{"host": "pki-root1001.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 3051, "only_in_self": ["Cfssl::Cert[discovery]", "Cfssl::Csr[/etc/cfssl/csr/discovery.csr]", "Exec[Generate cert discovery refresh]", "Exec[Generate cert discovery]", "Exec[renew certificate - discovery]", "File[/etc/cfssl/csr/discovery.csr]", "File[/etc/cfssl/ssl/discovery/discovery-key.pem]", "File[/etc/cfssl/ssl/discovery/discovery.csr]", "File[/etc/cfssl/ssl/discovery/discovery.pem]", "File[/etc/cfssl/ssl/discovery]"], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/cfssl/ssl/discovery]", "parameters": "--- File[/etc/cfssl/ssl/discovery].orig\n+++ File[/etc/cfssl/ssl/discovery]\n\n-    group   => root\n-    recurse => True\n-    owner   => root\n-    ensure  => directory\n-    mode    => 0740\n"}, {"resource": "Cfssl::Cert[discovery]", "parameters": "--- Cfssl::Cert[discovery].orig\n+++ Cfssl::Cert[discovery]\n\n-    profile         => intermediate\n-    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n-    provide_chain   => False\n-    notify_services => []\n-    group           => root\n-    owner           => root\n-    before_services => []\n-    hosts           => []\n-    common_name     => discovery\n-    key             => {'algo': 'ecdsa', 'size': 521}\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n-    mode            => 0740\n-    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    ensure          => present\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/discovery.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/discovery.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/discovery.csr]\n\n-    common_name => discovery\n-    hosts       => []\n-    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 521}\n"}, {"resource": "File[/etc/cfssl/csr/discovery.csr]", "content": "--- /etc/cfssl/csr/discovery.csr.orig\n+++ /etc/cfssl/csr/discovery.csr\n@@ -1,19 +0,0 @@\n-{\n-  \"CN\": \"discovery\",\n-  \"hosts\": [\n-    \"discovery\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 521\n-  },\n-  \"names\": [\n-    {\n-      \"C\": \"US\",\n-      \"L\": \"San Francisco\",\n-      \"O\": \"Wikimedia Foundation, Inc\",\n-      \"OU\": \"SRE Foundations\",\n-      \"S\": \"California\"\n-    }\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/discovery.csr].orig\n+++ File[/etc/cfssl/csr/discovery.csr]\n\n-    group  => root\n-    owner  => root\n-    ensure => file\n-    mode   => 0400\n"}, {"resource": "Exec[renew certificate - discovery]", "parameters": "--- Exec[renew certificate - discovery].orig\n+++ Exec[renew certificate - discovery]\n\n-    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/discovery/discovery.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/discovery/discovery\n\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/discovery/discovery.pem -checkend 952200\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    require     => Exec[Generate cert discovery]\n"}, {"resource": "File[/etc/cfssl/ssl/discovery/discovery.pem]", "parameters": "--- File[/etc/cfssl/ssl/discovery/discovery.pem].orig\n+++ File[/etc/cfssl/ssl/discovery/discovery.pem]\n\n-    group  => root\n-    owner  => root\n-    ensure => file\n-    mode   => 0440\n"}, {"resource": "Exec[Generate cert discovery refresh]", "parameters": "--- Exec[Generate cert discovery refresh].orig\n+++ Exec[Generate cert discovery refresh]\n\n-    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/discovery.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/discovery/discovery\n\n-    subscribe   => File[/etc/cfssl/csr/discovery.csr]\n-    refreshonly => True\n-    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "File[/etc/cfssl/ssl/discovery/discovery.csr]", "parameters": "--- File[/etc/cfssl/ssl/discovery/discovery.csr].orig\n+++ File[/etc/cfssl/ssl/discovery/discovery.csr]\n\n-    group  => root\n-    owner  => root\n-    ensure => file\n-    mode   => 0440\n"}, {"resource": "File[/etc/cfssl/ssl/discovery/discovery-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/discovery/discovery-key.pem].orig\n+++ File[/etc/cfssl/ssl/discovery/discovery-key.pem]\n\n-    group     => root\n-    owner     => root\n-    backup    => False\n-    ensure    => file\n-    show_diff => False\n-    mode      => 0440\n"}, {"resource": "Class[Profile::Pki::Root_ca]", "parameters": "--- Class[Profile::Pki::Root_ca].orig\n+++ Class[Profile::Pki::Root_ca]\n\n@@\n-    intermediates => ['debmonitor', 'discovery', 'discovery2026', 'kafka', 'cloud_wmnet_ca', 'etcd', 'wikikube', 'wikikube_front_proxy', 'wikikube_staging', 'wikikube_staging_front_proxy', 'mlserve', 'mlserve_front_proxy', 'mlserve_staging', 'mlserve_staging_front_proxy', 'aux', 'aux_front_proxy', 'dse', 'dse_front_proxy', 'cassandra', 'puppet', 'network_devices', 'syslog', 'zuul']\n+    intermediates => ['debmonitor', 'discovery2026', 'kafka', 'cloud_wmnet_ca', 'etcd', 'wikikube', 'wikikube_front_proxy', 'wikikube_staging', 'wikikube_staging_front_proxy', 'mlserve', 'mlserve_front_proxy', 'mlserve_staging', 'mlserve_staging_front_proxy', 'aux', 'aux_front_proxy', 'dse', 'dse_front_proxy', 'cassandra', 'puppet', 'network_devices', 'syslog', 'zuul']\n"}, {"resource": "Exec[Generate cert discovery]", "parameters": "--- Exec[Generate cert discovery].orig\n+++ Exec[Generate cert discovery]\n\n-    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/discovery.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/discovery/discovery\n\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/discovery/discovery.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/discovery/discovery-key.pem 2>&1)\"\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    require     => Cfssl::Csr[/etc/cfssl/csr/discovery.csr]\n"}], "perc_changed": "0.69%"}, "core": {"total": 3051, "only_in_self": ["Exec[Generate cert discovery refresh]", "Exec[Generate cert discovery]", "Exec[renew certificate - discovery]", "File[/etc/cfssl/csr/discovery.csr]", "File[/etc/cfssl/ssl/discovery/discovery-key.pem]", "File[/etc/cfssl/ssl/discovery/discovery.csr]", "File[/etc/cfssl/ssl/discovery/discovery.pem]", "File[/etc/cfssl/ssl/discovery]"], "only_in_other": [], "resource_diffs": [], "perc_changed": "0.26%"}, "main": {"total": 3051, "only_in_self": ["Cfssl::Cert[discovery]", "Cfssl::Csr[/etc/cfssl/csr/discovery.csr]", "Exec[Generate cert discovery refresh]", "Exec[Generate cert discovery]", "Exec[renew certificate - discovery]", "File[/etc/cfssl/csr/discovery.csr]", "File[/etc/cfssl/ssl/discovery/discovery-key.pem]", "File[/etc/cfssl/ssl/discovery/discovery.csr]", "File[/etc/cfssl/ssl/discovery/discovery.pem]", "File[/etc/cfssl/ssl/discovery]"], "only_in_other": [], "resource_diffs": [{"resource": "Class[Profile::Pki::Root_ca]", "parameters": "--- Class[Profile::Pki::Root_ca].orig\n+++ Class[Profile::Pki::Root_ca]\n\n@@\n-    intermediates => ['debmonitor', 'discovery', 'discovery2026', 'kafka', 'cloud_wmnet_ca', 'etcd', 'wikikube', 'wikikube_front_proxy', 'wikikube_staging', 'wikikube_staging_front_proxy', 'mlserve', 'mlserve_front_proxy', 'mlserve_staging', 'mlserve_staging_front_proxy', 'aux', 'aux_front_proxy', 'dse', 'dse_front_proxy', 'cassandra', 'puppet', 'network_devices', 'syslog', 'zuul']\n+    intermediates => ['debmonitor', 'discovery2026', 'kafka', 'cloud_wmnet_ca', 'etcd', 'wikikube', 'wikikube_front_proxy', 'wikikube_staging', 'wikikube_staging_front_proxy', 'mlserve', 'mlserve_front_proxy', 'mlserve_staging', 'mlserve_staging_front_proxy', 'aux', 'aux_front_proxy', 'dse', 'dse_front_proxy', 'cassandra', 'puppet', 'network_devices', 'syslog', 'zuul']\n"}], "perc_changed": "0.36%"}}}