{"host": "ms-fe2009.codfw.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 3374, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -41,26 +41,26 @@\n               retry_policy:\n                 num_retries: 1\n                 retry_on: \"5xx\"\n-              typed_per_filter_config:\n-                envoy.filters.http.ratelimit.resp:\n-                  \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute\n-                  rate_limits:\n-                    - hits_addend:\n-                        format: \"%BYTES_SENT%\"\n-                      apply_on_stream_done: true\n-                      # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.\n-                      actions:\n-                        # Provide the user's identity (x-client-ip is set at the edge) as the counter key\n-                        - request_headers:\n-                            descriptor_key: user_id\n-                            header_name: x-client-ip\n-                        # Hardcode the policy and user class for now\n-                        - generic_key:\n-                            descriptor_key: policy\n-                            descriptor_value: thumbnails\n-                        - generic_key:\n-                            descriptor_key: user_class\n-                            descriptor_value: anon\n+            typed_per_filter_config:\n+              envoy.filters.http.ratelimit.resp:\n+                \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute\n+                rate_limits:\n+                  - hits_addend:\n+                      format: \"%BYTES_SENT%\"\n+      
              apply_on_stream_done: true\n+                    # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.\n+                    actions:\n+                      # Provide the user's identity (x-client-ip is set at the edge) as the counter key\n+                      - request_headers:\n+                          descriptor_key: user_id\n+                          header_name: x-client-ip\n+                      # Hardcode the policy and user class for now\n+                      - generic_key:\n+                          descriptor_key: policy\n+                          descriptor_value: thumbnails\n+                      - generic_key:\n+                          descriptor_key: user_class\n+                          descriptor_value: anon\n       http_filters:\n       - name: envoy.filters.http.ratelimit.resp\n         typed_config:\n@@ -68,13 +68,13 @@\n           domain: upload\n           request_type: both\n           stage: 0\n-          failure_type_deny: false # return 200 if rate limit service is unavailable\n+          failure_mode_deny: false # return 200 if rate limit service is unavailable\n           enable_x_ratelimit_headers: DRAFT_VERSION_03\n           rate_limit_service:\n             transport_api_version: V3\n             grpc_service:\n               envoy_grpc:\n-                cluster_name: cluster_ratelimit\n+                cluster_name: ratelimit\n       - name: envoy.filters.http.router\n         typed_config:\n           \"@type\": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}, {"resource": "Envoyproxy::Conf[cluster_ratelimit]"}, {"resource": "Envoyproxy::Cluster[cluster_ratelimit]"}, {"resource": "Envoyproxy::Conf[tls_terminator_443]"}, {"resource": "File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]", "content": "--- /etc/envoy/clusters.d/01-cluster_ratelimit.yaml.orig\n+++ /etc/envoy/clusters.d/01-cluster_ratelimit.yaml\n@@ -1,5 +1,5 @@\n name: 
ratelimit\n-type: static\n+type: STRICT_DNS\n connect_timeout: 0.25s\n lb_policy: ROUND_ROBIN\n typed_extension_protocol_options:\n@@ -14,5 +14,16 @@\n     - endpoint:\n         address:\n           socket_address:\n-            address: ratelimit-media.svc.codfw.wmnet\n+            address: ratelimit-media.svc.codfw.wmnet.\n             port_value: 30443\n+transport_socket:\n+  name: envoy.transport_sockets.tls\n+  typed_config:\n+    \"@type\": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext\n+    sni: ratelimit-media.svc.codfw.wmnet\n+    common_tls_context:\n+      tls_params:\n+        cipher_suites: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384\n+      validation_context:\n+        trusted_ca:\n+          filename: /etc/ssl/certs/ca-certificates.crt"}, {"resource": "Envoyproxy::Listener[tls_terminator_443]"}], "perc_changed": "0.18%"}, "core": {"total": 3374, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -41,26 +41,26 @@\n               retry_policy:\n                 num_retries: 1\n                 retry_on: \"5xx\"\n-              typed_per_filter_config:\n-                envoy.filters.http.ratelimit.resp:\n-                  \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute\n-                  rate_limits:\n-                    - hits_addend:\n-                        format: \"%BYTES_SENT%\"\n-                      apply_on_stream_done: true\n-                      # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.\n-                      actions:\n-                        # Provide the user's identity (x-client-ip is set at the edge) as the counter key\n-                        - request_headers:\n-                   
         descriptor_key: user_id\n-                            header_name: x-client-ip\n-                        # Hardcode the policy and user class for now\n-                        - generic_key:\n-                            descriptor_key: policy\n-                            descriptor_value: thumbnails\n-                        - generic_key:\n-                            descriptor_key: user_class\n-                            descriptor_value: anon\n+            typed_per_filter_config:\n+              envoy.filters.http.ratelimit.resp:\n+                \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute\n+                rate_limits:\n+                  - hits_addend:\n+                      format: \"%BYTES_SENT%\"\n+                    apply_on_stream_done: true\n+                    # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.\n+                    actions:\n+                      # Provide the user's identity (x-client-ip is set at the edge) as the counter key\n+                      - request_headers:\n+                          descriptor_key: user_id\n+                          header_name: x-client-ip\n+                      # Hardcode the policy and user class for now\n+                      - generic_key:\n+                          descriptor_key: policy\n+                          descriptor_value: thumbnails\n+                      - generic_key:\n+                          descriptor_key: user_class\n+                          descriptor_value: anon\n       http_filters:\n       - name: envoy.filters.http.ratelimit.resp\n         typed_config:\n@@ -68,13 +68,13 @@\n           domain: upload\n           request_type: both\n           stage: 0\n-          failure_type_deny: false # return 200 if rate limit service is unavailable\n+          failure_mode_deny: false # return 200 if rate limit service is unavailable\n           enable_x_ratelimit_headers: 
DRAFT_VERSION_03\n           rate_limit_service:\n             transport_api_version: V3\n             grpc_service:\n               envoy_grpc:\n-                cluster_name: cluster_ratelimit\n+                cluster_name: ratelimit\n       - name: envoy.filters.http.router\n         typed_config:\n           \"@type\": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}, {"resource": "File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]", "content": "--- /etc/envoy/clusters.d/01-cluster_ratelimit.yaml.orig\n+++ /etc/envoy/clusters.d/01-cluster_ratelimit.yaml\n@@ -1,5 +1,5 @@\n name: ratelimit\n-type: static\n+type: STRICT_DNS\n connect_timeout: 0.25s\n lb_policy: ROUND_ROBIN\n typed_extension_protocol_options:\n@@ -14,5 +14,16 @@\n     - endpoint:\n         address:\n           socket_address:\n-            address: ratelimit-media.svc.codfw.wmnet\n+            address: ratelimit-media.svc.codfw.wmnet.\n             port_value: 30443\n+transport_socket:\n+  name: envoy.transport_sockets.tls\n+  typed_config:\n+    \"@type\": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext\n+    sni: ratelimit-media.svc.codfw.wmnet\n+    common_tls_context:\n+      tls_params:\n+        cipher_suites: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384\n+      validation_context:\n+        trusted_ca:\n+          filename: /etc/ssl/certs/ca-certificates.crt"}], "perc_changed": "0.06%"}, "main": {"total": 3374, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "Envoyproxy::Cluster[cluster_ratelimit]"}, {"resource": "Envoyproxy::Conf[tls_terminator_443]"}, {"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -41,26 +41,26 @@\n               retry_policy:\n                 num_retries: 1\n                 retry_on: \"5xx\"\n-              
typed_per_filter_config:\n-                envoy.filters.http.ratelimit.resp:\n-                  \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute\n-                  rate_limits:\n-                    - hits_addend:\n-                        format: \"%BYTES_SENT%\"\n-                      apply_on_stream_done: true\n-                      # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.\n-                      actions:\n-                        # Provide the user's identity (x-client-ip is set at the edge) as the counter key\n-                        - request_headers:\n-                            descriptor_key: user_id\n-                            header_name: x-client-ip\n-                        # Hardcode the policy and user class for now\n-                        - generic_key:\n-                            descriptor_key: policy\n-                            descriptor_value: thumbnails\n-                        - generic_key:\n-                            descriptor_key: user_class\n-                            descriptor_value: anon\n+            typed_per_filter_config:\n+              envoy.filters.http.ratelimit.resp:\n+                \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute\n+                rate_limits:\n+                  - hits_addend:\n+                      format: \"%BYTES_SENT%\"\n+                    apply_on_stream_done: true\n+                    # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.\n+                    actions:\n+                      # Provide the user's identity (x-client-ip is set at the edge) as the counter key\n+                      - request_headers:\n+                          descriptor_key: user_id\n+                          header_name: x-client-ip\n+                      # Hardcode the policy and user class for now\n+                      
- generic_key:\n+                          descriptor_key: policy\n+                          descriptor_value: thumbnails\n+                      - generic_key:\n+                          descriptor_key: user_class\n+                          descriptor_value: anon\n       http_filters:\n       - name: envoy.filters.http.ratelimit.resp\n         typed_config:\n@@ -68,13 +68,13 @@\n           domain: upload\n           request_type: both\n           stage: 0\n-          failure_type_deny: false # return 200 if rate limit service is unavailable\n+          failure_mode_deny: false # return 200 if rate limit service is unavailable\n           enable_x_ratelimit_headers: DRAFT_VERSION_03\n           rate_limit_service:\n             transport_api_version: V3\n             grpc_service:\n               envoy_grpc:\n-                cluster_name: cluster_ratelimit\n+                cluster_name: ratelimit\n       - name: envoy.filters.http.router\n         typed_config:\n           \"@type\": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}, {"resource": "File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]", "content": "--- /etc/envoy/clusters.d/01-cluster_ratelimit.yaml.orig\n+++ /etc/envoy/clusters.d/01-cluster_ratelimit.yaml\n@@ -1,5 +1,5 @@\n name: ratelimit\n-type: static\n+type: STRICT_DNS\n connect_timeout: 0.25s\n lb_policy: ROUND_ROBIN\n typed_extension_protocol_options:\n@@ -14,5 +14,16 @@\n     - endpoint:\n         address:\n           socket_address:\n-            address: ratelimit-media.svc.codfw.wmnet\n+            address: ratelimit-media.svc.codfw.wmnet.\n             port_value: 30443\n+transport_socket:\n+  name: envoy.transport_sockets.tls\n+  typed_config:\n+    \"@type\": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext\n+    sni: ratelimit-media.svc.codfw.wmnet\n+    common_tls_context:\n+      tls_params:\n+        cipher_suites: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384\n+   
   validation_context:\n+        trusted_ca:\n+          filename: /etc/ssl/certs/ca-certificates.crt"}, {"resource": "Envoyproxy::Listener[tls_terminator_443]"}, {"resource": "Envoyproxy::Conf[cluster_ratelimit]"}], "perc_changed": "0.18%"}}}
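Review bot: The `validation_context` added in the second hunk of 01-cluster_ratelimit.yaml sets only `trusted_ca`, so as written Envoy checks the upstream certificate chain against the system bundle but does not tie the certificate to the `ratelimit-media.svc.codfw.wmnet` name; `sni` controls what is sent in the handshake, not what is verified. Unless SAN validation is enabled elsewhere (for instance in the `typed_extension_protocol_options` body, which lies outside the hunk), a certificate issued for any name under a CA in `/etc/ssl/certs/ca-certificates.crt` would be accepted as the rate-limit service. I would add a SAN matcher under `validation_context`, as sketched below. `tls_params` also pins cipher suites without setting `tls_minimum_protocol_version`, which is worth stating explicitly next to them. The same hunk is repeated in the "full" and "core" diffs of this report, so the point applies there as well.

```yaml
      validation_context:
        # … unchanged: trusted_ca pointing at the system CA bundle …
        match_typed_subject_alt_names:
          - san_type: DNS
            matcher:
              exact: ratelimit-media.svc.codfw.wmnet
```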