Compilation results for titan1002.eqiad.wmnet: System changes detected

Catalog differences

Summary

Resources only in the new catalog

• File[/etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr]
• Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server refresh on intermediate ca change]
• File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.pem]
• File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.csr]
• Cfssl::Cert[discovery2026__thanos-query_discovery_wmnet_server]
• Exec[renew certificate - discovery2026__thanos-query_discovery_wmnet_server]
• File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem]
• Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server]
• File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server-key.pem]
• Exec[create chained cert /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem]
• File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chained.pem]
• Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server refresh]
• Cfssl::Csr[/etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr]

Resources only in the old catalog

• Exec[Generate cert discovery__thanos-query_discovery_wmnet_server refresh on intermediate ca change]
• Exec[create chained cert /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem]
• File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chained.pem]
• File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem]
• Cfssl::Csr[/etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr]
• File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server-key.pem]
• Exec[Generate cert discovery__thanos-query_discovery_wmnet_server]
• Exec[renew certificate - discovery__thanos-query_discovery_wmnet_server]
• Exec[Generate cert discovery__thanos-query_discovery_wmnet_server refresh]
• File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.pem]
• Cfssl::Cert[discovery__thanos-query_discovery_wmnet_server]
• File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.csr]
• File[/etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr]

Resources modified

• File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem]

  Parameters differences:

  --- File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem].orig
  +++ File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem]
  
  -    source => puppet:///modules/profile/pki/intermediates/discovery-cert.pem
  -    mode   => 0440
  -    owner  => envoy
  -    group  => envoy
  -    ensure => file
  

• Exec[renew certificate - discovery__thanos-query_discovery_wmnet_server]

  Parameters differences:

  --- Exec[renew certificate - discovery__thanos-query_discovery_wmnet_server].orig
  +++ Exec[renew certificate - discovery__thanos-query_discovery_wmnet_server]
  
  -    require     => Exec[Generate cert discovery__thanos-query_discovery_wmnet_server]
  -    environment => ['GODEBUG=x509ignoreCN=0']
  -    unless      => /usr/bin/openssl x509 -in /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.pem -checkend 952200
  -    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/titan1002.eqiad.wmnet.pem -label discovery -profile server /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server
  
  

• File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server-key.pem]

  Parameters differences:

  --- File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server-key.pem].orig
  +++ File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server-key.pem]
  
  -    mode      => 0440
  -    owner     => envoy
  -    group     => envoy
  -    backup    => False
  -    ensure    => file
  -    show_diff => False
  

• Exec[Generate cert discovery__thanos-query_discovery_wmnet_server refresh on intermediate ca change]

  Parameters differences:

  --- Exec[Generate cert discovery__thanos-query_discovery_wmnet_server refresh on intermediate ca change].orig
  +++ Exec[Generate cert discovery__thanos-query_discovery_wmnet_server refresh on intermediate ca change]
  
  -    require     => Cfssl::Csr[/etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr]
  -    environment => ['GODEBUG=x509ignoreCN=0']
  -    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/titan1002.eqiad.wmnet.pem -label discovery -profile server /etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server
  
  -    refreshonly => True
  -    subscribe   => File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem]
  

• File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chained.pem]

  Parameters differences:

  --- File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chained.pem].orig
  +++ File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chained.pem]
  
  +    group   => envoy
  +    require => Exec[create chained cert /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem]
  +    ensure  => file
  +    owner   => envoy
  

• File[/etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr]

  Parameters differences:

  --- File[/etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr].orig
  +++ File[/etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr]
  
  -    group  => root
  -    mode   => 0400
  -    ensure => file
  -    owner  => root
  

  Content differences:

  --- /etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr.orig
  +++ /etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr
  @@ -1,16 +0,0 @@
  -{
  -  "CN": "thanos-query.discovery.wmnet",
  -  "hosts": [
  -    "thanos-query",
  -    "thanos-query.svc.eqiad.wmnet",
  -    "thanos-query.discovery.wmnet",
  -    "thanos.wikimedia.org"
  -  ],
  -  "key": {
  -    "algo": "ecdsa",
  -    "size": 256
  -  },
  -  "names": [
  -
  -  ]
  -}

• Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server refresh on intermediate ca change]

  Parameters differences:

  --- Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server refresh on intermediate ca change].orig
  +++ Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server refresh on intermediate ca change]
  
  +    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr]
  +    environment => ['GODEBUG=x509ignoreCN=0']
  +    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/titan1002.eqiad.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server
  
  +    refreshonly => True
  +    subscribe   => File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem]
  

• Envoyproxy::Listener[tls_terminator_443]

• File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]

  Content differences:

  --- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig
  +++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml
  @@ -16,8 +16,8 @@
         '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
         common_tls_context:
           tls_certificates:
  -        - certificate_chain: { filename: "/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chained.pem" }
  -          private_key: { filename: "/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server-key.pem" }
  +        - certificate_chain: { filename: "/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chained.pem" }
  +          private_key: { filename: "/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server-key.pem" }
     filters:
     - name: envoy.http_connection_manager
       typed_config:

• File[/etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr]

  Parameters differences:

  --- File[/etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr].orig
  +++ File[/etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr]
  
  +    group  => root
  +    mode   => 0400
  +    ensure => file
  +    owner  => root
  

  Content differences:

  --- /etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr.orig
  +++ /etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr
  @@ -0,0 +1,16 @@
  +{
  +  "CN": "thanos-query.discovery.wmnet",
  +  "hosts": [
  +    "thanos-query",
  +    "thanos-query.svc.eqiad.wmnet",
  +    "thanos-query.discovery.wmnet",
  +    "thanos.wikimedia.org"
  +  ],
  +  "key": {
  +    "algo": "ecdsa",
  +    "size": 256
  +  },
  +  "names": [
  +
  +  ]
  +}

• Class[Profile::Tlsproxy::Envoy]

  Parameters differences:

  --- Class[Profile::Tlsproxy::Envoy].orig
  +++ Class[Profile::Tlsproxy::Envoy]
  
  @@
  -    cfssl_label => discovery
  +    cfssl_label => discovery2026
  

• Exec[Generate cert discovery__thanos-query_discovery_wmnet_server]

  Parameters differences:

  --- Exec[Generate cert discovery__thanos-query_discovery_wmnet_server].orig
  +++ Exec[Generate cert discovery__thanos-query_discovery_wmnet_server]
  
  -    require     => Cfssl::Csr[/etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr]
  -    environment => ['GODEBUG=x509ignoreCN=0']
  -    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server-key.pem 2>&1)"
  
  -    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/titan1002.eqiad.wmnet.pem -label discovery -profile server /etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server
  
  

• Exec[Generate cert discovery__thanos-query_discovery_wmnet_server refresh]

  Parameters differences:

  --- Exec[Generate cert discovery__thanos-query_discovery_wmnet_server refresh].orig
  +++ Exec[Generate cert discovery__thanos-query_discovery_wmnet_server refresh]
  
  -    environment => ['GODEBUG=x509ignoreCN=0']
  -    subscribe   => File[/etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr]
  -    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/titan1002.eqiad.wmnet.pem -label discovery -profile server /etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server
  
  -    refreshonly => True
  

• File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server-key.pem]

  Parameters differences:

  --- File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server-key.pem].orig
  +++ File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server-key.pem]
  
  +    mode      => 0440
  +    owner     => envoy
  +    group     => envoy
  +    backup    => False
  +    ensure    => file
  +    show_diff => False
  

• Cfssl::Csr[/etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr]

  Parameters differences:

  --- Cfssl::Csr[/etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr].orig
  +++ Cfssl::Csr[/etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr]
  
  +    hosts       => ['thanos-query', 'thanos-query.svc.eqiad.wmnet', 'thanos-query.discovery.wmnet', 'thanos.wikimedia.org']
  +    names       => []
  +    key         => {'algo': 'ecdsa', 'size': 256}
  +    common_name => thanos-query.discovery.wmnet
  +    ensure      => present
  

• Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server refresh]

  Parameters differences:

  --- Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server refresh].orig
  +++ Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server refresh]
  
  +    environment => ['GODEBUG=x509ignoreCN=0']
  +    subscribe   => File[/etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr]
  +    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/titan1002.eqiad.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server
  
  +    refreshonly => True
  

• File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chained.pem]

  Parameters differences:

  --- File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chained.pem].orig
  +++ File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chained.pem]
  
  -    group   => envoy
  -    require => Exec[create chained cert /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem]
  -    ensure  => file
  -    owner   => envoy
  

• Exec[create chained cert /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem]

  Parameters differences:

  --- Exec[create chained cert /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem].orig
  +++ Exec[create chained cert /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem]
  
  +    require   => Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server refresh on intermediate ca change]
  +    subscribe => ['Exec[renew certificate - discovery2026__thanos-query_discovery_wmnet_server]', 'File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem]', 'File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.pem]']
  +    unless    => /usr/bin/test "$(/bin/cat /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.pem /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem | sha512sum)" == "$(/bin/cat /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chained.pem | sha512sum)"
  
  +    command   => /bin/cat /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.pem /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem > /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chained.pem
  

• Cfssl::Csr[/etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr]

  Parameters differences:

  --- Cfssl::Csr[/etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr].orig
  +++ Cfssl::Csr[/etc/cfssl/csr/discovery__thanos-query_discovery_wmnet_server.csr]
  
  -    hosts       => ['thanos-query', 'thanos-query.svc.eqiad.wmnet', 'thanos-query.discovery.wmnet', 'thanos.wikimedia.org']
  -    names       => []
  -    key         => {'algo': 'ecdsa', 'size': 256}
  -    common_name => thanos-query.discovery.wmnet
  -    ensure      => present
  

• Exec[renew certificate - discovery2026__thanos-query_discovery_wmnet_server]

  Parameters differences:

  --- Exec[renew certificate - discovery2026__thanos-query_discovery_wmnet_server].orig
  +++ Exec[renew certificate - discovery2026__thanos-query_discovery_wmnet_server]
  
  +    require     => Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server]
  +    environment => ['GODEBUG=x509ignoreCN=0']
  +    unless      => /usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.pem -checkend 952200
  +    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/titan1002.eqiad.wmnet.pem -label discovery2026 -profile server /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server
  
  

• File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.pem]

  Parameters differences:

  --- File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.pem].orig
  +++ File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.pem]
  
  -    group  => envoy
  -    mode   => 0440
  -    ensure => file
  -    owner  => envoy
  

• Envoyproxy::Conf[tls_terminator_443]

• Cfssl::Cert[discovery__thanos-query_discovery_wmnet_server]

  Parameters differences:

  --- Cfssl::Cert[discovery__thanos-query_discovery_wmnet_server].orig
  +++ Cfssl::Cert[discovery__thanos-query_discovery_wmnet_server]
  
  -    owner           => envoy
  -    group           => envoy
  -    notify          => Service[envoyproxy.service]
  -    environment     => ['GODEBUG=x509ignoreCN=0']
  -    key             => {'algo': 'ecdsa', 'size': 256}
  -    mode            => 0740
  -    ensure          => present
  -    outdir          => /etc/envoy/ssl
  -    label           => discovery
  -    hosts           => ['thanos-query', 'thanos-query.svc.eqiad.wmnet', 'thanos-query.discovery.wmnet', 'thanos.wikimedia.org']
  -    notify_services => []
  -    names           => []
  -    auto_renew      => True
  -    profile         => server
  -    common_name     => thanos-query.discovery.wmnet
  -    provide_chain   => True
  -    require         => Package[envoyproxy]
  -    before_services => []
  -    renew_seconds   => 952200
  -    before          => Exec[verify-envoy-config]
  

• File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.pem]

  Parameters differences:

  --- File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.pem].orig
  +++ File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.pem]
  
  +    group  => envoy
  +    mode   => 0440
  +    ensure => file
  +    owner  => envoy
  

• File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.csr]

  Parameters differences:

  --- File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.csr].orig
  +++ File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.csr]
  
  +    group  => envoy
  +    mode   => 0440
  +    ensure => file
  +    owner  => envoy
  

• File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem]

  Parameters differences:

  --- File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem].orig
  +++ File[/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chain.pem]
  
  +    source => puppet:///modules/profile/pki/intermediates/discovery2026-cert.pem
  +    mode   => 0440
  +    owner  => envoy
  +    group  => envoy
  +    ensure => file
  

• Cfssl::Cert[discovery2026__thanos-query_discovery_wmnet_server]

  Parameters differences:

  --- Cfssl::Cert[discovery2026__thanos-query_discovery_wmnet_server].orig
  +++ Cfssl::Cert[discovery2026__thanos-query_discovery_wmnet_server]
  
  +    owner           => envoy
  +    group           => envoy
  +    notify          => Service[envoyproxy.service]
  +    environment     => ['GODEBUG=x509ignoreCN=0']
  +    key             => {'algo': 'ecdsa', 'size': 256}
  +    mode            => 0740
  +    ensure          => present
  +    outdir          => /etc/envoy/ssl
  +    label           => discovery2026
  +    hosts           => ['thanos-query', 'thanos-query.svc.eqiad.wmnet', 'thanos-query.discovery.wmnet', 'thanos.wikimedia.org']
  +    notify_services => []
  +    names           => []
  +    auto_renew      => True
  +    profile         => server
  +    common_name     => thanos-query.discovery.wmnet
  +    provide_chain   => True
  +    require         => Package[envoyproxy]
  +    before_services => []
  +    renew_seconds   => 952200
  +    before          => Exec[verify-envoy-config]
  

• Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server]

  Parameters differences:

  --- Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server].orig
  +++ Exec[Generate cert discovery2026__thanos-query_discovery_wmnet_server]
  
  +    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr]
  +    environment => ['GODEBUG=x509ignoreCN=0']
  +    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server-key.pem 2>&1)"
  
  +    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/titan1002.eqiad.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__thanos-query_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server
  
  

• File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.csr]

  Parameters differences:

  --- File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.csr].orig
  +++ File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.csr]
  
  -    group  => envoy
  -    mode   => 0440
  -    ensure => file
  -    owner  => envoy
  

• Exec[create chained cert /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem]

  Parameters differences:

  --- Exec[create chained cert /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem].orig
  +++ Exec[create chained cert /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem]
  
  -    require   => Exec[Generate cert discovery__thanos-query_discovery_wmnet_server refresh on intermediate ca change]
  -    subscribe => ['Exec[renew certificate - discovery__thanos-query_discovery_wmnet_server]', 'File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem]', 'File[/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.pem]']
  -    unless    => /usr/bin/test "$(/bin/cat /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.pem /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem | sha512sum)" == "$(/bin/cat /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chained.pem | sha512sum)"
  
  -    command   => /bin/cat /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.pem /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chain.pem > /etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chained.pem
  

• Envoyproxy::Tls_terminator[443]

  Parameters differences:

  --- Envoyproxy::Tls_terminator[443].orig
  +++ Envoyproxy::Tls_terminator[443]
  
  @@
  -    global_certs => [{'cert_path': '/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery__thanos-query_discovery_wmnet_server-key.pem'}]
  +    global_certs => [{'cert_path': '/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server.chained.pem', 'key_path': '/etc/envoy/ssl/discovery2026__thanos-query_discovery_wmnet_server-key.pem'}]
  

Relevant files

• Production catalog
• Change catalog
• Production errors/warnings
• Change errors/warnings
• Core Diff
• Standard Diff