{"host": "pki1001.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 4897, "only_in_self": ["Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]", "Cfssl::Config[discovery]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "Cfssl::Ocsp[discovery]", "Cfssl::Signer[discovery]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[Generate initial CRL for discovery]", "Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]", "File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ocsp/discovery.ocsp]", "File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]", "File[/etc/cfssl/signers/discovery/ca/discovery.pem]", "File[/etc/cfssl/signers/discovery/ca]", "File[/etc/cfssl/signers/discovery/cfssl.conf]", "File[/etc/cfssl/signers/discovery]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]", "File[/lib/systemd/system/cfssl-ocspserve@discovery.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "File[/srv/cfssl/bundles/discovery.pem]", "File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]", "File[/var/log/cfssl-ocsprefresh-discovery]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Logrotate::Conf[cfssl-ocsprefresh-discovery]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]", "Monitoring::Service[check_certificate_expiry_discovery]", "Nrpe::Check[check_check_certificate_expiry_discovery]", "Nrpe::Monitor_service[check_certificate_expiry_discovery]", "Profile::Pki::Multirootca::Monitoring[discovery]", "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]", "Prometheus::Blackbox::Check::Http[PKI_discovery]", "Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]", "Rsyslog::Conf[cfssl-ocsprefresh-discovery]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Service[cfssl-ocsprefresh-discovery.timer]", "Service[cfssl-ocspserve@discovery]", "Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "Sudo::User[nrpe-check_check_certificate_expiry_discovery]", "Sudo::User[nrpe_certificate_check_discovery]", "Systemd::Service[cfssl-ocsprefresh-discovery]", "Systemd::Service[cfssl-ocspserve@discovery]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Syslog[cfssl-ocsprefresh-discovery]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Timer::Job[cfssl-ocsprefresh-discovery]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Timer[cfssl-ocsprefresh-discovery]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Unit[cfssl-ocsprefresh-discovery.service]", "Systemd::Unit[cfssl-ocsprefresh-discovery.timer]", "Systemd::Unit[cfssl-ocspserve@discovery]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]"], "only_in_other": [], "resource_diffs": [{"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]\n\n- restart => False\n- override => False\n- override_filename => puppet-override.conf\n- unit => prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer\n- ensure => present\n- require => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]\n\n- group => root\n- owner => root\n- backup => False\n- ensure => file\n- show_diff => False\n- mode => 0440\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-discovery.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-discovery.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-discovery.timer]\n\n- restart => False\n- override => False\n- override_filename => puppet-override.conf\n- unit => cfssl-ocsprefresh-discovery.timer\n- ensure => present\n- require => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]\n\n- group => root\n- owner => root\n- ensure => file\n- mode => 0440\n"}, {"resource": "File[/etc/cfssl/signers/discovery/ca/discovery.pem]", "content": "--- /etc/cfssl/signers/discovery/ca/discovery.pem.orig\n+++ /etc/cfssl/signers/discovery/ca/discovery.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrDCCAw2gAwIBAgIUcVMxEVtp5xErDjx/jInOFcUaRjkwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjEwNTA0MTM1NDAwWhcNMjYwNTAzMTM1NDAwWjB3\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRIwEAYDVQQDEwlkaXNjb3ZlcnkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\n-BAG7X6lQ05D8EQYwPd+v2qT12Y35j/YQTaOEbAuKQJBshTdMizCxGe4GUB33Nivw\n-3B0o9EcyCQokcUCUGtVlI3U0QQArB+LuehDTw7D5JKwOUK5GpSG5YlNL7Kg2c3gI\n-wyck1+Z5yDMIsclW5FtaM1IIFeUIOXrulmih3zM4PPrVtP3Vh6OCAQwwggEIMA4G\n-A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSJ76Rw\n-5IjvCdxrdGkh4PHUL7PCBjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\n-NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\n-BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\n-ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAeamwKAw\n-q+lKC/GdcPuP2SOoyij0+LFWucrQwxxiCiXlMAhSnj3fkKk5G5pLoFnY2X7hB0w4\n-ZPtLXG7If9pmIDjwAkIBwnJUYLz3dJTbZudeUJFX4yD49liKTYMPDpl/HWKSh9m4\n-4PZKXsAIs4CT29jwwtmsLK1HkPB0ShO8Egm/KB5dLUs=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/discovery/ca/discovery.pem].orig\n+++ File[/etc/cfssl/signers/discovery/ca/discovery.pem]\n\n- group => root\n- notify => Service[cfssl-multirootca]\n- owner => root\n- ensure => file\n- mode => 0444\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]\n\n- restart => False\n- override => False\n- override_filename => puppet-override.conf\n- unit => prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n- ensure => present\n- require => ['Class[Systemd]']\n"}, {"resource": "Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]\n\n- command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet\n\n- unless => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem -checkend 952200\n- environment => ['GODEBUG=x509ignoreCN=0']\n- require => Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]\n\n- mode => 0444\n- priority => 25\n- ensure => absent\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]\n\n- restart => False\n- override => False\n- override_filename => puppet-override.conf\n- unit => nrpe2nodexp-check_certificate_expiry_discovery.service\n- ensure => absent\n- require => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n- splay => 0\n- accuracy => 15sec\n- unit_name => prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n- ensure => present\n- timer_intervals => [{'start': 'OnCalendar', 'interval': 'daily'}]\n- fixed_random_delay => False\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]\n\n- command => /bin/systemctl daemon-reload\n- refreshonly => True\n"}, {"resource": "Class[Profile::Pki::Multirootca]", "parameters": "--- Class[Profile::Pki::Multirootca].orig\n+++ Class[Profile::Pki::Multirootca]\n\n@@\n- intermediates => {'debmonitor': {'ocsp_port': 10001}, 'discovery': {'ocsp_port': 10002, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'kafka': {'ocsp_port': 10003, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth'], 'profiles': {'kafka_11': {'expiry': '8760h'}}}, 'cloud_wmnet_ca': {'ocsp_port': 10004, 'default_usages': ['digital signature', 'key encipherment', 'server auth']}, 'etcd': {'ocsp_port': 10005, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'cassandra': {'ocsp_port': 10006, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'syslog': {'ocsp_port': 10007, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'puppet_rsa': {'ocsp_port': 10008, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'mtls': {'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'zuul': {'ocsp_port': 10009, 'default_usages': ['server auth', 'client auth']}, 'discovery2026': {'ocsp_port': 10010, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'wikikube': {'ocsp_port': 20010, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_front_proxy': {'ocsp_port': 20011}, 'wikikube_staging': {'ocsp_port': 20020, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_staging_front_proxy': {'ocsp_port': 20021, 'default_expiry': '72h'}, 'mlserve': {'ocsp_port': 20030, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_front_proxy': {'ocsp_port': 20031}, 'mlserve_staging': {'ocsp_port': 20040, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_staging_front_proxy': {'ocsp_port': 20041, 'default_expiry': '72h'}, 'aux': {'ocsp_port': 20050, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'aux_front_proxy': {'ocsp_port': 20051}, 'dse': {'ocsp_port': 20061, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'dse_front_proxy': {'ocsp_port': 20062}, 'network_devices': {'ocsp_port': 20063, 'default_expiry': '8760h', 'default_usages': ['digital signature', 'key encipherment', 'server auth']}}\n+ intermediates => {'debmonitor': {'ocsp_port': 10001}, 'kafka': {'ocsp_port': 10003, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth'], 'profiles': {'kafka_11': {'expiry': '8760h'}}}, 'cloud_wmnet_ca': {'ocsp_port': 10004, 'default_usages': ['digital signature', 'key encipherment', 'server auth']}, 'etcd': {'ocsp_port': 10005, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'cassandra': {'ocsp_port': 10006, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'syslog': {'ocsp_port': 10007, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'puppet_rsa': {'ocsp_port': 10008, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'mtls': {'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'zuul': {'ocsp_port': 10009, 'default_usages': ['server auth', 'client auth']}, 'discovery2026': {'ocsp_port': 10010, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'wikikube': {'ocsp_port': 20010, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_front_proxy': {'ocsp_port': 20011}, 'wikikube_staging': {'ocsp_port': 20020, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_staging_front_proxy': {'ocsp_port': 20021, 'default_expiry': '72h'}, 'mlserve': {'ocsp_port': 20030, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_front_proxy': {'ocsp_port': 20031}, 'mlserve_staging': {'ocsp_port': 20040, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_staging_front_proxy': {'ocsp_port': 20041, 'default_expiry': '72h'}, 'aux': {'ocsp_port': 20050, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'aux_front_proxy': {'ocsp_port': 20051}, 'dse': {'ocsp_port': 20061, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'dse_front_proxy': {'ocsp_port': 20062}, 'network_devices': {'ocsp_port': 20063, 'default_expiry': '8760h', 'default_usages': ['digital signature', 'key encipherment', 'server auth']}}\n"}, {"resource": "Cfssl::Ocsp[discovery]", "parameters": "--- Cfssl::Ocsp[discovery].orig\n+++ Cfssl::Ocsp[discovery]\n\n- ocsprefresh_update => True\n- db_driver => mysql\n- listen_port => 10002\n- refresh_interval => 96h\n- common_name => pki1001.eqiad.wmnet\n- listen_addr => 127.0.0.1\n- additional_names => []\n- ca_file => /etc/cfssl/signers/discovery/ca/discovery.pem\n- db_conf_file => /etc/cfssl/db.conf\n- log_level => info\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[discovery]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[discovery].orig\n+++ Profile::Pki::Multirootca::Monitoring[discovery]\n\n- ca_file => /etc/cfssl/signers/discovery/ca/discovery.pem\n- ensure => present\n- vhost => pki.discovery.wmnet\n- intermediate => discovery\n"}, {"resource": "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]\n\n- command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery -profile ocsp /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet\n\n- subscribe => File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n- refreshonly => True\n- environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-discovery-certificate-expiry\" then {\n- action(\n- type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry/syslog.log\"\n- fileOwner=\"root\" fileGroup=\"root\"\n- fileCreateMode=\"0644\"\n- )\n- & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]\n\n- group => root\n- notify => Service[rsyslog]\n- owner => root\n- ensure => present\n- mode => 0444\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_discovery]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_discovery].orig\n+++ Nrpe::Check[check_check_certificate_expiry_discovery]\n\n- command => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem\n- ensure => present\n- sudo_user => root\n- before => Monitoring::Service[check_certificate_expiry_discovery]\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-discovery]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-discovery].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-discovery]\n\n- syslog_match_startswith => True\n- command => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/discovery/ca/discovery.pem --responses-file /etc/cfssl/ocsp/discovery.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@discovery' discovery \n- syslog_force_stop => True\n- send_mail_to => root@pki1001.eqiad.wmnet\n- logfile_basedir => /var/log\n- monitoring_contact_groups => admins\n- logfile_group => root\n- logfile_name => syslog.log\n- logging_enabled => True\n- success_exit_status => []\n- ignore_errors => False\n- monitoring_enabled => False\n- send_mail => False\n- environment => {}\n- private_tmp => False\n- fixed_random_delay => False\n- send_mail_only_on_error => True\n- description => OCSP Refresh job - discovery\n- monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n- ensure => present\n- user => root\n- logfile_perms => all\n- interval => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]\n\n- command => /bin/systemctl daemon-reload\n- refreshonly => True\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_discovery]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_discovery].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_discovery]\n\n- privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem']\n- user => nagios\n- ensure => present\n- tag => nrpe::check\n- require => ['Class[Sudo]']\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]\n\n- syslog_match_startswith => True\n- command => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"38e4dbcfd07ed60daf5bb89397abbe29\" --timeout 10 --check-command \"check_check_certificate_expiry_discovery\"\n- syslog_force_stop => True\n- send_mail_to => root@pki1001.eqiad.wmnet\n- logfile_basedir => /var/log\n- splay => 60\n- group => prometheus-node-exporter\n- monitoring_contact_groups => admins\n- logfile_group => root\n- logfile_name => syslog.log\n- logging_enabled => False\n- syslog_identifier => nrpe2nodexp-check_certificate_expiry_discovery\n- success_exit_status => []\n- ignore_errors => True\n- monitoring_enabled => False\n- send_mail => False\n- environment => {}\n- fixed_random_delay => True\n- private_tmp => False\n- send_mail_only_on_error => True\n- description => execution of nrpe2nodexp for the check_check_certificate_expiry_discovery command.\n- monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n- ensure => absent\n- user => nagios\n- logfile_perms => all\n- interval => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-discovery-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-discovery-certificate-expiry --cert-path /etc/cfssl/signers/discovery/ca/discovery.pem --outfile /var/lib/prometheus/node.d/discovery_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]\n\n- group => root\n- notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]\n- owner => root\n- ensure => present\n- mode => 0444\n"}, {"resource": "File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]", "content": "--- /etc/cfssl/signers/discovery/ca/discovery-key.pem.orig\n+++ /etc/cfssl/signers/discovery/ca/discovery-key.pem\n@@ -1 +0,0 @@\n-##### FAKE FOR PUPPET ######", "parameters": "--- File[/etc/cfssl/signers/discovery/ca/discovery-key.pem].orig\n+++ File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]\n\n- group => root\n- notify => Service[cfssl-multirootca]\n- owner => root\n- ensure => file\n- show_diff => False\n- mode => 0400\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-discovery]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-discovery].orig\n+++ File[/var/log/cfssl-ocsprefresh-discovery]\n\n- group => root\n- force => True\n- owner => root\n- backup => False\n- ensure => directory\n- mode => 0755\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]\n\n- group => root\n- notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]\n- owner => root\n- ensure => present\n- mode => 0444\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-discovery.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-discovery.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - discovery\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/discovery/ca/discovery.pem --responses-file /etc/cfssl/ocsp/discovery.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@discovery' discovery ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]\n\n- group => root\n- notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]\n- owner => root\n- ensure => present\n- mode => 0444\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_discovery]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]\n\n- group => root\n- notify => Service[nagios-nrpe-server]\n- owner => root\n- ensure => present\n- tag => nrpe::check\n- require => Package[nagios-nrpe-server]\n- mode => 0444\n"}, {"resource": "Httpd::Site[pki.discovery.wmnet]"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n\n- group => root\n- owner => root\n- ensure => file\n- mode => 0440\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n- override => False\n- migration_task => T407130\n- monitoring_enabled => False\n- require => Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]\n- restart => False\n- service_params => {}\n- unit_type => timer\n- monitoring_contact_group => admins\n- monitoring_critical => False\n- ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-discovery.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-discovery.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-discovery.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-discovery.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]\n\n- group => root\n- notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]\n- owner => root\n- ensure => present\n- mode => 0444\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-discovery\" then {\n- action(\n- type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-discovery/syslog.log\"\n- fileOwner=\"root\" fileGroup=\"root\"\n- fileCreateMode=\"0644\"\n- )\n- & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]\n\n- group => root\n- notify => Service[rsyslog]\n- owner => root\n- ensure => present\n- mode => 0444\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry/*.log {\n- daily\n- copytruncate\n- missingok\n- compress\n- delaycompress\n- notifempty\n- rotate 15\n- size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n- group => root\n- owner => root\n- ensure => present\n- mode => 0444\n"}, {"resource": "File[/etc/cfssl/multiroot.conf]", "content": "--- /etc/cfssl/multiroot.conf.orig\n+++ /etc/cfssl/multiroot.conf\n@@ -2,12 +2,6 @@\n private = file:///etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem\n certificate = /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n config = /etc/cfssl/signers/debmonitor/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[discovery]\n-private = file:///etc/cfssl/signers/discovery/ca/discovery-key.pem\n-certificate = /etc/cfssl/signers/discovery/ca/discovery.pem\n-config = /etc/cfssl/signers/discovery/cfssl.conf\n dbconfig = /etc/cfssl/db.conf\n \n [kafka]"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-discovery]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-discovery].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-discovery]\n\n- splay => 0\n- accuracy => 15sec\n- unit_name => cfssl-ocsprefresh-discovery.service\n- ensure => present\n- timer_intervals => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n- fixed_random_delay => False\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]\n\n- user => root\n- environment => {}\n- extra_packages => []\n- require => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n- run_cmd => /usr/local/bin/prometheus-check-discovery-certificate-expiry --cert-path /etc/cfssl/signers/discovery/ca/discovery.pem --outfile /var/lib/prometheus/node.d/discovery_intermediate.prom\n- ensure => present\n- filesource => puppet:///modules/prometheus/check_certificate_expiry.py\n- interval => daily\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_discovery command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_discovery\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"38e4dbcfd07ed60daf5bb89397abbe29\" --timeout 10 --check-command \"check_check_certificate_expiry_discovery\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]\n\n- group => root\n- notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]\n- owner => root\n- ensure => absent\n- mode => 0444\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]\n\n- command => /bin/systemctl daemon-reload\n- refreshonly => True\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]\n\n- command => /bin/systemctl daemon-reload\n- refreshonly => True\n- before => ['Service[cfssl-ocsprefresh-discovery.timer]']\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-discovery]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-discovery].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-discovery]\n\n- ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]\n\n- command => /bin/systemctl daemon-reload\n- refreshonly => True\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]\n\n- contact_groups => admins\n- is_volatile => 0\n- check_period => 24x7\n- max_check_attempts => 3\n- check_interval => 1\n- notification_options => c,r,f\n- notification_period => 24x7\n- check_freshness => 0\n- notifications_enabled => 1\n- service_description => Check to ensure the signer certificate is valid CA: discovery\n- notes_url => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n- servicegroups => pki_eqiad\n- retry_interval => 1\n- notification_interval => 0\n- check_command => nrpe_check!check_check_certificate_expiry_discovery!10\n- active_checks_enabled => 1\n- host_name => pki1001\n- passive_checks_enabled => 1\n- ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@discovery]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@discovery].orig\n+++ Systemd::Unit[cfssl-ocspserve@discovery]\n\n- restart => True\n- override => False\n- override_filename => puppet-override.conf\n- unit => cfssl-ocspserve@discovery\n- ensure => present\n- require => ['Class[Systemd]']\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-discovery]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-discovery].orig\n+++ Systemd::Service[cfssl-ocsprefresh-discovery]\n\n- override => False\n- migration_task => T407130\n- monitoring_enabled => False\n- require => Systemd::Unit[cfssl-ocsprefresh-discovery.service]\n- restart => False\n- service_params => {}\n- unit_type => timer\n- monitoring_contact_group => admins\n- monitoring_critical => False\n- ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_discovery.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]\n\n- ensure => stopped\n- enable => False\n- provider => systemd\n- before => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]']\n"}, {"resource": "Httpd::Conf[pki.discovery.wmnet]"}, {"resource": "Cfssl::Config[discovery]", "parameters": "--- Cfssl::Config[discovery].orig\n+++ Cfssl::Config[discovery]\n\n- notify => Service[cfssl-multirootca]\n- default_crl_url => http://pki.discovery.wmnet/crl/discovery\n- default_ocsp_url => http://pki.discovery.wmnet/ocsp/discovery\n- profiles => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}\n- default_expiry => 672h\n- default_usages => ['digital signature', 'key encipherment', 'server auth']\n- ensure => present\n- remotes => {}\n- path => /etc/cfssl/signers/discovery/cfssl.conf\n- default_auth_key => default_auth\n- default_auth_remote => {}\n- auth_keys => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]\n\n- group => root\n- owner => root\n- ensure => absent\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n- \"CN\": \"pki1001.eqiad.wmnet\",\n- \"hosts\": [\n- \"pki1001.eqiad.wmnet\"\n- ],\n- \"key\": {\n- \"algo\": \"ecdsa\",\n- \"size\": 256\n- },\n- \"names\": [\n-\n- ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n\n- group => root\n- owner => root\n- ensure => file\n- mode => 0400\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_discovery]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_discovery].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_discovery]\n\n- nrpe2nodexp_parse_perf_data => False\n- enable_nrpe2nodexp => False\n- retries => 3\n- nrpe_command => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem\n- check_interval => 1\n- contact_group => admins\n- sudo_user => root\n- notes_url => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n- retry_interval => 1\n- migration_task => T350694\n- enable_icinga_check => True\n- critical => False\n- description => Check to ensure the signer certificate is valid CA: discovery\n- ensure => present\n- alertmanager_team => observability\n- timeout => 10\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-discovery]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-discovery].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-discovery]\n\n- readable_by => all\n- programname_comparison => startswith\n- base_dir => /var/log\n- force_stop => True\n- group => root\n- owner => root\n- log_filename => syslog.log\n- ensure => present\n"}, {"resource": "File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-discovery-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]\n\n- group => root\n- owner => root\n- source => puppet:///modules/prometheus/check_certificate_expiry.py\n- ensure => present\n- mode => 0555\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-discovery.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-discovery\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-discovery\n-\n-/var/log/cfssl-ocsprefresh-discovery/*.log {\n- daily\n- copytruncate\n- missingok\n- compress\n- delaycompress\n- notifempty\n- rotate 15\n- size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-discovery].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]\n\n- group => root\n- owner => root\n- ensure => present\n- mode => 0444\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_discovery\" then {\n- if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n- # Send logs to kafka\n- set $.log_outputs = \"kafka ecs_170 local\";\n- } else {\n- # Filter out non-relevant nrpe2nodexp messages\n- stop\n- }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]\n\n- group => root\n- notify => Service[rsyslog]\n- owner => root\n- ensure => absent\n- mode => 0444\n"}, {"resource": "Class[Cfssl::Multirootca]", "parameters": "--- Class[Cfssl::Multirootca].orig\n+++ Class[Cfssl::Multirootca]\n\n@@\n- signers => {'debmonitor': {'private': '/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem', 'certificate': '/etc/cfssl/signers/debmonitor/ca/debmonitor.pem', 'config': '/etc/cfssl/signers/debmonitor/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery': {'private': '/etc/cfssl/signers/discovery/ca/discovery-key.pem', 'certificate': '/etc/cfssl/signers/discovery/ca/discovery.pem', 'config': '/etc/cfssl/signers/discovery/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'kafka': {'private': '/etc/cfssl/signers/kafka/ca/kafka-key.pem', 'certificate': '/etc/cfssl/signers/kafka/ca/kafka.pem', 'config': '/etc/cfssl/signers/kafka/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cloud_wmnet_ca': {'private': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem', 'certificate': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem', 'config': '/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'etcd': {'private': '/etc/cfssl/signers/etcd/ca/etcd-key.pem', 'certificate': '/etc/cfssl/signers/etcd/ca/etcd.pem', 'config': '/etc/cfssl/signers/etcd/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cassandra': {'private': '/etc/cfssl/signers/cassandra/ca/cassandra-key.pem', 'certificate': '/etc/cfssl/signers/cassandra/ca/cassandra.pem', 'config': '/etc/cfssl/signers/cassandra/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'syslog': {'private': '/etc/cfssl/signers/syslog/ca/syslog-key.pem', 'certificate': '/etc/cfssl/signers/syslog/ca/syslog.pem', 'config': '/etc/cfssl/signers/syslog/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'puppet_rsa': {'private': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem', 'certificate': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem', 'config': '/etc/cfssl/signers/puppet_rsa/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'zuul': {'private': '/etc/cfssl/signers/zuul/ca/zuul-key.pem', 'certificate': '/etc/cfssl/signers/zuul/ca/zuul.pem', 'config': '/etc/cfssl/signers/zuul/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery2026': {'private': '/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem', 'certificate': '/etc/cfssl/signers/discovery2026/ca/discovery2026.pem', 'config': '/etc/cfssl/signers/discovery2026/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube': {'private': '/etc/cfssl/signers/wikikube/ca/wikikube-key.pem', 'certificate': '/etc/cfssl/signers/wikikube/ca/wikikube.pem', 'config': '/etc/cfssl/signers/wikikube/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_front_proxy': {'private': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging': {'private': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem', 'config': '/etc/cfssl/signers/wikikube_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging_front_proxy': {'private': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve': {'private': '/etc/cfssl/signers/mlserve/ca/mlserve-key.pem', 'certificate': '/etc/cfssl/signers/mlserve/ca/mlserve.pem', 'config': '/etc/cfssl/signers/mlserve/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_front_proxy': {'private': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging': {'private': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem', 'config': '/etc/cfssl/signers/mlserve_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging_front_proxy': {'private': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux': {'private': '/etc/cfssl/signers/aux/ca/aux-key.pem', 'certificate': '/etc/cfssl/signers/aux/ca/aux.pem', 'config': '/etc/cfssl/signers/aux/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux_front_proxy': {'private': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem', 'config': '/etc/cfssl/signers/aux_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse': {'private': '/etc/cfssl/signers/dse/ca/dse-key.pem', 'certificate': '/etc/cfssl/signers/dse/ca/dse.pem', 'config': '/etc/cfssl/signers/dse/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse_front_proxy': {'private': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem', 'config': '/etc/cfssl/signers/dse_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'network_devices': {'private': '/etc/cfssl/signers/network_devices/ca/network_devices-key.pem', 'certificate': '/etc/cfssl/signers/network_devices/ca/network_devices.pem', 'config': '/etc/cfssl/signers/network_devices/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}}\n+ signers => {'debmonitor': {'private': '/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem', 'certificate': '/etc/cfssl/signers/debmonitor/ca/debmonitor.pem', 'config': '/etc/cfssl/signers/debmonitor/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'kafka': {'private': '/etc/cfssl/signers/kafka/ca/kafka-key.pem', 'certificate': '/etc/cfssl/signers/kafka/ca/kafka.pem', 'config': '/etc/cfssl/signers/kafka/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cloud_wmnet_ca': {'private': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem', 'certificate': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem', 'config': '/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'etcd': {'private': '/etc/cfssl/signers/etcd/ca/etcd-key.pem', 'certificate': '/etc/cfssl/signers/etcd/ca/etcd.pem', 'config': '/etc/cfssl/signers/etcd/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cassandra': {'private': '/etc/cfssl/signers/cassandra/ca/cassandra-key.pem', 'certificate': '/etc/cfssl/signers/cassandra/ca/cassandra.pem', 'config': '/etc/cfssl/signers/cassandra/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'syslog': {'private': '/etc/cfssl/signers/syslog/ca/syslog-key.pem', 'certificate': '/etc/cfssl/signers/syslog/ca/syslog.pem', 'config': '/etc/cfssl/signers/syslog/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'puppet_rsa': {'private': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem', 'certificate': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem', 'config': '/etc/cfssl/signers/puppet_rsa/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'zuul': {'private': '/etc/cfssl/signers/zuul/ca/zuul-key.pem', 'certificate': '/etc/cfssl/signers/zuul/ca/zuul.pem', 'config': '/etc/cfssl/signers/zuul/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery2026': {'private': '/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem', 'certificate': '/etc/cfssl/signers/discovery2026/ca/discovery2026.pem', 'config': '/etc/cfssl/signers/discovery2026/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube': {'private': '/etc/cfssl/signers/wikikube/ca/wikikube-key.pem', 'certificate': '/etc/cfssl/signers/wikikube/ca/wikikube.pem', 'config': '/etc/cfssl/signers/wikikube/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_front_proxy': {'private': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging': {'private': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem', 'config': '/etc/cfssl/signers/wikikube_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging_front_proxy': {'private': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve': {'private': '/etc/cfssl/signers/mlserve/ca/mlserve-key.pem', 'certificate': '/etc/cfssl/signers/mlserve/ca/mlserve.pem', 'config': '/etc/cfssl/signers/mlserve/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_front_proxy': {'private': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging': {'private': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem', 'config': '/etc/cfssl/signers/mlserve_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging_front_proxy': {'private': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux': {'private': '/etc/cfssl/signers/aux/ca/aux-key.pem', 'certificate': '/etc/cfssl/signers/aux/ca/aux.pem', 'config': '/etc/cfssl/signers/aux/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux_front_proxy': {'private': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem', 'config': '/etc/cfssl/signers/aux_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse': {'private': '/etc/cfssl/signers/dse/ca/dse-key.pem', 'certificate': '/etc/cfssl/signers/dse/ca/dse.pem', 'config': '/etc/cfssl/signers/dse/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse_front_proxy': {'private': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem', 'config': '/etc/cfssl/signers/dse_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'network_devices': {'private': '/etc/cfssl/signers/network_devices/ca/network_devices-key.pem', 'certificate': '/etc/cfssl/signers/network_devices/ca/network_devices.pem', 'config': '/etc/cfssl/signers/network_devices/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}}\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]\n\n- runbook => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n- for => 3m\n- logs => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_discovery))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n- severity => info\n- dashboard => TODO\n- instance => ops\n- summary => NRPE CHECK: Check to ensure the signer certificate is valid CA: discovery\n- group => nrpechecks\n- expr => (nagios_nrpe_check_result{alert_rule_hash=\"38e4dbcfd07ed60daf5bb89397abbe29\",check_name=\"check_check_certificate_expiry_discovery\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n- site => eqiad\n- description => NRPE CHECK: Check to ensure the signer certificate is valid CA: discovery\n- alert_name => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__discovery\n- def_label_whitelst => ['team', 'severity']\n- team => observability\n- ensure => absent\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n- priority => 40\n- ensure => present\n- require => File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n- mode => 0444\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_discovery.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_discovery.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]\n\n- group => root\n- notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]\n- owner => root\n- ensure => absent\n- mode => 0444\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_discovery]", "parameters": "--- Monitoring::Service[check_certificate_expiry_discovery].orig\n+++ Monitoring::Service[check_certificate_expiry_discovery]\n\n- retry_interval => 1\n- migration_task => T350694\n- check_command => nrpe_check!check_check_certificate_expiry_discovery!10\n- passive => False\n- retries => 3\n- freshness => 36000\n- critical => False\n- check_interval => 1\n- description => Check to ensure the signer certificate is valid CA: discovery\n- contact_group => admins\n- config_dir => /etc/nagios\n- ensure => present\n- notes_url => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n- host => pki1001\n"}, {"resource": "File[/srv/cfssl/bundles/discovery.pem]", "content": "--- /srv/cfssl/bundles/discovery.pem.orig\n+++ /srv/cfssl/bundles/discovery.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrDCCAw2gAwIBAgIUcVMxEVtp5xErDjx/jInOFcUaRjkwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjEwNTA0MTM1NDAwWhcNMjYwNTAzMTM1NDAwWjB3\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRIwEAYDVQQDEwlkaXNjb3ZlcnkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\n-BAG7X6lQ05D8EQYwPd+v2qT12Y35j/YQTaOEbAuKQJBshTdMizCxGe4GUB33Nivw\n-3B0o9EcyCQokcUCUGtVlI3U0QQArB+LuehDTw7D5JKwOUK5GpSG5YlNL7Kg2c3gI\n-wyck1+Z5yDMIsclW5FtaM1IIFeUIOXrulmih3zM4PPrVtP3Vh6OCAQwwggEIMA4G\n-A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSJ76Rw\n-5IjvCdxrdGkh4PHUL7PCBjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\n-NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\n-BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\n-ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAeamwKAw\n-q+lKC/GdcPuP2SOoyij0+LFWucrQwxxiCiXlMAhSnj3fkKk5G5pLoFnY2X7hB0w4\n-ZPtLXG7If9pmIDjwAkIBwnJUYLz3dJTbZudeUJFX4yD49liKTYMPDpl/HWKSh9m4\n-4PZKXsAIs4CT29jwwtmsLK1HkPB0ShO8Egm/KB5dLUs=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/discovery.pem].orig\n+++ File[/srv/cfssl/bundles/discovery.pem]\n\n- group => root\n- owner => root\n- ensure => file\n- mode => 0444\n"}, {"resource": "Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]\n\n- notify => Service[cfssl-ocspserve@discovery]\n- profile => ocsp\n- names => []\n- provide_chain => False\n- notify_services => []\n- group => root\n- owner => root\n- label => discovery\n- tls_cert => /etc/cfssl/mutual_tls_client_cert.pem\n- before_services => []\n- hosts => []\n- common_name => pki1001.eqiad.wmnet\n- key => {'algo': 'ecdsa', 'size': 256}\n- environment => ['GODEBUG=x509ignoreCN=0']\n- before => Systemd::Timer::Job[cfssl-ocsprefresh-discovery]\n- signer_config => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n- mode => 0740\n- auto_renew => True\n- renew_seconds => 952200\n- outdir => /etc/cfssl/ssl/ocsp\n- ensure => present\n- tls_key => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]\n\n- ensure => running\n- enable => True\n- provider => systemd\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]\n\n- override => False\n- migration_task => T407130\n- monitoring_enabled => False\n- require => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]\n- restart => False\n- service_params => {}\n- unit_type => timer\n- monitoring_contact_group => admins\n- monitoring_critical => False\n- ensure => absent\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@discovery.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@discovery.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@discovery.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (discovery)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n- -address 127.0.0.1 \\\n- -port 10002 \\\n- -responses /etc/cfssl/ocsp/discovery.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@discovery.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@discovery.service]\n\n- group => root\n- notify => Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]\n- owner => root\n- ensure => present\n- mode => 0444\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-discovery]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-discovery].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-discovery]\n\n- priority => 40\n- ensure => present\n- require => File[/var/log/cfssl-ocsprefresh-discovery]\n- mode => 0444\n"}, {"resource": "Sudo::User[nrpe_certificate_check_discovery]", "parameters": "--- Sudo::User[nrpe_certificate_check_discovery].orig\n+++ Sudo::User[nrpe_certificate_check_discovery]\n\n- privileges => []\n- ensure => absent\n- user => nrpe_certificate_check_discovery\n- require => ['Class[Sudo]']\n"}, {"resource": "File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]", "content": "--- /etc/apache2/sites-available/50-pki-discovery-wmnet.conf.orig\n+++ /etc/apache2/sites-available/50-pki-discovery-wmnet.conf\n@@ -24,9 +24,6 @@\n # debmonitor\n ProxyPass /ocsp/debmonitor http://localhost:10001/\n ProxyPassReverse /ocsp/debmonitor http://localhost:10001/\n- # discovery\n- ProxyPass /ocsp/discovery http://localhost:10002/\n- ProxyPassReverse /ocsp/discovery http://localhost:10002/\n # kafka\n ProxyPass /ocsp/kafka http://localhost:10003/\n ProxyPassReverse /ocsp/kafka http://localhost:10003/"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]\n\n- command => /bin/systemctl daemon-reload\n- refreshonly => True\n- before => ['Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]']\n"}, {"resource": "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]\n\n- command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery -profile ocsp /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet\n\n- unless => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n- environment => ['GODEBUG=x509ignoreCN=0']\n- require => Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_discovery]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_discovery].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_discovery]\n\n- probe_summary => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n- probe_dashboard => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n- probe_runbook => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n- port => 443\n- ip6 => 2620:0:861:101:10:64:0:10\n- header_matches => []\n- ssl_expired_summary => Certificate for service {{ $labels.instance }} is about to expire\n- site => eqiad\n- body_raw => {\"label\":\"discovery\"}\n- req_headers => {}\n- certificate_expiry_days => 10\n- status_matches => []\n- force_tls => False\n- ip4 => 10.64.0.10\n- probe_description => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n- alert_after => 2m\n- ip_families => ['ip4', 'ip6']\n- severity => critical\n- path => /api/v1/cfssl/info\n- body_regex_not_matches => []\n- insecure_tls => False\n- method => POST\n- follow_redirects => False\n- ssl_expired_runbook => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n- body => {}\n- ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n- body_regex_matches => ['\"success\":true']\n- server_name => pki.discovery.wmnet\n- use_client_auth => True\n- client_auth_cert => /etc/prometheus/ssl/cert.pem\n- prometheus_instance => ops\n- instance_label => pki1001\n- header_not_matches => []\n- team => sre\n- ssl_expired_dashboard => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n- client_auth_key => /etc/prometheus/ssl/server.key\n- timeout => 3s\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]\n\n- restart => False\n- override => False\n- override_filename => puppet-override.conf\n- unit => nrpe2nodexp-check_certificate_expiry_discovery.timer\n- ensure => absent\n- require => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n- syslog_match_startswith => True\n- command => /usr/local/bin/prometheus-check-discovery-certificate-expiry --cert-path /etc/cfssl/signers/discovery/ca/discovery.pem --outfile /var/lib/prometheus/node.d/discovery_intermediate.prom\n- syslog_force_stop => True\n- send_mail_to => root@pki1001.eqiad.wmnet\n- logfile_basedir => /var/log\n- monitoring_contact_groups => admins\n- logfile_group => root\n- logfile_name => syslog.log\n- logging_enabled => True\n- success_exit_status => []\n- ignore_errors => False\n- monitoring_enabled => False\n- send_mail => False\n- environment => {}\n- private_tmp => False\n- fixed_random_delay => False\n- send_mail_only_on_error => True\n- description => Systemd timer to gather node metrics for prometheus-check-discovery-certificate-expiry\n- monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n- ensure => present\n- user => root\n- logfile_perms => all\n- interval => {'start': 'OnCalendar', 'interval': 'daily'}\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n- group => root\n- force => True\n- owner => root\n- backup => False\n- ensure => directory\n- mode => 0755\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n- ensure => present\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]\n\n- group => root\n- validate_cmd => /usr/sbin/visudo -cqf %\n- owner => root\n- ensure => present\n- require => Package[nagios-nrpe-server]\n- mode => 0440\n"}, {"resource": "Exec[Generate initial CRL for discovery]", "parameters": "--- Exec[Generate initial CRL for discovery].orig\n+++ Exec[Generate initial CRL for discovery]\n\n- command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/discovery/ca/discovery.pem /etc/cfssl/signers/discovery/ca/discovery-key.pem 157680000 /srv/cfssl/crl/discovery\n- creates => /srv/cfssl/crl/discovery\n- path => ['/usr/bin']\n- require => ['Package[golang-cfssl]']\n"}, {"resource": "Service[cfssl-ocsprefresh-discovery.timer]", "parameters": "--- Service[cfssl-ocsprefresh-discovery.timer].orig\n+++ Service[cfssl-ocsprefresh-discovery.timer]\n\n- ensure => running\n- enable => True\n- provider => systemd\n"}, {"resource": "Service[cfssl-ocspserve@discovery]", "parameters": "--- Service[cfssl-ocspserve@discovery].orig\n+++ Service[cfssl-ocspserve@discovery]\n\n- ensure => running\n- enable => True\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n- readable_by => all\n- programname_comparison => startswith\n- base_dir => /var/log\n- force_stop => True\n- group => root\n- owner => root\n- log_filename => syslog.log\n- ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/discovery/cfssl.conf]", "content": "--- /etc/cfssl/signers/discovery/cfssl.conf.orig\n+++ /etc/cfssl/signers/discovery/cfssl.conf\n@@ -1,129 +0,0 @@\n-{\n- \"auth_keys\": {\n- \"default_auth\": {\n- \"key\": \"aaaabbbbccccdddd\",\n- \"type\": \"standard\"\n- },\n- \"k8s_staging\": {\n- \"key\": \"ddddccccbbbbaaaa\",\n- \"type\": \"standard\"\n- },\n- \"k8s_wikikube\": {\n- \"key\": \"ddddccccbbbbaaab\",\n- \"type\": \"standard\"\n- },\n- \"k8s_mlserve\": {\n- \"key\": \"bbbbccccddddaaaa\",\n- \"type\": \"standard\"\n- },\n- \"k8s_mlstaging\": {\n- \"key\": \"ccccbbbbaaaadddd\",\n- \"type\": \"standard\"\n- },\n- \"k8s_dse\": {\n- \"key\": \"bbbbaaaaddddcccc\",\n- \"type\": \"standard\"\n- },\n- \"k8s_aux\": {\n- \"key\": \"ffffffffffffffff\",\n- \"type\": \"standard\"\n- }\n- },\n- \"signing\": {\n- \"default\": {\n- \"auth_key\": \"default_auth\",\n- \"usages\": [\n- \"digital signature\",\n- \"key encipherment\",\n- \"server auth\"\n- ],\n- \"expiry\": \"672h\",\n- \"crl_url\": \"http://pki.discovery.wmnet/crl/discovery\",\n- \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/discovery\"\n- },\n- \"profiles\": {\n- \"ocsp\": {\n- \"auth_key\": \"default_auth\",\n- \"expiry\": \"43800h\",\n- \"usages\": [\n- \"digital signature\",\n- \"ocsp signing\"\n- ]\n- },\n- \"server\": {\n- \"auth_key\": \"default_auth\",\n- \"expiry\": \"672h\",\n- \"usages\": [\n- \"digital signature\",\n- \"key encipherment\",\n- \"server auth\"\n- ]\n- },\n- \"k8s_staging\": {\n- \"auth_key\": \"k8s_staging\",\n- \"expiry\": \"24h\",\n- \"usages\": [\n- \"digital signature\",\n- \"key encipherment\",\n- \"server auth\"\n- ]\n- },\n- \"k8s_wikikube\": {\n- \"auth_key\": \"k8s_wikikube\",\n- \"expiry\": \"672h\",\n- \"usages\": [\n- \"digital signature\",\n- \"key encipherment\",\n- \"server auth\"\n- ]\n- },\n- \"k8s_mlserve\": {\n- \"auth_key\": \"k8s_mlserve\",\n- \"expiry\": \"672h\",\n- \"usages\": [\n- \"digital signature\",\n- \"key encipherment\",\n- \"server auth\"\n- ]\n- },\n- \"k8s_mlstaging\": {\n- \"auth_key\": \"k8s_mlstaging\",\n- \"expiry\": \"24h\",\n- \"usages\": [\n- \"digital signature\",\n- \"key encipherment\",\n- \"server auth\"\n- ]\n- },\n- \"k8s_dse\": {\n- \"auth_key\": \"k8s_dse\",\n- \"expiry\": \"672h\",\n- \"usages\": [\n- \"digital signature\",\n- \"key encipherment\",\n- \"server auth\",\n- \"client auth\"\n- ]\n- },\n- \"k8s_dse_opensearch\": {\n- \"auth_key\": \"k8s_dse\",\n- \"expiry\": \"4380h\",\n- \"usages\": [\n- \"digital signature\",\n- \"key encipherment\",\n- \"server auth\",\n- \"client auth\"\n- ]\n- },\n- \"k8s_aux\": {\n- \"auth_key\": \"k8s_aux\",\n- \"expiry\": \"672h\",\n- \"usages\": [\n- \"digital signature\",\n- \"key encipherment\",\n- \"server auth\"\n- ]\n- }\n- }\n- }\n-}", "parameters": "--- File[/etc/cfssl/signers/discovery/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/discovery/cfssl.conf]\n\n- group => root\n- owner => root\n- ensure => present\n- show_diff => False\n- mode => 0440\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n\n- common_name => pki1001.eqiad.wmnet\n- hosts => []\n- names => []\n- ensure => present\n- key => {'algo': 'ecdsa', 'size': 256}\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-discovery.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-discovery.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-discovery.service]\n\n- restart => False\n- override => False\n- override_filename => puppet-override.conf\n- unit => cfssl-ocsprefresh-discovery.service\n- ensure => present\n- require => ['Class[Systemd]']\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_discovery]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_discovery].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_discovery]\n\n- group => root\n- owner => root\n- ensure => absent\n"}, {"resource": "File[/etc/cfssl/signers/discovery]", "parameters": "--- File[/etc/cfssl/signers/discovery].orig\n+++ File[/etc/cfssl/signers/discovery]\n\n- group => root\n- owner => root\n- ensure => directory\n- require => ['Package[golang-cfssl]']\n- mode => 0550\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]\n\n- splay => 60\n- accuracy => 15sec\n- unit_name => nrpe2nodexp-check_certificate_expiry_discovery.service\n- ensure => absent\n- timer_intervals => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n- fixed_random_delay => True\n"}, {"resource": "Cfssl::Signer[discovery]", "parameters": "--- Cfssl::Signer[discovery].orig\n+++ Cfssl::Signer[discovery]\n\n- serve_service => cfssl-multirootca\n- db_driver => sqlite3\n- default_crl_url => http://pki.discovery.wmnet/crl/discovery\n- manage_services => False\n- listen_port => 8888\n- db_pass => changeme\n- log_level => info\n- serve_ensure => absent\n- ca_cert_content => -----BEGIN CERTIFICATE-----\nMIIDrDCCAw2gAwIBAgIUcVMxEVtp5xErDjx/jInOFcUaRjkwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjEwNTA0MTM1NDAwWhcNMjYwNTAzMTM1NDAwWjB3\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRIwEAYDVQQDEwlkaXNjb3ZlcnkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\nBAG7X6lQ05D8EQYwPd+v2qT12Y35j/YQTaOEbAuKQJBshTdMizCxGe4GUB33Nivw\n3B0o9EcyCQokcUCUGtVlI3U0QQArB+LuehDTw7D5JKwOUK5GpSG5YlNL7Kg2c3gI\nwyck1+Z5yDMIsclW5FtaM1IIFeUIOXrulmih3zM4PPrVtP3Vh6OCAQwwggEIMA4G\nA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSJ76Rw\n5IjvCdxrdGkh4PHUL7PCBjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\nNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\nZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\nBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\nZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAeamwKAw\nq+lKC/GdcPuP2SOoyij0+LFWucrQwxxiCiXlMAhSnj3fkKk5G5pLoFnY2X7hB0w4\nZPtLXG7If9pmIDjwAkIBwnJUYLz3dJTbZudeUJFX4yD49liKTYMPDpl/HWKSh9m4\n4PZKXsAIs4CT29jwwtmsLK1HkPB0ShO8Egm/KB5dLUs=\n-----END CERTIFICATE-----\n\n- ca_key_content => ##### FAKE FOR PUPPET ######\n\n- default_ocsp_url => http://pki.discovery.wmnet/ocsp/discovery\n- db_name => cfssl\n- default_expiry => 672h\n- listen_addr => pki1001.eqiad.wmnet\n- default_usages => ['digital signature', 'key encipherment', 'server auth']\n- profiles => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}\n- db_host => localhost\n- ca_file => /etc/cfssl/signers/discovery/ca/discovery.pem\n- default_auth_key => default_auth\n- db_conf_file => /etc/cfssl/db.conf\n- manage_db => False\n- ca_key_file => /etc/cfssl/signers/discovery/ca/discovery-key.pem\n- db_user => cfssl\n- auth_keys => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@discovery]", "parameters": "--- Systemd::Service[cfssl-ocspserve@discovery].orig\n+++ Systemd::Service[cfssl-ocspserve@discovery]\n\n- override => False\n- migration_task => T407130\n- monitoring_enabled => False\n- restart => True\n- service_params => {}\n- unit_type => service\n- monitoring_contact_group => admins\n- monitoring_critical => False\n- ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/discovery/ca]", "parameters": "--- File[/etc/cfssl/signers/discovery/ca].orig\n+++ File[/etc/cfssl/signers/discovery/ca]\n\n- group => root\n- owner => root\n- ensure => directory\n- require => ['Package[golang-cfssl]']\n- mode => 0550\n"}, {"resource": "File[/etc/cfssl/ocsp/discovery.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/discovery.ocsp].orig\n+++ File[/etc/cfssl/ocsp/discovery.ocsp]\n\n- group => root\n- owner => root\n- ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]\n\n- command => /bin/systemctl daemon-reload\n- notify => ['Service[cfssl-ocspserve@discovery]']\n- refreshonly => True\n"}], "perc_changed": "3.55%"}, "core": {"total": 4897, "only_in_self": ["Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[Generate initial CRL for discovery]", "Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]", "File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ocsp/discovery.ocsp]", "File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]", "File[/etc/cfssl/signers/discovery/ca/discovery.pem]", "File[/etc/cfssl/signers/discovery/ca]", "File[/etc/cfssl/signers/discovery/cfssl.conf]", "File[/etc/cfssl/signers/discovery]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]", "File[/lib/systemd/system/cfssl-ocspserve@discovery.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "File[/srv/cfssl/bundles/discovery.pem]", "File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]", "File[/var/log/cfssl-ocsprefresh-discovery]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Service[cfssl-ocsprefresh-discovery.timer]", "Service[cfssl-ocspserve@discovery]", "Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]"], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]", "content": "--- /etc/apache2/sites-available/50-pki-discovery-wmnet.conf.orig\n+++ /etc/apache2/sites-available/50-pki-discovery-wmnet.conf\n@@ -24,9 +24,6 @@\n # debmonitor\n ProxyPass /ocsp/debmonitor http://localhost:10001/\n ProxyPassReverse /ocsp/debmonitor http://localhost:10001/\n- # discovery\n- ProxyPass /ocsp/discovery http://localhost:10002/\n- ProxyPassReverse /ocsp/discovery http://localhost:10002/\n # kafka\n ProxyPass /ocsp/kafka http://localhost:10003/\n ProxyPassReverse /ocsp/kafka http://localhost:10003/"}, {"resource": "File[/etc/cfssl/multiroot.conf]", "content": "--- /etc/cfssl/multiroot.conf.orig\n+++ /etc/cfssl/multiroot.conf\n@@ -2,12 +2,6 @@\n private = file:///etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem\n certificate = /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n config = /etc/cfssl/signers/debmonitor/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[discovery]\n-private = file:///etc/cfssl/signers/discovery/ca/discovery-key.pem\n-certificate = /etc/cfssl/signers/discovery/ca/discovery.pem\n-config = /etc/cfssl/signers/discovery/cfssl.conf\n dbconfig = /etc/cfssl/db.conf\n \n [kafka]"}], "perc_changed": "0.96%"}, "main": {"total": 4897, "only_in_self": ["Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]", "Cfssl::Config[discovery]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "Cfssl::Ocsp[discovery]", "Cfssl::Signer[discovery]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[Generate initial CRL for discovery]", "Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]", "File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ocsp/discovery.ocsp]", "File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]", "File[/etc/cfssl/signers/discovery/ca/discovery.pem]", "File[/etc/cfssl/signers/discovery/ca]", "File[/etc/cfssl/signers/discovery/cfssl.conf]", "File[/etc/cfssl/signers/discovery]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]", "File[/lib/systemd/system/cfssl-ocspserve@discovery.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "File[/srv/cfssl/bundles/discovery.pem]", "File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]", "File[/var/log/cfssl-ocsprefresh-discovery]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Logrotate::Conf[cfssl-ocsprefresh-discovery]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]", "Monitoring::Service[check_certificate_expiry_discovery]", "Nrpe::Check[check_check_certificate_expiry_discovery]", "Nrpe::Monitor_service[check_certificate_expiry_discovery]", "Profile::Pki::Multirootca::Monitoring[discovery]", "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]", "Prometheus::Blackbox::Check::Http[PKI_discovery]", "Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]", "Rsyslog::Conf[cfssl-ocsprefresh-discovery]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Service[cfssl-ocsprefresh-discovery.timer]", "Service[cfssl-ocspserve@discovery]", "Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "Sudo::User[nrpe-check_check_certificate_expiry_discovery]", "Sudo::User[nrpe_certificate_check_discovery]", "Systemd::Service[cfssl-ocsprefresh-discovery]", "Systemd::Service[cfssl-ocspserve@discovery]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Syslog[cfssl-ocsprefresh-discovery]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Timer::Job[cfssl-ocsprefresh-discovery]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Timer[cfssl-ocsprefresh-discovery]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Unit[cfssl-ocsprefresh-discovery.service]", "Systemd::Unit[cfssl-ocsprefresh-discovery.timer]", "Systemd::Unit[cfssl-ocspserve@discovery]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]"], "only_in_other": [], "resource_diffs": [{"resource": "Httpd::Conf[pki.discovery.wmnet]"}, {"resource": "Class[Cfssl::Multirootca]", "parameters": "--- Class[Cfssl::Multirootca].orig\n+++ Class[Cfssl::Multirootca]\n\n@@\n- signers => {'debmonitor': {'private': '/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem', 'certificate': '/etc/cfssl/signers/debmonitor/ca/debmonitor.pem', 'config': '/etc/cfssl/signers/debmonitor/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery': {'private': '/etc/cfssl/signers/discovery/ca/discovery-key.pem', 'certificate': '/etc/cfssl/signers/discovery/ca/discovery.pem', 'config': '/etc/cfssl/signers/discovery/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'kafka': {'private': '/etc/cfssl/signers/kafka/ca/kafka-key.pem', 'certificate': '/etc/cfssl/signers/kafka/ca/kafka.pem', 'config': '/etc/cfssl/signers/kafka/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cloud_wmnet_ca': {'private': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem', 'certificate': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem', 'config': '/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'etcd': {'private': '/etc/cfssl/signers/etcd/ca/etcd-key.pem', 'certificate': '/etc/cfssl/signers/etcd/ca/etcd.pem', 'config': '/etc/cfssl/signers/etcd/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cassandra': {'private': '/etc/cfssl/signers/cassandra/ca/cassandra-key.pem', 'certificate': '/etc/cfssl/signers/cassandra/ca/cassandra.pem', 'config': '/etc/cfssl/signers/cassandra/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'syslog': {'private': '/etc/cfssl/signers/syslog/ca/syslog-key.pem', 'certificate': '/etc/cfssl/signers/syslog/ca/syslog.pem', 'config': '/etc/cfssl/signers/syslog/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'puppet_rsa': {'private': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem', 'certificate': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem', 'config': '/etc/cfssl/signers/puppet_rsa/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'zuul': {'private': '/etc/cfssl/signers/zuul/ca/zuul-key.pem', 'certificate': '/etc/cfssl/signers/zuul/ca/zuul.pem', 'config': '/etc/cfssl/signers/zuul/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery2026': {'private': '/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem', 'certificate': '/etc/cfssl/signers/discovery2026/ca/discovery2026.pem', 'config': '/etc/cfssl/signers/discovery2026/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube': {'private': '/etc/cfssl/signers/wikikube/ca/wikikube-key.pem', 'certificate': '/etc/cfssl/signers/wikikube/ca/wikikube.pem', 'config': '/etc/cfssl/signers/wikikube/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_front_proxy': {'private': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging': {'private': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem', 'config': '/etc/cfssl/signers/wikikube_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging_front_proxy': {'private': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve': {'private': '/etc/cfssl/signers/mlserve/ca/mlserve-key.pem', 'certificate': '/etc/cfssl/signers/mlserve/ca/mlserve.pem', 'config': '/etc/cfssl/signers/mlserve/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_front_proxy': {'private': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging': {'private': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem', 'config': '/etc/cfssl/signers/mlserve_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging_front_proxy': {'private': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux': {'private': '/etc/cfssl/signers/aux/ca/aux-key.pem', 'certificate': '/etc/cfssl/signers/aux/ca/aux.pem', 'config': '/etc/cfssl/signers/aux/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux_front_proxy': {'private': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem', 'config': '/etc/cfssl/signers/aux_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse': {'private': '/etc/cfssl/signers/dse/ca/dse-key.pem', 'certificate': '/etc/cfssl/signers/dse/ca/dse.pem', 'config': '/etc/cfssl/signers/dse/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse_front_proxy': {'private': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem', 'config': '/etc/cfssl/signers/dse_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'network_devices': {'private': '/etc/cfssl/signers/network_devices/ca/network_devices-key.pem', 'certificate': '/etc/cfssl/signers/network_devices/ca/network_devices.pem', 'config': '/etc/cfssl/signers/network_devices/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}}\n+ signers => {'debmonitor': {'private': '/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem', 'certificate': '/etc/cfssl/signers/debmonitor/ca/debmonitor.pem', 'config': '/etc/cfssl/signers/debmonitor/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'kafka': {'private': '/etc/cfssl/signers/kafka/ca/kafka-key.pem', 'certificate': '/etc/cfssl/signers/kafka/ca/kafka.pem', 'config': '/etc/cfssl/signers/kafka/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cloud_wmnet_ca': {'private': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem', 'certificate': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem', 'config': '/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'etcd': {'private': '/etc/cfssl/signers/etcd/ca/etcd-key.pem', 'certificate': '/etc/cfssl/signers/etcd/ca/etcd.pem', 'config': '/etc/cfssl/signers/etcd/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cassandra': {'private': '/etc/cfssl/signers/cassandra/ca/cassandra-key.pem', 'certificate': '/etc/cfssl/signers/cassandra/ca/cassandra.pem', 'config': '/etc/cfssl/signers/cassandra/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'syslog': {'private': '/etc/cfssl/signers/syslog/ca/syslog-key.pem', 'certificate': '/etc/cfssl/signers/syslog/ca/syslog.pem', 'config': '/etc/cfssl/signers/syslog/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'puppet_rsa': {'private': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem', 'certificate': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem', 'config': '/etc/cfssl/signers/puppet_rsa/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'zuul': {'private': '/etc/cfssl/signers/zuul/ca/zuul-key.pem', 'certificate': '/etc/cfssl/signers/zuul/ca/zuul.pem', 'config': '/etc/cfssl/signers/zuul/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery2026': {'private': '/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem', 'certificate': '/etc/cfssl/signers/discovery2026/ca/discovery2026.pem', 'config': '/etc/cfssl/signers/discovery2026/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube': {'private': '/etc/cfssl/signers/wikikube/ca/wikikube-key.pem', 'certificate': '/etc/cfssl/signers/wikikube/ca/wikikube.pem', 'config': '/etc/cfssl/signers/wikikube/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_front_proxy': {'private': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging': {'private': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem', 'config': '/etc/cfssl/signers/wikikube_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging_front_proxy': {'private': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve': {'private': '/etc/cfssl/signers/mlserve/ca/mlserve-key.pem', 'certificate': '/etc/cfssl/signers/mlserve/ca/mlserve.pem', 'config': '/etc/cfssl/signers/mlserve/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_front_proxy': {'private': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging': {'private': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem', 'config': '/etc/cfssl/signers/mlserve_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging_front_proxy': {'private': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux': {'private': '/etc/cfssl/signers/aux/ca/aux-key.pem', 'certificate': '/etc/cfssl/signers/aux/ca/aux.pem', 'config': '/etc/cfssl/signers/aux/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux_front_proxy': {'private': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem', 'config': '/etc/cfssl/signers/aux_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse': {'private': '/etc/cfssl/signers/dse/ca/dse-key.pem', 'certificate': '/etc/cfssl/signers/dse/ca/dse.pem', 'config': '/etc/cfssl/signers/dse/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse_front_proxy': {'private': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem', 'config': '/etc/cfssl/signers/dse_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'network_devices': {'private': '/etc/cfssl/signers/network_devices/ca/network_devices-key.pem', 'certificate': '/etc/cfssl/signers/network_devices/ca/network_devices.pem', 'config': '/etc/cfssl/signers/network_devices/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}}\n"}, {"resource": "Class[Profile::Pki::Multirootca]", "parameters": "--- Class[Profile::Pki::Multirootca].orig\n+++ Class[Profile::Pki::Multirootca]\n\n@@\n- intermediates => {'debmonitor': {'ocsp_port': 10001}, 'discovery': {'ocsp_port': 10002, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'kafka': {'ocsp_port': 10003, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth'], 'profiles': {'kafka_11': {'expiry': '8760h'}}}, 'cloud_wmnet_ca': {'ocsp_port': 10004, 'default_usages': ['digital signature', 'key encipherment', 'server auth']}, 'etcd': {'ocsp_port': 10005, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'cassandra': {'ocsp_port': 10006, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'syslog': {'ocsp_port': 10007, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'puppet_rsa': {'ocsp_port': 10008, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'mtls': {'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'zuul': {'ocsp_port': 10009, 'default_usages': ['server auth', 'client auth']}, 'discovery2026': {'ocsp_port': 10010, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'wikikube': {'ocsp_port': 20010, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_front_proxy': {'ocsp_port': 20011}, 'wikikube_staging': {'ocsp_port': 20020, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_staging_front_proxy': {'ocsp_port': 20021, 'default_expiry': '72h'}, 'mlserve': {'ocsp_port': 20030, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_front_proxy': {'ocsp_port': 20031}, 'mlserve_staging': {'ocsp_port': 20040, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_staging_front_proxy': {'ocsp_port': 20041, 'default_expiry': '72h'}, 'aux': {'ocsp_port': 20050, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'aux_front_proxy': {'ocsp_port': 20051}, 'dse': {'ocsp_port': 20061, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'dse_front_proxy': {'ocsp_port': 20062}, 'network_devices': {'ocsp_port': 20063, 'default_expiry': '8760h', 'default_usages': ['digital signature', 'key encipherment', 'server auth']}}\n+ intermediates => {'debmonitor': {'ocsp_port': 10001}, 'kafka': {'ocsp_port': 10003, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth'], 'profiles': {'kafka_11': {'expiry': '8760h'}}}, 'cloud_wmnet_ca': {'ocsp_port': 10004, 'default_usages': ['digital signature', 'key encipherment', 'server auth']}, 'etcd': {'ocsp_port': 10005, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'cassandra': {'ocsp_port': 10006, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'syslog': {'ocsp_port': 10007, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'puppet_rsa': {'ocsp_port': 10008, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'mtls': {'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'zuul': {'ocsp_port': 10009, 'default_usages': ['server auth', 'client auth']}, 'discovery2026': {'ocsp_port': 10010, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'wikikube': {'ocsp_port': 20010, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_front_proxy': {'ocsp_port': 20011}, 'wikikube_staging': {'ocsp_port': 20020, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_staging_front_proxy': {'ocsp_port': 20021, 'default_expiry': '72h'}, 'mlserve': {'ocsp_port': 20030, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_front_proxy': {'ocsp_port': 20031}, 'mlserve_staging': {'ocsp_port': 20040, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_staging_front_proxy': {'ocsp_port': 20041, 'default_expiry': '72h'}, 'aux': {'ocsp_port': 20050, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'aux_front_proxy': {'ocsp_port': 20051}, 'dse': {'ocsp_port': 20061, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'dse_front_proxy': {'ocsp_port': 20062}, 'network_devices': {'ocsp_port': 20063, 'default_expiry': '8760h', 'default_usages': ['digital signature', 'key encipherment', 'server auth']}}\n"}, {"resource": "File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]", "content": "--- /etc/apache2/sites-available/50-pki-discovery-wmnet.conf.orig\n+++ /etc/apache2/sites-available/50-pki-discovery-wmnet.conf\n@@ -24,9 +24,6 @@\n # debmonitor\n ProxyPass /ocsp/debmonitor http://localhost:10001/\n ProxyPassReverse /ocsp/debmonitor http://localhost:10001/\n- # discovery\n- ProxyPass /ocsp/discovery http://localhost:10002/\n- ProxyPassReverse /ocsp/discovery http://localhost:10002/\n # kafka\n ProxyPass /ocsp/kafka http://localhost:10003/\n ProxyPassReverse /ocsp/kafka http://localhost:10003/"}, {"resource": "Httpd::Site[pki.discovery.wmnet]"}, {"resource": "File[/etc/cfssl/multiroot.conf]", "content": "--- /etc/cfssl/multiroot.conf.orig\n+++ /etc/cfssl/multiroot.conf\n@@ -2,12 +2,6 @@\n private = file:///etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem\n certificate = /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n config = /etc/cfssl/signers/debmonitor/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[discovery]\n-private = file:///etc/cfssl/signers/discovery/ca/discovery-key.pem\n-certificate = /etc/cfssl/signers/discovery/ca/discovery.pem\n-config = /etc/cfssl/signers/discovery/cfssl.conf\n dbconfig = /etc/cfssl/db.conf\n \n [kafka]"}], "perc_changed": "1.84%"}}}