy::Conf[tls_terminator_443]
Relevant files