Compilation results for deploy1003.eqiad.wmnet: System changes detected

You can retrieve this result from host.json.

Catalog differences

Summary

Total Resources:	17015
Resources added:	26
Resources removed:	26
Resources modified:	57
Change percentage:	0.64%

Resources only in the new catalog

File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.csr]
Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server]
File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.pem]
Cfssl::Csr[/etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr]
File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.pem]
File[/etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr]
Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server refresh]
Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server refresh on intermediate ca change]
Exec[create chained cert /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem]
Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server refresh on intermediate ca change]
Exec[renew certificate - discovery2026__deployment_eqiad_wmnet_server]
File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server-key.pem]
File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server-key.pem]
File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.csr]
Cfssl::Cert[discovery2026__deployment_eqiad_wmnet_server]
Exec[create chained cert /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem]
Cfssl::Csr[/etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr]
File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem]
File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chained.pem]
File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chained.pem]
Exec[renew certificate - discovery2026__spiderpig_wikimedia_org_server]
Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server]
File[/etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr]
File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem]
Cfssl::Cert[discovery2026__spiderpig_wikimedia_org_server]
Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server refresh]

Resources only in the old catalog

File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.pem]
File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server-key.pem]
Cfssl::Csr[/etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr]
Exec[Generate cert discovery__spiderpig_wikimedia_org_server]
File[/etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr]
File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chained.pem]
Exec[create chained cert /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem]
Exec[Generate cert discovery__spiderpig_wikimedia_org_server refresh on intermediate ca change]
Exec[renew certificate - discovery__deployment_eqiad_wmnet_server]
Cfssl::Cert[discovery__deployment_eqiad_wmnet_server]
File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem]
File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.csr]
Exec[Generate cert discovery__deployment_eqiad_wmnet_server refresh]
File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.csr]
Exec[Generate cert discovery__deployment_eqiad_wmnet_server refresh on intermediate ca change]
Exec[Generate cert discovery__deployment_eqiad_wmnet_server]
Exec[renew certificate - discovery__spiderpig_wikimedia_org_server]
File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chained.pem]
Cfssl::Cert[discovery__spiderpig_wikimedia_org_server]
File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem]
Cfssl::Csr[/etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr]
File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server-key.pem]
Exec[Generate cert discovery__spiderpig_wikimedia_org_server refresh]
File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.pem]
Exec[create chained cert /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem]
File[/etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr]

Resources modified

File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server-key.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server-key.pem].orig
+++ File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server-key.pem]

+    show_diff => False
+    group     => envoy
+    owner     => envoy
+    mode      => 0440
+    backup    => False
+    ensure    => file

Cfssl::Csr[/etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr]

+    names       => []
+    common_name => deployment.eqiad.wmnet
+    key         => {'algo': 'ecdsa', 'size': 256}
+    ensure      => present
+    hosts       => []

Exec[Generate cert discovery__spiderpig_wikimedia_org_server]

Parameters differences:

--- Exec[Generate cert discovery__spiderpig_wikimedia_org_server].orig
+++ Exec[Generate cert discovery__spiderpig_wikimedia_org_server]

-    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server-key.pem 2>&1)"

-    require     => Cfssl::Csr[/etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr]
-    environment => ['GODEBUG=x509ignoreCN=0']
-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery -profile server /etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server

File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chained.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chained.pem].orig
+++ File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chained.pem]

+    require => Exec[create chained cert /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem]
+    group   => envoy
+    owner   => envoy
+    ensure  => file

Exec[Generate cert discovery__deployment_eqiad_wmnet_server]

Parameters differences:

--- Exec[Generate cert discovery__deployment_eqiad_wmnet_server].orig
+++ Exec[Generate cert discovery__deployment_eqiad_wmnet_server]

-    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server-key.pem 2>&1)"

-    require     => Cfssl::Csr[/etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr]
-    environment => ['GODEBUG=x509ignoreCN=0']
-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery -profile server /etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server

Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server]

Parameters differences:

--- Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server].orig
+++ Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server]

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server-key.pem 2>&1)"

+    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server

File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]

Content differences:

--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig
+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml
@@ -16,8 +16,8 @@
       '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
       common_tls_context:
         tls_certificates:
-        - certificate_chain: { filename: "/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chained.pem" }
-          private_key: { filename: "/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server-key.pem" }
+        - certificate_chain: { filename: "/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chained.pem" }
+          private_key: { filename: "/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server-key.pem" }
   filters:
   - name: envoy.http_connection_manager
     typed_config:
@@ -58,8 +58,8 @@
       '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
       common_tls_context:
         tls_certificates:
-        - certificate_chain: { filename: "/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chained.pem" }
-          private_key: { filename: "/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server-key.pem" }
+        - certificate_chain: { filename: "/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chained.pem" }
+          private_key: { filename: "/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server-key.pem" }
   filters:
   - name: envoy.http_connection_manager
     typed_config:

Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server refresh on intermediate ca change]

Parameters differences:

--- Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server refresh on intermediate ca change].orig
+++ Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server refresh on intermediate ca change]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server

+    subscribe   => File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem]
+    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr]
+    refreshonly => True

Exec[Generate cert discovery__deployment_eqiad_wmnet_server refresh on intermediate ca change]

Parameters differences:

--- Exec[Generate cert discovery__deployment_eqiad_wmnet_server refresh on intermediate ca change].orig
+++ Exec[Generate cert discovery__deployment_eqiad_wmnet_server refresh on intermediate ca change]

-    environment => ['GODEBUG=x509ignoreCN=0']
-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery -profile server /etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server

-    subscribe   => File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem]
-    require     => Cfssl::Csr[/etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr]
-    refreshonly => True

Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server refresh]

Parameters differences:

--- Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server refresh].orig
+++ Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server refresh]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server

+    refreshonly => True
+    subscribe   => File[/etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr]

File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.pem].orig
+++ File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.pem]

-    mode   => 0440
-    group  => envoy
-    owner  => envoy
-    ensure => file

File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server-key.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server-key.pem].orig
+++ File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server-key.pem]

-    show_diff => False
-    group     => envoy
-    owner     => envoy
-    mode      => 0440
-    backup    => False
-    ensure    => file

File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chained.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chained.pem].orig
+++ File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chained.pem]

-    require => Exec[create chained cert /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem]
-    group   => envoy
-    owner   => envoy
-    ensure  => file

Cfssl::Cert[discovery2026__deployment_eqiad_wmnet_server]

Parameters differences:

--- Cfssl::Cert[discovery2026__deployment_eqiad_wmnet_server].orig
+++ Cfssl::Cert[discovery2026__deployment_eqiad_wmnet_server]

+    group           => envoy
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    provide_chain   => True
+    names           => []
+    require         => Package[envoyproxy]
+    renew_seconds   => 952200
+    profile         => server
+    outdir          => /etc/envoy/ssl
+    ensure          => present
+    common_name     => deployment.eqiad.wmnet
+    label           => discovery2026
+    key             => {'algo': 'ecdsa', 'size': 256}
+    notify          => Service[envoyproxy.service]
+    before          => Exec[verify-envoy-config]
+    mode            => 0740
+    notify_services => []
+    owner           => envoy
+    auto_renew      => True
+    before_services => []
+    hosts           => []

Cfssl::Csr[/etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr]

+    names       => []
+    common_name => spiderpig.wikimedia.org
+    key         => {'algo': 'ecdsa', 'size': 256}
+    ensure      => present
+    hosts       => ['spiderpig.wikimedia.org']

Exec[renew certificate - discovery__spiderpig_wikimedia_org_server]

Parameters differences:

--- Exec[renew certificate - discovery__spiderpig_wikimedia_org_server].orig
+++ Exec[renew certificate - discovery__spiderpig_wikimedia_org_server]

-    unless      => /usr/bin/openssl x509 -in /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.pem -checkend 952200
-    require     => Exec[Generate cert discovery__spiderpig_wikimedia_org_server]
-    environment => ['GODEBUG=x509ignoreCN=0']
-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery -profile server /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server

File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server-key.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server-key.pem].orig
+++ File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server-key.pem]

-    show_diff => False
-    group     => envoy
-    owner     => envoy
-    mode      => 0440
-    backup    => False
-    ensure    => file

File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chained.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chained.pem].orig
+++ File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chained.pem]

+    require => Exec[create chained cert /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem]
+    group   => envoy
+    owner   => envoy
+    ensure  => file

Exec[create chained cert /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem]

Parameters differences:

--- Exec[create chained cert /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem].orig
+++ Exec[create chained cert /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem]

-    unless    => /usr/bin/test "$(/bin/cat /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.pem /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem | sha512sum)" == "$(/bin/cat /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chained.pem | sha512sum)"

-    require   => Exec[Generate cert discovery__deployment_eqiad_wmnet_server refresh on intermediate ca change]
-    command   => /bin/cat /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.pem /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem > /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chained.pem
-    subscribe => ['Exec[renew certificate - discovery__deployment_eqiad_wmnet_server]', 'File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem]', 'File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.pem]']

Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server]

Parameters differences:

--- Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server].orig
+++ Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server]

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server-key.pem 2>&1)"

+    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server

Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server refresh on intermediate ca change]

Parameters differences:

--- Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server refresh on intermediate ca change].orig
+++ Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server refresh on intermediate ca change]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server

+    subscribe   => File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem]
+    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr]
+    refreshonly => True

File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem].orig
+++ File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem]

-    source => puppet:///modules/profile/pki/intermediates/discovery-cert.pem
-    group  => envoy
-    owner  => envoy
-    mode   => 0440
-    ensure => file

Exec[Generate cert discovery__spiderpig_wikimedia_org_server refresh on intermediate ca change]

Parameters differences:

--- Exec[Generate cert discovery__spiderpig_wikimedia_org_server refresh on intermediate ca change].orig
+++ Exec[Generate cert discovery__spiderpig_wikimedia_org_server refresh on intermediate ca change]

-    environment => ['GODEBUG=x509ignoreCN=0']
-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery -profile server /etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server

-    subscribe   => File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem]
-    require     => Cfssl::Csr[/etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr]
-    refreshonly => True

Envoyproxy::Conf[tls_terminator_443]

File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.pem].orig
+++ File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.pem]

+    mode   => 0440
+    group  => envoy
+    owner  => envoy
+    ensure => file

File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chained.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chained.pem].orig
+++ File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chained.pem]

-    require => Exec[create chained cert /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chain.pem]
-    group   => envoy
-    owner   => envoy
-    ensure  => file

File[/etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr]

Parameters differences:

--- File[/etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr].orig
+++ File[/etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr]

-    mode   => 0400
-    group  => root
-    owner  => root
-    ensure => file

Content differences:

--- /etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr.orig
+++ /etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr
@@ -1,13 +0,0 @@
-{
-  "CN": "spiderpig.wikimedia.org",
-  "hosts": [
-    "spiderpig.wikimedia.org"
-  ],
-  "key": {
-    "algo": "ecdsa",
-    "size": 256
-  },
-  "names": [
-
-  ]
-}

Exec[renew certificate - discovery2026__deployment_eqiad_wmnet_server]

Parameters differences:

--- Exec[renew certificate - discovery2026__deployment_eqiad_wmnet_server].orig
+++ Exec[renew certificate - discovery2026__deployment_eqiad_wmnet_server]

+    unless      => /usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.pem -checkend 952200
+    require     => Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery2026 -profile server /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server

Exec[Generate cert discovery__deployment_eqiad_wmnet_server refresh]

Parameters differences:

--- Exec[Generate cert discovery__deployment_eqiad_wmnet_server refresh].orig
+++ Exec[Generate cert discovery__deployment_eqiad_wmnet_server refresh]

-    environment => ['GODEBUG=x509ignoreCN=0']
-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery -profile server /etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server

-    refreshonly => True
-    subscribe   => File[/etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr]

File[/etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr]

Parameters differences:

--- File[/etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr].orig
+++ File[/etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr]

-    mode   => 0400
-    group  => root
-    owner  => root
-    ensure => file

Content differences:

--- /etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr.orig
+++ /etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr
@@ -1,13 +0,0 @@
-{
-  "CN": "deployment.eqiad.wmnet",
-  "hosts": [
-    "deployment.eqiad.wmnet"
-  ],
-  "key": {
-    "algo": "ecdsa",
-    "size": 256
-  },
-  "names": [
-
-  ]
-}

File[/etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr]

Parameters differences:

--- File[/etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr].orig
+++ File[/etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr]

+    mode   => 0400
+    group  => root
+    owner  => root
+    ensure => file

Content differences:

--- /etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr.orig
+++ /etc/cfssl/csr/discovery2026__spiderpig_wikimedia_org_server.csr
@@ -0,0 +1,13 @@
+{
+  "CN": "spiderpig.wikimedia.org",
+  "hosts": [
+    "spiderpig.wikimedia.org"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+
+  ]
+}

File[/etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr]

Parameters differences:

--- File[/etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr].orig
+++ File[/etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr]

+    mode   => 0400
+    group  => root
+    owner  => root
+    ensure => file

Content differences:

--- /etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr.orig
+++ /etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr
@@ -0,0 +1,13 @@
+{
+  "CN": "deployment.eqiad.wmnet",
+  "hosts": [
+    "deployment.eqiad.wmnet"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+
+  ]
+}

Exec[renew certificate - discovery__deployment_eqiad_wmnet_server]

Parameters differences:

--- Exec[renew certificate - discovery__deployment_eqiad_wmnet_server].orig
+++ Exec[renew certificate - discovery__deployment_eqiad_wmnet_server]

-    unless      => /usr/bin/openssl x509 -in /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.pem -checkend 952200
-    require     => Exec[Generate cert discovery__deployment_eqiad_wmnet_server]
-    environment => ['GODEBUG=x509ignoreCN=0']
-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery -profile server /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server

Envoyproxy::Tls_terminator[443]

Parameters differences:

--- Envoyproxy::Tls_terminator[443].orig
+++ Envoyproxy::Tls_terminator[443]

@@
-    upstreams    => [{'server_names': ['spiderpig.wikimedia.org'], 'certificates': [{'cert_path': '/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server-key.pem'}], 'upstream': {'port': 9000, 'addr': 'deploy1003.eqiad.wmnet'}}]
+    upstreams    => [{'server_names': ['spiderpig.wikimedia.org'], 'certificates': [{'cert_path': '/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server-key.pem'}], 'upstream': {'port': 9000, 'addr': 'deploy1003.eqiad.wmnet'}}]
@@
-    global_certs => [{'cert_path': '/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server-key.pem'}]
+    global_certs => [{'cert_path': '/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server-key.pem'}]

Class[Profile::Tlsproxy::Envoy]

Parameters differences:

--- Class[Profile::Tlsproxy::Envoy].orig
+++ Class[Profile::Tlsproxy::Envoy]

@@
-    cfssl_label => discovery
+    cfssl_label => discovery2026

Cfssl::Cert[discovery2026__spiderpig_wikimedia_org_server]

Parameters differences:

--- Cfssl::Cert[discovery2026__spiderpig_wikimedia_org_server].orig
+++ Cfssl::Cert[discovery2026__spiderpig_wikimedia_org_server]

+    group           => envoy
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    provide_chain   => True
+    names           => []
+    require         => Package[envoyproxy]
+    renew_seconds   => 952200
+    profile         => server
+    outdir          => /etc/envoy/ssl
+    ensure          => present
+    common_name     => spiderpig.wikimedia.org
+    label           => discovery2026
+    key             => {'algo': 'ecdsa', 'size': 256}
+    notify          => Service[envoyproxy.service]
+    before          => Exec[verify-envoy-config]
+    mode            => 0740
+    notify_services => []
+    owner           => envoy
+    auto_renew      => True
+    before_services => []
+    hosts           => ['spiderpig.wikimedia.org']

Exec[create chained cert /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem]

Parameters differences:

--- Exec[create chained cert /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem].orig
+++ Exec[create chained cert /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem]

-    unless    => /usr/bin/test "$(/bin/cat /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.pem /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem | sha512sum)" == "$(/bin/cat /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chained.pem | sha512sum)"

-    require   => Exec[Generate cert discovery__spiderpig_wikimedia_org_server refresh on intermediate ca change]
-    command   => /bin/cat /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.pem /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem > /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chained.pem
-    subscribe => ['Exec[renew certificate - discovery__spiderpig_wikimedia_org_server]', 'File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem]', 'File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.pem]']

Exec[renew certificate - discovery2026__spiderpig_wikimedia_org_server]

Parameters differences:

--- Exec[renew certificate - discovery2026__spiderpig_wikimedia_org_server].orig
+++ Exec[renew certificate - discovery2026__spiderpig_wikimedia_org_server]

+    unless      => /usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.pem -checkend 952200
+    require     => Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery2026 -profile server /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server

Cfssl::Csr[/etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/discovery__deployment_eqiad_wmnet_server.csr]

-    names       => []
-    common_name => deployment.eqiad.wmnet
-    key         => {'algo': 'ecdsa', 'size': 256}
-    ensure      => present
-    hosts       => []

File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.csr]

Parameters differences:

--- File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.csr].orig
+++ File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.csr]

-    mode   => 0440
-    group  => envoy
-    owner  => envoy
-    ensure => file

Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server refresh]

Parameters differences:

--- Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server refresh].orig
+++ Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server refresh]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server

+    refreshonly => True
+    subscribe   => File[/etc/cfssl/csr/discovery2026__deployment_eqiad_wmnet_server.csr]

File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem].orig
+++ File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem]

+    source => puppet:///modules/profile/pki/intermediates/discovery2026-cert.pem
+    group  => envoy
+    owner  => envoy
+    mode   => 0440
+    ensure => file

Cfssl::Cert[discovery__spiderpig_wikimedia_org_server]

Parameters differences:

--- Cfssl::Cert[discovery__spiderpig_wikimedia_org_server].orig
+++ Cfssl::Cert[discovery__spiderpig_wikimedia_org_server]

-    group           => envoy
-    environment     => ['GODEBUG=x509ignoreCN=0']
-    provide_chain   => True
-    names           => []
-    require         => Package[envoyproxy]
-    renew_seconds   => 952200
-    profile         => server
-    outdir          => /etc/envoy/ssl
-    ensure          => present
-    common_name     => spiderpig.wikimedia.org
-    label           => discovery
-    key             => {'algo': 'ecdsa', 'size': 256}
-    notify          => Service[envoyproxy.service]
-    before          => Exec[verify-envoy-config]
-    mode            => 0740
-    notify_services => []
-    owner           => envoy
-    auto_renew      => True
-    before_services => []
-    hosts           => ['spiderpig.wikimedia.org']

File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.csr]

Parameters differences:

--- File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.csr].orig
+++ File[/etc/envoy/ssl/discovery__deployment_eqiad_wmnet_server.csr]

-    mode   => 0440
-    group  => envoy
-    owner  => envoy
-    ensure => file

Exec[create chained cert /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem]

Parameters differences:

--- Exec[create chained cert /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem].orig
+++ Exec[create chained cert /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem]

+    unless    => /usr/bin/test "$(/bin/cat /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.pem /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem | sha512sum)" == "$(/bin/cat /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chained.pem | sha512sum)"

+    require   => Exec[Generate cert discovery2026__deployment_eqiad_wmnet_server refresh on intermediate ca change]
+    command   => /bin/cat /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.pem /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem > /etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chained.pem
+    subscribe => ['Exec[renew certificate - discovery2026__deployment_eqiad_wmnet_server]', 'File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.chain.pem]', 'File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.pem]']

Exec[Generate cert discovery__spiderpig_wikimedia_org_server refresh]

Parameters differences:

--- Exec[Generate cert discovery__spiderpig_wikimedia_org_server refresh].orig
+++ Exec[Generate cert discovery__spiderpig_wikimedia_org_server refresh]

-    environment => ['GODEBUG=x509ignoreCN=0']
-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deploy1003.eqiad.wmnet.pem -label discovery -profile server /etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server

-    refreshonly => True
-    subscribe   => File[/etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr]

Cfssl::Cert[discovery__deployment_eqiad_wmnet_server]

Parameters differences:

--- Cfssl::Cert[discovery__deployment_eqiad_wmnet_server].orig
+++ Cfssl::Cert[discovery__deployment_eqiad_wmnet_server]

-    group           => envoy
-    environment     => ['GODEBUG=x509ignoreCN=0']
-    provide_chain   => True
-    names           => []
-    require         => Package[envoyproxy]
-    renew_seconds   => 952200
-    profile         => server
-    outdir          => /etc/envoy/ssl
-    ensure          => present
-    common_name     => deployment.eqiad.wmnet
-    label           => discovery
-    key             => {'algo': 'ecdsa', 'size': 256}
-    notify          => Service[envoyproxy.service]
-    before          => Exec[verify-envoy-config]
-    mode            => 0740
-    notify_services => []
-    owner           => envoy
-    auto_renew      => True
-    before_services => []
-    hosts           => []

Envoyproxy::Listener[tls_terminator_443]

File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.csr]

Parameters differences:

--- File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.csr].orig
+++ File[/etc/envoy/ssl/discovery2026__deployment_eqiad_wmnet_server.csr]

+    mode   => 0440
+    group  => envoy
+    owner  => envoy
+    ensure => file

File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.pem].orig
+++ File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.pem]

+    mode   => 0440
+    group  => envoy
+    owner  => envoy
+    ensure => file

Exec[create chained cert /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem]

Parameters differences:

--- Exec[create chained cert /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem].orig
+++ Exec[create chained cert /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem]

+    unless    => /usr/bin/test "$(/bin/cat /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.pem /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem | sha512sum)" == "$(/bin/cat /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chained.pem | sha512sum)"

+    require   => Exec[Generate cert discovery2026__spiderpig_wikimedia_org_server refresh on intermediate ca change]
+    command   => /bin/cat /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.pem /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem > /etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chained.pem
+    subscribe => ['Exec[renew certificate - discovery2026__spiderpig_wikimedia_org_server]', 'File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem]', 'File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.pem]']

File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem].orig
+++ File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.chain.pem]

+    source => puppet:///modules/profile/pki/intermediates/discovery2026-cert.pem
+    group  => envoy
+    owner  => envoy
+    mode   => 0440
+    ensure => file

File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem].orig
+++ File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.chain.pem]

-    source => puppet:///modules/profile/pki/intermediates/discovery-cert.pem
-    group  => envoy
-    owner  => envoy
-    mode   => 0440
-    ensure => file

File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.csr]

Parameters differences:

--- File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.csr].orig
+++ File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server.csr]

+    mode   => 0440
+    group  => envoy
+    owner  => envoy
+    ensure => file

Cfssl::Csr[/etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/discovery__spiderpig_wikimedia_org_server.csr]

-    names       => []
-    common_name => spiderpig.wikimedia.org
-    key         => {'algo': 'ecdsa', 'size': 256}
-    ensure      => present
-    hosts       => ['spiderpig.wikimedia.org']

File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.pem].orig
+++ File[/etc/envoy/ssl/discovery__spiderpig_wikimedia_org_server.pem]

-    mode   => 0440
-    group  => envoy
-    owner  => envoy
-    ensure => file

File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server-key.pem]

Parameters differences:

--- File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server-key.pem].orig
+++ File[/etc/envoy/ssl/discovery2026__spiderpig_wikimedia_org_server-key.pem]

+    show_diff => False
+    group     => envoy
+    owner     => envoy
+    mode      => 0440
+    backup    => False
+    ensure    => file

Compilation results for deploy1003.eqiad.wmnet: System changes detected

Catalog differences

Summary

Resources only in the new catalog

Resources only in the old catalog

Resources modified

Relevant files