Compilation results for pki1001.eqiad.wmnet: System changes detected

You can retrieve this result from host.json.

Catalog differences

Summary

Total Resources:	4897
Resources added:	0
Resources removed:	84
Resources modified:	90
Change percentage:	3.55%

Resources only in the old catalog

Nrpe::Check[check_check_certificate_expiry_discovery]
Profile::Pki::Multirootca::Monitoring[discovery]
Monitoring::Service[check_certificate_expiry_discovery]
Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]
Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]
File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]
Sudo::User[nrpe-check_check_certificate_expiry_discovery]
Prometheus::Blackbox::Check::Http[PKI_discovery]
Systemd::Unit[cfssl-ocsprefresh-discovery.timer]
File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]
Systemd::Unit[cfssl-ocspserve@discovery]
File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]
Service[cfssl-ocspserve@discovery]
Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]
File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]
Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]
File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]
File[/etc/sudoers.d/nrpe_certificate_check_discovery]
Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]
Nrpe::Monitor_service[check_certificate_expiry_discovery]
Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]
Systemd::Timer[cfssl-ocsprefresh-discovery]
Cfssl::Signer[discovery]
Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]
Systemd::Timer::Job[cfssl-ocsprefresh-discovery]
File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]
File[/var/log/cfssl-ocsprefresh-discovery]
Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]
File[/etc/cfssl/ocsp/discovery.ocsp]
Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]
File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]
Logrotate::Conf[cfssl-ocsprefresh-discovery]
File[/etc/cfssl/signers/discovery/ca/discovery.pem]
Cfssl::Config[discovery]
File[/srv/cfssl/bundles/discovery.pem]
Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]
Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]
Systemd::Syslog[cfssl-ocsprefresh-discovery]
Service[cfssl-ocsprefresh-discovery.timer]
Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]
Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]
Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]
File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]
Systemd::Service[cfssl-ocspserve@discovery]
File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]
Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]
Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]
Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]
File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]
File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]
File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]
File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]
File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]
Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]
File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]
Systemd::Service[cfssl-ocsprefresh-discovery]
File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]
File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]
Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]
Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]
File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]
Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]
Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]
File[/lib/systemd/system/cfssl-ocspserve@discovery.service]
Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]
Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]
File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]
Cfssl::Ocsp[discovery]
File[/etc/cfssl/signers/discovery/cfssl.conf]
File[/etc/cfssl/signers/discovery/ca]
Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]
Exec[Generate initial CRL for discovery]
File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]
File[/etc/cfssl/signers/discovery]
File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]
Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]
Systemd::Unit[cfssl-ocsprefresh-discovery.service]
Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]
Rsyslog::Conf[cfssl-ocsprefresh-discovery]
Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]
Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]
Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]
Sudo::User[nrpe_certificate_check_discovery]
Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]

Resources modified

Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]

Parameters differences:

--- Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer].orig
+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]

-    restart           => False
-    override          => False
-    override_filename => puppet-override.conf
-    unit              => prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer
-    ensure            => present
-    require           => ['Class[Systemd]']

File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem].orig
+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]

-    group     => root
-    owner     => root
-    backup    => False
-    ensure    => file
-    show_diff => False
-    mode      => 0440

Systemd::Unit[cfssl-ocsprefresh-discovery.timer]

Parameters differences:

--- Systemd::Unit[cfssl-ocsprefresh-discovery.timer].orig
+++ Systemd::Unit[cfssl-ocsprefresh-discovery.timer]

-    restart           => False
-    override          => False
-    override_filename => puppet-override.conf
-    unit              => cfssl-ocsprefresh-discovery.timer
-    ensure            => present
-    require           => ['Class[Systemd]']

File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem].orig
+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]

-    group  => root
-    owner  => root
-    ensure => file
-    mode   => 0440

File[/etc/cfssl/signers/discovery/ca/discovery.pem]

Parameters differences:

--- File[/etc/cfssl/signers/discovery/ca/discovery.pem].orig
+++ File[/etc/cfssl/signers/discovery/ca/discovery.pem]

-    group  => root
-    notify => Service[cfssl-multirootca]
-    owner  => root
-    ensure => file
-    mode   => 0444

Content differences:

--- /etc/cfssl/signers/discovery/ca/discovery.pem.orig
+++ /etc/cfssl/signers/discovery/ca/discovery.pem
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDrDCCAw2gAwIBAgIUcVMxEVtp5xErDjx/jInOFcUaRjkwCgYIKoZIzj0EAwQw
-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j
-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu
-dGVybmFsX1Jvb3RfQ0EwHhcNMjEwNTA0MTM1NDAwWhcNMjYwNTAzMTM1NDAwWjB3
-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ
-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp
-b25zMRIwEAYDVQQDEwlkaXNjb3ZlcnkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
-BAG7X6lQ05D8EQYwPd+v2qT12Y35j/YQTaOEbAuKQJBshTdMizCxGe4GUB33Nivw
-3B0o9EcyCQokcUCUGtVlI3U0QQArB+LuehDTw7D5JKwOUK5GpSG5YlNL7Kg2c3gI
-wyck1+Z5yDMIsclW5FtaM1IIFeUIOXrulmih3zM4PPrVtP3Vh6OCAQwwggEIMA4G
-A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSJ76Rw
-5IjvCdxrdGkh4PHUL7PCBjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT
-NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292
-ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f
-BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt
-ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAeamwKAw
-q+lKC/GdcPuP2SOoyij0+LFWucrQwxxiCiXlMAhSnj3fkKk5G5pLoFnY2X7hB0w4
-ZPtLXG7If9pmIDjwAkIBwnJUYLz3dJTbZudeUJFX4yD49liKTYMPDpl/HWKSh9m4
-4PZKXsAIs4CT29jwwtmsLK1HkPB0ShO8Egm/KB5dLUs=
------END CERTIFICATE-----

Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]

Parameters differences:

--- Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service].orig
+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]

-    restart           => False
-    override          => False
-    override_filename => puppet-override.conf
-    unit              => prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service
-    ensure            => present
-    require           => ['Class[Systemd]']

Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]

Parameters differences:

--- Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet].orig
+++ Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]

-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet

-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem -checkend 952200
-    environment => ['GODEBUG=x509ignoreCN=0']
-    require     => Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]

Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]

Parameters differences:

--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery].orig
+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]

-    mode     => 0444
-    priority => 25
-    ensure   => absent

Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]

Parameters differences:

--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service].orig
+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]

-    restart           => False
-    override          => False
-    override_filename => puppet-override.conf
-    unit              => nrpe2nodexp-check_certificate_expiry_discovery.service
-    ensure            => absent
-    require           => ['Class[Systemd]']

Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

Parameters differences:

--- Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig
+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

-    splay              => 0
-    accuracy           => 15sec
-    unit_name          => prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service
-    ensure             => present
-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]
-    fixed_random_delay => False

Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]

Parameters differences:

--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)].orig
+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]

-    command     => /bin/systemctl daemon-reload
-    refreshonly => True

Class[Profile::Pki::Multirootca]

Parameters differences:

--- Class[Profile::Pki::Multirootca].orig
+++ Class[Profile::Pki::Multirootca]

@@
-    intermediates => {'debmonitor': {'ocsp_port': 10001}, 'discovery': {'ocsp_port': 10002, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'kafka': {'ocsp_port': 10003, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth'], 'profiles': {'kafka_11': {'expiry': '8760h'}}}, 'cloud_wmnet_ca': {'ocsp_port': 10004, 'default_usages': ['digital signature', 'key encipherment', 'server auth']}, 'etcd': {'ocsp_port': 10005, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'cassandra': {'ocsp_port': 10006, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'syslog': {'ocsp_port': 10007, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'puppet_rsa': {'ocsp_port': 10008, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'mtls': {'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'zuul': {'ocsp_port': 10009, 'default_usages': ['server auth', 'client auth']}, 'discovery2026': {'ocsp_port': 10010, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'wikikube': {'ocsp_port': 20010, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_front_proxy': {'ocsp_port': 20011}, 'wikikube_staging': {'ocsp_port': 20020, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_staging_front_proxy': {'ocsp_port': 20021, 'default_expiry': '72h'}, 'mlserve': {'ocsp_port': 20030, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_front_proxy': {'ocsp_port': 20031}, 'mlserve_staging': {'ocsp_port': 20040, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_staging_front_proxy': {'ocsp_port': 20041, 'default_expiry': '72h'}, 'aux': {'ocsp_port': 20050, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'aux_front_proxy': {'ocsp_port': 20051}, 'dse': {'ocsp_port': 20061, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'dse_front_proxy': {'ocsp_port': 20062}, 'network_devices': {'ocsp_port': 20063, 'default_expiry': '8760h', 'default_usages': ['digital signature', 'key encipherment', 'server auth']}}
+    intermediates => {'debmonitor': {'ocsp_port': 10001}, 'kafka': {'ocsp_port': 10003, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth'], 'profiles': {'kafka_11': {'expiry': '8760h'}}}, 'cloud_wmnet_ca': {'ocsp_port': 10004, 'default_usages': ['digital signature', 'key encipherment', 'server auth']}, 'etcd': {'ocsp_port': 10005, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'cassandra': {'ocsp_port': 10006, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'syslog': {'ocsp_port': 10007, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'puppet_rsa': {'ocsp_port': 10008, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'mtls': {'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'zuul': {'ocsp_port': 10009, 'default_usages': ['server auth', 'client auth']}, 'discovery2026': {'ocsp_port': 10010, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'wikikube': {'ocsp_port': 20010, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_front_proxy': {'ocsp_port': 20011}, 'wikikube_staging': {'ocsp_port': 20020, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_staging_front_proxy': {'ocsp_port': 20021, 'default_expiry': '72h'}, 'mlserve': {'ocsp_port': 20030, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_front_proxy': {'ocsp_port': 20031}, 'mlserve_staging': {'ocsp_port': 20040, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_staging_front_proxy': {'ocsp_port': 20041, 'default_expiry': '72h'}, 'aux': {'ocsp_port': 20050, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'aux_front_proxy': {'ocsp_port': 20051}, 'dse': {'ocsp_port': 20061, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'dse_front_proxy': {'ocsp_port': 20062}, 'network_devices': {'ocsp_port': 20063, 'default_expiry': '8760h', 'default_usages': ['digital signature', 'key encipherment', 'server auth']}}

Cfssl::Ocsp[discovery]

Parameters differences:

--- Cfssl::Ocsp[discovery].orig
+++ Cfssl::Ocsp[discovery]

-    ocsprefresh_update => True
-    db_driver          => mysql
-    listen_port        => 10002
-    refresh_interval   => 96h
-    common_name        => pki1001.eqiad.wmnet
-    listen_addr        => 127.0.0.1
-    additional_names   => []
-    ca_file            => /etc/cfssl/signers/discovery/ca/discovery.pem
-    db_conf_file       => /etc/cfssl/db.conf
-    log_level          => info

Profile::Pki::Multirootca::Monitoring[discovery]

Parameters differences:

--- Profile::Pki::Multirootca::Monitoring[discovery].orig
+++ Profile::Pki::Multirootca::Monitoring[discovery]

-    ca_file      => /etc/cfssl/signers/discovery/ca/discovery.pem
-    ensure       => present
-    vhost        => pki.discovery.wmnet
-    intermediate => discovery

Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]

Parameters differences:

--- Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh].orig
+++ Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]

-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery -profile ocsp /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet

-    subscribe   => File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]
-    refreshonly => True
-    environment => ['GODEBUG=x509ignoreCN=0']

File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]

Parameters differences:

--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf].orig
+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]

-    group  => root
-    notify => Service[rsyslog]
-    owner  => root
-    ensure => present
-    mode   => 0444

Content differences:

--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf.orig
+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf
@@ -1,10 +0,0 @@
-# rsyslog.conf(5) configuration file for services.
-# This file is managed by Puppet.
-if $programname startswith "prometheus-node-textfile-prometheus-check-discovery-certificate-expiry" then {
-    action(
-        type="omfile" file="/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry/syslog.log"
-        fileOwner="root" fileGroup="root"
-        fileCreateMode="0644"
-    )
-    & stop
-}

Nrpe::Check[check_check_certificate_expiry_discovery]

Parameters differences:

--- Nrpe::Check[check_check_certificate_expiry_discovery].orig
+++ Nrpe::Check[check_check_certificate_expiry_discovery]

-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem
-    ensure    => present
-    sudo_user => root
-    before    => Monitoring::Service[check_certificate_expiry_discovery]

Systemd::Timer::Job[cfssl-ocsprefresh-discovery]

Parameters differences:

--- Systemd::Timer::Job[cfssl-ocsprefresh-discovery].orig
+++ Systemd::Timer::Job[cfssl-ocsprefresh-discovery]

-    syslog_match_startswith   => True
-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/discovery/ca/discovery.pem --responses-file /etc/cfssl/ocsp/discovery.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@discovery' discovery 
-    syslog_force_stop         => True
-    send_mail_to              => root@pki1001.eqiad.wmnet
-    logfile_basedir           => /var/log
-    monitoring_contact_groups => admins
-    logfile_group             => root
-    logfile_name              => syslog.log
-    logging_enabled           => True
-    success_exit_status       => []
-    ignore_errors             => False
-    monitoring_enabled        => False
-    send_mail                 => False
-    environment               => {}
-    private_tmp               => False
-    fixed_random_delay        => False
-    send_mail_only_on_error   => True
-    description               => OCSP Refresh job - discovery
-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
-    ensure                    => present
-    user                      => root
-    logfile_perms             => all
-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}

Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]

Parameters differences:

--- Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)].orig
+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]

-    command     => /bin/systemctl daemon-reload
-    refreshonly => True

Sudo::User[nrpe-check_check_certificate_expiry_discovery]

Parameters differences:

--- Sudo::User[nrpe-check_check_certificate_expiry_discovery].orig
+++ Sudo::User[nrpe-check_check_certificate_expiry_discovery]

-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem']
-    user       => nagios
-    ensure     => present
-    tag        => nrpe::check
-    require    => ['Class[Sudo]']

Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]

Parameters differences:

--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery].orig
+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]

-    syslog_match_startswith   => True
-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash "38e4dbcfd07ed60daf5bb89397abbe29" --timeout 10 --check-command "check_check_certificate_expiry_discovery"
-    syslog_force_stop         => True
-    send_mail_to              => root@pki1001.eqiad.wmnet
-    logfile_basedir           => /var/log
-    splay                     => 60
-    group                     => prometheus-node-exporter
-    monitoring_contact_groups => admins
-    logfile_group             => root
-    logfile_name              => syslog.log
-    logging_enabled           => False
-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_discovery
-    success_exit_status       => []
-    ignore_errors             => True
-    monitoring_enabled        => False
-    send_mail                 => False
-    environment               => {}
-    fixed_random_delay        => True
-    private_tmp               => False
-    send_mail_only_on_error   => True
-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_discovery command.
-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
-    ensure                    => absent
-    user                      => nagios
-    logfile_perms             => all
-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]

File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]

Parameters differences:

--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service].orig
+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]

-    group  => root
-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]
-    owner  => root
-    ensure => present
-    mode   => 0444

Content differences:

--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service.orig
+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service
@@ -1,8 +0,0 @@
-[Unit]
-Description=Systemd timer to gather node metrics for prometheus-check-discovery-certificate-expiry
-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/usr/local/bin/prometheus-check-discovery-certificate-expiry --cert-path /etc/cfssl/signers/discovery/ca/discovery.pem --outfile /var/lib/prometheus/node.d/discovery_intermediate.prom

File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]

Parameters differences:

--- File[/etc/cfssl/signers/discovery/ca/discovery-key.pem].orig
+++ File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]

-    group     => root
-    notify    => Service[cfssl-multirootca]
-    owner     => root
-    ensure    => file
-    show_diff => False
-    mode      => 0400

Content differences:

--- /etc/cfssl/signers/discovery/ca/discovery-key.pem.orig
+++ /etc/cfssl/signers/discovery/ca/discovery-key.pem
@@ -1 +0,0 @@
-##### FAKE FOR PUPPET ######

File[/var/log/cfssl-ocsprefresh-discovery]

Parameters differences:

--- File[/var/log/cfssl-ocsprefresh-discovery].orig
+++ File[/var/log/cfssl-ocsprefresh-discovery]

-    group  => root
-    force  => True
-    owner  => root
-    backup => False
-    ensure => directory
-    mode   => 0755

File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]

Parameters differences:

--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer].orig
+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]

-    group  => root
-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]
-    owner  => root
-    ensure => present
-    mode   => 0444

Content differences:

--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer.orig
+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer
@@ -1,12 +0,0 @@
-[Unit]
-Description=Periodic execution of prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service
-
-[Timer]
-Unit=prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service
-# Accuracy sets the maximum time interval around the execution time we want to allow
-AccuracySec=15sec
-OnCalendar=daily
-RandomizedDelaySec=0
-
-[Install]
-WantedBy=multi-user.target

File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]

Parameters differences:

--- File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service].orig
+++ File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]

-    group  => root
-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]
-    owner  => root
-    ensure => present
-    mode   => 0444

Content differences:

--- /lib/systemd/system/cfssl-ocsprefresh-discovery.service.orig
+++ /lib/systemd/system/cfssl-ocsprefresh-discovery.service
@@ -1,8 +0,0 @@
-[Unit]
-Description=OCSP Refresh job - discovery
-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/discovery/ca/discovery.pem --responses-file /etc/cfssl/ocsp/discovery.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@discovery' discovery

File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]

Parameters differences:

--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg].orig
+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]

-    group   => root
-    notify  => Service[nagios-nrpe-server]
-    owner   => root
-    ensure  => present
-    tag     => nrpe::check
-    require => Package[nagios-nrpe-server]
-    mode    => 0444

Content differences:

--- /etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg.orig
+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg
@@ -1,2 +0,0 @@
-# File generated by puppet. DO NOT edit by hand
-command[check_check_certificate_expiry_discovery]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem

Httpd::Site[pki.discovery.wmnet]

File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr].orig
+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]

-    group  => root
-    owner  => root
-    ensure => file
-    mode   => 0440

Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

Parameters differences:

--- Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig
+++ Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

-    override                 => False
-    migration_task           => T407130
-    monitoring_enabled       => False
-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]
-    restart                  => False
-    service_params           => {}
-    unit_type                => timer
-    monitoring_contact_group => admins
-    monitoring_critical      => False
-    ensure                   => present

File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]

Parameters differences:

--- File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer].orig
+++ File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]

-    group  => root
-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]
-    owner  => root
-    ensure => present
-    mode   => 0444

Content differences:

--- /lib/systemd/system/cfssl-ocsprefresh-discovery.timer.orig
+++ /lib/systemd/system/cfssl-ocsprefresh-discovery.timer
@@ -1,13 +0,0 @@
-[Unit]
-Description=Periodic execution of cfssl-ocsprefresh-discovery.service
-
-[Timer]
-Unit=cfssl-ocsprefresh-discovery.service
-# Accuracy sets the maximum time interval around the execution time we want to allow
-AccuracySec=15sec
-OnUnitInactiveSec=1h
-OnActiveSec=1s
-RandomizedDelaySec=0
-
-[Install]
-WantedBy=multi-user.target

File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]

Parameters differences:

--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf].orig
+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]

-    group  => root
-    notify => Service[rsyslog]
-    owner  => root
-    ensure => present
-    mode   => 0444

Content differences:

--- /etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf.orig
+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf
@@ -1,10 +0,0 @@
-# rsyslog.conf(5) configuration file for services.
-# This file is managed by Puppet.
-if $programname startswith "cfssl-ocsprefresh-discovery" then {
-    action(
-        type="omfile" file="/var/log/cfssl-ocsprefresh-discovery/syslog.log"
-        fileOwner="root" fileGroup="root"
-        fileCreateMode="0644"
-    )
-    & stop
-}

File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

Parameters differences:

--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig
+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

-    group  => root
-    owner  => root
-    ensure => present
-    mode   => 0444

Content differences:

--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.orig
+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry
@@ -1,12 +0,0 @@
-# logrotate(8) config for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry
-
-/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry/*.log {
-    daily
-    copytruncate
-    missingok
-    compress
-    delaycompress
-    notifempty
-    rotate 15
-    size 256M
-}

File[/etc/cfssl/multiroot.conf]

Content differences:

--- /etc/cfssl/multiroot.conf.orig
+++ /etc/cfssl/multiroot.conf
@@ -2,12 +2,6 @@
 private = file:///etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem
 certificate = /etc/cfssl/signers/debmonitor/ca/debmonitor.pem
 config = /etc/cfssl/signers/debmonitor/cfssl.conf
-dbconfig = /etc/cfssl/db.conf
-
-[discovery]
-private = file:///etc/cfssl/signers/discovery/ca/discovery-key.pem
-certificate = /etc/cfssl/signers/discovery/ca/discovery.pem
-config = /etc/cfssl/signers/discovery/cfssl.conf
 dbconfig = /etc/cfssl/db.conf
 
 [kafka]

Systemd::Timer[cfssl-ocsprefresh-discovery]

Parameters differences:

--- Systemd::Timer[cfssl-ocsprefresh-discovery].orig
+++ Systemd::Timer[cfssl-ocsprefresh-discovery]

-    splay              => 0
-    accuracy           => 15sec
-    unit_name          => cfssl-ocsprefresh-discovery.service
-    ensure             => present
-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]
-    fixed_random_delay => False

Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]

Parameters differences:

--- Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry].orig
+++ Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]

-    user           => root
-    environment    => {}
-    extra_packages => []
-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']
-    run_cmd        => /usr/local/bin/prometheus-check-discovery-certificate-expiry --cert-path /etc/cfssl/signers/discovery/ca/discovery.pem --outfile /var/lib/prometheus/node.d/discovery_intermediate.prom
-    ensure         => present
-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py
-    interval       => daily

File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]

Parameters differences:

--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service].orig
+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]

-    group  => root
-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]
-    owner  => root
-    ensure => absent
-    mode   => 0444

Content differences:

--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service.orig
+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service
@@ -1,11 +0,0 @@
-[Unit]
-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_discovery command.
-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
-
-[Service]
-Type=oneshot
-User=nagios
-
-Group=prometheus-node-exporter
-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_discovery
-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash "38e4dbcfd07ed60daf5bb89397abbe29" --timeout 10 --check-command "check_check_certificate_expiry_discovery"

Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]

Parameters differences:

--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)].orig
+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]

-    command     => /bin/systemctl daemon-reload
-    refreshonly => True

Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)].orig
+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]

-    command     => /bin/systemctl daemon-reload
-    refreshonly => True
-    before      => ['Service[cfssl-ocsprefresh-discovery.timer]']

Logrotate::Conf[cfssl-ocsprefresh-discovery]

Parameters differences:

--- Logrotate::Conf[cfssl-ocsprefresh-discovery].orig
+++ Logrotate::Conf[cfssl-ocsprefresh-discovery]

-    ensure => present

Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)].orig
+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]

-    command     => /bin/systemctl daemon-reload
-    refreshonly => True

Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]

Parameters differences:

--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery].orig
+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]

-    contact_groups         => admins
-    is_volatile            => 0
-    check_period           => 24x7
-    max_check_attempts     => 3
-    check_interval         => 1
-    notification_options   => c,r,f
-    notification_period    => 24x7
-    check_freshness        => 0
-    notifications_enabled  => 1
-    service_description    => Check to ensure the signer certificate is valid CA: discovery
-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations
-    servicegroups          => pki_eqiad
-    retry_interval         => 1
-    notification_interval  => 0
-    check_command          => nrpe_check!check_check_certificate_expiry_discovery!10
-    active_checks_enabled  => 1
-    host_name              => pki1001
-    passive_checks_enabled => 1
-    ensure                 => present

Systemd::Unit[cfssl-ocspserve@discovery]

Parameters differences:

--- Systemd::Unit[cfssl-ocspserve@discovery].orig
+++ Systemd::Unit[cfssl-ocspserve@discovery]

-    restart           => True
-    override          => False
-    override_filename => puppet-override.conf
-    unit              => cfssl-ocspserve@discovery
-    ensure            => present
-    require           => ['Class[Systemd]']

Systemd::Service[cfssl-ocsprefresh-discovery]

Parameters differences:

--- Systemd::Service[cfssl-ocsprefresh-discovery].orig
+++ Systemd::Service[cfssl-ocsprefresh-discovery]

-    override                 => False
-    migration_task           => T407130
-    monitoring_enabled       => False
-    require                  => Systemd::Unit[cfssl-ocsprefresh-discovery.service]
-    restart                  => False
-    service_params           => {}
-    unit_type                => timer
-    monitoring_contact_group => admins
-    monitoring_critical      => False
-    ensure                   => present

Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]

Parameters differences:

--- Service[nrpe2nodexp-check_certificate_expiry_discovery.timer].orig
+++ Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]

-    ensure   => stopped
-    enable   => False
-    provider => systemd
-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]']

Httpd::Conf[pki.discovery.wmnet]

Cfssl::Config[discovery]

Parameters differences:

--- Cfssl::Config[discovery].orig
+++ Cfssl::Config[discovery]

-    notify              => Service[cfssl-multirootca]
-    default_crl_url     => http://pki.discovery.wmnet/crl/discovery
-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/discovery
-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}
-    default_expiry      => 672h
-    default_usages      => ['digital signature', 'key encipherment', 'server auth']
-    ensure              => present
-    remotes             => {}
-    path                => /etc/cfssl/signers/discovery/cfssl.conf
-    default_auth_key    => default_auth
-    default_auth_remote => {}
-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}

File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]

Parameters differences:

--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom].orig
+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]

-    group  => root
-    owner  => root
-    ensure => absent

File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]

Parameters differences:

--- File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr].orig
+++ File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]

-    group  => root
-    owner  => root
-    ensure => file
-    mode   => 0400

Content differences:

--- /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr.orig
+++ /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr
@@ -1,13 +0,0 @@
-{
-  "CN": "pki1001.eqiad.wmnet",
-  "hosts": [
-    "pki1001.eqiad.wmnet"
-  ],
-  "key": {
-    "algo": "ecdsa",
-    "size": 256
-  },
-  "names": [
-
-  ]
-}

Nrpe::Monitor_service[check_certificate_expiry_discovery]

Parameters differences:

--- Nrpe::Monitor_service[check_certificate_expiry_discovery].orig
+++ Nrpe::Monitor_service[check_certificate_expiry_discovery]

-    nrpe2nodexp_parse_perf_data => False
-    enable_nrpe2nodexp          => False
-    retries                     => 3
-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem
-    check_interval              => 1
-    contact_group               => admins
-    sudo_user                   => root
-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations
-    retry_interval              => 1
-    migration_task              => T350694
-    enable_icinga_check         => True
-    critical                    => False
-    description                 => Check to ensure the signer certificate is valid CA: discovery
-    ensure                      => present
-    alertmanager_team           => observability
-    timeout                     => 10

Systemd::Syslog[cfssl-ocsprefresh-discovery]

Parameters differences:

--- Systemd::Syslog[cfssl-ocsprefresh-discovery].orig
+++ Systemd::Syslog[cfssl-ocsprefresh-discovery]

-    readable_by            => all
-    programname_comparison => startswith
-    base_dir               => /var/log
-    force_stop             => True
-    group                  => root
-    owner                  => root
-    log_filename           => syslog.log
-    ensure                 => present

File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]

Parameters differences:

--- File[/usr/local/bin/prometheus-check-discovery-certificate-expiry].orig
+++ File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]

-    group  => root
-    owner  => root
-    source => puppet:///modules/prometheus/check_certificate_expiry.py
-    ensure => present
-    mode   => 0555

File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]

Parameters differences:

--- File[/etc/logrotate.d/cfssl-ocsprefresh-discovery].orig
+++ File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]

-    group  => root
-    owner  => root
-    ensure => present
-    mode   => 0444

Content differences:

--- /etc/logrotate.d/cfssl-ocsprefresh-discovery.orig
+++ /etc/logrotate.d/cfssl-ocsprefresh-discovery
@@ -1,12 +0,0 @@
-# logrotate(8) config for cfssl-ocsprefresh-discovery
-
-/var/log/cfssl-ocsprefresh-discovery/*.log {
-    daily
-    copytruncate
-    missingok
-    compress
-    delaycompress
-    notifempty
-    rotate 15
-    size 256M
-}

File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]

Parameters differences:

--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf].orig
+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]

-    group  => root
-    notify => Service[rsyslog]
-    owner  => root
-    ensure => absent
-    mode   => 0444

Content differences:

--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf.orig
+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf
@@ -1,10 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-if $programname contains "nrpe2nodexp-check_certificate_expiry_discovery" then {
-    if ($msg contains "\"ecs.version\": \"1.7.0\"") then {
-        # Send logs to kafka
-        set $.log_outputs = "kafka ecs_170 local";
-    } else {
-        # Filter out non-relevant nrpe2nodexp messages
-        stop
-    }
-}

Class[Cfssl::Multirootca]

Parameters differences:

--- Class[Cfssl::Multirootca].orig
+++ Class[Cfssl::Multirootca]

@@
-    signers => {'debmonitor': {'private': '/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem', 'certificate': '/etc/cfssl/signers/debmonitor/ca/debmonitor.pem', 'config': '/etc/cfssl/signers/debmonitor/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery': {'private': '/etc/cfssl/signers/discovery/ca/discovery-key.pem', 'certificate': '/etc/cfssl/signers/discovery/ca/discovery.pem', 'config': '/etc/cfssl/signers/discovery/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'kafka': {'private': '/etc/cfssl/signers/kafka/ca/kafka-key.pem', 'certificate': '/etc/cfssl/signers/kafka/ca/kafka.pem', 'config': '/etc/cfssl/signers/kafka/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cloud_wmnet_ca': {'private': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem', 'certificate': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem', 'config': '/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'etcd': {'private': '/etc/cfssl/signers/etcd/ca/etcd-key.pem', 'certificate': '/etc/cfssl/signers/etcd/ca/etcd.pem', 'config': '/etc/cfssl/signers/etcd/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cassandra': {'private': '/etc/cfssl/signers/cassandra/ca/cassandra-key.pem', 'certificate': '/etc/cfssl/signers/cassandra/ca/cassandra.pem', 'config': '/etc/cfssl/signers/cassandra/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'syslog': {'private': '/etc/cfssl/signers/syslog/ca/syslog-key.pem', 'certificate': '/etc/cfssl/signers/syslog/ca/syslog.pem', 'config': '/etc/cfssl/signers/syslog/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'puppet_rsa': {'private': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem', 'certificate': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem', 'config': '/etc/cfssl/signers/puppet_rsa/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'zuul': {'private': '/etc/cfssl/signers/zuul/ca/zuul-key.pem', 'certificate': '/etc/cfssl/signers/zuul/ca/zuul.pem', 'config': '/etc/cfssl/signers/zuul/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery2026': {'private': '/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem', 'certificate': '/etc/cfssl/signers/discovery2026/ca/discovery2026.pem', 'config': '/etc/cfssl/signers/discovery2026/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube': {'private': '/etc/cfssl/signers/wikikube/ca/wikikube-key.pem', 'certificate': '/etc/cfssl/signers/wikikube/ca/wikikube.pem', 'config': '/etc/cfssl/signers/wikikube/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_front_proxy': {'private': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging': {'private': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem', 'config': '/etc/cfssl/signers/wikikube_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging_front_proxy': {'private': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve': {'private': '/etc/cfssl/signers/mlserve/ca/mlserve-key.pem', 'certificate': '/etc/cfssl/signers/mlserve/ca/mlserve.pem', 'config': '/etc/cfssl/signers/mlserve/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_front_proxy': {'private': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging': {'private': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem', 'config': '/etc/cfssl/signers/mlserve_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging_front_proxy': {'private': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux': {'private': '/etc/cfssl/signers/aux/ca/aux-key.pem', 'certificate': '/etc/cfssl/signers/aux/ca/aux.pem', 'config': '/etc/cfssl/signers/aux/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux_front_proxy': {'private': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem', 'config': '/etc/cfssl/signers/aux_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse': {'private': '/etc/cfssl/signers/dse/ca/dse-key.pem', 'certificate': '/etc/cfssl/signers/dse/ca/dse.pem', 'config': '/etc/cfssl/signers/dse/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse_front_proxy': {'private': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem', 'config': '/etc/cfssl/signers/dse_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'network_devices': {'private': '/etc/cfssl/signers/network_devices/ca/network_devices-key.pem', 'certificate': '/etc/cfssl/signers/network_devices/ca/network_devices.pem', 'config': '/etc/cfssl/signers/network_devices/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}}
+    signers => {'debmonitor': {'private': '/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem', 'certificate': '/etc/cfssl/signers/debmonitor/ca/debmonitor.pem', 'config': '/etc/cfssl/signers/debmonitor/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'kafka': {'private': '/etc/cfssl/signers/kafka/ca/kafka-key.pem', 'certificate': '/etc/cfssl/signers/kafka/ca/kafka.pem', 'config': '/etc/cfssl/signers/kafka/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cloud_wmnet_ca': {'private': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem', 'certificate': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem', 'config': '/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'etcd': {'private': '/etc/cfssl/signers/etcd/ca/etcd-key.pem', 'certificate': '/etc/cfssl/signers/etcd/ca/etcd.pem', 'config': '/etc/cfssl/signers/etcd/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cassandra': {'private': '/etc/cfssl/signers/cassandra/ca/cassandra-key.pem', 'certificate': '/etc/cfssl/signers/cassandra/ca/cassandra.pem', 'config': '/etc/cfssl/signers/cassandra/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'syslog': {'private': '/etc/cfssl/signers/syslog/ca/syslog-key.pem', 'certificate': '/etc/cfssl/signers/syslog/ca/syslog.pem', 'config': '/etc/cfssl/signers/syslog/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'puppet_rsa': {'private': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem', 'certificate': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem', 'config': '/etc/cfssl/signers/puppet_rsa/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'zuul': {'private': '/etc/cfssl/signers/zuul/ca/zuul-key.pem', 'certificate': '/etc/cfssl/signers/zuul/ca/zuul.pem', 'config': '/etc/cfssl/signers/zuul/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery2026': {'private': '/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem', 'certificate': '/etc/cfssl/signers/discovery2026/ca/discovery2026.pem', 'config': '/etc/cfssl/signers/discovery2026/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube': {'private': '/etc/cfssl/signers/wikikube/ca/wikikube-key.pem', 'certificate': '/etc/cfssl/signers/wikikube/ca/wikikube.pem', 'config': '/etc/cfssl/signers/wikikube/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_front_proxy': {'private': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging': {'private': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem', 'config': '/etc/cfssl/signers/wikikube_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging_front_proxy': {'private': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve': {'private': '/etc/cfssl/signers/mlserve/ca/mlserve-key.pem', 'certificate': '/etc/cfssl/signers/mlserve/ca/mlserve.pem', 'config': '/etc/cfssl/signers/mlserve/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_front_proxy': {'private': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging': {'private': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem', 'config': '/etc/cfssl/signers/mlserve_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging_front_proxy': {'private': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux': {'private': '/etc/cfssl/signers/aux/ca/aux-key.pem', 'certificate': '/etc/cfssl/signers/aux/ca/aux.pem', 'config': '/etc/cfssl/signers/aux/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux_front_proxy': {'private': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem', 'config': '/etc/cfssl/signers/aux_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse': {'private': '/etc/cfssl/signers/dse/ca/dse-key.pem', 'certificate': '/etc/cfssl/signers/dse/ca/dse.pem', 'config': '/etc/cfssl/signers/dse/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse_front_proxy': {'private': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem', 'config': '/etc/cfssl/signers/dse_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'network_devices': {'private': '/etc/cfssl/signers/network_devices/ca/network_devices-key.pem', 'certificate': '/etc/cfssl/signers/network_devices/ca/network_devices.pem', 'config': '/etc/cfssl/signers/network_devices/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}}

Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]

Parameters differences:

--- Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29].orig
+++ Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]

-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations
-    for                => 3m
-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_discovery))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))
-    severity           => info
-    dashboard          => TODO
-    instance           => ops
-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: discovery
-    group              => nrpechecks
-    expr               => (nagios_nrpe_check_result{alert_rule_hash="38e4dbcfd07ed60daf5bb89397abbe29",check_name="check_check_certificate_expiry_discovery", status=~"(WARNING|CRITICAL)", severity=~"(warning|critical)"} > 0) * on (instance) group_left (team) role_owner
-    site               => eqiad
-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: discovery
-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__discovery
-    def_label_whitelst => ['team', 'severity']
-    team               => observability
-    ensure             => absent

Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

Parameters differences:

--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig
+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

-    priority => 40
-    ensure   => present
-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]
-    mode     => 0444

File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]

Parameters differences:

--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer].orig
+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]

-    group  => root
-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]
-    owner  => root
-    ensure => absent
-    mode   => 0444

Content differences:

--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer.orig
+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer
@@ -1,14 +0,0 @@
-[Unit]
-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_discovery.service
-
-[Timer]
-Unit=nrpe2nodexp-check_certificate_expiry_discovery.service
-# Accuracy sets the maximum time interval around the execution time we want to allow
-AccuracySec=15sec
-OnUnitInactiveSec=1min
-OnActiveSec=1s
-RandomizedDelaySec=60
-FixedRandomDelay=true
-
-[Install]
-WantedBy=multi-user.target

Monitoring::Service[check_certificate_expiry_discovery]

Parameters differences:

--- Monitoring::Service[check_certificate_expiry_discovery].orig
+++ Monitoring::Service[check_certificate_expiry_discovery]

-    retry_interval => 1
-    migration_task => T350694
-    check_command  => nrpe_check!check_check_certificate_expiry_discovery!10
-    passive        => False
-    retries        => 3
-    freshness      => 36000
-    critical       => False
-    check_interval => 1
-    description    => Check to ensure the signer certificate is valid CA: discovery
-    contact_group  => admins
-    config_dir     => /etc/nagios
-    ensure         => present
-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations
-    host           => pki1001

File[/srv/cfssl/bundles/discovery.pem]

Parameters differences:

--- File[/srv/cfssl/bundles/discovery.pem].orig
+++ File[/srv/cfssl/bundles/discovery.pem]

-    group  => root
-    owner  => root
-    ensure => file
-    mode   => 0444

Content differences:

--- /srv/cfssl/bundles/discovery.pem.orig
+++ /srv/cfssl/bundles/discovery.pem
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDrDCCAw2gAwIBAgIUcVMxEVtp5xErDjx/jInOFcUaRjkwCgYIKoZIzj0EAwQw
-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j
-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu
-dGVybmFsX1Jvb3RfQ0EwHhcNMjEwNTA0MTM1NDAwWhcNMjYwNTAzMTM1NDAwWjB3
-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ
-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp
-b25zMRIwEAYDVQQDEwlkaXNjb3ZlcnkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
-BAG7X6lQ05D8EQYwPd+v2qT12Y35j/YQTaOEbAuKQJBshTdMizCxGe4GUB33Nivw
-3B0o9EcyCQokcUCUGtVlI3U0QQArB+LuehDTw7D5JKwOUK5GpSG5YlNL7Kg2c3gI
-wyck1+Z5yDMIsclW5FtaM1IIFeUIOXrulmih3zM4PPrVtP3Vh6OCAQwwggEIMA4G
-A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSJ76Rw
-5IjvCdxrdGkh4PHUL7PCBjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT
-NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292
-ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f
-BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt
-ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAeamwKAw
-q+lKC/GdcPuP2SOoyij0+LFWucrQwxxiCiXlMAhSnj3fkKk5G5pLoFnY2X7hB0w4
-ZPtLXG7If9pmIDjwAkIBwnJUYLz3dJTbZudeUJFX4yD49liKTYMPDpl/HWKSh9m4
-4PZKXsAIs4CT29jwwtmsLK1HkPB0ShO8Egm/KB5dLUs=
------END CERTIFICATE-----

Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]

Parameters differences:

--- Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet].orig
+++ Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]

-    notify          => Service[cfssl-ocspserve@discovery]
-    profile         => ocsp
-    names           => []
-    provide_chain   => False
-    notify_services => []
-    group           => root
-    owner           => root
-    label           => discovery
-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem
-    before_services => []
-    hosts           => []
-    common_name     => pki1001.eqiad.wmnet
-    key             => {'algo': 'ecdsa', 'size': 256}
-    environment     => ['GODEBUG=x509ignoreCN=0']
-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-discovery]
-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}
-    mode            => 0740
-    auto_renew      => True
-    renew_seconds   => 952200
-    outdir          => /etc/cfssl/ssl/ocsp
-    ensure          => present
-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem

Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]

Parameters differences:

--- Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer].orig
+++ Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]

-    ensure   => running
-    enable   => True
-    provider => systemd

Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]

Parameters differences:

--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery].orig
+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]

-    override                 => False
-    migration_task           => T407130
-    monitoring_enabled       => False
-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]
-    restart                  => False
-    service_params           => {}
-    unit_type                => timer
-    monitoring_contact_group => admins
-    monitoring_critical      => False
-    ensure                   => absent

File[/lib/systemd/system/cfssl-ocspserve@discovery.service]

Parameters differences:

--- File[/lib/systemd/system/cfssl-ocspserve@discovery.service].orig
+++ File[/lib/systemd/system/cfssl-ocspserve@discovery.service]

-    group  => root
-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]
-    owner  => root
-    ensure => present
-    mode   => 0444

Content differences:

--- /lib/systemd/system/cfssl-ocspserve@discovery.service.orig
+++ /lib/systemd/system/cfssl-ocspserve@discovery.service
@@ -1,15 +0,0 @@
-[Unit]
-Description=Cloudflare SSL OCSP Responder (discovery)
-After=network.target remote-fs.target nss-lookup.target
-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc
-
-[Service]
-ExecStart=/usr/bin/cfssl ocspserve \
-          -address 127.0.0.1 \
-          -port 10002 \
-          -responses /etc/cfssl/ocsp/discovery.ocsp
-Restart=always
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-
-[Install]
-WantedBy=multi-user.target

Rsyslog::Conf[cfssl-ocsprefresh-discovery]

Parameters differences:

--- Rsyslog::Conf[cfssl-ocsprefresh-discovery].orig
+++ Rsyslog::Conf[cfssl-ocsprefresh-discovery]

-    priority => 40
-    ensure   => present
-    require  => File[/var/log/cfssl-ocsprefresh-discovery]
-    mode     => 0444

Sudo::User[nrpe_certificate_check_discovery]

Parameters differences:

--- Sudo::User[nrpe_certificate_check_discovery].orig
+++ Sudo::User[nrpe_certificate_check_discovery]

-    privileges => []
-    ensure     => absent
-    user       => nrpe_certificate_check_discovery
-    require    => ['Class[Sudo]']

File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]

Content differences:

--- /etc/apache2/sites-available/50-pki-discovery-wmnet.conf.orig
+++ /etc/apache2/sites-available/50-pki-discovery-wmnet.conf
@@ -24,9 +24,6 @@
   # debmonitor
   ProxyPass /ocsp/debmonitor  http://localhost:10001/
   ProxyPassReverse /ocsp/debmonitor  http://localhost:10001/
-  # discovery
-  ProxyPass /ocsp/discovery  http://localhost:10002/
-  ProxyPassReverse /ocsp/discovery  http://localhost:10002/
   # kafka
   ProxyPass /ocsp/kafka  http://localhost:10003/
   ProxyPassReverse /ocsp/kafka  http://localhost:10003/

Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)].orig
+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]

-    command     => /bin/systemctl daemon-reload
-    refreshonly => True
-    before      => ['Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]']

Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]

Parameters differences:

--- Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet].orig
+++ Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]

-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery -profile ocsp /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet

-    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem 2>&1)"

-    environment => ['GODEBUG=x509ignoreCN=0']
-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]

Prometheus::Blackbox::Check::Http[PKI_discovery]

Parameters differences:

--- Prometheus::Blackbox::Check::Http[PKI_discovery].orig
+++ Prometheus::Blackbox::Check::Http[PKI_discovery]

-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})
-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All
-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}
-    port                    => 443
-    ip6                     => 2620:0:861:101:10:64:0:10
-    header_matches          => []
-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire
-    site                    => eqiad
-    body_raw                => {"label":"discovery"}
-    req_headers             => {}
-    certificate_expiry_days => 10
-    status_matches          => []
-    force_tls               => False
-    ip4                     => 10.64.0.10
-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.
-    alert_after             => 2m
-    ip_families             => ['ip4', 'ip6']
-    severity                => critical
-    path                    => /api/v1/cfssl/info
-    body_regex_not_matches  => []
-    insecure_tls            => False
-    method                  => POST
-    follow_redirects        => False
-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}
-    body                    => {}
-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}
-    body_regex_matches      => ['"success":true']
-    server_name             => pki.discovery.wmnet
-    use_client_auth         => True
-    client_auth_cert        => /etc/prometheus/ssl/cert.pem
-    prometheus_instance     => ops
-    instance_label          => pki1001
-    header_not_matches      => []
-    team                    => sre
-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard
-    client_auth_key         => /etc/prometheus/ssl/server.key
-    timeout                 => 3s

Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]

Parameters differences:

--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer].orig
+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]

-    restart           => False
-    override          => False
-    override_filename => puppet-override.conf
-    unit              => nrpe2nodexp-check_certificate_expiry_discovery.timer
-    ensure            => absent
-    require           => ['Class[Systemd]']

Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

Parameters differences:

--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig
+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

-    syslog_match_startswith   => True
-    command                   => /usr/local/bin/prometheus-check-discovery-certificate-expiry --cert-path /etc/cfssl/signers/discovery/ca/discovery.pem --outfile /var/lib/prometheus/node.d/discovery_intermediate.prom
-    syslog_force_stop         => True
-    send_mail_to              => root@pki1001.eqiad.wmnet
-    logfile_basedir           => /var/log
-    monitoring_contact_groups => admins
-    logfile_group             => root
-    logfile_name              => syslog.log
-    logging_enabled           => True
-    success_exit_status       => []
-    ignore_errors             => False
-    monitoring_enabled        => False
-    send_mail                 => False
-    environment               => {}
-    private_tmp               => False
-    fixed_random_delay        => False
-    send_mail_only_on_error   => True
-    description               => Systemd timer to gather node metrics for prometheus-check-discovery-certificate-expiry
-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
-    ensure                    => present
-    user                      => root
-    logfile_perms             => all
-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}

File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

Parameters differences:

--- File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig
+++ File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

-    group  => root
-    force  => True
-    owner  => root
-    backup => False
-    ensure => directory
-    mode   => 0755

Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

Parameters differences:

--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig
+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

-    ensure => present

File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]

Parameters differences:

--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery].orig
+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]

-    group        => root
-    validate_cmd => /usr/sbin/visudo -cqf %
-    owner        => root
-    ensure       => present
-    require      => Package[nagios-nrpe-server]
-    mode         => 0440

Content differences:

--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery.orig
+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery
@@ -1,3 +0,0 @@
-# This file is managed by Puppet!
-
-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem

Exec[Generate initial CRL for discovery]

Parameters differences:

--- Exec[Generate initial CRL for discovery].orig
+++ Exec[Generate initial CRL for discovery]

-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/discovery/ca/discovery.pem /etc/cfssl/signers/discovery/ca/discovery-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/discovery
-    creates => /srv/cfssl/crl/discovery
-    path    => ['/usr/bin']
-    require => ['Package[golang-cfssl]']

Service[cfssl-ocsprefresh-discovery.timer]

Parameters differences:

--- Service[cfssl-ocsprefresh-discovery.timer].orig
+++ Service[cfssl-ocsprefresh-discovery.timer]

-    ensure   => running
-    enable   => True
-    provider => systemd

Service[cfssl-ocspserve@discovery]

Parameters differences:

--- Service[cfssl-ocspserve@discovery].orig
+++ Service[cfssl-ocspserve@discovery]

-    ensure => running
-    enable => True

Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

Parameters differences:

--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig
+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]

-    readable_by            => all
-    programname_comparison => startswith
-    base_dir               => /var/log
-    force_stop             => True
-    group                  => root
-    owner                  => root
-    log_filename           => syslog.log
-    ensure                 => present

File[/etc/cfssl/signers/discovery/cfssl.conf]

Parameters differences:

--- File[/etc/cfssl/signers/discovery/cfssl.conf].orig
+++ File[/etc/cfssl/signers/discovery/cfssl.conf]

-    group     => root
-    owner     => root
-    ensure    => present
-    show_diff => False
-    mode      => 0440

Content differences:

--- /etc/cfssl/signers/discovery/cfssl.conf.orig
+++ /etc/cfssl/signers/discovery/cfssl.conf
@@ -1,129 +0,0 @@
-{
-  "auth_keys": {
-    "default_auth": {
-      "key": "aaaabbbbccccdddd",
-      "type": "standard"
-    },
-    "k8s_staging": {
-      "key": "ddddccccbbbbaaaa",
-      "type": "standard"
-    },
-    "k8s_wikikube": {
-      "key": "ddddccccbbbbaaab",
-      "type": "standard"
-    },
-    "k8s_mlserve": {
-      "key": "bbbbccccddddaaaa",
-      "type": "standard"
-    },
-    "k8s_mlstaging": {
-      "key": "ccccbbbbaaaadddd",
-      "type": "standard"
-    },
-    "k8s_dse": {
-      "key": "bbbbaaaaddddcccc",
-      "type": "standard"
-    },
-    "k8s_aux": {
-      "key": "ffffffffffffffff",
-      "type": "standard"
-    }
-  },
-  "signing": {
-    "default": {
-      "auth_key": "default_auth",
-      "usages": [
-        "digital signature",
-        "key encipherment",
-        "server auth"
-      ],
-      "expiry": "672h",
-      "crl_url": "http://pki.discovery.wmnet/crl/discovery",
-      "ocsp_url": "http://pki.discovery.wmnet/ocsp/discovery"
-    },
-    "profiles": {
-      "ocsp": {
-        "auth_key": "default_auth",
-        "expiry": "43800h",
-        "usages": [
-          "digital signature",
-          "ocsp signing"
-        ]
-      },
-      "server": {
-        "auth_key": "default_auth",
-        "expiry": "672h",
-        "usages": [
-          "digital signature",
-          "key encipherment",
-          "server auth"
-        ]
-      },
-      "k8s_staging": {
-        "auth_key": "k8s_staging",
-        "expiry": "24h",
-        "usages": [
-          "digital signature",
-          "key encipherment",
-          "server auth"
-        ]
-      },
-      "k8s_wikikube": {
-        "auth_key": "k8s_wikikube",
-        "expiry": "672h",
-        "usages": [
-          "digital signature",
-          "key encipherment",
-          "server auth"
-        ]
-      },
-      "k8s_mlserve": {
-        "auth_key": "k8s_mlserve",
-        "expiry": "672h",
-        "usages": [
-          "digital signature",
-          "key encipherment",
-          "server auth"
-        ]
-      },
-      "k8s_mlstaging": {
-        "auth_key": "k8s_mlstaging",
-        "expiry": "24h",
-        "usages": [
-          "digital signature",
-          "key encipherment",
-          "server auth"
-        ]
-      },
-      "k8s_dse": {
-        "auth_key": "k8s_dse",
-        "expiry": "672h",
-        "usages": [
-          "digital signature",
-          "key encipherment",
-          "server auth",
-          "client auth"
-        ]
-      },
-      "k8s_dse_opensearch": {
-        "auth_key": "k8s_dse",
-        "expiry": "4380h",
-        "usages": [
-          "digital signature",
-          "key encipherment",
-          "server auth",
-          "client auth"
-        ]
-      },
-      "k8s_aux": {
-        "auth_key": "k8s_aux",
-        "expiry": "672h",
-        "usages": [
-          "digital signature",
-          "key encipherment",
-          "server auth"
-        ]
-      }
-    }
-  }
-}

Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]

-    common_name => pki1001.eqiad.wmnet
-    hosts       => []
-    names       => []
-    ensure      => present
-    key         => {'algo': 'ecdsa', 'size': 256}

Systemd::Unit[cfssl-ocsprefresh-discovery.service]

Parameters differences:

--- Systemd::Unit[cfssl-ocsprefresh-discovery.service].orig
+++ Systemd::Unit[cfssl-ocsprefresh-discovery.service]

-    restart           => False
-    override          => False
-    override_filename => puppet-override.conf
-    unit              => cfssl-ocsprefresh-discovery.service
-    ensure            => present
-    require           => ['Class[Systemd]']

File[/etc/sudoers.d/nrpe_certificate_check_discovery]

Parameters differences:

--- File[/etc/sudoers.d/nrpe_certificate_check_discovery].orig
+++ File[/etc/sudoers.d/nrpe_certificate_check_discovery]

-    group  => root
-    owner  => root
-    ensure => absent

File[/etc/cfssl/signers/discovery]

Parameters differences:

--- File[/etc/cfssl/signers/discovery].orig
+++ File[/etc/cfssl/signers/discovery]

-    group   => root
-    owner   => root
-    ensure  => directory
-    require => ['Package[golang-cfssl]']
-    mode    => 0550

Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]

Parameters differences:

--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery].orig
+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]

-    splay              => 60
-    accuracy           => 15sec
-    unit_name          => nrpe2nodexp-check_certificate_expiry_discovery.service
-    ensure             => absent
-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]
-    fixed_random_delay => True

Cfssl::Signer[discovery]

Parameters differences:

--- Cfssl::Signer[discovery].orig
+++ Cfssl::Signer[discovery]

-    serve_service    => cfssl-multirootca
-    db_driver        => sqlite3
-    default_crl_url  => http://pki.discovery.wmnet/crl/discovery
-    manage_services  => False
-    listen_port      => 8888
-    db_pass          => changeme
-    log_level        => info
-    serve_ensure     => absent
-    ca_cert_content  => -----BEGIN CERTIFICATE-----
MIIDrDCCAw2gAwIBAgIUcVMxEVtp5xErDjx/jInOFcUaRjkwCgYIKoZIzj0EAwQw
gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j
MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu
dGVybmFsX1Jvb3RfQ0EwHhcNMjEwNTA0MTM1NDAwWhcNMjYwNTAzMTM1NDAwWjB3
MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ
V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp
b25zMRIwEAYDVQQDEwlkaXNjb3ZlcnkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
BAG7X6lQ05D8EQYwPd+v2qT12Y35j/YQTaOEbAuKQJBshTdMizCxGe4GUB33Nivw
3B0o9EcyCQokcUCUGtVlI3U0QQArB+LuehDTw7D5JKwOUK5GpSG5YlNL7Kg2c3gI
wyck1+Z5yDMIsclW5FtaM1IIFeUIOXrulmih3zM4PPrVtP3Vh6OCAQwwggEIMA4G
A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSJ76Rw
5IjvCdxrdGkh4PHUL7PCBjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT
NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292
ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f
BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt
ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAeamwKAw
q+lKC/GdcPuP2SOoyij0+LFWucrQwxxiCiXlMAhSnj3fkKk5G5pLoFnY2X7hB0w4
ZPtLXG7If9pmIDjwAkIBwnJUYLz3dJTbZudeUJFX4yD49liKTYMPDpl/HWKSh9m4
4PZKXsAIs4CT29jwwtmsLK1HkPB0ShO8Egm/KB5dLUs=
-----END CERTIFICATE-----

-    ca_key_content   => ##### FAKE FOR PUPPET ######

-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/discovery
-    db_name          => cfssl
-    default_expiry   => 672h
-    listen_addr      => pki1001.eqiad.wmnet
-    default_usages   => ['digital signature', 'key encipherment', 'server auth']
-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}
-    db_host          => localhost
-    ca_file          => /etc/cfssl/signers/discovery/ca/discovery.pem
-    default_auth_key => default_auth
-    db_conf_file     => /etc/cfssl/db.conf
-    manage_db        => False
-    ca_key_file      => /etc/cfssl/signers/discovery/ca/discovery-key.pem
-    db_user          => cfssl
-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}

Systemd::Service[cfssl-ocspserve@discovery]

Parameters differences:

--- Systemd::Service[cfssl-ocspserve@discovery].orig
+++ Systemd::Service[cfssl-ocspserve@discovery]

-    override                 => False
-    migration_task           => T407130
-    monitoring_enabled       => False
-    restart                  => True
-    service_params           => {}
-    unit_type                => service
-    monitoring_contact_group => admins
-    monitoring_critical      => False
-    ensure                   => present

File[/etc/cfssl/signers/discovery/ca]

Parameters differences:

--- File[/etc/cfssl/signers/discovery/ca].orig
+++ File[/etc/cfssl/signers/discovery/ca]

-    group   => root
-    owner   => root
-    ensure  => directory
-    require => ['Package[golang-cfssl]']
-    mode    => 0550

File[/etc/cfssl/ocsp/discovery.ocsp]

Parameters differences:

--- File[/etc/cfssl/ocsp/discovery.ocsp].orig
+++ File[/etc/cfssl/ocsp/discovery.ocsp]

-    group  => root
-    owner  => root
-    ensure => file

Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]

Parameters differences:

--- Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)].orig
+++ Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]

-    command     => /bin/systemctl daemon-reload
-    notify      => ['Service[cfssl-ocspserve@discovery]']
-    refreshonly => True

Compilation results for pki1001.eqiad.wmnet: System changes detected

Catalog differences

Summary

Resources only in the old catalog

Resources modified

Relevant files