{"host": "testreduce1002.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 2948, "only_in_self": ["Cfssl::Cert[discovery__testreduce_discovery_wmnet_server]", "Cfssl::Csr[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr]", "Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh on intermediate ca change]", "Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh]", "Exec[Generate cert discovery__testreduce_discovery_wmnet_server]", "Exec[create chained cert /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]", "Exec[renew certificate - discovery__testreduce_discovery_wmnet_server]", "File[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server-key.pem]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.pem]"], "only_in_other": ["Cfssl::Cert[discovery2026__testreduce_discovery_wmnet_server]", "Cfssl::Csr[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr]", "Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh on intermediate ca change]", "Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh]", "Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server]", "Exec[create chained cert /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]", "Exec[renew certificate - discovery2026__testreduce_discovery_wmnet_server]", "File[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server-key.pem]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.pem]"], "resource_diffs": [{"resource": "File[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr]", "content": "--- /etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr.orig\n+++ /etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr\n@@ -0,0 +1,14 @@\n+{\n+  \"CN\": \"testreduce.discovery.wmnet\",\n+  \"hosts\": [\n+    \"parsoid-rt-tests.wikimedia.org\",\n+    \"testreduce.discovery.wmnet\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 256\n+  },\n+  \"names\": [\n+\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr].orig\n+++ File[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr]\n\n+    group  => root\n+    mode   => 0400\n+    ensure => file\n+    owner  => root\n"}, {"resource": "Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh on intermediate ca change].orig\n+++ Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh on intermediate ca change]\n\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/testreduce1002.eqiad.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr]\n+    subscribe   => File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    refreshonly => True\n"}, {"resource": "File[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr]", "content": "--- /etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr.orig\n+++ /etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr\n@@ -1,14 +0,0 @@\n-{\n-  \"CN\": \"testreduce.discovery.wmnet\",\n-  \"hosts\": [\n-    \"parsoid-rt-tests.wikimedia.org\",\n-    \"testreduce.discovery.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr].orig\n+++ File[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr]\n\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Exec[renew certificate - discovery__testreduce_discovery_wmnet_server]", "parameters": "--- Exec[renew certificate - discovery__testreduce_discovery_wmnet_server].orig\n+++ Exec[renew certificate - discovery__testreduce_discovery_wmnet_server]\n\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/testreduce1002.eqiad.wmnet.pem -label discovery -profile server /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    require     => Exec[Generate cert discovery__testreduce_discovery_wmnet_server]\n-    unless      => /usr/bin/openssl x509 -in /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.pem -checkend 952200\n"}, {"resource": "Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh]", "parameters": "--- Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh].orig\n+++ Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh]\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/testreduce1002.eqiad.wmnet.pem -label discovery -profile server /etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    subscribe   => File[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr]\n"}, {"resource": "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem].orig\n+++ File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem]\n\n-    group   => envoy\n-    require => Exec[create chained cert /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]\n-    ensure  => file\n-    owner   => envoy\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.pem].orig\n+++ File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.pem]\n\n+    group  => envoy\n+    mode   => 0440\n+    ensure => file\n+    owner  => envoy\n"}, {"resource": "Exec[renew certificate - discovery2026__testreduce_discovery_wmnet_server]", "parameters": "--- Exec[renew certificate - discovery2026__testreduce_discovery_wmnet_server].orig\n+++ Exec[renew certificate - discovery2026__testreduce_discovery_wmnet_server]\n\n+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/testreduce1002.eqiad.wmnet.pem -label discovery2026 -profile server /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    require     => Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server]\n+    unless      => /usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.pem -checkend 952200\n"}, {"resource": "Cfssl::Cert[discovery__testreduce_discovery_wmnet_server]", "parameters": "--- Cfssl::Cert[discovery__testreduce_discovery_wmnet_server].orig\n+++ Cfssl::Cert[discovery__testreduce_discovery_wmnet_server]\n\n-    outdir          => /etc/envoy/ssl\n-    common_name     => testreduce.discovery.wmnet\n-    group           => envoy\n-    provide_chain   => True\n-    before          => Exec[verify-envoy-config]\n-    notify_services => []\n-    owner           => envoy\n-    auto_renew      => True\n-    hosts           => ['parsoid-rt-tests.wikimedia.org']\n-    notify          => Service[envoyproxy.service]\n-    names           => []\n-    ensure          => present\n-    require         => Package[envoyproxy]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    before_services => []\n-    label           => discovery\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    profile         => server\n-    renew_seconds   => 952200\n-    mode            => 0740\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem].orig\n+++ File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem]\n\n+    group   => envoy\n+    require => Exec[create chained cert /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]\n+    ensure  => file\n+    owner   => envoy\n"}, {"resource": "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.pem].orig\n+++ File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.pem]\n\n-    group  => envoy\n-    mode   => 0440\n-    ensure => file\n-    owner  => envoy\n"}, {"resource": "Exec[create chained cert /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]", "parameters": "--- Exec[create chained cert /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem].orig\n+++ Exec[create chained cert /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]\n\n-    command   => /bin/cat /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.pem /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem > /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem\n-    unless    => /usr/bin/test \"$(/bin/cat /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.pem /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem | sha512sum)\"\n\n-    require   => Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh on intermediate ca change]\n-    subscribe => ['Exec[renew certificate - discovery__testreduce_discovery_wmnet_server]', 'File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]', 'File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.pem]']\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr]\n\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    hosts       => ['parsoid-rt-tests.wikimedia.org']\n-    names       => []\n-    common_name => testreduce.discovery.wmnet\n-    ensure      => present\n"}, {"resource": "Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh]", "parameters": "--- Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh].orig\n+++ Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh]\n\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/testreduce1002.eqiad.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    refreshonly => True\n+    subscribe   => File[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr]\n"}, {"resource": "Exec[Generate cert discovery__testreduce_discovery_wmnet_server]", "parameters": "--- Exec[Generate cert discovery__testreduce_discovery_wmnet_server].orig\n+++ Exec[Generate cert discovery__testreduce_discovery_wmnet_server]\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/testreduce1002.eqiad.wmnet.pem -label discovery -profile server /etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    require     => Cfssl::Csr[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr]\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server-key.pem 2>&1)\"\n\n"}, {"resource": "Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server]", "parameters": "--- Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server].orig\n+++ Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server]\n\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/testreduce1002.eqiad.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr]\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server-key.pem 2>&1)\"\n\n"}, {"resource": "Cfssl::Cert[discovery2026__testreduce_discovery_wmnet_server]", "parameters": "--- Cfssl::Cert[discovery2026__testreduce_discovery_wmnet_server].orig\n+++ Cfssl::Cert[discovery2026__testreduce_discovery_wmnet_server]\n\n+    outdir          => /etc/envoy/ssl\n+    common_name     => testreduce.discovery.wmnet\n+    group           => envoy\n+    provide_chain   => True\n+    before          => Exec[verify-envoy-config]\n+    notify_services => []\n+    owner           => envoy\n+    auto_renew      => True\n+    hosts           => ['parsoid-rt-tests.wikimedia.org']\n+    notify          => Service[envoyproxy.service]\n+    names           => []\n+    ensure          => present\n+    require         => Package[envoyproxy]\n+    key             => {'algo': 'ecdsa', 'size': 256}\n+    before_services => []\n+    label           => discovery2026\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    profile         => server\n+    renew_seconds   => 952200\n+    mode            => 0740\n"}, {"resource": "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.csr]", "parameters": "--- File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.csr].orig\n+++ File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.csr]\n\n-    group  => envoy\n-    mode   => 0440\n-    ensure => file\n-    owner  => envoy\n"}, {"resource": "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem].orig\n+++ File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]\n\n-    mode   => 0440\n-    source => puppet:///modules/profile/pki/intermediates/discovery-cert.pem\n-    group  => envoy\n-    ensure => file\n-    owner  => envoy\n"}, {"resource": "Envoyproxy::Conf[tls_terminator_443]"}, {"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -15,8 +15,8 @@\n       '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext\n       common_tls_context:\n         tls_certificates:\n-        - certificate_chain: { filename: \"/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem\" }\n-          private_key: { filename: \"/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server-key.pem\" }\n+        - certificate_chain: { filename: \"/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem\" }\n+          private_key: { filename: \"/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server-key.pem\" }\n   filters:\n   - name: envoy.http_connection_manager\n     typed_config:"}, {"resource": "Envoyproxy::Listener[tls_terminator_443]"}, {"resource": "Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh on intermediate ca change].orig\n+++ Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh on intermediate ca change]\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/testreduce1002.eqiad.wmnet.pem -label discovery -profile server /etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr]\n-    subscribe   => File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n"}, {"resource": "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server-key.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server-key.pem].orig\n+++ File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server-key.pem]\n\n-    mode      => 0440\n-    backup    => False\n-    group     => envoy\n-    show_diff => False\n-    ensure    => file\n-    owner     => envoy\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server-key.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server-key.pem].orig\n+++ File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server-key.pem]\n\n+    mode      => 0440\n+    backup    => False\n+    group     => envoy\n+    show_diff => False\n+    ensure    => file\n+    owner     => envoy\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem].orig\n+++ File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]\n\n+    mode   => 0440\n+    source => puppet:///modules/profile/pki/intermediates/discovery2026-cert.pem\n+    group  => envoy\n+    ensure => file\n+    owner  => envoy\n"}, {"resource": "Envoyproxy::Tls_terminator[443]", "parameters": "--- Envoyproxy::Tls_terminator[443].orig\n+++ Envoyproxy::Tls_terminator[443]\n\n@@\n-    global_certs => [{'cert_path': '/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server-key.pem'}]\n+    global_certs => [{'cert_path': '/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server-key.pem'}]\n"}, {"resource": "Class[Profile::Tlsproxy::Envoy]", "parameters": "--- Class[Profile::Tlsproxy::Envoy].orig\n+++ Class[Profile::Tlsproxy::Envoy]\n\n@@\n-    cfssl_label => discovery\n+    cfssl_label => discovery2026\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.csr]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.csr].orig\n+++ File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.csr]\n\n+    group  => envoy\n+    mode   => 0440\n+    ensure => file\n+    owner  => envoy\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr]\n\n+    key         => {'algo': 'ecdsa', 'size': 256}\n+    hosts       => ['parsoid-rt-tests.wikimedia.org']\n+    names       => []\n+    common_name => testreduce.discovery.wmnet\n+    ensure      => present\n"}, {"resource": "Exec[create chained cert /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]", "parameters": "--- Exec[create chained cert /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem].orig\n+++ Exec[create chained cert /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]\n\n+    command   => /bin/cat /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.pem /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem > /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem\n+    unless    => /usr/bin/test \"$(/bin/cat /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.pem /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem | sha512sum)\"\n\n+    require   => Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh on intermediate ca change]\n+    subscribe => ['Exec[renew certificate - discovery2026__testreduce_discovery_wmnet_server]', 'File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]', 'File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.pem]']\n"}], "perc_changed": "1.93%"}, "core": {"total": 2948, "only_in_self": ["Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh on intermediate ca change]", "Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh]", "Exec[Generate cert discovery__testreduce_discovery_wmnet_server]", "Exec[create chained cert /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]", "Exec[renew certificate - discovery__testreduce_discovery_wmnet_server]", "File[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server-key.pem]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.pem]"], "only_in_other": ["Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh on intermediate ca change]", "Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh]", "Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server]", "Exec[create chained cert /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]", "Exec[renew certificate - discovery2026__testreduce_discovery_wmnet_server]", "File[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server-key.pem]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.pem]"], "resource_diffs": [{"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -15,8 +15,8 @@\n       '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext\n       common_tls_context:\n         tls_certificates:\n-        - certificate_chain: { filename: \"/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem\" }\n-          private_key: { filename: \"/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server-key.pem\" }\n+        - certificate_chain: { filename: \"/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem\" }\n+          private_key: { filename: \"/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server-key.pem\" }\n   filters:\n   - name: envoy.http_connection_manager\n     typed_config:"}], "perc_changed": "0.78%"}, "main": {"total": 2948, "only_in_self": ["Cfssl::Cert[discovery__testreduce_discovery_wmnet_server]", "Cfssl::Csr[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr]", "Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh on intermediate ca change]", "Exec[Generate cert discovery__testreduce_discovery_wmnet_server refresh]", "Exec[Generate cert discovery__testreduce_discovery_wmnet_server]", "Exec[create chained cert /etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]", "Exec[renew certificate - discovery__testreduce_discovery_wmnet_server]", "File[/etc/cfssl/csr/discovery__testreduce_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server-key.pem]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chain.pem]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.pem]"], "only_in_other": ["Cfssl::Cert[discovery2026__testreduce_discovery_wmnet_server]", "Cfssl::Csr[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr]", "Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh on intermediate ca change]", "Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server refresh]", "Exec[Generate cert discovery2026__testreduce_discovery_wmnet_server]", "Exec[create chained cert /etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]", "Exec[renew certificate - discovery2026__testreduce_discovery_wmnet_server]", "File[/etc/cfssl/csr/discovery2026__testreduce_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server-key.pem]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chain.pem]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.pem]"], "resource_diffs": [{"resource": "Envoyproxy::Conf[tls_terminator_443]"}, {"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -15,8 +15,8 @@\n       '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext\n       common_tls_context:\n         tls_certificates:\n-        - certificate_chain: { filename: \"/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem\" }\n-          private_key: { filename: \"/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server-key.pem\" }\n+        - certificate_chain: { filename: \"/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem\" }\n+          private_key: { filename: \"/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server-key.pem\" }\n   filters:\n   - name: envoy.http_connection_manager\n     typed_config:"}, {"resource": "Envoyproxy::Listener[tls_terminator_443]"}, {"resource": "Envoyproxy::Tls_terminator[443]", "parameters": "--- Envoyproxy::Tls_terminator[443].orig\n+++ Envoyproxy::Tls_terminator[443]\n\n@@\n-    global_certs => [{'cert_path': '/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery__testreduce_discovery_wmnet_server-key.pem'}]\n+    global_certs => [{'cert_path': '/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery2026__testreduce_discovery_wmnet_server-key.pem'}]\n"}, {"resource": "Class[Profile::Tlsproxy::Envoy]", "parameters": "--- Class[Profile::Tlsproxy::Envoy].orig\n+++ Class[Profile::Tlsproxy::Envoy]\n\n@@\n-    cfssl_label => discovery\n+    cfssl_label => discovery2026\n"}], "perc_changed": "1.05%"}}}