{"host": "ms-fe2009.codfw.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 3370, "only_in_self": [], "only_in_other": ["Envoyproxy::Cluster[cluster_ratelimit]", "Envoyproxy::Conf[cluster_ratelimit]", "File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]"], "resource_diffs": [{"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -41,7 +41,40 @@\n retry_policy:\n num_retries: 1\n retry_on: \"5xx\"\n+ typed_per_filter_config:\n+ envoy.filters.http.ratelimit.resp:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute\n+ rate_limits:\n+ - hits_addend:\n+ format: \"%BYTES_SENT%\"\n+ apply_on_stream_done: true\n+ # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.\n+ actions:\n+ # Provide the user's identity (x-client-ip is set at the edge) as the counter key\n+ - request_headers:\n+ descriptor_key: user_id\n+ header_name: x-client-ip\n+ # Hardcode the policy and user class for now\n+ - generic_key:\n+ descriptor_key: policy\n+ descriptor_value: thumbnails\n+ - generic_key:\n+ descriptor_key: user_class\n+ descriptor_value: anon\n http_filters:\n+ - name: envoy.filters.http.ratelimit.resp\n+ typed_config:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit\n+ domain: upload\n+ request_type: both\n+ stage: 0\n+ failure_type_deny: false # return 200 if rate limit service is unavailable\n+ enable_x_ratelimit_headers: DRAFT_VERSION_03\n+ rate_limit_service:\n+ transport_api_version: V3\n+ grpc_service:\n+ envoy_grpc:\n+ cluster_name: cluster_ratelimit\n - name: envoy.filters.http.router\n typed_config:\n \"@type\": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}, {"resource": "File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]", "content": "--- /etc/envoy/clusters.d/01-cluster_ratelimit.yaml.orig\n+++ /etc/envoy/clusters.d/01-cluster_ratelimit.yaml\n@@ -0,0 +1,18 @@\n+name: ratelimit\n+type: static\n+connect_timeout: 0.25s\n+lb_policy: ROUND_ROBIN\n+typed_extension_protocol_options:\n+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:\n+ \"@type\": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\n+ explicit_http_config:\n+ http2_protocol_options: {}\n+load_assignment:\n+ cluster_name: ratelimit\n+ endpoints:\n+ - lb_endpoints:\n+ - endpoint:\n+ address:\n+ socket_address:\n+ address: ratelimit-media.svc.codfw.wmnet\n+ port_value: 8081", "parameters": "--- File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml].orig\n+++ File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]\n\n+ ensure => present\n+ notify => Exec[verify-envoy-config]\n+ group => root\n+ mode => 0444\n+ owner => root\n"}, {"resource": "Envoyproxy::Tls_terminator[443]", "parameters": "--- Envoyproxy::Tls_terminator[443].orig\n+++ Envoyproxy::Tls_terminator[443]\n\n- stek_files => []\n- generate_request_id => True\n- global_certs => [{'cert_path': '/etc/envoy/ssl/discovery2026__swift_discovery_wmnet_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery2026__swift_discovery_wmnet_server-key.pem'}]\n- circuit_breakers_config => defaults\n+ global_key_path => /etc/envoy/ssl/discovery2026__swift_discovery_wmnet_server-key.pem\n+ rate_limit_config => {'address': 'ratelimit-media.svc.codfw.wmnet', 'port': 8081, 'domain': 'upload'}\n+ global_cert_path => /etc/envoy/ssl/discovery2026__swift_discovery_wmnet_server.chained.pem\n+ rate_limit_enabled => True\n@@\n- upstreams => [{'server_names': ['*'], 'certificates': None, 'upstream': {'port': 80, 'addr': '10.192.0.139'}}]\n+ upstreams => [{'server_names': ['*'], 'cert_path': None, 'key_path': None, 'upstream_port': 80, 'upstream_addr': '10.192.0.139'}]\n"}, {"resource": "Envoyproxy::Cluster[cluster_ratelimit]", "parameters": "--- Envoyproxy::Cluster[cluster_ratelimit].orig\n+++ Envoyproxy::Cluster[cluster_ratelimit]\n\n+ priority => 1\n"}, {"resource": "Envoyproxy::Listener[tls_terminator_443]"}, {"resource": "Envoyproxy::Conf[cluster_ratelimit]", "parameters": "--- Envoyproxy::Conf[cluster_ratelimit].orig\n+++ Envoyproxy::Conf[cluster_ratelimit]\n\n+ conf_type => cluster\n+ priority => 1\n"}, {"resource": "Class[Profile::Tlsproxy::Envoy]", "parameters": "--- Class[Profile::Tlsproxy::Envoy].orig\n+++ Class[Profile::Tlsproxy::Envoy]\n\n+ rate_limit_config => {'address': 'ratelimit-media.svc.codfw.wmnet', 'port': 8081, 'domain': 'upload'}\n+ rate_limit_enabled => True\n"}, {"resource": "Envoyproxy::Conf[tls_terminator_443]"}], "perc_changed": "0.33%"}, "core": {"total": 3370, "only_in_self": [], "only_in_other": ["File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]"], "resource_diffs": [{"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -41,7 +41,40 @@\n retry_policy:\n num_retries: 1\n retry_on: \"5xx\"\n+ typed_per_filter_config:\n+ envoy.filters.http.ratelimit.resp:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute\n+ rate_limits:\n+ - hits_addend:\n+ format: \"%BYTES_SENT%\"\n+ apply_on_stream_done: true\n+ # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.\n+ actions:\n+ # Provide the user's identity (x-client-ip is set at the edge) as the counter key\n+ - request_headers:\n+ descriptor_key: user_id\n+ header_name: x-client-ip\n+ # Hardcode the policy and user class for now\n+ - generic_key:\n+ descriptor_key: policy\n+ descriptor_value: thumbnails\n+ - generic_key:\n+ descriptor_key: user_class\n+ descriptor_value: anon\n http_filters:\n+ - name: envoy.filters.http.ratelimit.resp\n+ typed_config:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit\n+ domain: upload\n+ request_type: both\n+ stage: 0\n+ failure_type_deny: false # return 200 if rate limit service is unavailable\n+ enable_x_ratelimit_headers: DRAFT_VERSION_03\n+ rate_limit_service:\n+ transport_api_version: V3\n+ grpc_service:\n+ envoy_grpc:\n+ cluster_name: cluster_ratelimit\n - name: envoy.filters.http.router\n typed_config:\n \"@type\": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}], "perc_changed": "0.06%"}, "main": {"total": 3370, "only_in_self": [], "only_in_other": ["Envoyproxy::Cluster[cluster_ratelimit]", "Envoyproxy::Conf[cluster_ratelimit]", "File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]"], "resource_diffs": [{"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -41,7 +41,40 @@\n retry_policy:\n num_retries: 1\n retry_on: \"5xx\"\n+ typed_per_filter_config:\n+ envoy.filters.http.ratelimit.resp:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute\n+ rate_limits:\n+ - hits_addend:\n+ format: \"%BYTES_SENT%\"\n+ apply_on_stream_done: true\n+ # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.\n+ actions:\n+ # Provide the user's identity (x-client-ip is set at the edge) as the counter key\n+ - request_headers:\n+ descriptor_key: user_id\n+ header_name: x-client-ip\n+ # Hardcode the policy and user class for now\n+ - generic_key:\n+ descriptor_key: policy\n+ descriptor_value: thumbnails\n+ - generic_key:\n+ descriptor_key: user_class\n+ descriptor_value: anon\n http_filters:\n+ - name: envoy.filters.http.ratelimit.resp\n+ typed_config:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit\n+ domain: upload\n+ request_type: both\n+ stage: 0\n+ failure_type_deny: false # return 200 if rate limit service is unavailable\n+ enable_x_ratelimit_headers: DRAFT_VERSION_03\n+ rate_limit_service:\n+ transport_api_version: V3\n+ grpc_service:\n+ envoy_grpc:\n+ cluster_name: cluster_ratelimit\n - name: envoy.filters.http.router\n typed_config:\n \"@type\": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}, {"resource": "Class[Profile::Tlsproxy::Envoy]", "parameters": "--- Class[Profile::Tlsproxy::Envoy].orig\n+++ Class[Profile::Tlsproxy::Envoy]\n\n+ rate_limit_config => {'address': 'ratelimit-media.svc.codfw.wmnet', 'port': 8081, 'domain': 'upload'}\n+ rate_limit_enabled => True\n"}, {"resource": "Envoyproxy::Tls_terminator[443]", "parameters": "--- Envoyproxy::Tls_terminator[443].orig\n+++ Envoyproxy::Tls_terminator[443]\n\n- stek_files => []\n- generate_request_id => True\n- global_certs => [{'cert_path': '/etc/envoy/ssl/discovery2026__swift_discovery_wmnet_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery2026__swift_discovery_wmnet_server-key.pem'}]\n- circuit_breakers_config => defaults\n+ global_key_path => /etc/envoy/ssl/discovery2026__swift_discovery_wmnet_server-key.pem\n+ rate_limit_config => {'address': 'ratelimit-media.svc.codfw.wmnet', 'port': 8081, 'domain': 'upload'}\n+ global_cert_path => /etc/envoy/ssl/discovery2026__swift_discovery_wmnet_server.chained.pem\n+ rate_limit_enabled => True\n@@\n- upstreams => [{'server_names': ['*'], 'certificates': None, 'upstream': {'port': 80, 'addr': '10.192.0.139'}}]\n+ upstreams => [{'server_names': ['*'], 'cert_path': None, 'key_path': None, 'upstream_port': 80, 'upstream_addr': '10.192.0.139'}]\n"}, {"resource": "Envoyproxy::Conf[tls_terminator_443]"}, {"resource": "Envoyproxy::Listener[tls_terminator_443]"}], "perc_changed": "0.24%"}}}