Compilation results for ms-fe2009.codfw.wmnet: System changes detected

Catalog differences

Summary

Resources only in the new catalog

• File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]
• Envoyproxy::Conf[cluster_ratelimit]
• Envoyproxy::Cluster[cluster_ratelimit]

Resources modified

• File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]

  Content differences:

  --- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig
  +++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml
  @@ -41,7 +41,40 @@
                 retry_policy:
                   num_retries: 1
                   retry_on: "5xx"
  +              typed_per_filter_config:
  +                envoy.filters.http.ratelimit.resp:
  +                  "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute
  +                  rate_limits:
  +                    - hits_addend:
  +                        format: "%BYTES_SENT%"
  +                      apply_on_stream_done: true
  +                      # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.
  +                      actions:
  +                        # Provide the user's identity (x-client-ip is set at the edge) as the counter key
  +                        - request_headers:
  +                            descriptor_key: user_id
  +                            header_name: x-client-ip
  +                        # Hardcode the policy and user class for now
  +                        - generic_key:
  +                            descriptor_key: policy
  +                            descriptor_value: thumbnails
  +                        - generic_key:
  +                            descriptor_key: user_class
  +                            descriptor_value: anon
         http_filters:
  +      - name: envoy.filters.http.ratelimit.resp
  +        typed_config:
  +          "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
  +          domain: upload
  +          request_type: both
  +          stage: 0
  +          failure_type_deny: false # return 200 if rate limit service is unavailable
  +          enable_x_ratelimit_headers: DRAFT_VERSION_03
  +          rate_limit_service:
  +            transport_api_version: V3
  +            grpc_service:
  +              envoy_grpc:
  +                cluster_name: cluster_ratelimit
         - name: envoy.filters.http.router
           typed_config:
             "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

• File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]

  Parameters differences:

  --- File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml].orig
  +++ File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]
  
  +    ensure => present
  +    notify => Exec[verify-envoy-config]
  +    group  => root
  +    mode   => 0444
  +    owner  => root
  

  Content differences:

  --- /etc/envoy/clusters.d/01-cluster_ratelimit.yaml.orig
  +++ /etc/envoy/clusters.d/01-cluster_ratelimit.yaml
  @@ -0,0 +1,18 @@
  +name: ratelimit
  +type: static
  +connect_timeout: 0.25s
  +lb_policy: ROUND_ROBIN
  +typed_extension_protocol_options:
  +  envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
  +    "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
  +    explicit_http_config:
  +      http2_protocol_options: {}
  +load_assignment:
  +  cluster_name: ratelimit
  +  endpoints:
  +  - lb_endpoints:
  +    - endpoint:
  +        address:
  +          socket_address:
  +            address: ratelimit-media.svc.codfw.wmnet
  +            port_value: 8081

• Envoyproxy::Tls_terminator[443]

  Parameters differences:

  --- Envoyproxy::Tls_terminator[443].orig
  +++ Envoyproxy::Tls_terminator[443]
  
  -    stek_files              => []
  -    generate_request_id     => True
  -    global_certs            => [{'cert_path': '/etc/envoy/ssl/discovery2026__swift_discovery_wmnet_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery2026__swift_discovery_wmnet_server-key.pem'}]
  -    circuit_breakers_config => defaults
  +    global_key_path         => /etc/envoy/ssl/discovery2026__swift_discovery_wmnet_server-key.pem
  +    rate_limit_config       => {'address': 'ratelimit-media.svc.codfw.wmnet', 'port': 8081, 'domain': 'upload'}
  +    global_cert_path        => /etc/envoy/ssl/discovery2026__swift_discovery_wmnet_server.chained.pem
  +    rate_limit_enabled      => True
  @@
  -    upstreams               => [{'server_names': ['*'], 'certificates': None, 'upstream': {'port': 80, 'addr': '10.192.0.139'}}]
  +    upstreams               => [{'server_names': ['*'], 'cert_path': None, 'key_path': None, 'upstream_port': 80, 'upstream_addr': '10.192.0.139'}]
  

• Envoyproxy::Cluster[cluster_ratelimit]

  Parameters differences:

  --- Envoyproxy::Cluster[cluster_ratelimit].orig
  +++ Envoyproxy::Cluster[cluster_ratelimit]
  
  +    priority => 1
  

• Envoyproxy::Listener[tls_terminator_443]

• Envoyproxy::Conf[cluster_ratelimit]

  Parameters differences:

  --- Envoyproxy::Conf[cluster_ratelimit].orig
  +++ Envoyproxy::Conf[cluster_ratelimit]
  
  +    conf_type => cluster
  +    priority  => 1
  

• Class[Profile::Tlsproxy::Envoy]

  Parameters differences:

  --- Class[Profile::Tlsproxy::Envoy].orig
  +++ Class[Profile::Tlsproxy::Envoy]
  
  +    rate_limit_config  => {'address': 'ratelimit-media.svc.codfw.wmnet', 'port': 8081, 'domain': 'upload'}
  +    rate_limit_enabled => True
  

• Envoyproxy::Conf[tls_terminator_443]

Relevant files

• Production catalog
• Change catalog
• Production errors/warnings
• Change errors/warnings
• Core Diff
• Standard Diff