Compilation results for ms-fe1010.eqiad.wmnet: System changes detected
You can retrieve this result from host.json.
Catalog differences
Summary
| Total Resources: | 3372 |
|---|---|
| Resources added: | 3 |
| Resources removed: | 0 |
| Resources modified: | 8 |
| Change percentage: | 0.33% |
Resources only in the new catalog
- File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]
- Envoyproxy::Conf[cluster_ratelimit]
- Envoyproxy::Cluster[cluster_ratelimit]
Resources modified
- File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]
- Content differences:
--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig +++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml @@ -41,7 +41,41 @@ retry_policy: num_retries: 1 retry_on: "5xx" + typed_per_filter_config: + envoy.filters.http.ratelimit.resp: + "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute + rate_limits: + - hits_addend: + format: "%BYTES_SENT%" + apply_on_stream_done: true + # NOTE: If one of the headers referenced below is not set, the rate limit is not applied. + actions: + # Hardcode the policy and user class for now + - generic_key: + descriptor_key: policy + descriptor_value: thumbnails + - generic_key: + descriptor_key: user_class + descriptor_value: anon + # Provide the user's identity (x-client-ip is set at the edge) as the counter key + - request_headers: + descriptor_key: user_id + header_name: x-client-ip http_filters: + - name: envoy.filters.http.ratelimit.resp + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + domain: upload + request_type: both + stage: 0 + failure_mode_deny: false # return 200 if rate limit service is unavailable + enable_x_ratelimit_headers: DRAFT_VERSION_03 + rate_limit_service: + transport_api_version: V3 + grpc_service: + envoy_grpc: + cluster_name: ratelimit + authority: ratelimit-media.svc.eqiad.wmnet # Set HTTP/2 authority, SNI from the cluster is not enough - name: envoy.filters.http.router typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
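Review bot: the comment on `failure_mode_deny: false` in the new `envoy.filters.http.ratelimit.resp` filter says "return 200", but the setting means the request is allowed through to the upstream when the rate limit service cannot be reached, and the client gets whatever status the upstream returns. Suggest rewording it to say the filter fails open. Together with the NOTE under `rate_limits` (a request without `x-client-ip` is not counted at all), there are two paths on which this route is unlimited: the header is missing, or the `ratelimit` cluster is unavailable. It would help to state in the comments that both are intended, and that the edge overwrites any client-supplied `x-client-ip` rather than passing it through, since that header is the only counter key.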
- Content differences:
- Envoyproxy::Listener[tls_terminator_443]
- Envoyproxy::Tls_terminator[443]
- Parameters differences:
--- Envoyproxy::Tls_terminator[443].orig +++ Envoyproxy::Tls_terminator[443] @@ - rate_limit_enabled => False + rate_limit_enabled => True
- Envoyproxy::Conf[cluster_ratelimit]
- Parameters differences:
--- Envoyproxy::Conf[cluster_ratelimit].orig +++ Envoyproxy::Conf[cluster_ratelimit] + priority => 1 + conf_type => cluster
- Envoyproxy::Conf[tls_terminator_443]
- Class[Profile::Tlsproxy::Envoy]
- Parameters differences:
--- Class[Profile::Tlsproxy::Envoy].orig +++ Class[Profile::Tlsproxy::Envoy] @@ - rate_limit_enabled => False + rate_limit_enabled => True
- File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]
- Parameters differences:
--- File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml].orig +++ File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml] + notify => Exec[verify-envoy-config] + owner => root + group => root + ensure => present + mode => 0444
- Content differences:
--- /etc/envoy/clusters.d/01-cluster_ratelimit.yaml.orig +++ /etc/envoy/clusters.d/01-cluster_ratelimit.yaml @@ -0,0 +1,27 @@ +name: ratelimit +type: STRICT_DNS +connect_timeout: 0.25s +lb_policy: ROUND_ROBIN +typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: {} +load_assignment: + cluster_name: ratelimit + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: ratelimit-media.svc.eqiad.wmnet. + port_value: 30443 +transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: ratelimit-media.svc.eqiad.wmnet + common_tls_context: + validation_context: + trusted_ca: + filename: /etc/ssl/certs/ca-certificates.crt- Envoyproxy::Cluster[cluster_ratelimit]
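Review bot: the `validation_context` under `transport_socket` in 01-cluster_ratelimit.yaml sets only `trusted_ca`, pointing at the system-wide bundle `/etc/ssl/certs/ca-certificates.crt`, with no subject alternative name match. Envoy validates the chain against that bundle but does not check the certificate's name unless a SAN matcher is configured, so `sni: ratelimit-media.svc.eqiad.wmnet` alone does not pin the peer. Suggest adding a `match_typed_subject_alt_names` entry for `ratelimit-media.svc.eqiad.wmnet`, and, if an internal CA issues this certificate, trusting that CA file instead of the whole bundle. Separately, `socket_address` uses the trailing-dot form of the name while `sni` and the listener's `authority` do not; a one-line comment saying that is deliberate would save the next reader a check.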
- Parameters differences:
--- Envoyproxy::Cluster[cluster_ratelimit].orig +++ Envoyproxy::Cluster[cluster_ratelimit] + priority => 1
- Content differences:
- File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]
- Envoyproxy::Conf[tls_terminator_443]
- Envoyproxy::Conf[cluster_ratelimit]
- Parameters differences: