{"host": "zuul1001.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 2970, "only_in_self": ["Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zuul.chain.pem]", "File[/etc/zookeeper/zuul-tls/zuul__zuul-key.pem]", "File[/etc/zookeeper/zuul-tls/zuul__zuul.chain.pem]", "File[/etc/zookeeper/zuul-tls/zuul__zuul.chained.pem]", "File[/etc/zookeeper/zuul-tls/zuul__zuul.csr]", "File[/etc/zookeeper/zuul-tls/zuul__zuul.pem]"], "only_in_other": ["Class[Profile::Zuul::Tls]", "Exec[create chained cert /etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul-key.pem]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chained.pem]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.csr]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem]", "File[/etc/cfssl/ssl/zuul__zuul]"], "resource_diffs": [{"resource": "Exec[Generate cert zuul__zuul refresh]", "parameters": "--- Exec[Generate cert zuul__zuul refresh].orig\n+++ Exec[Generate cert zuul__zuul refresh]\n\n@@\n-    command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/csr/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/zookeeper/zuul-tls/zuul__zuul\n\n+    command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/csr/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul__zuul/zuul__zuul\n\n"}, {"resource": "File[/etc/cfssl/ssl/zuul__zuul]", "parameters": "--- File[/etc/cfssl/ssl/zuul__zuul].orig\n+++ File[/etc/cfssl/ssl/zuul__zuul]\n\n+    mode    => 0740\n+    ensure  => directory\n+    owner   => zuul\n+    recurse => True\n+    group   => root\n"}, {"resource": "Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zuul.chain.pem]", "parameters": "--- Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zuul.chain.pem].orig\n+++ Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zuul.chain.pem]\n\n-    command   => /bin/cat /etc/zookeeper/zuul-tls/zuul__zuul.pem /etc/zookeeper/zuul-tls/zuul__zuul.chain.pem > /etc/zookeeper/zuul-tls/zuul__zuul.chained.pem\n-    subscribe => ['Exec[renew certificate - zuul__zuul]', 'File[/etc/zookeeper/zuul-tls/zuul__zuul.chain.pem]', 'File[/etc/zookeeper/zuul-tls/zuul__zuul.pem]']\n-    unless    => /usr/bin/test \"$(/bin/cat /etc/zookeeper/zuul-tls/zuul__zuul.pem /etc/zookeeper/zuul-tls/zuul__zuul.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/zookeeper/zuul-tls/zuul__zuul.chained.pem | sha512sum)\"\n\n"}, {"resource": "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem]", "parameters": "--- File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem].orig\n+++ File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem]\n\n+    mode   => 0440\n+    source => puppet:///modules/profile/pki/intermediates/zuul-cert.pem\n+    ensure => file\n+    owner  => zuul\n+    group  => root\n"}, {"resource": "Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zookeeper.chain.pem]", "parameters": "--- Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zookeeper.chain.pem].orig\n+++ Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zookeeper.chain.pem]\n\n-    notify => ['Service[zookeeper]']\n"}, {"resource": "Cfssl::Cert[zuul__zookeeper]", "parameters": "--- Cfssl::Cert[zuul__zookeeper].orig\n+++ Cfssl::Cert[zuul__zookeeper]\n\n@@\n-    notify_services => ['zookeeper']\n+    notify_services => []\n"}, {"resource": "File[/etc/zookeeper/zuul-tls/zuul__zuul-key.pem]", "parameters": "--- File[/etc/zookeeper/zuul-tls/zuul__zuul-key.pem].orig\n+++ File[/etc/zookeeper/zuul-tls/zuul__zuul-key.pem]\n\n-    mode      => 0440\n-    show_diff => False\n-    ensure    => file\n-    owner     => zuul\n-    backup    => False\n-    group     => root\n"}, {"resource": "Exec[renew certificate - zuul__zuul]", "parameters": "--- Exec[renew certificate - zuul__zuul].orig\n+++ Exec[renew certificate - zuul__zuul]\n\n@@\n-    command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/zookeeper/zuul-tls/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/zookeeper/zuul-tls/zuul__zuul\n\n+    command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/ssl/zuul__zuul/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul__zuul/zuul__zuul\n\n@@\n-    unless  => /usr/bin/openssl x509 -in /etc/zookeeper/zuul-tls/zuul__zuul.pem -checkend 952200\n+    unless  => /usr/bin/openssl x509 -in /etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem -checkend 952200\n"}, {"resource": "File[/etc/zookeeper/zuul-tls/zuul__zuul.chained.pem]", "parameters": "--- File[/etc/zookeeper/zuul-tls/zuul__zuul.chained.pem].orig\n+++ File[/etc/zookeeper/zuul-tls/zuul__zuul.chained.pem]\n\n-    require => Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zuul.chain.pem]\n-    ensure  => file\n-    group   => root\n-    owner   => zuul\n"}, {"resource": "File[/etc/zuul/zuul.conf]", "content": "--- /etc/zuul/zuul.conf.orig\n+++ /etc/zuul/zuul.conf\n@@ -2,12 +2,12 @@\n # vim: set ft=dosini:\n [zookeeper]\n hosts=10.64.32.104:2281\n-tls_cert=/etc/zookeeper/zuul-tls/zuul__zuul.pem\n-tls_key=/etc/zookeeper/zuul-tls/zuul__zuul-key.pem\n-tls_ca=/etc/zookeeper/zuul-tls/zuul_full_chain.pem\n+tls_cert=/etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem\n+tls_key=/etc/cfssl/ssl/zuul__zuul/zuul__zuul-key.pem\n+tls_ca=\n \n [keystore]\n-password=snakeoil\n+password=\n \n [scheduler]\n tenant_config=/etc/zuul/main.yaml"}, {"resource": "Exec[Generate cert zuul__zuul]", "parameters": "--- Exec[Generate cert zuul__zuul].orig\n+++ Exec[Generate cert zuul__zuul]\n\n@@\n-    command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/csr/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/zookeeper/zuul-tls/zuul__zuul\n\n+    command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/csr/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul__zuul/zuul__zuul\n\n@@\n-    unless  => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/zookeeper/zuul-tls/zuul__zuul.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/zookeeper/zuul-tls/zuul__zuul-key.pem 2>&1)\"\n\n+    unless  => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/zuul__zuul/zuul__zuul-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/zookeeper/zuul-tls]", "parameters": "--- File[/etc/zookeeper/zuul-tls].orig\n+++ File[/etc/zookeeper/zuul-tls]\n\n@@\n-    require => ['Package[zookeeper]', 'User[zuul]']\n+    require => ['User[zuul]']\n"}, {"resource": "Exec[Generate cert zuul__zookeeper]", "parameters": "--- Exec[Generate cert zuul__zookeeper].orig\n+++ Exec[Generate cert zuul__zookeeper]\n\n-    notify => ['Service[zookeeper]']\n"}, {"resource": "Exec[create chained cert /etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem]", "parameters": "--- Exec[create chained cert /etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem].orig\n+++ Exec[create chained cert /etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem]\n\n+    command   => /bin/cat /etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem /etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem > /etc/cfssl/ssl/zuul__zuul/zuul__zuul.chained.pem\n+    subscribe => ['Exec[renew certificate - zuul__zuul]', 'File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem]', 'File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem]']\n+    unless    => /usr/bin/test \"$(/bin/cat /etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem /etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/cfssl/ssl/zuul__zuul/zuul__zuul.chained.pem | sha512sum)\"\n\n"}, {"resource": "Cfssl::Cert[zuul__zuul]", "parameters": "--- Cfssl::Cert[zuul__zuul].orig\n+++ Cfssl::Cert[zuul__zuul]\n\n-    outdir => /etc/zookeeper/zuul-tls\n"}, {"resource": "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem]", "parameters": "--- File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem].orig\n+++ File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem]\n\n+    mode   => 0440\n+    ensure => file\n+    group  => root\n+    owner  => zuul\n"}, {"resource": "Class[Profile::Zuul::Base]", "parameters": "--- Class[Profile::Zuul::Base].orig\n+++ Class[Profile::Zuul::Base]\n\n-    tls_config_dir          => /etc/zookeeper/zuul-tls\n-    zookeeper_tls_fullchain => /etc/zookeeper/zuul-tls/zuul_full_chain.pem\n-    tls_password            => snakeoil\n"}, {"resource": "File[/etc/zookeeper/zuul-tls/zuul__zuul.chain.pem]", "parameters": "--- File[/etc/zookeeper/zuul-tls/zuul__zuul.chain.pem].orig\n+++ File[/etc/zookeeper/zuul-tls/zuul__zuul.chain.pem]\n\n-    mode   => 0440\n-    source => puppet:///modules/profile/pki/intermediates/zuul-cert.pem\n-    ensure => file\n-    owner  => zuul\n-    group  => root\n"}, {"resource": "Exec[Generate cert zuul__zookeeper refresh]", "parameters": "--- Exec[Generate cert zuul__zookeeper refresh].orig\n+++ Exec[Generate cert zuul__zookeeper refresh]\n\n-    notify => ['Service[zookeeper]']\n"}, {"resource": "File[/etc/zookeeper/zuul-tls/zuul__zuul.pem]", "parameters": "--- File[/etc/zookeeper/zuul-tls/zuul__zuul.pem].orig\n+++ File[/etc/zookeeper/zuul-tls/zuul__zuul.pem]\n\n-    mode   => 0440\n-    ensure => file\n-    group  => root\n-    owner  => zuul\n"}, {"resource": "Class[Profile::Zuul::Tls]", "parameters": "--- Class[Profile::Zuul::Tls].orig\n+++ Class[Profile::Zuul::Tls]\n\n+    tls_config_dir => /etc/zookeeper/zuul-tls\n+    tls_password   => snakeoil\n"}, {"resource": "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.csr]", "parameters": "--- File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.csr].orig\n+++ File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.csr]\n\n+    mode   => 0440\n+    ensure => file\n+    group  => root\n+    owner  => zuul\n"}, {"resource": "Exec[renew certificate - zuul__zookeeper]", "parameters": "--- Exec[renew certificate - zuul__zookeeper].orig\n+++ Exec[renew certificate - zuul__zookeeper]\n\n-    notify => ['Service[zookeeper]']\n"}, {"resource": "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chained.pem]", "parameters": "--- File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chained.pem].orig\n+++ File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chained.pem]\n\n+    require => Exec[create chained cert /etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem]\n+    ensure  => file\n+    group   => root\n+    owner   => zuul\n"}, {"resource": "File[/etc/zookeeper/zuul-tls/zuul__zuul.csr]", "parameters": "--- File[/etc/zookeeper/zuul-tls/zuul__zuul.csr].orig\n+++ File[/etc/zookeeper/zuul-tls/zuul__zuul.csr]\n\n-    mode   => 0440\n-    ensure => file\n-    group  => root\n-    owner  => zuul\n"}, {"resource": "Class[Profile::Zuul::Main]", "parameters": "--- Class[Profile::Zuul::Main].orig\n+++ Class[Profile::Zuul::Main]\n\n-    tls_config_dir => /etc/zookeeper/zuul-tls\n-    tls_password   => snakeoil\n"}, {"resource": "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul-key.pem].orig\n+++ File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul-key.pem]\n\n+    mode      => 0440\n+    show_diff => False\n+    ensure    => file\n+    owner     => zuul\n+    backup    => False\n+    group     => root\n"}], "perc_changed": "1.38%"}, "core": {"total": 2970, "only_in_self": ["Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zuul.chain.pem]", "File[/etc/zookeeper/zuul-tls/zuul__zuul-key.pem]", "File[/etc/zookeeper/zuul-tls/zuul__zuul.chain.pem]", "File[/etc/zookeeper/zuul-tls/zuul__zuul.chained.pem]", "File[/etc/zookeeper/zuul-tls/zuul__zuul.csr]", "File[/etc/zookeeper/zuul-tls/zuul__zuul.pem]"], "only_in_other": ["Exec[create chained cert /etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul-key.pem]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chained.pem]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.csr]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem]", "File[/etc/cfssl/ssl/zuul__zuul]"], "resource_diffs": [{"resource": "Exec[Generate cert zuul__zuul refresh]", "parameters": "--- Exec[Generate cert zuul__zuul refresh].orig\n+++ Exec[Generate cert zuul__zuul refresh]\n\n@@\n-    command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/csr/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/zookeeper/zuul-tls/zuul__zuul\n\n+    command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/csr/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul__zuul/zuul__zuul\n\n"}, {"resource": "Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zookeeper.chain.pem]", "parameters": "--- Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zookeeper.chain.pem].orig\n+++ Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zookeeper.chain.pem]\n\n-    notify => ['Service[zookeeper]']\n"}, {"resource": "Exec[Generate cert zuul__zookeeper refresh]", "parameters": "--- Exec[Generate cert zuul__zookeeper refresh].orig\n+++ Exec[Generate cert zuul__zookeeper refresh]\n\n-    notify => ['Service[zookeeper]']\n"}, {"resource": "Exec[renew certificate - zuul__zookeeper]", "parameters": "--- Exec[renew certificate - zuul__zookeeper].orig\n+++ Exec[renew certificate - zuul__zookeeper]\n\n-    notify => ['Service[zookeeper]']\n"}, {"resource": "Exec[renew certificate - zuul__zuul]", "parameters": "--- Exec[renew certificate - zuul__zuul].orig\n+++ Exec[renew certificate - zuul__zuul]\n\n@@\n-    command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/zookeeper/zuul-tls/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/zookeeper/zuul-tls/zuul__zuul\n\n+    command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/ssl/zuul__zuul/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul__zuul/zuul__zuul\n\n@@\n-    unless  => /usr/bin/openssl x509 -in /etc/zookeeper/zuul-tls/zuul__zuul.pem -checkend 952200\n+    unless  => /usr/bin/openssl x509 -in /etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem -checkend 952200\n"}, {"resource": "File[/etc/zuul/zuul.conf]", "content": "--- /etc/zuul/zuul.conf.orig\n+++ /etc/zuul/zuul.conf\n@@ -2,12 +2,12 @@\n # vim: set ft=dosini:\n [zookeeper]\n hosts=10.64.32.104:2281\n-tls_cert=/etc/zookeeper/zuul-tls/zuul__zuul.pem\n-tls_key=/etc/zookeeper/zuul-tls/zuul__zuul-key.pem\n-tls_ca=/etc/zookeeper/zuul-tls/zuul_full_chain.pem\n+tls_cert=/etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem\n+tls_key=/etc/cfssl/ssl/zuul__zuul/zuul__zuul-key.pem\n+tls_ca=\n \n [keystore]\n-password=snakeoil\n+password=\n \n [scheduler]\n tenant_config=/etc/zuul/main.yaml"}, {"resource": "Exec[Generate cert zuul__zuul]", "parameters": "--- Exec[Generate cert zuul__zuul].orig\n+++ Exec[Generate cert zuul__zuul]\n\n@@\n-    command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/csr/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/zookeeper/zuul-tls/zuul__zuul\n\n+    command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/csr/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul__zuul/zuul__zuul\n\n@@\n-    unless  => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/zookeeper/zuul-tls/zuul__zuul.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/zookeeper/zuul-tls/zuul__zuul-key.pem 2>&1)\"\n\n+    unless  => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/zuul__zuul/zuul__zuul-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/zookeeper/zuul-tls]", "parameters": "--- File[/etc/zookeeper/zuul-tls].orig\n+++ File[/etc/zookeeper/zuul-tls]\n\n@@\n-    require => ['Package[zookeeper]', 'User[zuul]']\n+    require => ['User[zuul]']\n"}, {"resource": "Exec[Generate cert zuul__zookeeper]", "parameters": "--- Exec[Generate cert zuul__zookeeper].orig\n+++ Exec[Generate cert zuul__zookeeper]\n\n-    notify => ['Service[zookeeper]']\n"}], "perc_changed": "0.74%"}, "main": {"total": 2970, "only_in_self": ["Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zuul.chain.pem]", "File[/etc/zookeeper/zuul-tls/zuul__zuul-key.pem]", "File[/etc/zookeeper/zuul-tls/zuul__zuul.chain.pem]", "File[/etc/zookeeper/zuul-tls/zuul__zuul.chained.pem]", "File[/etc/zookeeper/zuul-tls/zuul__zuul.csr]", "File[/etc/zookeeper/zuul-tls/zuul__zuul.pem]"], "only_in_other": ["Class[Profile::Zuul::Tls]", "Exec[create chained cert /etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul-key.pem]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chain.pem]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.chained.pem]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.csr]", "File[/etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem]", "File[/etc/cfssl/ssl/zuul__zuul]"], "resource_diffs": [{"resource": "Exec[Generate cert zuul__zuul refresh]", "parameters": "--- Exec[Generate cert zuul__zuul refresh].orig\n+++ Exec[Generate cert zuul__zuul refresh]\n\n@@\n-    command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/csr/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/zookeeper/zuul-tls/zuul__zuul\n\n+    command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/csr/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul__zuul/zuul__zuul\n\n"}, {"resource": "Cfssl::Cert[zuul__zuul]", "parameters": "--- Cfssl::Cert[zuul__zuul].orig\n+++ Cfssl::Cert[zuul__zuul]\n\n-    outdir => /etc/zookeeper/zuul-tls\n"}, {"resource": "Class[Profile::Zuul::Base]", "parameters": "--- Class[Profile::Zuul::Base].orig\n+++ Class[Profile::Zuul::Base]\n\n-    tls_config_dir          => /etc/zookeeper/zuul-tls\n-    zookeeper_tls_fullchain => /etc/zookeeper/zuul-tls/zuul_full_chain.pem\n-    tls_password            => snakeoil\n"}, {"resource": "Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zookeeper.chain.pem]", "parameters": "--- Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zookeeper.chain.pem].orig\n+++ Exec[create chained cert /etc/zookeeper/zuul-tls/zuul__zookeeper.chain.pem]\n\n-    notify => ['Service[zookeeper]']\n"}, {"resource": "Cfssl::Cert[zuul__zookeeper]", "parameters": "--- Cfssl::Cert[zuul__zookeeper].orig\n+++ Cfssl::Cert[zuul__zookeeper]\n\n@@\n-    notify_services => ['zookeeper']\n+    notify_services => []\n"}, {"resource": "Exec[Generate cert zuul__zookeeper refresh]", "parameters": "--- Exec[Generate cert zuul__zookeeper refresh].orig\n+++ Exec[Generate cert zuul__zookeeper refresh]\n\n-    notify => ['Service[zookeeper]']\n"}, {"resource": "Exec[renew certificate - zuul__zookeeper]", "parameters": "--- Exec[renew certificate - zuul__zookeeper].orig\n+++ Exec[renew certificate - zuul__zookeeper]\n\n-    notify => ['Service[zookeeper]']\n"}, {"resource": "Exec[renew certificate - zuul__zuul]", "parameters": "--- Exec[renew certificate - zuul__zuul].orig\n+++ Exec[renew certificate - zuul__zuul]\n\n@@\n-    command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/zookeeper/zuul-tls/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/zookeeper/zuul-tls/zuul__zuul\n\n+    command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/ssl/zuul__zuul/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul__zuul/zuul__zuul\n\n@@\n-    unless  => /usr/bin/openssl x509 -in /etc/zookeeper/zuul-tls/zuul__zuul.pem -checkend 952200\n+    unless  => /usr/bin/openssl x509 -in /etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem -checkend 952200\n"}, {"resource": "File[/etc/zuul/zuul.conf]", "content": "--- /etc/zuul/zuul.conf.orig\n+++ /etc/zuul/zuul.conf\n@@ -2,12 +2,12 @@\n # vim: set ft=dosini:\n [zookeeper]\n hosts=10.64.32.104:2281\n-tls_cert=/etc/zookeeper/zuul-tls/zuul__zuul.pem\n-tls_key=/etc/zookeeper/zuul-tls/zuul__zuul-key.pem\n-tls_ca=/etc/zookeeper/zuul-tls/zuul_full_chain.pem\n+tls_cert=/etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem\n+tls_key=/etc/cfssl/ssl/zuul__zuul/zuul__zuul-key.pem\n+tls_ca=\n \n [keystore]\n-password=snakeoil\n+password=\n \n [scheduler]\n tenant_config=/etc/zuul/main.yaml"}, {"resource": "Exec[Generate cert zuul__zuul]", "parameters": "--- Exec[Generate cert zuul__zuul].orig\n+++ Exec[Generate cert zuul__zuul]\n\n@@\n-    command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/csr/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/zookeeper/zuul-tls/zuul__zuul\n\n+    command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/zuul1001.eqiad.wmnet.pem -label zuul  /etc/cfssl/csr/zuul__zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul__zuul/zuul__zuul\n\n@@\n-    unless  => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/zookeeper/zuul-tls/zuul__zuul.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/zookeeper/zuul-tls/zuul__zuul-key.pem 2>&1)\"\n\n+    unless  => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/zuul__zuul/zuul__zuul.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/zuul__zuul/zuul__zuul-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/zookeeper/zuul-tls]", "parameters": "--- File[/etc/zookeeper/zuul-tls].orig\n+++ File[/etc/zookeeper/zuul-tls]\n\n@@\n-    require => ['Package[zookeeper]', 'User[zuul]']\n+    require => ['User[zuul]']\n"}, {"resource": "Exec[Generate cert zuul__zookeeper]", "parameters": "--- Exec[Generate cert zuul__zookeeper].orig\n+++ Exec[Generate cert zuul__zookeeper]\n\n-    notify => ['Service[zookeeper]']\n"}, {"resource": "Class[Profile::Zuul::Main]", "parameters": "--- Class[Profile::Zuul::Main].orig\n+++ Class[Profile::Zuul::Main]\n\n-    tls_config_dir => /etc/zookeeper/zuul-tls\n-    tls_password   => snakeoil\n"}], "perc_changed": "0.91%"}}}