{"host": "pki-root1001.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 3033, "only_in_self": [], "only_in_other": ["Cfssl::Cert[discovery2026]", "Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]", "Exec[Generate cert discovery2026 refresh]", "Exec[Generate cert discovery2026]", "Exec[renew certificate - discovery2026]", "File[/etc/cfssl/csr/discovery2026.csr]", "File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]", "File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]", "File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]", "File[/etc/cfssl/ssl/discovery2026]"], "resource_diffs": [{"resource": "Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]\n\n+    ensure      => present\n+    hosts       => []\n+    common_name => discovery2026\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n"}, {"resource": "File[/etc/cfssl/ssl/discovery2026]", "parameters": "--- File[/etc/cfssl/ssl/discovery2026].orig\n+++ File[/etc/cfssl/ssl/discovery2026]\n\n+    owner   => root\n+    ensure  => directory\n+    group   => root\n+    recurse => True\n+    mode    => 0740\n"}, {"resource": "Class[Profile::Pki::Root_ca]", "parameters": "--- Class[Profile::Pki::Root_ca].orig\n+++ Class[Profile::Pki::Root_ca]\n\n@@\n-    intermediates => ['debmonitor', 'discovery', 'kafka', 'cloud_wmnet_ca', 'etcd', 'wikikube', 'wikikube_front_proxy', 'wikikube_staging', 'wikikube_staging_front_proxy', 'mlserve', 'mlserve_front_proxy', 'mlserve_staging', 'mlserve_staging_front_proxy', 'aux', 'aux_front_proxy', 'dse', 'dse_front_proxy', 'cassandra', 'puppet', 'network_devices', 'syslog', 'zuul']\n+    intermediates => ['debmonitor', 'discovery', 'discovery2026', 'kafka', 'cloud_wmnet_ca', 'etcd', 'wikikube', 'wikikube_front_proxy', 'wikikube_staging', 'wikikube_staging_front_proxy', 'mlserve', 'mlserve_front_proxy', 'mlserve_staging', 'mlserve_staging_front_proxy', 'aux', 'aux_front_proxy', 'dse', 'dse_front_proxy', 'cassandra', 'puppet', 'network_devices', 'syslog', 'zuul']\n"}, {"resource": "File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]", "parameters": "--- File[/etc/cfssl/ssl/discovery2026/discovery2026.csr].orig\n+++ File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]\n\n+    owner  => root\n+    ensure => file\n+    group  => root\n+    mode   => 0440\n"}, {"resource": "Cfssl::Cert[discovery2026]", "parameters": "--- Cfssl::Cert[discovery2026].orig\n+++ Cfssl::Cert[discovery2026]\n\n+    auto_renew      => True\n+    ensure          => present\n+    before_services => []\n+    profile         => intermediate\n+    notify_services => []\n+    group           => root\n+    hosts           => []\n+    mode            => 0740\n+    provide_chain   => False\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    common_name     => discovery2026\n+    owner           => root\n+    renew_seconds   => 952200\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    key             => {'algo': 'ecdsa', 'size': 521}\n"}, {"resource": "Exec[Generate cert discovery2026]", "parameters": "--- Exec[Generate cert discovery2026].orig\n+++ Exec[Generate cert discovery2026]\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/discovery2026/discovery2026.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/discovery2026/discovery2026-key.pem 2>&1)\"\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/discovery2026.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/discovery2026/discovery2026\n\n"}, {"resource": "Exec[renew certificate - discovery2026]", "parameters": "--- Exec[renew certificate - discovery2026].orig\n+++ Exec[renew certificate - discovery2026]\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/discovery2026/discovery2026.pem -checkend 952200\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    require     => Exec[Generate cert discovery2026]\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/discovery2026/discovery2026.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/discovery2026/discovery2026\n\n"}, {"resource": "Exec[Generate cert discovery2026 refresh]", "parameters": "--- Exec[Generate cert discovery2026 refresh].orig\n+++ Exec[Generate cert discovery2026 refresh]\n\n+    refreshonly => True\n+    subscribe   => File[/etc/cfssl/csr/discovery2026.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/discovery2026.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/discovery2026/discovery2026\n\n"}, {"resource": "File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem].orig\n+++ File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]\n\n+    owner     => root\n+    ensure    => file\n+    group     => root\n+    show_diff => False\n+    backup    => False\n+    mode      => 0440\n"}, {"resource": "File[/etc/cfssl/csr/discovery2026.csr]", "content": "--- /etc/cfssl/csr/discovery2026.csr.orig\n+++ /etc/cfssl/csr/discovery2026.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"discovery2026\",\n+  \"hosts\": [\n+    \"discovery2026\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/discovery2026.csr].orig\n+++ File[/etc/cfssl/csr/discovery2026.csr]\n\n+    owner  => root\n+    ensure => file\n+    group  => root\n+    mode   => 0400\n"}, {"resource": "File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]", "parameters": "--- File[/etc/cfssl/ssl/discovery2026/discovery2026.pem].orig\n+++ File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]\n\n+    owner  => root\n+    ensure => file\n+    group  => root\n+    mode   => 0440\n"}], "perc_changed": "0.69%"}, "core": {"total": 3033, "only_in_self": [], "only_in_other": ["Exec[Generate cert discovery2026 refresh]", "Exec[Generate cert discovery2026]", "Exec[renew certificate - discovery2026]", "File[/etc/cfssl/csr/discovery2026.csr]", "File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]", "File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]", "File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]", "File[/etc/cfssl/ssl/discovery2026]"], "resource_diffs": [], "perc_changed": "0.26%"}, "main": {"total": 3033, "only_in_self": [], "only_in_other": ["Cfssl::Cert[discovery2026]", "Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]", "Exec[Generate cert discovery2026 refresh]", "Exec[Generate cert discovery2026]", "Exec[renew certificate - discovery2026]", "File[/etc/cfssl/csr/discovery2026.csr]", "File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]", "File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]", "File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]", "File[/etc/cfssl/ssl/discovery2026]"], "resource_diffs": [{"resource": "Class[Profile::Pki::Root_ca]", "parameters": "--- Class[Profile::Pki::Root_ca].orig\n+++ Class[Profile::Pki::Root_ca]\n\n@@\n-    intermediates => ['debmonitor', 'discovery', 'kafka', 'cloud_wmnet_ca', 'etcd', 'wikikube', 'wikikube_front_proxy', 'wikikube_staging', 'wikikube_staging_front_proxy', 'mlserve', 'mlserve_front_proxy', 'mlserve_staging', 'mlserve_staging_front_proxy', 'aux', 'aux_front_proxy', 'dse', 'dse_front_proxy', 'cassandra', 'puppet', 'network_devices', 'syslog', 'zuul']\n+    intermediates => ['debmonitor', 'discovery', 'discovery2026', 'kafka', 'cloud_wmnet_ca', 'etcd', 'wikikube', 'wikikube_front_proxy', 'wikikube_staging', 'wikikube_staging_front_proxy', 'mlserve', 'mlserve_front_proxy', 'mlserve_staging', 'mlserve_staging_front_proxy', 'aux', 'aux_front_proxy', 'dse', 'dse_front_proxy', 'cassandra', 'puppet', 'network_devices', 'syslog', 'zuul']\n"}], "perc_changed": "0.36%"}}}