Compilation results for dse-k8s-wdqs-test1001.eqiad.wmnet: System changes detected

You can retrieve this result from host.json.

Catalog differences

Summary

Total Resources:	2862
Resources added:	435
Resources removed:	4
Resources modified:	454
Change percentage:	31.20%

Resources only in the new catalog

Exec[disable-rp-filter-ens2f0np0]
Exec[systemd daemon-reload for rsyslog-imfile-remedy.timer (rsyslog-imfile-remedy.timer)]
Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet]
Systemd::Unit[rsyslog-imfile-remedy.service]
Class[Profile::Kubernetes::Node::Dse_k8s]
Rsyslog::Conf[kubernetes-node-filters]
Exec[create chained cert /etc/kubernetes/pki/dse__kubelet_server.chain.pem]
Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]
Nrpe::Monitor_service[check_tcp-mss-clamper_status]
Apt::Pin[apt_pin_linux-6.12-bookworm_bookworm-bpo]
Systemd::Syslog[set-rbd-readahead]
Exec[apt_repository_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
Class[Calico]
Lvm::Physical_volume[/dev/md1]
Concat[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]
File[/lib/systemd/system/rsyslog-imfile-remedy.service]
Package[mmdb-bin]
Service[cpufrequtils]
Apt::Repository[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem]
Rsyslog::Conf[output_kafka_k8s]
Ferm::Rule[ipip]
Service[prometheus_lvs_realserver_mss.timer]
Exec[Generate cert dse__calico-cni]
Interface::Ipip[ipip_ipv4]
File[/etc/kubernetes/pki/dse__kubelet_server.chained.pem]
File[/etc/nerdctl/nerdctl.toml]
File[/etc/kubernetes/pki/dse__istio-cni.chained.pem]
Exec[ip link add name ipip0 type ipip external]
File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]
Systemd::Unit[rsyslog-imfile-remedy.timer]
Lvm::Logical_volume[srv]
Systemd::Service[prometheus_lvs_realserver_mss]
Rsyslog::Conf[input-file-kubernetes-json]
File[/etc/cfssl/csr/dse__kubelet_server.csr]
Prometheus::Node_ferm_mss[ferm_clamped_ipport]
Class[Base::Sysctl::Inotify]
Exec[create chained cert /etc/kubernetes/pki/dse__calicoctl.chain.pem]
Rsyslog::Conf[shellbox]
K8s::Kubelet::Cni[calico]
Class[Role::Dse_k8s::Worker::Wdqs]
Motd::Script[dse_k8s::worker::wdqs]
Systemd::Timer[prometheus_ferm_mss]
File[/etc/sysctl.d/70-increase_inotify_limits.conf]
Logical_volume[srv]
Class[Profile::Amd_gpu]
File[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]
Service[apparmor]
File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.pem]
Exec[Generate cert dse__calico-cni refresh]
Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr]
Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]
File[/srv/spark]
Systemd::Timer[set-rbd-readahead]
Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.service (rsyslog-release-deleted-inotify-watches.service)]
File[/usr/share/GeoIP]
File[/etc/default/wikimedia-lvs-realserver]
Package[istio-cni]
Ferm::Rule[ip6ip6]
File[/etc/kubernetes/kube-proxy-config.yaml]
Class[Role::Dse_k8s::Worker]
Apt::Package_from_bpo[linux-6.12-bookworm]
File[/etc/systemd/system/kubelet.service.d/container-runtime.conf]
Exec[ip link set up dev ipip0]
File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet-key.pem]
File[/etc/kubernetes/proxy.conf]
Interface::Manual[ipip_ipv6]
Nrpe::Plugin[check_systemd_unit_status]
Service[rsyslog-imfile-remedy.timer]
Exec[ip addr add 127.0.0.42/32 dev ipip0]
Ferm::Service[calico-bird]
Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]
Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
File[/etc/kubernetes/pki/dse__kubelet_server-key.pem]
File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.service]
Exec[renew certificate - dse__calicoctl]
File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem]
Package[calicoctl]
File[/var/run/kubernetes]
Class[Profile::Lvs::Realserver]
Interface::Post_up_command[clsact_lo]
File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]
Exec[Generate cert dse__kubelet_server refresh on intermediate ca change]
Rsyslog::Conf[rsyslog-release-deleted-inotify-watches]
Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]
Motd::Message[dse_k8s::worker::wdqs]
Systemd::Timer::Job[rsyslog-release-deleted-inotify-watches]
Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr]
Systemd::Timer[rsyslog-imfile-remedy]
File[/etc/kubernetes/pki/dse__calico-cni.chain.pem]
Exec[Generate cert dse__rsyslog refresh]
File[/etc/kubernetes/pki/dse__calicoctl-key.pem]
File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]
Exec[Generate cert dse__calicoctl]
File[/etc/ferm/conf.d/10_calico_typha]
Class[Profile::Kubernetes::Container_runtime]
File[/etc/logrotate.d/rsyslog-release-deleted-inotify-watches]
File[/etc/cni/net.d]
File[/etc/systemd/system/ferm.service.d/ferm-service-auto-restart.conf]
Class[Profile::Lvs::Realserver::Ipip]
Systemd::Override[container-runtime]
Class[Profile::Rsyslog::Shellbox]
Exec[apt_package_from_component_istio115]
File[/etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf]
File[/etc/logrotate.d/set-rbd-readahead]
K8s::Package[proxy]
Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
Service[kube-proxy]
File[/etc/calico/pki]
Apt::Package_from_component[kubernetes131]
Cfssl::Cert[dse__system_kube-proxy]
Monitoring::Service[check_tcp-mss-clamper_status]
Concat_file[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]
File[/etc/kubernetes/pki/dse__calicoctl.csr]
File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]
Systemd::Unit[prometheus_lvs_realserver_mss.timer]
K8s::Kubeconfig[/etc/cni/net.d/calico-kubeconfig]
Class[Cpufrequtils]
File[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]
Exec[systemd daemon-reload for kube-proxy.service (kube-proxy)]
Exec[Generate cert dse__rsyslog refresh on intermediate ca change]
Volume_group[vg_raid0]
Exec[create chained cert /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem]
Class[Containerd::Configuration]
Service[set-rbd-readahead.timer]
Systemd::Unit[tcp-mss-clamper]
Class[K8s::Clusters]
Systemd::Service[kube-proxy]
Sysctl::Parameters[kube_proxy_icmp]
Systemd::Unit[kubelet-container-runtime]
Systemd::Syslog[prometheus_lvs_realserver_mss]
Mount[/srv]
File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]
Concat_file[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]
Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]
Class[K8s::Proxy]
Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet refresh]
Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
Exec[Generate cert dse__kubelet_server refresh]
Interface::Ipip[ipip_ipv6]
Apt::Repository[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
Systemd::Timer::Job[set-rbd-readahead]
Rsyslog::Conf[set-rbd-readahead]
Systemd::Unit[ferm-ferm-service-auto-restart]
File[/lib/systemd/system/rsyslog-imfile-remedy.timer]
File[/etc/kubernetes/pki/dse__calico-cni.csr]
File[/etc/default/kubelet]
File[/etc/udev/rules.d/75-kube_proxy_conntrack.rules]
File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.csr]
File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer]
File[/lib/systemd/system/prometheus_ferm_mss.timer]
File[/etc/kubernetes]
Systemd::Syslog[prometheus_ferm_mss]
Firewall::Service[calico-typha]
Exec[renew certificate - dse__kubelet_server]
Systemd::Unit[kube-proxy]
Package[linux-image-6.12.88+deb12-amd64]
Systemd::Unit[prometheus_lvs_realserver_mss.service]
Class[Profile::Containerd]
File[/etc/sysctl.d/75-kube_proxy_icmp.conf]
User[kube]
File[/etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf]
File[/etc/calico]
Service[rsyslog-release-deleted-inotify-watches.timer]
Sysctl::Conffile[increase_inotify_limits]
K8s::Kubeconfig[/etc/cni/net.d/istio-kubeconfig]
File[/etc/rsyslog.d/00-imfile.conf]
File[/etc/sysctl.d/70-opensearch.conf]
Class[Lvm]
Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]
Package[kubernetes-node]
Concat[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]
Systemd::Unit[prometheus_ferm_mss.timer]
Systemd::Unit[set-rbd-readahead.service]
Systemd::Service[set-rbd-readahead]
Exec[Generate cert dse__system_kube-proxy]
Filesystem[/dev/vg_raid0/srv]
File[/etc/ferm/conf.d/10_clamp-mss-ipv4]
File_line[rm_post-up_ens2f0np0_clsact_ens2f0np0]
File[/etc/cni]
File[/usr/local/sbin/rsyslog-release-deleted-inotify-watches]
Exec[cpufrequtils_reload]
Cfssl::Cert[dse__istio-cni]
File[/etc/kubernetes/pki/dse__calicoctl.chained.pem]
Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 check_tcp-mss-clamper_status]
File[/lib/systemd/system/tcp-mss-clamper.service]
Exec[systemd daemon-reload for rsyslog-imfile-remedy.service (rsyslog-imfile-remedy.service)]
Exec[create chained cert /etc/kubernetes/pki/dse__calico-cni.chain.pem]
Cfssl::Csr[/etc/cfssl/csr/dse__istio-cni.csr]
Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]
K8s::Kubeconfig[/etc/calico/calicoctl-kubeconfig]
Sysctl::Conffile[opensearch]
File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr]
Package[crictl]
Augeas[ipip0_add_up]
Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
Class[K8s::Base_dirs]
File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]
File[/etc/kubernetes/pki/dse__calicoctl.pem]
Ferm::Rule[clamp-mss-ipv4]
File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem]
Sysctl::Parameters[kube_proxy_conntrack]
Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]
Exec[Generate cert dse__rsyslog]
Systemd::Timer[rsyslog-release-deleted-inotify-watches]
File[/etc/kubernetes/pki/dse__calico-cni-key.pem]
File[/etc/kubernetes/pki/dse__istio-cni.csr]
Exec[/usr/sbin/tc qdisc del dev ens2f0np0 clsact]
Exec[systemd daemon-reload for set-rbd-readahead.service (set-rbd-readahead.service)]
Rsyslog::Conf[prometheus_ferm_mss]
Systemd::Monitor[tcp-mss-clamper]
Class[Profile::Kubernetes::Node::Dse_k8s::Wdqs]
Class[Geoip::Data::Puppet]
Package[socat]
Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]
Sysctl::Conffile[kube_proxy_conntrack]
File[/etc/ferm/conf.d/10_kubelet-http]
Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]
Service[tcp-mss-clamper]
K8s::Kubeconfig[/etc/kubernetes/proxy.conf]
File[/etc/modprobe.d/blacklist-r440_wdat_wdt.conf]
File[/var/lib/kubelet]
Apt::Repository[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
Exec[disable-rp-filter-ipip0]
File[/etc/default/cpufrequtils]
Exec[disable-rp-filter-ipip60]
File[/etc/cfssl/csr/dse__calico-cni.csr]
Rsyslog::Conf[imfile]
Systemd::Service[rsyslog-release-deleted-inotify-watches]
Class[Profile::Rsyslog::Kubernetes]
Systemd::Service[prometheus_ferm_mss]
Augeas[ipip60_add_up]
Ferm::Rule[clamp-mss-ipv6]
File[/etc/cfssl/csr/dse__calicoctl.csr]
Concat_file[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]
File[/etc/cfssl/csr/dse__istio-cni.csr]
File[/etc/kubernetes/pki/dse__istio-cni.pem]
Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet refresh on intermediate ca change]
File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem]
File[/etc/containerd/config.toml]
Class[Geoip]
File[/lib/systemd/system/set-rbd-readahead.service]
Interface::Clsact[clsact_lo]
Systemd::Service[rsyslog-imfile-remedy]
Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]
File[/etc/kubernetes/pki/dse__calicoctl.chain.pem]
Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
Service[containerd]
Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr]
Augeas[ipip0_127.0.0.42/32]
File[/etc/kubernetes/kubelet.conf]
File[/etc/cni/net.d/calico-kubeconfig]
K8s::Kubeconfig[/etc/kubernetes/kubelet.conf]
Interface::Manual[ipip_ipv4]
File[/usr/local/bin/prometheus-lvs-realserver-mss]
Udev::Rule[kube_proxy_conntrack]
File[/etc/systemd/system/kube-proxy.service.d/puppet-override.conf]
Systemd::Unit[rsyslog-release-deleted-inotify-watches.service]
File[/etc/default/kube-proxy]
File[/etc/rsyslog.d/08-input-file-kubernetes-json.conf]
Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]
File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem]
Interface::Clsact[clsact_ens2f0np0]
Package[cpufrequtils]
Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr]
Nrpe::Check[check_check_tcp-mss-clamper_status]
Exec[renew certificate - dse__rsyslog]
Sudo::User[nrpe-check_check_tcp-mss-clamper_status]
Class[Lvs::Realserver]
Systemd::Override[ferm-service-auto-restart]
File[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]
Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]
File[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr]
File[/etc/kubernetes/pki/dse__system_kube-proxy.csr]
Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]
Ferm::Service[kubelet-http]
File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]
Class[Toil::Rsyslog_imfile_remedy]
Systemd::Syslog[rsyslog-release-deleted-inotify-watches]
Package[geoip-bin]
Interface::Post_up_command[clsact_ens2f0np0]
Cfssl::Cert[dse__rsyslog]
Exec[Generate cert dse__system_kube-proxy refresh on intermediate ca change]
File[/etc/calico/calicoctl-kubeconfig]
Augeas[ipip60_manual]
File[/etc/kubernetes/pki/dse__kubelet_server.pem]
File[/etc/cni/net.d/10-calico.conflist]
File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]
File[/etc/ferm/conf.d/10_ip6ip6]
File[/etc/rsyslog.d/35-output-kafka-k8s.conf]
File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chained.pem]
Service[prometheus_ferm_mss.timer]
Package[calico-cni]
File[/etc/kubernetes/pki/dse__istio-cni-key.pem]
File[/etc/kubernetes/pki/dse__system_kube-proxy-key.pem]
Cfssl::Cert[dse__calico-cni]
File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]
Kmod::Module[overlay]
Service[kubelet]
Exec[apt_pin_apt_pin_linux-6.12-bookworm_bookworm-bpo]
Exec[create chained cert /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]
Class[Profile::Lvs::Configuration]
Physical_volume[/dev/md1]
Package[wikimedia-lvs-realserver]
File[/etc/rsyslog.d/40-set-rbd-readahead.conf]
File[/etc/kubernetes/pki/dse__calico-cni.chained.pem]
File[/usr/local/sbin/set-rbd-readahead.py]
Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]
Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]
Logrotate::Conf[rsyslog-release-deleted-inotify-watches]
Cfssl::Cert[dse__kubelet_server]
File_line[rm_post-up_lo_clsact_lo]
Cfssl::Cert[dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet]
File[/etc/rsyslog.d/09-kubernetes.conf]
File[/etc/nerdctl]
Class[Profile::Calico::Kubernetes]
Systemd::Unit[prometheus_ferm_mss.service]
Exec[ip link add name ipip60 type ip6tnl external]
Systemd::Timer[prometheus_lvs_realserver_mss]
Concat[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]
File[/var/log/set-rbd-readahead]
Exec[Generate cert dse__calico-cni refresh on intermediate ca change]
Package[containerd]
Package[apparmor]
Exec[apt_package_from_component_kubernetes131]
Augeas[ipip0_manual]
Class[K8s::Kubelet]
Kmod::Blacklist[r440_wdat_wdt]
Logrotate::Conf[prometheus_ferm_mss]
Logrotate::Conf[prometheus_lvs_realserver_mss]
File[/etc/ferm/conf.d/10_calico-bird]
Interface::Ip[ipip_ipv4 ipv4]
Exec[systemd daemon-reload for kubelet.service (kubelet-container-runtime)]
Apt::Package_from_component[istio115]
Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]
Systemd::Unit[set-rbd-readahead.timer]
File[/var/log/prometheus_lvs_realserver_mss]
File[/etc/rsyslog.d/20-shellbox.conf]
Rsyslog::Conf[prometheus_lvs_realserver_mss]
Exec[/sbin/modprobe overlay]
File[/etc/ferm/conf.d/10_clamp-mss-ipv6]
Package[nerdctl]
File[/etc/update-motd.d/05-dse-k8s--worker--wdqs]
File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]
Sysctl::Conffile[ipv6-fowarding-accept-ra]
Exec[/usr/sbin/tc qdisc del dev lo clsact]
Systemd::Unit[rsyslog-release-deleted-inotify-watches.timer]
Exec[Generate cert dse__calicoctl refresh]
Exec[renew certificate - dse__system_kube-proxy]
File[/etc/containerd]
Exec[Generate cert dse__calicoctl refresh on intermediate ca change]
Augeas[ipip0_set_up]
File[/etc/apparmor.d/abstractions]
File[/etc/ferm/conf.d/10_ipip]
File[/etc/logrotate.d/prometheus_ferm_mss]
Systemd::Service[tcp-mss-clamper]
File[/lib/systemd/system/set-rbd-readahead.timer]
File[/var/log/prometheus_ferm_mss]
Exec[apt_repository_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
File[/etc/cfssl/csr/dse__system_kube-proxy.csr]
Exec[Generate cert dse__kubelet_server]
Package[linux-base]
Sysctl::Parameters[opensearch]
File[/etc/cfssl/csr/dse__rsyslog.csr]
Exec[renew certificate - dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet]
Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-auto-restart)]
File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]
File[/etc/cni/net.d/istio-kubeconfig]
File[/etc/kubernetes/pki/dse__calico-cni.pem]
Exec[rmmod-r440_wdat_wdt]
Rsyslog::Input::File[kubernetes-json]
File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]
File[/etc/systemd/system/kubelet.service.d]
Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)]
File[/etc/kubernetes/pki/dse__system_kube-proxy.chained.pem]
Class[Containerd::Nerdctl]
Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)]
Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]
File[/usr/local/bin/prometheus-ferm-mss]
File[/etc/sysctl.d/75-kube_proxy_conntrack.conf]
Exec[Generate cert dse__system_kube-proxy refresh]
Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr]
Class[K8s::Kubelet::Cni::Base]
Group[kube]
Cfssl::Cert[dse__calicoctl]
Exec[ip link set up dev ipip60]
File[/etc/systemd/system/kube-proxy.service.d]
Package[tcp-mss-clamper]
File[/etc/kubernetes/pki/dse__system_kube-proxy.pem]
Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo]
Lvm::Volume_group[vg_raid0]
Rsyslog::Conf[kubernetes]
Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]
File[/etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref]
Apt::Package_from_component[calico329]
Class[Wmflib::Service::Catalog]
Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]
Augeas[ipip60_set_up]
K8s::Package[kubelet]
Exec[ensure mountpoint '/srv' exists]
Exec[apt_package_from_component_calico329]
File[/etc/cfssl/ssl/dse__rsyslog]
Ferm::Service[calico_typha]
Exec[create chained cert /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]
Class[Geoip::Bin]
Systemd::Timer::Job[prometheus_ferm_mss]
File[/etc/calico/calicoctl.cfg]
Class[Profile::Kubernetes::Node]
File[/lib/systemd/system/prometheus_ferm_mss.service]
Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr]
Exec[renew certificate - dse__calico-cni]
Package[rsyslog-kubernetes]
Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]
Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]
Exec[apt_repository_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
Class[Containerd]
Sysctl::Parameters[ipv6-fowarding-accept-ra]
Sysctl::Parameters[increase_inotify_limits]
File[/etc/kubernetes/pki]
File[/etc/kubernetes/pki/dse__istio-cni.chain.pem]
File[/etc/kubernetes/pki/dse__kubelet_server.csr]
File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]
Class[Profile::Analytics::Geoip]
Sysctl::Conffile[kube_proxy_icmp]
Systemd::Timer::Job[rsyslog-imfile-remedy]
File[/etc/kubernetes/kubelet-config.yaml]
Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]
File[/etc/logrotate.d/prometheus_lvs_realserver_mss]
Systemd::Timer::Job[prometheus_lvs_realserver_mss]
File[/etc/modules-load.d/overlay.conf]
Class[Apparmor]
File[/var/log/rsyslog-release-deleted-inotify-watches]
Logrotate::Conf[set-rbd-readahead]
File[/etc/rsyslog.d/10-kubernetes-node-filters.conf]

Resources only in the old catalog

Motd::Message[insetup::data_platform_ferm]
Class[Role::Insetup::Data_platform_ferm]
Motd::Script[insetup::data_platform_ferm]
File[/etc/update-motd.d/05-insetup--data-platform-ferm]

Resources modified

Rsyslog::Conf[kubernetes-node-filters]

Parameters differences:

--- Rsyslog::Conf[kubernetes-node-filters].orig
+++ Rsyslog::Conf[kubernetes-node-filters]

+    mode     => 0444
+    source   => puppet:///modules/profile/kubernetes/node/kubernetes-node-filters.rsyslog.conf
+    ensure   => present
+    priority => 10

Rsyslog::Conf[output_kafka_k8s]

Parameters differences:

--- Rsyslog::Conf[output_kafka_k8s].orig
+++ Rsyslog::Conf[output_kafka_k8s]

+    mode     => 0444
+    ensure   => present
+    priority => 35

File[/etc/kubernetes/pki/dse__kubelet_server.chained.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__kubelet_server.chained.pem].orig
+++ File[/etc/kubernetes/pki/dse__kubelet_server.chained.pem]

+    ensure  => file
+    group   => root
+    require => Exec[create chained cert /etc/kubernetes/pki/dse__kubelet_server.chain.pem]
+    owner   => kube

Rsyslog::Conf[input-file-kubernetes-json]

Parameters differences:

--- Rsyslog::Conf[input-file-kubernetes-json].orig
+++ Rsyslog::Conf[input-file-kubernetes-json]

+    mode     => 0444
+    ensure   => present
+    require  => Rsyslog::Conf[imfile]
+    priority => 8

Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

Parameters differences:

--- Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig
+++ Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

+    tag    => _etc_apt_sources.list.d_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources
+    order  => 10
+    target => /etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources

Content differences:

--- component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.orig
+++ component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia
@@ -0,0 +1,5 @@
+Types: deb deb-src
+URIs: http://apt.wikimedia.org/wikimedia
+Suites: bookworm-wikimedia
+Components: component/istio115
+Signed-By: /etc/apt/keyrings/wikimedia-archive-keyring.gpg

File[/etc/kubernetes/kube-proxy-config.yaml]

Parameters differences:

--- File[/etc/kubernetes/kube-proxy-config.yaml].orig
+++ File[/etc/kubernetes/kube-proxy-config.yaml]

+    mode    => 0400
+    notify  => Service[kube-proxy]
+    group   => kube
+    require => K8s::Package[proxy]
+    owner   => kube
+    ensure  => file

Content differences:

--- /etc/kubernetes/kube-proxy-config.yaml.orig
+++ /etc/kubernetes/kube-proxy-config.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kubeproxy.config.k8s.io/v1alpha1
+kind: KubeProxyConfiguration
+hostnameOverride: dse-k8s-wdqs-test1001.eqiad.wmnet
+clientConnection:
+  kubeconfig: "/etc/kubernetes/proxy.conf"
+clusterCIDR: 10.67.24.0/21
+mode: iptables
+metricsBindAddress: 0.0.0.0
+nodePortAddresses:
+- 0.0.0.0/0
+- "::/0"

File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet-key.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet-key.pem].orig
+++ File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet-key.pem]

+    mode      => 0440
+    group     => root
+    show_diff => False
+    owner     => kube
+    backup    => False
+    ensure    => file

Rsyslog::Conf[rsyslog-release-deleted-inotify-watches]

Parameters differences:

--- Rsyslog::Conf[rsyslog-release-deleted-inotify-watches].orig
+++ Rsyslog::Conf[rsyslog-release-deleted-inotify-watches]

+    mode     => 0444
+    ensure   => absent
+    require  => File[/var/log/rsyslog-release-deleted-inotify-watches]
+    priority => 40

Exec[apt_package_from_component_istio115]

Parameters differences:

--- Exec[apt_package_from_component_istio115].orig
+++ Exec[apt_package_from_component_istio115]

+    before      => ['Package[istio-cni]']
+    command     => /usr/bin/apt-get update
+    subscribe   => Apt::Repository[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
+    refreshonly => True

K8s::Package[proxy]

Parameters differences:

--- K8s::Package[proxy].orig
+++ K8s::Package[proxy]

+    uri             => http://apt.wikimedia.org/wikimedia
+    version         => 1.31
+    require         => ['Class[K8s::Base_dirs]']
+    distro          => bookworm-wikimedia
+    ensure_packages => True
+    package         => node
+    priority        => 1001

Motd::Message[insetup::data_platform_ferm]

Parameters differences:

--- Motd::Message[insetup::data_platform_ferm].orig
+++ Motd::Message[insetup::data_platform_ferm]

-    message  => dse-k8s-wdqs-test1001 is a Host being setup by Data Platform SREs (insetup::data_platform_ferm)
-    ensure   => present
-    priority => 5

Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]

Parameters differences:

--- Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer].orig
+++ Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => absent
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => nrpe2nodexp-check_tcp-mss-clamper_status.timer

Apt::Repository[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

Parameters differences:

--- Apt::Repository[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig
+++ Apt::Repository[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

+    uri                      => http://apt.wikimedia.org/wikimedia
+    trust_repo               => False
+    allow_releaseinfo_change => False
+    keyfile                  => puppet:///modules/install_server/autoinstall/keyring/wikimedia-archive-keyring.gpg
+    bin                      => True
+    ensure                   => present
+    source                   => True
+    dist                     => bookworm-wikimedia
+    components               => component/calico329

File[/etc/kubernetes/pki/dse__calico-cni.csr]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__calico-cni.csr].orig
+++ File[/etc/kubernetes/pki/dse__calico-cni.csr]

+    mode   => 0440
+    ensure => file
+    group  => root
+    owner  => root

File[/etc/default/kubelet]

Parameters differences:

--- File[/etc/default/kubelet].orig
+++ File[/etc/default/kubelet]

+    mode   => 0644
+    notify => Service[kubelet]
+    group  => root
+    owner  => root
+    ensure => file

Content differences:

--- /etc/default/kubelet.orig
+++ /etc/default/kubelet
@@ -0,0 +1,11 @@
+###
+# kubernetes kubelet (minion) config
+
+DAEMON_ARGS="--config=/etc/kubernetes/kubelet-config.yaml \
+ --hostname-override=dse-k8s-wdqs-test1001.eqiad.wmnet \
+ --kubeconfig=/etc/kubernetes/kubelet.conf \
+ --node-ip=10.64.185.3 \
+ --node-labels=dedicated=wdqs,node.kubernetes.io/disk-type=ssd,topology.kubernetes.io/region=eqiad,topology.kubernetes.io/zone=row-d6 \
+ --register-schedulable=false \
+ --system-reserved=cpu=3.3,memory=13.00Gi \
+ --v=0"

File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.csr].orig
+++ File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.csr]

+    mode   => 0440
+    ensure => file
+    group  => root
+    owner  => root

File[/etc/kubernetes]

Parameters differences:

--- File[/etc/kubernetes].orig
+++ File[/etc/kubernetes]

+    mode   => 0755
+    ensure => directory
+    group  => root
+    owner  => root

Systemd::Syslog[prometheus_ferm_mss]

Parameters differences:

--- Systemd::Syslog[prometheus_ferm_mss].orig
+++ Systemd::Syslog[prometheus_ferm_mss]

+    group                  => root
+    force_stop             => True
+    log_filename           => syslog.log
+    owner                  => root
+    ensure                 => absent
+    base_dir               => /var/log
+    readable_by            => all
+    programname_comparison => startswith

Exec[renew certificate - dse__kubelet_server]

Parameters differences:

--- Exec[renew certificate - dse__kubelet_server].orig
+++ Exec[renew certificate - dse__kubelet_server]

+    unless      => /usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__kubelet_server.pem -checkend 952200
+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[kubelet]']
+    require     => Exec[Generate cert dse__kubelet_server]
+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse -profile server /etc/kubernetes/pki/dse__kubelet_server.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__kubelet_server

Service[rsyslog-release-deleted-inotify-watches.timer]

Parameters differences:

--- Service[rsyslog-release-deleted-inotify-watches.timer].orig
+++ Service[rsyslog-release-deleted-inotify-watches.timer]

+    before   => ['Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)]']
+    ensure   => stopped
+    enable   => False
+    provider => systemd

File[/etc/cni]

Parameters differences:

--- File[/etc/cni].orig
+++ File[/etc/cni]

+    mode   => 0755
+    ensure => directory
+    group  => root
+    owner  => root

Sysctl::Conffile[opensearch]

Parameters differences:

--- Sysctl::Conffile[opensearch].orig
+++ Sysctl::Conffile[opensearch]

+    no_priority_prefix => False
+    ensure             => present
+    priority           => 70

Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

Parameters differences:

--- Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig
+++ Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

+    tag    => _etc_apt_sources.list.d_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources
+    order  => 10
+    target => /etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources

Content differences:

--- component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.orig
+++ component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia
@@ -0,0 +1,5 @@
+Types: deb deb-src
+URIs: http://apt.wikimedia.org/wikimedia
+Suites: bookworm-wikimedia
+Components: component/kubernetes131
+Signed-By: /etc/apt/keyrings/wikimedia-archive-keyring.gpg

File[/etc/kubernetes/pki/dse__calicoctl.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__calicoctl.pem].orig
+++ File[/etc/kubernetes/pki/dse__calicoctl.pem]

+    mode   => 0440
+    ensure => file
+    group  => root
+    owner  => root

File[/etc/kubernetes/pki/dse__calico-cni-key.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__calico-cni-key.pem].orig
+++ File[/etc/kubernetes/pki/dse__calico-cni-key.pem]

+    mode      => 0440
+    group     => root
+    show_diff => False
+    owner     => root
+    backup    => False
+    ensure    => file

Service[tcp-mss-clamper]

Parameters differences:

--- Service[tcp-mss-clamper].orig
+++ Service[tcp-mss-clamper]

+    before => ['Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]']
+    ensure => stopped
+    enable => False

Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet refresh on intermediate ca change]

Parameters differences:

--- Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet refresh on intermediate ca change].orig
+++ Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet refresh on intermediate ca change]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[kubelet]']
+    require     => Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr]
+    refreshonly => True
+    subscribe   => File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet

File[/etc/systemd/system/kube-proxy.service.d/puppet-override.conf]

Parameters differences:

--- File[/etc/systemd/system/kube-proxy.service.d/puppet-override.conf].orig
+++ File[/etc/systemd/system/kube-proxy.service.d/puppet-override.conf]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for kube-proxy.service (kube-proxy)]
+    group  => root
+    owner  => root
+    ensure => present

Content differences:

--- /etc/systemd/system/kube-proxy.service.d/puppet-override.conf.orig
+++ /etc/systemd/system/kube-proxy.service.d/puppet-override.conf
@@ -0,0 +1,2 @@
+[Unit]
+After = ferm.service

Sudo::User[nrpe-check_check_tcp-mss-clamper_status]

Parameters differences:

--- Sudo::User[nrpe-check_check_tcp-mss-clamper_status].orig
+++ Sudo::User[nrpe-check_check_tcp-mss-clamper_status]

+    require    => ['Class[Sudo]']
+    privileges => []
+    user       => nagios
+    ensure     => absent
+    tag        => nrpe::check

File[/etc/kubernetes/pki/dse__system_kube-proxy.csr]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__system_kube-proxy.csr].orig
+++ File[/etc/kubernetes/pki/dse__system_kube-proxy.csr]

+    mode   => 0440
+    ensure => file
+    group  => root
+    owner  => kube

Ferm::Service[kubelet-http]

Parameters differences:

--- Ferm::Service[kubelet-http].orig
+++ Ferm::Service[kubelet-http]

+    ensure              => present
+    srange              => (@resolve((dse-k8s-ctrl1001.eqiad.wmnet dse-k8s-ctrl1002.eqiad.wmnet)) @resolve((dse-k8s-ctrl1001.eqiad.wmnet dse-k8s-ctrl1002.eqiad.wmnet), AAAA))
+    notrack             => False
+    prio                => 10
+    desc                => 
+    proto               => tcp
+    unrestricted_access => False
+    port                => 10250

File[/etc/ferm/conf.d/10_ip6ip6]

Parameters differences:

--- File[/etc/ferm/conf.d/10_ip6ip6].orig
+++ File[/etc/ferm/conf.d/10_ip6ip6]

+    mode    => 0400
+    group   => root
+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    owner   => root
+    ensure  => present
+    tag     => ferm

Content differences:

--- /etc/ferm/conf.d/10_ip6ip6.orig
+++ /etc/ferm/conf.d/10_ip6ip6
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 10_ip6ip6: 
+
+domain (ip6) {
+	table filter {
+		chain INPUT {
+			saddr 0100::/64 proto ipv6 ACCEPT;
+		}
+	}
+}

File[/etc/rsyslog.d/35-output-kafka-k8s.conf]

Parameters differences:

--- File[/etc/rsyslog.d/35-output-kafka-k8s.conf].orig
+++ File[/etc/rsyslog.d/35-output-kafka-k8s.conf]

+    mode   => 0444
+    notify => Service[rsyslog]
+    group  => root
+    owner  => root
+    ensure => present

Content differences:

--- /etc/rsyslog.d/35-output-kafka-k8s.conf.orig
+++ /etc/rsyslog.d/35-output-kafka-k8s.conf
@@ -0,0 +1,24 @@
+
+
+if ( $.log_outputs contains "k8s" ) then {
+    action(type="mmjsonparse" name="mmjsonparse_kafka_k8s")
+
+    action(type="omkafka"
+           name="omkafka_k8s"
+           broker=["kafka-logging1001.eqiad.wmnet:9093","kafka-logging1002.eqiad.wmnet:9093","kafka-logging1003.eqiad.wmnet:9093","kafka-logging1004.eqiad.wmnet:9093","kafka-logging1005.eqiad.wmnet:9093"]
+           topic="k8s-dse-k8s-eqiad"
+           partitions.auto="on"
+           template="syslog_cee"
+           queue.type="LinkedList" queue.size="10000" queue.filename="output_kafka_k8s"
+           queue.highWatermark="7000" queue.lowWatermark="6000"
+           queue.checkpointInterval="5"
+           queue.maxDiskSpace="40960000"
+           confParam=[ "security.protocol=ssl",
+                       "ssl.ca.location=/etc/ssl/certs/wmf-ca-certificates.crt",
+                       "compression.codec=snappy",
+                       "socket.timeout.ms=10000",
+                       "socket.keepalive.enable=true",
+                       "queue.buffering.max.ms=50",
+                       "batch.num.messages=1000" ]
+    )
+}

Package[calico-cni]

Parameters differences:

--- Package[calico-cni].orig
+++ Package[calico-cni]

+    ensure   => >=3.29 <3.30
+    provider => apt

Cfssl::Cert[dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet]

Parameters differences:

--- Cfssl::Cert[dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet].orig
+++ Cfssl::Cert[dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet]

+    mode            => 0740
+    group           => root
+    provide_chain   => True
+    owner           => kube
+    ensure          => present
+    hosts           => []
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    names           => [{'organisation': 'system:nodes'}]
+    label           => dse
+    auto_renew      => True
+    notify_services => ['kubelet']
+    renew_seconds   => 952200
+    key             => {'algo': 'ecdsa', 'size': 256}
+    before_services => []
+    outdir          => /etc/kubernetes/pki
+    common_name     => system:node:dse-k8s-wdqs-test1001.eqiad.wmnet

File[/etc/rsyslog.d/09-kubernetes.conf]

Parameters differences:

--- File[/etc/rsyslog.d/09-kubernetes.conf].orig
+++ File[/etc/rsyslog.d/09-kubernetes.conf]

+    mode   => 0444
+    notify => Service[rsyslog]
+    group  => root
+    owner  => root
+    ensure => present

Content differences:

--- /etc/rsyslog.d/09-kubernetes.conf.orig
+++ /etc/rsyslog.d/09-kubernetes.conf
@@ -0,0 +1,9 @@
+module(load="mmkubernetes"
+        KubernetesURL="https://dse-k8s-ctrl.svc.eqiad.wmnet:6443"
+        tls.mycert="/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem"
+        tls.myprivkey="/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem")
+action(type="mmkubernetes"
+       name="mmkubernetes"
+       action.resumeRetryCount="-1"
+       action.resumeIntervalMax="300"
+       action.reportSuspensionContinuation="on")

Augeas[ipip0_manual]

Parameters differences:

--- Augeas[ipip0_manual].orig
+++ Augeas[ipip0_manual]

+    lens    => Interfaces.lns
+    incl    => /etc/network/interfaces
+    context => /files/etc/network/interfaces
+    changes => ["set auto[./1 = 'ipip0']/1 'ipip0'", "set iface[. = 'ipip0'] 'ipip0'", "set iface[. = 'ipip0']/family 'inet'", "set iface[. = 'ipip0']/method 'manual'"]

File[/var/log/prometheus_lvs_realserver_mss]

Parameters differences:

--- File[/var/log/prometheus_lvs_realserver_mss].orig
+++ File[/var/log/prometheus_lvs_realserver_mss]

+    mode   => 0755
+    group  => root
+    force  => True
+    owner  => root
+    backup => False
+    ensure => absent

File[/etc/apparmor.d/abstractions]

Parameters differences:

--- File[/etc/apparmor.d/abstractions].orig
+++ File[/etc/apparmor.d/abstractions]

+    mode    => 0755
+    group   => root
+    require => Package[apparmor]
+    owner   => root
+    ensure  => directory

Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 ssh]

Parameters differences:

--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 ssh].orig
+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 ssh]

@@
-    servicegroups         => insetup_eqiad
+    servicegroups         => dse_k8s_eqiad
@@
-    notifications_enabled => 0
+    notifications_enabled => 1

Class[Containerd::Nerdctl]

Parameters differences:

--- Class[Containerd::Nerdctl].orig
+++ Class[Containerd::Nerdctl]

+    ensure    => present
+    namespace => k8s.io

File[/etc/sysctl.d/75-kube_proxy_conntrack.conf]

Parameters differences:

--- File[/etc/sysctl.d/75-kube_proxy_conntrack.conf].orig
+++ File[/etc/sysctl.d/75-kube_proxy_conntrack.conf]

+    group  => root
+    ensure => present
+    notify => Exec[update_sysctl]
+    owner  => root

Content differences:

--- /etc/sysctl.d/75-kube_proxy_conntrack.conf.orig
+++ /etc/sysctl.d/75-kube_proxy_conntrack.conf
@@ -0,0 +1,2 @@
+# sysctl parameters managed by Puppet.
+net.netfilter.nf_conntrack_max = 1048576

File[/etc/systemd/system/kube-proxy.service.d]

Parameters differences:

--- File[/etc/systemd/system/kube-proxy.service.d].orig
+++ File[/etc/systemd/system/kube-proxy.service.d]

+    mode   => 0555
+    ensure => directory
+    group  => root
+    owner  => root

Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)].orig
+++ Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]

+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

Augeas[ipip60_set_up]

Parameters differences:

--- Augeas[ipip60_set_up].orig
+++ Augeas[ipip60_set_up]

+    lens    => Interfaces.lns
+    onlyif  => match up[. = 'ip link set up dev ipip60'] size == 0
+    require => Augeas[ipip60_add_up]
+    context => /files/etc/network/interfaces/*[. = 'ipip60' and ./family = 'inet6']
+    incl    => /etc/network/interfaces
+    changes => set up[last()+1] 'ip link set up dev ipip60'

Concat_fragment[main contacts]

Content differences:

--- main contacts.orig
+++ main contacts
@@ -1,3 +1,3 @@
 ---
-role::insetup::data_platform_ferm:
+role::dse_k8s::worker::wdqs:
 - Data Platform

File[/etc/rsyslog.d/10-kubernetes-node-filters.conf]

Parameters differences:

--- File[/etc/rsyslog.d/10-kubernetes-node-filters.conf].orig
+++ File[/etc/rsyslog.d/10-kubernetes-node-filters.conf]

+    mode   => 0444
+    group  => root
+    notify => Service[rsyslog]
+    owner  => root
+    source => puppet:///modules/profile/kubernetes/node/kubernetes-node-filters.rsyslog.conf
+    ensure => present

Nrpe::Monitor_service[check_tcp-mss-clamper_status]

Parameters differences:

--- Nrpe::Monitor_service[check_tcp-mss-clamper_status].orig
+++ Nrpe::Monitor_service[check_tcp-mss-clamper_status]

+    retries                     => 2
+    contact_group               => admins
+    retry_interval              => 1
+    ensure                      => absent
+    timeout                     => 10
+    nrpe_command                => /usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper
+    alertmanager_team           => observability
+    notes_url                   => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+    enable_nrpe2nodexp          => False
+    enable_icinga_check         => True
+    nrpe2nodexp_parse_perf_data => False
+    critical                    => False
+    migration_task              => T407130
+    description                 => Check unit status of tcp-mss-clamper
+    check_interval              => 10

Service[cpufrequtils]

Parameters differences:

--- Service[cpufrequtils].orig
+++ Service[cpufrequtils]

+    ensure => running
+    enable => True

File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem].orig
+++ File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem]

+    ensure  => file
+    group   => root
+    require => Exec[create chained cert /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]
+    owner   => root

Interface::Ipip[ipip_ipv4]

Parameters differences:

--- Interface::Ipip[ipip_ipv4].orig
+++ Interface::Ipip[ipip_ipv4]

+    ensure    => present
+    address   => 127.0.0.42
+    interface => ipip0
+    family    => inet

File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]

Parameters differences:

--- File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service].orig
+++ File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service.orig
+++ /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=execution of nrpe2nodexp for the check_check_tcp-mss-clamper_status command.
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=nagios
+
+Group=prometheus-node-exporter
+SyslogIdentifier=nrpe2nodexp-check_tcp-mss-clamper_status
+ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash "295d6d5dd0a784bb9ba1d5983fd1894f" --timeout 10 --check-command "check_check_tcp-mss-clamper_status"

Prometheus::Node_ferm_mss[ferm_clamped_ipport]

Parameters differences:

--- Prometheus::Node_ferm_mss[ferm_clamped_ipport].orig
+++ Prometheus::Node_ferm_mss[ferm_clamped_ipport]

+    ensure         => absent
+    clamped_ipport => ['10.2.2.91:30443']
+    outfile        => /var/lib/prometheus/node.d/ferm-mss.prom

Motd::Script[dse_k8s::worker::wdqs]

Parameters differences:

--- Motd::Script[dse_k8s::worker::wdqs].orig
+++ Motd::Script[dse_k8s::worker::wdqs]

+    ensure   => present
+    priority => 5

File[/usr/share/GeoIP]

Parameters differences:

--- File[/usr/share/GeoIP].orig
+++ File[/usr/share/GeoIP]

+    mode      => 0644
+    group     => root
+    owner     => root
+    source    => puppet:///volatile/GeoIP
+    ensure    => directory
+    show_diff => False
+    backup    => False
+    recurse   => True

Ferm::Rule[ip6ip6]

Parameters differences:

--- Ferm::Rule[ip6ip6].orig
+++ Ferm::Rule[ip6ip6]

+    table  => filter
+    prio   => 10
+    domain => (ip6)
+    desc   => 
+    ensure => present
+    chain  => INPUT
+    rule   => saddr 0100::/64 proto ipv6 ACCEPT;

Interface::Post_up_command[clsact_lo]

Parameters differences:

--- Interface::Post_up_command[clsact_lo].orig
+++ Interface::Post_up_command[clsact_lo]

+    command   => /usr/sbin/tc qdisc add dev lo clsact
+    ensure    => absent
+    interface => lo

Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]

Parameters differences:

--- Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f].orig
+++ Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]

+    team               => observability
+    group              => nrpechecks
+    alert_name         => nrpe_Check_unit_status_of_tcp_mss_clamper
+    instance           => ops
+    ensure             => absent
+    dashboard          => TODO
+    summary            => NRPE CHECK: Check unit status of tcp-mss-clamper
+    severity           => info
+    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_tcp-mss-clamper_status))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))
+    site               => eqiad
+    description        => NRPE CHECK: Check unit status of tcp-mss-clamper
+    def_label_whitelst => ['team', 'severity']
+    for                => 11m
+    expr               => (nagios_nrpe_check_result{alert_rule_hash="295d6d5dd0a784bb9ba1d5983fd1894f",check_name="check_check_tcp-mss-clamper_status", status=~"(WARNING|CRITICAL)", severity=~"(warning|critical)"} > 0) * on (instance) group_left (team) role_owner
+    runbook            => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments

Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr]

+    hosts       => []
+    names       => [{'organisation': 'system:nodes'}]
+    ensure      => present
+    key         => {'algo': 'ecdsa', 'size': 256}
+    common_name => system:node:dse-k8s-wdqs-test1001.eqiad.wmnet

Systemd::Override[container-runtime]

Parameters differences:

--- Systemd::Override[container-runtime].orig
+++ Systemd::Override[container-runtime]

+    ensure  => present
+    restart => True
+    unit    => kubelet

Systemd::Service[kube-proxy]

Parameters differences:

--- Systemd::Service[kube-proxy].orig
+++ Systemd::Service[kube-proxy]

+    unit_type                => service
+    service_params           => {}
+    monitoring_contact_group => admins
+    subscribe                => File[/etc/kubernetes/proxy.conf]
+    ensure                   => present
+    restart                  => True
+    migration_task           => T407130
+    monitoring_critical      => False
+    monitoring_enabled       => False
+    override                 => True

Sysctl::Conffile[increase_inotify_limits]

Parameters differences:

--- Sysctl::Conffile[increase_inotify_limits].orig
+++ Sysctl::Conffile[increase_inotify_limits]

+    no_priority_prefix => False
+    ensure             => present
+    priority           => 70

File[/etc/sysctl.d/70-opensearch.conf]

Parameters differences:

--- File[/etc/sysctl.d/70-opensearch.conf].orig
+++ File[/etc/sysctl.d/70-opensearch.conf]

+    group  => root
+    ensure => present
+    notify => Exec[update_sysctl]
+    owner  => root

Content differences:

--- /etc/sysctl.d/70-opensearch.conf.orig
+++ /etc/sysctl.d/70-opensearch.conf
@@ -0,0 +1,2 @@
+# sysctl parameters managed by Puppet.
+vm.max_map_count = 1048576

Class[Profile::Base::Production]

Parameters differences:

--- Class[Profile::Base::Production].orig
+++ Class[Profile::Base::Production]

@@
-    role_description => Host being setup by Data Platform SREs
+    role_description => DSE Kubernetes worker node - dedicated to wdqs

Concat[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]

Parameters differences:

--- Concat[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources].orig
+++ Concat[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]

+    mode           => 0444
+    notify         => Exec[apt_repository_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
+    group          => root
+    ensure_newline => False
+    owner          => root
+    ensure         => present
+    warn           => False
+    path           => /etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources
+    format         => plain
+    show_diff      => True
+    force          => False
+    backup         => puppet
+    replace        => True
+    order          => alpha

Exec[Generate cert dse__system_kube-proxy]

Parameters differences:

--- Exec[Generate cert dse__system_kube-proxy].orig
+++ Exec[Generate cert dse__system_kube-proxy]

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__system_kube-proxy.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/kubernetes/pki/dse__system_kube-proxy-key.pem 2>&1)"

+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[kube-proxy]']
+    require     => Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__system_kube-proxy.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_kube-proxy

File[/usr/local/sbin/rsyslog-release-deleted-inotify-watches]

Parameters differences:

--- File[/usr/local/sbin/rsyslog-release-deleted-inotify-watches].orig
+++ File[/usr/local/sbin/rsyslog-release-deleted-inotify-watches]

+    mode   => 0544
+    ensure => absent
+    group  => root
+    owner  => root

Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 check_tcp-mss-clamper_status]

Parameters differences:

--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 check_tcp-mss-clamper_status].orig
+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 check_tcp-mss-clamper_status]

+    contact_groups         => admins
+    ensure                 => absent
+    check_period           => 24x7
+    service_description    => Check unit status of tcp-mss-clamper
+    notification_options   => c,r,f
+    servicegroups          => dse_k8s_eqiad
+    host_name              => dse-k8s-wdqs-test1001
+    check_command          => nrpe_check!check_check_tcp-mss-clamper_status!10
+    check_freshness        => 0
+    is_volatile            => 0
+    retry_interval         => 1
+    notifications_enabled  => 1
+    max_check_attempts     => 2
+    active_checks_enabled  => 1
+    notes_url              => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+    passive_checks_enabled => 1
+    notification_period    => 24x7
+    notification_interval  => 0
+    check_interval         => 10

File[/etc/sysctl.d/51-ubuntu-defaults.conf]

Content differences:

--- /etc/sysctl.d/51-ubuntu-defaults.conf.orig
+++ /etc/sysctl.d/51-ubuntu-defaults.conf
@@ -4,7 +4,7 @@
 kernel.kptr_restrict = 1
 kernel.printk = 4 4 1 7
 kernel.yama.ptrace_scope = 1
-net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 0
 net.ipv4.conf.default.rp_filter = 1
 net.ipv4.tcp_syncookies = 1
 vm.mmap_min_addr = 65536

File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]

Parameters differences:

--- File[/usr/local/lib/nagios/plugins/check_systemd_unit_status].orig
+++ File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]

+    mode    => 0555
+    group   => root
+    require => File[/usr/local/lib/nagios/plugins/]
+    owner   => root
+    source  => puppet:///modules/systemd/check_systemd_unit_status
+    ensure  => file
+    tag     => nrpe::plugin

Exec[Generate cert dse__rsyslog]

Parameters differences:

--- Exec[Generate cert dse__rsyslog].orig
+++ Exec[Generate cert dse__rsyslog]

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem 2>&1)"

+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[rsyslog]']
+    require     => Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__rsyslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog

K8s::Kubeconfig[/etc/kubernetes/kubelet.conf]

Parameters differences:

--- K8s::Kubeconfig[/etc/kubernetes/kubelet.conf].orig
+++ K8s::Kubeconfig[/etc/kubernetes/kubelet.conf]

+    mode        => 0400
+    group       => kube
+    require     => ['Class[K8s::Base_dirs]']
+    owner       => kube
+    username    => default-auth
+    ensure      => present
+    auth_cert   => {'cert': '/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.pem', 'key': '/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet-key.pem', 'chain': '/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem', 'chained': '/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chained.pem'}
+    master_host => dse-k8s-ctrl.svc.eqiad.wmnet

Systemd::Override[ferm-service-auto-restart]

Parameters differences:

--- Systemd::Override[ferm-service-auto-restart].orig
+++ Systemd::Override[ferm-service-auto-restart]

+    source  => puppet:///modules/profile/kubernetes/node/ferm_systemd_override
+    ensure  => present
+    restart => False
+    unit    => ferm

File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]

Parameters differences:

--- File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status].orig
+++ File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]

+    ensure  => absent
+    group   => root
+    require => Package[nagios-nrpe-server]
+    owner   => root

Kmod::Module[overlay]

Parameters differences:

--- Kmod::Module[overlay].orig
+++ Kmod::Module[overlay]

+    ensure => present

Exec[apt_pin_apt_pin_linux-6.12-bookworm_bookworm-bpo]

Parameters differences:

--- Exec[apt_pin_apt_pin_linux-6.12-bookworm_bookworm-bpo].orig
+++ Exec[apt_pin_apt_pin_linux-6.12-bookworm_bookworm-bpo]

+    command     => /usr/bin/apt-get update
+    refreshonly => True

Exec[create chained cert /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]

Parameters differences:

--- Exec[create chained cert /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem].orig
+++ Exec[create chained cert /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]

+    unless    => /usr/bin/test "$(/bin/cat /etc/kubernetes/pki/dse__system_kube-proxy.pem /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem | sha512sum)" == "$(/bin/cat /etc/kubernetes/pki/dse__system_kube-proxy.chained.pem | sha512sum)"

+    notify    => ['Service[kube-proxy]']
+    require   => Exec[Generate cert dse__system_kube-proxy refresh on intermediate ca change]
+    subscribe => ['Exec[renew certificate - dse__system_kube-proxy]', 'File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]', 'File[/etc/kubernetes/pki/dse__system_kube-proxy.pem]']
+    command   => /bin/cat /etc/kubernetes/pki/dse__system_kube-proxy.pem /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem > /etc/kubernetes/pki/dse__system_kube-proxy.chained.pem

Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]

Parameters differences:

--- Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status].orig
+++ Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]

+    splay              => 300
+    accuracy           => 15sec
+    unit_name          => nrpe2nodexp-check_tcp-mss-clamper_status.service
+    fixed_random_delay => True
+    ensure             => absent
+    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}, {'interval': '1s', 'start': 'OnActiveSec'}]

Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]

Parameters differences:

--- Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)].orig
+++ Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]

+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

Class[Profile::Cumin::Target]

Parameters differences:

--- Class[Profile::Cumin::Target].orig
+++ Class[Profile::Cumin::Target]

@@
-    cluster => insetup
+    cluster => dse_k8s

Logrotate::Conf[prometheus_ferm_mss]

Parameters differences:

--- Logrotate::Conf[prometheus_ferm_mss].orig
+++ Logrotate::Conf[prometheus_ferm_mss]

+    ensure => absent

Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)].orig
+++ Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]

+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

File[/etc/rsyslog.d/20-shellbox.conf]

Parameters differences:

--- File[/etc/rsyslog.d/20-shellbox.conf].orig
+++ File[/etc/rsyslog.d/20-shellbox.conf]

+    mode   => 0444
+    group  => root
+    notify => Service[rsyslog]
+    owner  => root
+    source => puppet:///modules/profile/rsyslog/shellbox.rsyslog.conf
+    ensure => present

Rsyslog::Conf[prometheus_lvs_realserver_mss]

Parameters differences:

--- Rsyslog::Conf[prometheus_lvs_realserver_mss].orig
+++ Rsyslog::Conf[prometheus_lvs_realserver_mss]

+    mode     => 0444
+    ensure   => absent
+    require  => File[/var/log/prometheus_lvs_realserver_mss]
+    priority => 40

File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem].orig
+++ File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]

+    mode   => 0440
+    group  => root
+    owner  => root
+    source => puppet:///modules/profile/pki/intermediates/dse-cert.pem
+    ensure => file

Exec[Generate cert dse__calicoctl refresh]

Parameters differences:

--- Exec[Generate cert dse__calicoctl refresh].orig
+++ Exec[Generate cert dse__calicoctl refresh]

+    subscribe   => File[/etc/cfssl/csr/dse__calicoctl.csr]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__calicoctl.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calicoctl

+    environment => ['GODEBUG=x509ignoreCN=0']
+    refreshonly => True

File[/etc/ferm/conf.d/10_ipip]

Parameters differences:

--- File[/etc/ferm/conf.d/10_ipip].orig
+++ File[/etc/ferm/conf.d/10_ipip]

+    mode    => 0400
+    group   => root
+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    owner   => root
+    ensure  => present
+    tag     => ferm

Content differences:

--- /etc/ferm/conf.d/10_ipip.orig
+++ /etc/ferm/conf.d/10_ipip
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 10_ipip: 
+
+domain (ip) {
+	table filter {
+		chain INPUT {
+			saddr 172.16.0.0/12 proto ipencap ACCEPT;
+		}
+	}
+}

File[/var/log/prometheus_ferm_mss]

Parameters differences:

--- File[/var/log/prometheus_ferm_mss].orig
+++ File[/var/log/prometheus_ferm_mss]

+    mode   => 0755
+    group  => root
+    force  => True
+    owner  => root
+    backup => False
+    ensure => absent

Class[Cumin::Selector]

Parameters differences:

--- Class[Cumin::Selector].orig
+++ Class[Cumin::Selector]

@@
-    cluster => insetup
+    cluster => dse_k8s

Sysctl::Parameters[opensearch]

Parameters differences:

--- Sysctl::Parameters[opensearch].orig
+++ Sysctl::Parameters[opensearch]

+    no_priority_prefix => False
+    ensure             => present
+    values             => {'vm.max_map_count': 1048576}
+    priority           => 70

File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem].orig
+++ File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]

+    mode   => 0440
+    group  => root
+    owner  => kube
+    source => puppet:///modules/profile/pki/intermediates/dse-cert.pem
+    ensure => file

File[/etc/kubernetes/pki/dse__system_kube-proxy.chained.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__system_kube-proxy.chained.pem].orig
+++ File[/etc/kubernetes/pki/dse__system_kube-proxy.chained.pem]

+    ensure  => file
+    group   => root
+    require => Exec[create chained cert /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]
+    owner   => kube

Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr]

+    hosts       => []
+    names       => []
+    ensure      => present
+    key         => {'algo': 'ecdsa', 'size': 256}
+    common_name => calico-cni

Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo]

Parameters differences:

--- Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo].orig
+++ Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo]

+    command     => /usr/bin/apt-get update
+    refreshonly => True

Rsyslog::Conf[kubernetes]

Parameters differences:

--- Rsyslog::Conf[kubernetes].orig
+++ Rsyslog::Conf[kubernetes]

+    mode     => 0444
+    ensure   => present
+    priority => 9

Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]

Parameters differences:

--- Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status].orig
+++ Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]

+    mode     => 0444
+    ensure   => absent
+    priority => 25

Systemd::Timer::Job[prometheus_ferm_mss]

Parameters differences:

--- Systemd::Timer::Job[prometheus_ferm_mss].orig
+++ Systemd::Timer::Job[prometheus_ferm_mss]

+    fixed_random_delay        => False
+    private_tmp               => False
+    ensure                    => absent
+    logging_enabled           => True
+    syslog_force_stop         => True
+    environment               => {}
+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+    send_mail_only_on_error   => True
+    send_mail_to              => root@dse-k8s-wdqs-test1001.eqiad.wmnet
+    user                      => root
+    description               => Regular job to collect MSS values of ferm-based hosts
+    syslog_match_startswith   => True
+    logfile_basedir           => /var/log
+    monitoring_contact_groups => admins
+    logfile_group             => root
+    interval                  => {'start': 'OnCalendar', 'interval': 'minutely'}
+    command                   => /usr/local/bin/prometheus-ferm-mss -o /var/lib/prometheus/node.d/ferm-mss.prom -e 10.2.2.91:30443
+    send_mail                 => False
+    ignore_errors             => False
+    logfile_perms             => all
+    logfile_name              => syslog.log
+    monitoring_enabled        => False
+    success_exit_status       => []

File[/etc/calico/calicoctl.cfg]

Parameters differences:

--- File[/etc/calico/calicoctl.cfg].orig
+++ File[/etc/calico/calicoctl.cfg]

+    mode   => 0444
+    ensure => file
+    group  => root
+    owner  => root

Content differences:

--- /etc/calico/calicoctl.cfg.orig
+++ /etc/calico/calicoctl.cfg
@@ -0,0 +1,10 @@
+# This configures calicoctl to use the kubernetes datastore.
+# The user referenced in the kubeconfig file probably needs broad permissions, see:
+# https://docs.projectcalico.org/getting-started/clis/calicoctl/configure/overview
+# https://docs.projectcalico.org/getting-started/kubernetes/hardway/end-user-rbac
+apiVersion: projectcalico.org/v3
+kind: CalicoAPIConfig
+metadata:
+spec:
+  datastoreType: "kubernetes"
+  kubeconfig: "/etc/calico/calicoctl-kubeconfig"

Nrpe::Check[check_disk_space]

Parameters differences:

--- Nrpe::Check[check_disk_space].orig
+++ Nrpe::Check[check_disk_space]

@@
-    command => /usr/lib/nagios/plugins/check_disk -w 6% -c 3% -W 6% -K 3% -l -e -A -i "/srv/sd[a-b][1-3]" -i "/srv/nvme[0-9]n[0-9]p[0-9]" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs
+    command => /usr/lib/nagios/plugins/check_disk -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs

File[/var/log/rsyslog-release-deleted-inotify-watches]

Parameters differences:

--- File[/var/log/rsyslog-release-deleted-inotify-watches].orig
+++ File[/var/log/rsyslog-release-deleted-inotify-watches]

+    mode   => 0755
+    group  => root
+    force  => True
+    owner  => root
+    backup => False
+    ensure => absent

Apt::Pin[apt_pin_linux-6.12-bookworm_bookworm-bpo]

Parameters differences:

--- Apt::Pin[apt_pin_linux-6.12-bookworm_bookworm-bpo].orig
+++ Apt::Pin[apt_pin_linux-6.12-bookworm_bookworm-bpo]

+    pin      => release a=bookworm-backports
+    notify   => Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo]
+    before   => ['Package[linux-base]', 'Package[linux-image-6.12.88+deb12-amd64]']
+    ensure   => present
+    package  => linux-base linux-image-6.12.88+deb12-amd64
+    priority => 1001

Exec[apt_repository_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

Parameters differences:

--- Exec[apt_repository_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig
+++ Exec[apt_repository_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

+    command     => /usr/bin/apt-get update 
+    refreshonly => True

Class[Base::Sysctl::Inotify]

Parameters differences:

--- Class[Base::Sysctl::Inotify].orig
+++ Class[Base::Sysctl::Inotify]

+    max_user_instances => 512
+    max_user_watches   => 32768

File[/etc/sysctl.d/70-increase_inotify_limits.conf]

Parameters differences:

--- File[/etc/sysctl.d/70-increase_inotify_limits.conf].orig
+++ File[/etc/sysctl.d/70-increase_inotify_limits.conf]

+    group  => root
+    ensure => present
+    notify => Exec[update_sysctl]
+    owner  => root

Content differences:

--- /etc/sysctl.d/70-increase_inotify_limits.conf.orig
+++ /etc/sysctl.d/70-increase_inotify_limits.conf
@@ -0,0 +1,3 @@
+# sysctl parameters managed by Puppet.
+fs.inotify.max_user_instances = 512
+fs.inotify.max_user_watches = 32768

Service[apparmor]

Parameters differences:

--- Service[apparmor].orig
+++ Service[apparmor]

+    hasstatus  => True
+    ensure     => running
+    require    => Package[apparmor]
+    hasrestart => True

File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.pem].orig
+++ File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.pem]

+    mode   => 0440
+    ensure => file
+    group  => root
+    owner  => kube

Systemd::Timer[set-rbd-readahead]

Parameters differences:

--- Systemd::Timer[set-rbd-readahead].orig
+++ Systemd::Timer[set-rbd-readahead]

+    splay              => 0
+    accuracy           => 15sec
+    unit_name          => set-rbd-readahead.service
+    fixed_random_delay => False
+    ensure             => absent
+    timer_intervals    => [{'start': 'OnCalendar', 'interval': '*:0/5'}]

Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.service (rsyslog-release-deleted-inotify-watches.service)]

Parameters differences:

--- Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.service (rsyslog-release-deleted-inotify-watches.service)].orig
+++ Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.service (rsyslog-release-deleted-inotify-watches.service)]

+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

Exec[ip link set up dev ipip0]

Parameters differences:

--- Exec[ip link set up dev ipip0].orig
+++ Exec[ip link set up dev ipip0]

+    path    => /bin:/usr/bin
+    unless  => ip link show ipip0 | grep -q UP
+    returns => [0, 2]

Exec[ip addr add 127.0.0.42/32 dev ipip0]

Parameters differences:

--- Exec[ip addr add 127.0.0.42/32 dev ipip0].orig
+++ Exec[ip addr add 127.0.0.42/32 dev ipip0]

+    path    => /bin:/usr/bin
+    unless  => ip address show ipip0 | grep -q 127.0.0.42/32
+    returns => [0, 2]

Class[Profile::Lvs::Realserver]

Parameters differences:

--- Class[Profile::Lvs::Realserver].orig
+++ Class[Profile::Lvs::Realserver]

+    poolcounter_backends => [{'label': 'pc1', 'fqdn': 'poolcounter1006.eqiad.wmnet'}, {'label': 'pc2', 'fqdn': 'poolcounter1007.eqiad.wmnet'}]
+    pools                => {'k8s-ingress-dse': {}, 'k8s-ingress-dse-aa': {}}
+    use_conftool         => False

Class[Profile::Lvs::Realserver::Ipip]

Parameters differences:

--- Class[Profile::Lvs::Realserver::Ipip].orig
+++ Class[Profile::Lvs::Realserver::Ipip]

+    firewall_provider => ferm
+    ipv4_mss          => 1440
+    ipv6_mss          => 1400
+    enabled           => True
+    interfaces        => ['ens2f0np0', 'lo']
+    clamping_enabled  => False
+    pools             => {'k8s-ingress-dse': {}, 'k8s-ingress-dse-aa': {}}

Concat_file[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]

Parameters differences:

--- Concat_file[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources].orig
+++ Concat_file[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]

+    mode           => 0444
+    group          => root
+    ensure_newline => False
+    owner          => root
+    tag            => _etc_apt_sources.list.d_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources
+    format         => plain
+    show_diff      => True
+    force          => False
+    backup         => puppet
+    replace        => True
+    order          => alpha

Systemd::Unit[prometheus_lvs_realserver_mss.timer]

Parameters differences:

--- Systemd::Unit[prometheus_lvs_realserver_mss.timer].orig
+++ Systemd::Unit[prometheus_lvs_realserver_mss.timer]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => absent
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => prometheus_lvs_realserver_mss.timer

Class[Cpufrequtils]

Parameters differences:

--- Class[Cpufrequtils].orig
+++ Class[Cpufrequtils]

+    ensure   => present
+    governor => performance

Exec[systemd daemon-reload for kube-proxy.service (kube-proxy)]

Parameters differences:

--- Exec[systemd daemon-reload for kube-proxy.service (kube-proxy)].orig
+++ Exec[systemd daemon-reload for kube-proxy.service (kube-proxy)]

+    command     => /bin/systemctl daemon-reload
+    notify      => ['Service[kube-proxy]']
+    refreshonly => True

Volume_group[vg_raid0]

Parameters differences:

--- Volume_group[vg_raid0].orig
+++ Volume_group[vg_raid0]

+    createonly       => True
+    ensure           => present
+    followsymlinks   => False
+    physical_volumes => {'/dev/md1': {'unless_vg': 'vg_raid0'}}

Class[Containerd::Configuration]

Parameters differences:

--- Class[Containerd::Configuration].orig
+++ Class[Containerd::Configuration]

+    dragonfly_enabled => False
+    registry_username => kubernetes
+    ensure            => present
+    sandbox_image     => docker-registry.discovery.wmnet/pause:3.6-1

Sysctl::Parameters[kube_proxy_icmp]

Parameters differences:

--- Sysctl::Parameters[kube_proxy_icmp].orig
+++ Sysctl::Parameters[kube_proxy_icmp]

+    no_priority_prefix => False
+    ensure             => present
+    values             => {'net.ipv4.conf.all.send_redirects': 0, 'net.ipv4.conf.default.send_redirects': 0, 'net.ipv4.conf.ens2f0np0.send_redirects': 0}
+    priority           => 75

File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]

Parameters differences:

--- File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf].orig
+++ File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]

+    mode   => 0444
+    notify => Service[rsyslog]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /etc/rsyslog.d/40-prometheus-ferm-mss.conf.orig
+++ /etc/rsyslog.d/40-prometheus-ferm-mss.conf
@@ -0,0 +1,10 @@
+# rsyslog.conf(5) configuration file for services.
+# This file is managed by Puppet.
+if $programname startswith "prometheus_ferm_mss" then {
+    action(
+        type="omfile" file="/var/log/prometheus_ferm_mss/syslog.log"
+        fileOwner="root" fileGroup="root"
+        fileCreateMode="0644"
+    )
+    & stop
+}

Rsyslog::Conf[set-rbd-readahead]

Parameters differences:

--- Rsyslog::Conf[set-rbd-readahead].orig
+++ Rsyslog::Conf[set-rbd-readahead]

+    mode     => 0444
+    ensure   => absent
+    require  => File[/var/log/set-rbd-readahead]
+    priority => 40

File[/etc/udev/rules.d/75-kube_proxy_conntrack.rules]

Parameters differences:

--- File[/etc/udev/rules.d/75-kube_proxy_conntrack.rules].orig
+++ File[/etc/udev/rules.d/75-kube_proxy_conntrack.rules]

+    mode   => 0444
+    notify => Exec[udev_reload]
+    group  => root
+    owner  => root
+    ensure => present

Content differences:

--- /etc/udev/rules.d/75-kube_proxy_conntrack.rules.orig
+++ /etc/udev/rules.d/75-kube_proxy_conntrack.rules
@@ -0,0 +1,2 @@
+ACTION=="add", SUBSYSTEM=="module", KERNEL=="nf_conntrack", \
+    RUN+="/usr/lib/systemd/systemd-sysctl --prefix net.netfilter.nf_conntrack_max"

File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer]

Parameters differences:

--- File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer].orig
+++ File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer.orig
+++ /lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Periodic execution of rsyslog-release-deleted-inotify-watches.service
+
+[Timer]
+Unit=rsyslog-release-deleted-inotify-watches.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnCalendar=*-*-* *:45:00
+RandomizedDelaySec=0
+
+[Install]
+WantedBy=multi-user.target

File[/etc/sysctl.d/75-kube_proxy_icmp.conf]

Parameters differences:

--- File[/etc/sysctl.d/75-kube_proxy_icmp.conf].orig
+++ File[/etc/sysctl.d/75-kube_proxy_icmp.conf]

+    group  => root
+    ensure => present
+    notify => Exec[update_sysctl]
+    owner  => root

Content differences:

--- /etc/sysctl.d/75-kube_proxy_icmp.conf.orig
+++ /etc/sysctl.d/75-kube_proxy_icmp.conf
@@ -0,0 +1,4 @@
+# sysctl parameters managed by Puppet.
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.ens2f0np0.send_redirects = 0

Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)].orig
+++ Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]

+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

File_line[rm_post-up_ens2f0np0_clsact_ens2f0np0]

Parameters differences:

--- File_line[rm_post-up_ens2f0np0_clsact_ens2f0np0].orig
+++ File_line[rm_post-up_ens2f0np0_clsact_ens2f0np0]

+    path              => /etc/network/interfaces
+    match_for_absence => True
+    ensure            => absent
+    match             => post-up /usr/sbin/tc qdisc add dev ens2f0np0 clsact

Exec[cpufrequtils_reload]

Parameters differences:

--- Exec[cpufrequtils_reload].orig
+++ Exec[cpufrequtils_reload]

+    unless  => /usr/bin/cpufreq-info -p | /bin/grep -wq performance
+    command => /usr/bin/systemctl reload cpufrequtils
+    require => File[/etc/default/cpufrequtils]

Cfssl::Cert[dse__istio-cni]

Parameters differences:

--- Cfssl::Cert[dse__istio-cni].orig
+++ Cfssl::Cert[dse__istio-cni]

+    mode            => 0740
+    group           => root
+    provide_chain   => True
+    owner           => root
+    ensure          => absent
+    hosts           => []
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    names           => []
+    label           => dse
+    auto_renew      => True
+    notify_services => []
+    renew_seconds   => 952200
+    key             => {'algo': 'ecdsa', 'size': 256}
+    before_services => []
+    outdir          => /etc/kubernetes/pki
+    common_name     => istio-cni

Exec[systemd daemon-reload for rsyslog-imfile-remedy.service (rsyslog-imfile-remedy.service)]

Parameters differences:

--- Exec[systemd daemon-reload for rsyslog-imfile-remedy.service (rsyslog-imfile-remedy.service)].orig
+++ Exec[systemd daemon-reload for rsyslog-imfile-remedy.service (rsyslog-imfile-remedy.service)]

+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

Exec[create chained cert /etc/kubernetes/pki/dse__calico-cni.chain.pem]

Parameters differences:

--- Exec[create chained cert /etc/kubernetes/pki/dse__calico-cni.chain.pem].orig
+++ Exec[create chained cert /etc/kubernetes/pki/dse__calico-cni.chain.pem]

+    unless    => /usr/bin/test "$(/bin/cat /etc/kubernetes/pki/dse__calico-cni.pem /etc/kubernetes/pki/dse__calico-cni.chain.pem | sha512sum)" == "$(/bin/cat /etc/kubernetes/pki/dse__calico-cni.chained.pem | sha512sum)"

+    command   => /bin/cat /etc/kubernetes/pki/dse__calico-cni.pem /etc/kubernetes/pki/dse__calico-cni.chain.pem > /etc/kubernetes/pki/dse__calico-cni.chained.pem
+    require   => Exec[Generate cert dse__calico-cni refresh on intermediate ca change]
+    subscribe => ['Exec[renew certificate - dse__calico-cni]', 'File[/etc/kubernetes/pki/dse__calico-cni.chain.pem]', 'File[/etc/kubernetes/pki/dse__calico-cni.pem]']

Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 disk_space]

Parameters differences:

--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 disk_space].orig
+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 disk_space]

@@
-    servicegroups         => insetup_eqiad
+    servicegroups         => dse_k8s_eqiad
@@
-    notifications_enabled => 0
+    notifications_enabled => 1

Sysctl::Parameters[kube_proxy_conntrack]

Parameters differences:

--- Sysctl::Parameters[kube_proxy_conntrack].orig
+++ Sysctl::Parameters[kube_proxy_conntrack]

+    values             => {'net.netfilter.nf_conntrack_max': 1048576}
+    no_priority_prefix => False
+    ensure             => present
+    module             => nf_conntrack
+    priority           => 75

Systemd::Timer[rsyslog-release-deleted-inotify-watches]

Parameters differences:

--- Systemd::Timer[rsyslog-release-deleted-inotify-watches].orig
+++ Systemd::Timer[rsyslog-release-deleted-inotify-watches]

+    splay              => 0
+    accuracy           => 15sec
+    unit_name          => rsyslog-release-deleted-inotify-watches.service
+    fixed_random_delay => False
+    ensure             => absent
+    timer_intervals    => [{'start': 'OnCalendar', 'interval': '*-*-* *:45:00'}]

Rsyslog::Conf[prometheus_ferm_mss]

Parameters differences:

--- Rsyslog::Conf[prometheus_ferm_mss].orig
+++ Rsyslog::Conf[prometheus_ferm_mss]

+    mode     => 0444
+    ensure   => absent
+    require  => File[/var/log/prometheus_ferm_mss]
+    priority => 40

Class[Geoip::Data::Puppet]

Parameters differences:

--- Class[Geoip::Data::Puppet].orig
+++ Class[Geoip::Data::Puppet]

+    data_directory        => /usr/share/GeoIP
+    data_directory_ipinfo => /usr/share/GeoIPInfo
+    source                => puppet:///volatile/GeoIP
+    fetch_ipinfo_dbs      => False
+    source_ipinfo         => puppet:///volatile/GeoIPInfo

Systemd::Service[prometheus_ferm_mss]

Parameters differences:

--- Systemd::Service[prometheus_ferm_mss].orig
+++ Systemd::Service[prometheus_ferm_mss]

+    unit_type                => timer
+    service_params           => {}
+    require                  => Systemd::Unit[prometheus_ferm_mss.service]
+    monitoring_contact_group => admins
+    ensure                   => absent
+    restart                  => False
+    migration_task           => T407130
+    monitoring_critical      => False
+    monitoring_enabled       => False
+    override                 => False

Augeas[ipip60_add_up]

Parameters differences:

--- Augeas[ipip60_add_up].orig
+++ Augeas[ipip60_add_up]

+    lens    => Interfaces.lns
+    onlyif  => match up[. = 'ip link add name ipip60 type ip6tnl external'] size == 0
+    require => Interface::Manual[ipip_ipv6]
+    context => /files/etc/network/interfaces/*[. = 'ipip60' and ./family = 'inet6']
+    incl    => /etc/network/interfaces
+    changes => set up[last()+1] 'ip link add name ipip60 type ip6tnl external'

File[/etc/cfssl/csr/dse__istio-cni.csr]

Parameters differences:

--- File[/etc/cfssl/csr/dse__istio-cni.csr].orig
+++ File[/etc/cfssl/csr/dse__istio-cni.csr]

+    mode   => 0400
+    ensure => file
+    group  => root
+    owner  => root

Content differences:

--- /etc/cfssl/csr/dse__istio-cni.csr.orig
+++ /etc/cfssl/csr/dse__istio-cni.csr
@@ -0,0 +1,13 @@
+{
+  "CN": "istio-cni",
+  "hosts": [
+    "istio-cni"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+
+  ]
+}

File[/lib/systemd/system/set-rbd-readahead.service]

Parameters differences:

--- File[/lib/systemd/system/set-rbd-readahead.service].orig
+++ File[/lib/systemd/system/set-rbd-readahead.service]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for set-rbd-readahead.service (set-rbd-readahead.service)]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /lib/systemd/system/set-rbd-readahead.service.orig
+++ /lib/systemd/system/set-rbd-readahead.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Set readahead for OpenSearch pod RBDs (block devices)
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/sbin/set-rbd-readahead.py

File[/etc/kubernetes/kubelet.conf]

Parameters differences:

--- File[/etc/kubernetes/kubelet.conf].orig
+++ File[/etc/kubernetes/kubelet.conf]

+    mode   => 0400
+    ensure => present
+    group  => kube
+    owner  => kube

Content differences:

--- /etc/kubernetes/kubelet.conf.orig
+++ /etc/kubernetes/kubelet.conf
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+preferences: {}
+current-context: default-system
+contexts:
+- name: default-system
+  context:
+    cluster: default-cluster
+    user: default-auth
+clusters:
+- name: default-cluster
+  cluster:
+    server: https://dse-k8s-ctrl.svc.eqiad.wmnet:6443
+users:
+- name: default-auth
+  user:
+    client-certificate: /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.pem
+    client-key: /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet-key.pem

Interface::Manual[ipip_ipv4]

Parameters differences:

--- Interface::Manual[ipip_ipv4].orig
+++ Interface::Manual[ipip_ipv4]

+    interface => ipip0
+    ensure    => present
+    hotplug   => False
+    family    => inet

Sysctl::Conffile[ubuntu defaults]

Udev::Rule[kube_proxy_conntrack]

Parameters differences:

--- Udev::Rule[kube_proxy_conntrack].orig
+++ Udev::Rule[kube_proxy_conntrack]

+    ensure   => present
+    priority => 75

Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]

Parameters differences:

--- Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status].orig
+++ Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]

+    group                     => prometheus-node-exporter
+    fixed_random_delay        => True
+    private_tmp               => False
+    ensure                    => absent
+    logging_enabled           => False
+    splay                     => 300
+    syslog_identifier         => nrpe2nodexp-check_tcp-mss-clamper_status
+    environment               => {}
+    syslog_force_stop         => True
+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+    send_mail_only_on_error   => True
+    send_mail_to              => root@dse-k8s-wdqs-test1001.eqiad.wmnet
+    user                      => nagios
+    description               => execution of nrpe2nodexp for the check_check_tcp-mss-clamper_status command.
+    syslog_match_startswith   => True
+    logfile_basedir           => /var/log
+    monitoring_contact_groups => admins
+    logfile_group             => root
+    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}]
+    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash "295d6d5dd0a784bb9ba1d5983fd1894f" --timeout 10 --check-command "check_check_tcp-mss-clamper_status"
+    ignore_errors             => True
+    send_mail                 => False
+    logfile_perms             => all
+    logfile_name              => syslog.log
+    monitoring_enabled        => False
+    success_exit_status       => []

Interface::Clsact[clsact_ens2f0np0]

Parameters differences:

--- Interface::Clsact[clsact_ens2f0np0].orig
+++ Interface::Clsact[clsact_ens2f0np0]

+    ensure    => absent
+    interface => ens2f0np0

Exec[renew certificate - dse__rsyslog]

Parameters differences:

--- Exec[renew certificate - dse__rsyslog].orig
+++ Exec[renew certificate - dse__rsyslog]

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem -checkend 952200
+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[rsyslog]']
+    require     => Exec[Generate cert dse__rsyslog]
+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog

Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]

Parameters differences:

--- Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)].orig
+++ Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]

+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]

Parameters differences:

--- File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf].orig
+++ File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]

+    mode   => 0444
+    notify => Service[rsyslog]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf.orig
+++ /etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf
@@ -0,0 +1,10 @@
+# rsyslog.conf(5) configuration file for services.
+# This file is managed by Puppet.
+if $programname startswith "prometheus_lvs_realserver_mss" then {
+    action(
+        type="omfile" file="/var/log/prometheus_lvs_realserver_mss/syslog.log"
+        fileOwner="root" fileGroup="root"
+        fileCreateMode="0644"
+    )
+    & stop
+}

Service[kubelet]

Parameters differences:

--- Service[kubelet].orig
+++ Service[kubelet]

+    subscribe => ['File[/etc/kubernetes/kubelet.conf]']
+    ensure    => running
+    enable    => True

Physical_volume[/dev/md1]

Parameters differences:

--- Physical_volume[/dev/md1].orig
+++ Physical_volume[/dev/md1]

+    unless_vg => vg_raid0
+    ensure    => present
+    force     => False

File_line[rm_post-up_lo_clsact_lo]

Parameters differences:

--- File_line[rm_post-up_lo_clsact_lo].orig
+++ File_line[rm_post-up_lo_clsact_lo]

+    path              => /etc/network/interfaces
+    match_for_absence => True
+    ensure            => absent
+    match             => post-up /usr/sbin/tc qdisc add dev lo clsact

Systemd::Unit[prometheus_ferm_mss.service]

Parameters differences:

--- Systemd::Unit[prometheus_ferm_mss.service].orig
+++ Systemd::Unit[prometheus_ferm_mss.service]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => absent
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => prometheus_ferm_mss.service

Exec[apt_package_from_component_kubernetes131]

Parameters differences:

--- Exec[apt_package_from_component_kubernetes131].orig
+++ Exec[apt_package_from_component_kubernetes131]

+    before      => []
+    command     => /usr/bin/apt-get update
+    subscribe   => Apt::Repository[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
+    refreshonly => True

Class[K8s::Kubelet]

Parameters differences:

--- Class[K8s::Kubelet].orig
+++ Class[K8s::Kubelet]

+    cni_conf_dir              => /etc/cni/net.d
+    node_taints               => [{'key': 'dedicated', 'value': 'wdqs', 'effect': 'NoExecute'}, {'key': 'dedicated', 'value': 'wdqs', 'effect': 'NoSchedule'}]
+    cluster_domain            => cluster.local
+    cni_bin_dir               => /opt/cni/bin
+    node_labels               => ['dedicated=wdqs', 'topology.kubernetes.io/region=eqiad', 'topology.kubernetes.io/zone=row-d6', 'node.kubernetes.io/disk-type=ssd']
+    ipv6dualstack             => False
+    version                   => 1.31
+    system_reserved           => {'cpu': '3.3', 'memory': '13.00Gi'}
+    kubelet_cert              => {'cert': '/etc/kubernetes/pki/dse__kubelet_server.pem', 'key': '/etc/kubernetes/pki/dse__kubelet_server-key.pem', 'chain': '/etc/kubernetes/pki/dse__kubelet_server.chain.pem', 'chained': '/etc/kubernetes/pki/dse__kubelet_server.chained.pem'}
+    cluster_dns               => ['10.67.32.3']
+    pod_infra_container_image => docker-registry.discovery.wmnet/pause:3.6-1
+    v_log_level               => 0
+    kubeconfig                => /etc/kubernetes/kubelet.conf

Interface::Ip[ipip_ipv4 ipv4]

Parameters differences:

--- Interface::Ip[ipip_ipv4 ipv4].orig
+++ Interface::Ip[ipip_ipv4 ipv4]

+    require   => Augeas[ipip0_set_up]
+    interface => ipip0
+    address   => 127.0.0.42
+    prefixlen => 32
+    ensure    => present

Systemd::Unit[set-rbd-readahead.timer]

Parameters differences:

--- Systemd::Unit[set-rbd-readahead.timer].orig
+++ Systemd::Unit[set-rbd-readahead.timer]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => absent
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => set-rbd-readahead.timer

Sysctl::Conffile[ipv6-fowarding-accept-ra]

Parameters differences:

--- Sysctl::Conffile[ipv6-fowarding-accept-ra].orig
+++ Sysctl::Conffile[ipv6-fowarding-accept-ra]

+    no_priority_prefix => False
+    ensure             => present
+    priority           => 70

File[/etc/cfssl/csr/dse__system_kube-proxy.csr]

Parameters differences:

--- File[/etc/cfssl/csr/dse__system_kube-proxy.csr].orig
+++ File[/etc/cfssl/csr/dse__system_kube-proxy.csr]

+    mode   => 0400
+    ensure => file
+    group  => root
+    owner  => root

Content differences:

--- /etc/cfssl/csr/dse__system_kube-proxy.csr.orig
+++ /etc/cfssl/csr/dse__system_kube-proxy.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "system:kube-proxy",
+  "hosts": [
+    "system:kube-proxy"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+    {
+      "C": null,
+      "L": null,
+      "O": "system:node-proxier",
+      "OU": null,
+      "S": null
+    }
+  ]
+}

Package[linux-base]

Parameters differences:

--- Package[linux-base].orig
+++ Package[linux-base]

+    ensure   => 4.12.1~bpo12+1
+    provider => apt

File[/etc/cni/net.d/istio-kubeconfig]

Parameters differences:

--- File[/etc/cni/net.d/istio-kubeconfig].orig
+++ File[/etc/cni/net.d/istio-kubeconfig]

+    mode   => 0400
+    ensure => absent
+    group  => root
+    owner  => root

Content differences:

--- /etc/cni/net.d/istio-kubeconfig.orig
+++ /etc/cni/net.d/istio-kubeconfig
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+preferences: {}
+current-context: default-system
+contexts:
+- name: default-system
+  context:
+    cluster: default-cluster
+    user: istio-cni
+clusters:
+- name: default-cluster
+  cluster:
+    server: https://dse-k8s-ctrl.svc.eqiad.wmnet:6443
+users:
+- name: istio-cni
+  user:
+    client-certificate: /etc/kubernetes/pki/dse__istio-cni.pem
+    client-key: /etc/kubernetes/pki/dse__istio-cni-key.pem

File[/etc/kubernetes/pki/dse__system_kube-proxy.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__system_kube-proxy.pem].orig
+++ File[/etc/kubernetes/pki/dse__system_kube-proxy.pem]

+    mode   => 0440
+    ensure => file
+    group  => root
+    owner  => kube

Class[Prometheus::Node_exporter]

Parameters differences:

--- Class[Prometheus::Node_exporter].orig
+++ Class[Prometheus::Node_exporter]

@@
-    collectors_extra => []
+    collectors_extra => ['processes']

Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr]

+    hosts       => []
+    names       => []
+    ensure      => present
+    key         => {'algo': 'ecdsa', 'size': 256}
+    common_name => calicoctl

File[/etc/kubernetes/pki/dse__istio-cni.chain.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__istio-cni.chain.pem].orig
+++ File[/etc/kubernetes/pki/dse__istio-cni.chain.pem]

+    mode   => 0440
+    group  => root
+    owner  => root
+    source => puppet:///modules/profile/pki/intermediates/dse-cert.pem
+    ensure => absent

File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]

Parameters differences:

--- File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom].orig
+++ File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]

+    ensure => absent
+    group  => root
+    owner  => root

Sysctl::Conffile[kube_proxy_icmp]

Parameters differences:

--- Sysctl::Conffile[kube_proxy_icmp].orig
+++ Sysctl::Conffile[kube_proxy_icmp]

+    no_priority_prefix => False
+    ensure             => present
+    priority           => 75

File[/etc/kubernetes/kubelet-config.yaml]

Parameters differences:

--- File[/etc/kubernetes/kubelet-config.yaml].orig
+++ File[/etc/kubernetes/kubelet-config.yaml]

+    mode    => 0400
+    notify  => Service[kubelet]
+    group   => kube
+    require => K8s::Package[kubelet]
+    owner   => kube
+    ensure  => file

Content differences:

--- /etc/kubernetes/kubelet-config.yaml.orig
+++ /etc/kubernetes/kubelet-config.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: kubelet.config.k8s.io/v1beta1
+kind: KubeletConfiguration
+tlsPrivateKeyFile: "/etc/kubernetes/pki/dse__kubelet_server-key.pem"
+tlsCertFile: "/etc/kubernetes/pki/dse__kubelet_server.chained.pem"
+clusterDomain: cluster.local
+clusterDNS:
+- 10.67.32.3
+containerRuntimeEndpoint: unix:///run/containerd/containerd.sock
+authentication:
+  anonymous:
+    enabled: false
+  webhook:
+    enabled: true
+  x509:
+    clientCAFile: "/etc/kubernetes/pki/dse__kubelet_server.chain.pem"
+authorization:
+  mode: Webhook
+registerWithTaints:
+- key: dedicated
+  value: wdqs
+  effect: NoExecute
+- key: dedicated
+  value: wdqs
+  effect: NoSchedule
+seccompDefault: true
+cgroupDriver: systemd
+evictionHard:
+  imagefs.available: 15%
+  memory.available: 300M
+  nodefs.available: 10%
+  nodefs.inodesFree: 5%

Systemd::Timer::Job[prometheus_lvs_realserver_mss]

Parameters differences:

--- Systemd::Timer::Job[prometheus_lvs_realserver_mss].orig
+++ Systemd::Timer::Job[prometheus_lvs_realserver_mss]

+    fixed_random_delay        => False
+    private_tmp               => False
+    ensure                    => absent
+    logging_enabled           => True
+    syslog_force_stop         => True
+    environment               => {}
+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+    send_mail_only_on_error   => True
+    send_mail_to              => root@dse-k8s-wdqs-test1001.eqiad.wmnet
+    user                      => root
+    description               => Regular job to collect MSS values of realserver endpoints
+    syslog_match_startswith   => True
+    logfile_basedir           => /var/log
+    monitoring_contact_groups => admins
+    logfile_group             => root
+    interval                  => {'start': 'OnCalendar', 'interval': 'minutely'}
+    command                   => /usr/local/bin/prometheus-lvs-realserver-mss -o /var/lib/prometheus/node.d/lvs-realserver-mss.prom -e 10.2.2.91:30443
+    send_mail                 => False
+    ignore_errors             => False
+    logfile_perms             => all
+    logfile_name              => syslog.log
+    monitoring_enabled        => False
+    success_exit_status       => []

Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet]

Parameters differences:

--- Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet].orig
+++ Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet]

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet-key.pem 2>&1)"

+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[kubelet]']
+    require     => Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet

Systemd::Unit[rsyslog-imfile-remedy.service]

Parameters differences:

--- Systemd::Unit[rsyslog-imfile-remedy.service].orig
+++ Systemd::Unit[rsyslog-imfile-remedy.service]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => present
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => rsyslog-imfile-remedy.service

Class[Profile::Kubernetes::Node::Dse_k8s]

Parameters differences:

--- Class[Profile::Kubernetes::Node::Dse_k8s].orig
+++ Class[Profile::Kubernetes::Node::Dse_k8s]

+    set_rbd_readahead => False

Lvm::Physical_volume[/dev/md1]

Parameters differences:

--- Lvm::Physical_volume[/dev/md1].orig
+++ Lvm::Physical_volume[/dev/md1]

+    unless_vg => vg_raid0
+    ensure    => present
+    force     => False

Package[mmdb-bin]

Parameters differences:

--- Package[mmdb-bin].orig
+++ Package[mmdb-bin]

+    ensure   => present
+    provider => apt

Class[Profile::Apt]

Parameters differences:

--- Class[Profile::Apt].orig
+++ Class[Profile::Apt]

@@
-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']
+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[crictl]', 'Package[containerd]', 'Package[nerdctl]', 'Package[rsyslog-kubernetes]', 'Package[cpufrequtils]', 'Package[apparmor]', 'Package[socat]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[wikimedia-lvs-realserver]', 'Package[tcp-mss-clamper]', 'Package[linux-base]', 'Package[linux-image-6.12.88+deb12-amd64]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[kubernetes-node]', 'Package[calicoctl]', 'Package[calico-cni]', 'Package[istio-cni]']

Service[prometheus_lvs_realserver_mss.timer]

Parameters differences:

--- Service[prometheus_lvs_realserver_mss.timer].orig
+++ Service[prometheus_lvs_realserver_mss.timer]

+    before   => ['Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]']
+    ensure   => stopped
+    enable   => False
+    provider => systemd

Logical_volume[srv]

Parameters differences:

--- Logical_volume[srv].orig
+++ Logical_volume[srv]

+    volume_group => vg_raid0
+    thinpool     => False
+    size         => 10G
+    before       => ['Filesystem[/dev/vg_raid0/srv]']
+    ensure       => present

Class[Base::Sysctl]

Parameters differences:

--- Class[Base::Sysctl].orig
+++ Class[Base::Sysctl]

@@
-    all_rp_filter => 1
+    all_rp_filter => 0

Apt::Package_from_bpo[linux-6.12-bookworm]

Parameters differences:

--- Apt::Package_from_bpo[linux-6.12-bookworm].orig
+++ Apt::Package_from_bpo[linux-6.12-bookworm]

+    ensure_packages => True
+    priority        => 1001
+    packages        => {'linux-base': '4.12.1~bpo12+1', 'linux-image-6.12.88+deb12-amd64': 'present'}
+    distro          => bookworm

Exec[Generate cert dse__rsyslog refresh]

Parameters differences:

--- Exec[Generate cert dse__rsyslog refresh].orig
+++ Exec[Generate cert dse__rsyslog refresh]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[rsyslog]']
+    refreshonly => True
+    subscribe   => File[/etc/cfssl/csr/dse__rsyslog.csr]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__rsyslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog

File[/etc/logrotate.d/rsyslog-release-deleted-inotify-watches]

Parameters differences:

--- File[/etc/logrotate.d/rsyslog-release-deleted-inotify-watches].orig
+++ File[/etc/logrotate.d/rsyslog-release-deleted-inotify-watches]

+    mode   => 0444
+    ensure => absent
+    group  => root
+    owner  => root

Content differences:

--- /etc/logrotate.d/rsyslog-release-deleted-inotify-watches.orig
+++ /etc/logrotate.d/rsyslog-release-deleted-inotify-watches
@@ -0,0 +1,12 @@
+# logrotate(8) config for rsyslog-release-deleted-inotify-watches
+
+/var/log/rsyslog-release-deleted-inotify-watches/*.log {
+    daily
+    copytruncate
+    missingok
+    compress
+    delaycompress
+    notifempty
+    rotate 15
+    size 256M
+}

File[/etc/cni/net.d]

Parameters differences:

--- File[/etc/cni/net.d].orig
+++ File[/etc/cni/net.d]

+    mode   => 0755
+    ensure => directory
+    group  => root
+    owner  => root

Service[kube-proxy]

Parameters differences:

--- Service[kube-proxy].orig
+++ Service[kube-proxy]

+    ensure => running
+    enable => True

Cfssl::Cert[dse__system_kube-proxy]

Parameters differences:

--- Cfssl::Cert[dse__system_kube-proxy].orig
+++ Cfssl::Cert[dse__system_kube-proxy]

+    mode            => 0740
+    group           => root
+    provide_chain   => True
+    owner           => kube
+    ensure          => present
+    hosts           => []
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    names           => [{'organisation': 'system:node-proxier'}]
+    label           => dse
+    auto_renew      => True
+    notify_services => ['kube-proxy']
+    renew_seconds   => 952200
+    key             => {'algo': 'ecdsa', 'size': 256}
+    before_services => []
+    outdir          => /etc/kubernetes/pki
+    common_name     => system:kube-proxy

File[/etc/kubernetes/pki/dse__calicoctl.csr]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__calicoctl.csr].orig
+++ File[/etc/kubernetes/pki/dse__calicoctl.csr]

+    mode   => 0440
+    ensure => file
+    group  => root
+    owner  => root

File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]

Parameters differences:

--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf].orig
+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]

+    mode   => 0444
+    notify => Service[rsyslog]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf.orig
+++ /etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: Apache-2.0
+if $programname contains "nrpe2nodexp-check_tcp-mss-clamper_status" then {
+    if ($msg contains "\"ecs.version\": \"1.7.0\"") then {
+        # Send logs to kafka
+        set $.log_outputs = "kafka ecs_170 local";
+    } else {
+        # Filter out non-relevant nrpe2nodexp messages
+        stop
+    }
+}

Service[set-rbd-readahead.timer]

Parameters differences:

--- Service[set-rbd-readahead.timer].orig
+++ Service[set-rbd-readahead.timer]

+    before   => ['Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)]']
+    ensure   => stopped
+    enable   => False
+    provider => systemd

Class[Profile::Contacts]

Parameters differences:

--- Class[Profile::Contacts].orig
+++ Class[Profile::Contacts]

@@
-    cluster => insetup
+    cluster => dse_k8s

Systemd::Unit[kube-proxy]

Parameters differences:

--- Systemd::Unit[kube-proxy].orig
+++ Systemd::Unit[kube-proxy]

+    require           => ['Class[Systemd]']
+    override          => True
+    ensure            => present
+    override_filename => puppet-override.conf
+    restart           => True
+    unit              => kube-proxy

User[kube]

Parameters differences:

--- User[kube].orig
+++ User[kube]

+    system => True
+    gid    => kube
+    shell  => /usr/sbin/nologin
+    ensure => present
+    home   => /nonexistent

Systemd::Unit[set-rbd-readahead.service]

Parameters differences:

--- Systemd::Unit[set-rbd-readahead.service].orig
+++ Systemd::Unit[set-rbd-readahead.service]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => absent
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => set-rbd-readahead.service

Filesystem[/dev/vg_raid0/srv]

Parameters differences:

--- Filesystem[/dev/vg_raid0/srv].orig
+++ Filesystem[/dev/vg_raid0/srv]

+    before  => ['Mount[/srv]']
+    ensure  => present
+    fs_type => ext4

Cfssl::Csr[/etc/cfssl/csr/dse__istio-cni.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/dse__istio-cni.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/dse__istio-cni.csr]

+    hosts       => []
+    names       => []
+    ensure      => present
+    key         => {'algo': 'ecdsa', 'size': 256}
+    common_name => istio-cni

Exec[/usr/sbin/tc qdisc del dev ens2f0np0 clsact]

Parameters differences:

--- Exec[/usr/sbin/tc qdisc del dev ens2f0np0 clsact].orig
+++ Exec[/usr/sbin/tc qdisc del dev ens2f0np0 clsact]

+    onlyif => /usr/sbin/tc qdisc show dev ens2f0np0 | grep -q clsact

File[/etc/modprobe.d/blacklist-r440_wdat_wdt.conf]

Parameters differences:

--- File[/etc/modprobe.d/blacklist-r440_wdat_wdt.conf].orig
+++ File[/etc/modprobe.d/blacklist-r440_wdat_wdt.conf]

+    mode   => 0444
+    notify => ['Exec[update-initramfs]', 'Exec[rmmod-r440_wdat_wdt]']
+    group  => root
+    owner  => root
+    ensure => present

Content differences:

--- /etc/modprobe.d/blacklist-r440_wdat_wdt.conf.orig
+++ /etc/modprobe.d/blacklist-r440_wdat_wdt.conf
@@ -0,0 +1,5 @@
+# r440_wdat_wdt - blacklisted kernel modules
+# This file is managed by Puppet
+#
+blacklist wdat_wdt
+install wdat_wdt /bin/true

Monitoring::Exported_nagios_host[dse-k8s-wdqs-test1001]

Parameters differences:

--- Monitoring::Exported_nagios_host[dse-k8s-wdqs-test1001].orig
+++ Monitoring::Exported_nagios_host[dse-k8s-wdqs-test1001]

@@
-    notifications_enabled => 0
+    notifications_enabled => 1
@@
-    hostgroups            => insetup_eqiad,lsw1-d6-eqiad
+    hostgroups            => dse_k8s_eqiad,lsw1-d6-eqiad

Rsyslog::Conf[imfile]

Parameters differences:

--- Rsyslog::Conf[imfile].orig
+++ Rsyslog::Conf[imfile]

+    mode     => 0444
+    ensure   => present
+    priority => 0

Class[Geoip]

Parameters differences:

--- Class[Geoip].orig
+++ Class[Geoip]

+    load_data_from_puppetserver => True
+    fetch_ipinfo_dbs            => False

Systemd::Service[rsyslog-imfile-remedy]

Parameters differences:

--- Systemd::Service[rsyslog-imfile-remedy].orig
+++ Systemd::Service[rsyslog-imfile-remedy]

+    unit_type                => timer
+    service_params           => {}
+    require                  => Systemd::Unit[rsyslog-imfile-remedy.service]
+    monitoring_contact_group => admins
+    ensure                   => present
+    restart                  => False
+    migration_task           => T407130
+    monitoring_critical      => False
+    monitoring_enabled       => False
+    override                 => False

Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

Parameters differences:

--- Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig
+++ Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

+    order  => 10
+    target => /etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources

Service[containerd]

Parameters differences:

--- Service[containerd].orig
+++ Service[containerd]

+    ensure => running

Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr]

+    hosts       => ['dse-k8s-wdqs-test1001', 'dse-k8s-wdqs-test1001.eqiad.wmnet', '10.64.185.3', '2620:0:861:13f:10:64:185:3']
+    names       => []
+    ensure      => present
+    key         => {'algo': 'ecdsa', 'size': 256}
+    common_name => kubelet

Systemd::Unit[rsyslog-release-deleted-inotify-watches.service]

Parameters differences:

--- Systemd::Unit[rsyslog-release-deleted-inotify-watches.service].orig
+++ Systemd::Unit[rsyslog-release-deleted-inotify-watches.service]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => absent
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => rsyslog-release-deleted-inotify-watches.service

File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem].orig
+++ File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem]

+    mode   => 0440
+    group  => root
+    owner  => kube
+    source => puppet:///modules/profile/pki/intermediates/dse-cert.pem
+    ensure => file

Package[cpufrequtils]

Parameters differences:

--- Package[cpufrequtils].orig
+++ Package[cpufrequtils]

+    ensure   => installed
+    provider => apt

File[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr]

Parameters differences:

--- File[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr].orig
+++ File[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr]

+    mode   => 0400
+    ensure => file
+    group  => root
+    owner  => root

Content differences:

--- /etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr.orig
+++ /etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "system:node:dse-k8s-wdqs-test1001.eqiad.wmnet",
+  "hosts": [
+    "system:node:dse-k8s-wdqs-test1001.eqiad.wmnet"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+    {
+      "C": null,
+      "L": null,
+      "O": "system:nodes",
+      "OU": null,
+      "S": null
+    }
+  ]
+}

Package[wikimedia-lvs-realserver]

Parameters differences:

--- Package[wikimedia-lvs-realserver].orig
+++ Package[wikimedia-lvs-realserver]

+    ensure   => present
+    require  => File[/etc/default/wikimedia-lvs-realserver]
+    provider => apt

File[/var/log/set-rbd-readahead]

Parameters differences:

--- File[/var/log/set-rbd-readahead].orig
+++ File[/var/log/set-rbd-readahead]

+    mode   => 0755
+    group  => root
+    force  => True
+    owner  => root
+    backup => False
+    ensure => absent

Exec[systemd daemon-reload for kubelet.service (kubelet-container-runtime)]

Parameters differences:

--- Exec[systemd daemon-reload for kubelet.service (kubelet-container-runtime)].orig
+++ Exec[systemd daemon-reload for kubelet.service (kubelet-container-runtime)]

+    command     => /bin/systemctl daemon-reload
+    notify      => ['Service[kubelet]']
+    refreshonly => True

Augeas[ipip0_set_up]

Parameters differences:

--- Augeas[ipip0_set_up].orig
+++ Augeas[ipip0_set_up]

+    lens    => Interfaces.lns
+    onlyif  => match up[. = 'ip link set up dev ipip0'] size == 0
+    require => Augeas[ipip0_add_up]
+    context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']
+    incl    => /etc/network/interfaces
+    changes => set up[last()+1] 'ip link set up dev ipip0'

File[/etc/logrotate.d/prometheus_ferm_mss]

Parameters differences:

--- File[/etc/logrotate.d/prometheus_ferm_mss].orig
+++ File[/etc/logrotate.d/prometheus_ferm_mss]

+    mode   => 0444
+    ensure => absent
+    group  => root
+    owner  => root

Content differences:

--- /etc/logrotate.d/prometheus_ferm_mss.orig
+++ /etc/logrotate.d/prometheus_ferm_mss
@@ -0,0 +1,12 @@
+# logrotate(8) config for prometheus_ferm_mss
+
+/var/log/prometheus_ferm_mss/*.log {
+    daily
+    copytruncate
+    missingok
+    compress
+    delaycompress
+    notifempty
+    rotate 15
+    size 256M
+}

Exec[apt_repository_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

Parameters differences:

--- Exec[apt_repository_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig
+++ Exec[apt_repository_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

+    command     => /usr/bin/apt-get update 
+    refreshonly => True

File[/etc/systemd/system/kubelet.service.d]

Parameters differences:

--- File[/etc/systemd/system/kubelet.service.d].orig
+++ File[/etc/systemd/system/kubelet.service.d]

+    mode   => 0555
+    ensure => directory
+    group  => root
+    owner  => root

Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)].orig
+++ Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)]

+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]

Parameters differences:

--- File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg].orig
+++ File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]

+    mode    => 0444
+    notify  => Service[nagios-nrpe-server]
+    group   => root
+    require => Package[nagios-nrpe-server]
+    owner   => root
+    ensure  => absent
+    tag     => nrpe::check

Content differences:

--- /etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg.orig
+++ /etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg
@@ -0,0 +1,2 @@
+# File generated by puppet. DO NOT edit by hand
+command[check_check_tcp-mss-clamper_status]=/usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper

Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)].orig
+++ Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)]

+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

File[/etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref]

Parameters differences:

--- File[/etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref].orig
+++ File[/etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref]

+    mode   => 0444
+    notify => Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo]
+    group  => root
+    owner  => root
+    ensure => present

Content differences:

--- /etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref.orig
+++ /etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref
@@ -0,0 +1,3 @@
+Package: linux-base linux-image-6.12.88+deb12-amd64
+Pin: release a=bookworm-backports
+Pin-Priority: 1001

Apt::Package_from_component[calico329]

Parameters differences:

--- Apt::Package_from_component[calico329].orig
+++ Apt::Package_from_component[calico329]

+    uri             => http://apt.wikimedia.org/wikimedia
+    packages        => {'calicoctl': '>=3.29 <3.30', 'calico-cni': '>=3.29 <3.30'}
+    distro          => bookworm-wikimedia
+    component       => component/calico329
+    ensure          => present
+    ensure_packages => True
+    priority        => 1001

Exec[create chained cert /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]

Parameters differences:

--- Exec[create chained cert /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem].orig
+++ Exec[create chained cert /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]

+    unless    => /usr/bin/test "$(/bin/cat /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem | sha512sum)" == "$(/bin/cat /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem | sha512sum)"

+    notify    => ['Service[rsyslog]']
+    require   => Exec[Generate cert dse__rsyslog refresh on intermediate ca change]
+    subscribe => ['Exec[renew certificate - dse__rsyslog]', 'File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]', 'File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem]']
+    command   => /bin/cat /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem > /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem

Exec[renew certificate - dse__calico-cni]

Parameters differences:

--- Exec[renew certificate - dse__calico-cni].orig
+++ Exec[renew certificate - dse__calico-cni]

+    unless      => /usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__calico-cni.pem -checkend 952200
+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/kubernetes/pki/dse__calico-cni.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calico-cni

+    environment => ['GODEBUG=x509ignoreCN=0']
+    require     => Exec[Generate cert dse__calico-cni]

Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]

Parameters differences:

--- Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport].orig
+++ Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]

+    ensure         => absent
+    clamped_ipport => ['10.2.2.91:30443']
+    outfile        => /var/lib/prometheus/node.d/lvs-realserver-mss.prom

File[/etc/logrotate.d/prometheus_lvs_realserver_mss]

Parameters differences:

--- File[/etc/logrotate.d/prometheus_lvs_realserver_mss].orig
+++ File[/etc/logrotate.d/prometheus_lvs_realserver_mss]

+    mode   => 0444
+    ensure => absent
+    group  => root
+    owner  => root

Content differences:

--- /etc/logrotate.d/prometheus_lvs_realserver_mss.orig
+++ /etc/logrotate.d/prometheus_lvs_realserver_mss
@@ -0,0 +1,12 @@
+# logrotate(8) config for prometheus_lvs_realserver_mss
+
+/var/log/prometheus_lvs_realserver_mss/*.log {
+    daily
+    copytruncate
+    missingok
+    compress
+    delaycompress
+    notifempty
+    rotate 15
+    size 256M
+}

Logrotate::Conf[set-rbd-readahead]

Parameters differences:

--- Logrotate::Conf[set-rbd-readahead].orig
+++ Logrotate::Conf[set-rbd-readahead]

+    ensure => absent

Exec[systemd daemon-reload for rsyslog-imfile-remedy.timer (rsyslog-imfile-remedy.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for rsyslog-imfile-remedy.timer (rsyslog-imfile-remedy.timer)].orig
+++ Exec[systemd daemon-reload for rsyslog-imfile-remedy.timer (rsyslog-imfile-remedy.timer)]

+    before      => ['Service[rsyslog-imfile-remedy.timer]']
+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

Class[Monitoring]

Parameters differences:

--- Class[Monitoring].orig
+++ Class[Monitoring]

@@
-    nagios_group          => insetup_eqiad
+    nagios_group          => dse_k8s_eqiad
@@
-    notifications_enabled => False
+    notifications_enabled => True
@@
-    cluster               => insetup
+    cluster               => dse_k8s

File[/lib/systemd/system/rsyslog-imfile-remedy.service]

Parameters differences:

--- File[/lib/systemd/system/rsyslog-imfile-remedy.service].orig
+++ File[/lib/systemd/system/rsyslog-imfile-remedy.service]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for rsyslog-imfile-remedy.service (rsyslog-imfile-remedy.service)]
+    group  => root
+    owner  => root
+    ensure => present

Content differences:

--- /lib/systemd/system/rsyslog-imfile-remedy.service.orig
+++ /lib/systemd/system/rsyslog-imfile-remedy.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Restart rsyslog T357616
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/bin/systemctl try-restart rsyslog

Lvm::Logical_volume[srv]

Parameters differences:

--- Lvm::Logical_volume[srv].orig
+++ Lvm::Logical_volume[srv]

+    mountpath         => /srv
+    mountpath_require => False
+    mounted           => True
+    size              => 10G
+    ensure            => present
+    dump              => 0
+    volume_group      => vg_raid0
+    fs_type           => ext4
+    options           => defaults
+    pass              => 2
+    createfs          => True
+    thinpool          => False

Rsyslog::Conf[shellbox]

Parameters differences:

--- Rsyslog::Conf[shellbox].orig
+++ Rsyslog::Conf[shellbox]

+    mode     => 0444
+    source   => puppet:///modules/profile/rsyslog/shellbox.rsyslog.conf
+    ensure   => present
+    priority => 20

K8s::Kubelet::Cni[calico]

Parameters differences:

--- K8s::Kubelet::Cni[calico].orig
+++ K8s::Kubelet::Cni[calico]

+    config   => {'name': 'k8s-pod-network', 'cniVersion': '0.3.1', 'plugins': [{'type': 'calico', 'log_level': 'info', 'datastore_type': 'kubernetes', 'mtu': 1460, 'ipam': {'type': 'calico-ipam', 'assign_ipv4': 'true', 'assign_ipv6': 'true'}, 'policy': {'type': 'k8s'}, 'kubernetes': {'kubeconfig': '/etc/cni/net.d/calico-kubeconfig'}}]}
+    require  => ['Class[K8s::Kubelet::Cni::Base]']
+    priority => 10

Systemd::Timer[prometheus_ferm_mss]

Parameters differences:

--- Systemd::Timer[prometheus_ferm_mss].orig
+++ Systemd::Timer[prometheus_ferm_mss]

+    splay              => 0
+    accuracy           => 15sec
+    unit_name          => prometheus_ferm_mss.service
+    fixed_random_delay => False
+    ensure             => absent
+    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'minutely'}]

Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr]

+    hosts       => []
+    names       => [{'organisation': 'system:node-proxier'}]
+    ensure      => present
+    key         => {'algo': 'ecdsa', 'size': 256}
+    common_name => system:kube-proxy

Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]

Parameters differences:

--- Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status].orig
+++ Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]

+    unit_type                => timer
+    service_params           => {}
+    require                  => Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]
+    monitoring_contact_group => admins
+    ensure                   => absent
+    restart                  => False
+    migration_task           => T407130
+    monitoring_critical      => False
+    monitoring_enabled       => False
+    override                 => False

File[/srv/spark]

Parameters differences:

--- File[/srv/spark].orig
+++ File[/srv/spark]

+    ensure => directory
+    group  => root
+    owner  => root

Package[istio-cni]

Parameters differences:

--- Package[istio-cni].orig
+++ Package[istio-cni]

+    ensure   => absent
+    provider => apt

Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]

Parameters differences:

--- Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header].orig
+++ Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]

+    source => puppet:///modules/apt/sources-deb822-header.txt
+    order  => 01
+    target => /etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources

Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

Parameters differences:

--- Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig
+++ Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

+    order  => 10
+    target => /etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources

Package[calicoctl]

Parameters differences:

--- Package[calicoctl].orig
+++ Package[calicoctl]

+    ensure   => >=3.29 <3.30
+    provider => apt

Systemd::Timer::Job[rsyslog-release-deleted-inotify-watches]

Parameters differences:

--- Systemd::Timer::Job[rsyslog-release-deleted-inotify-watches].orig
+++ Systemd::Timer::Job[rsyslog-release-deleted-inotify-watches]

+    fixed_random_delay        => False
+    private_tmp               => False
+    ensure                    => absent
+    logging_enabled           => True
+    syslog_force_stop         => True
+    environment               => {}
+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+    send_mail_only_on_error   => True
+    send_mail_to              => root@dse-k8s-wdqs-test1001.eqiad.wmnet
+    user                      => root
+    description               => Restart rsyslog to release inotify watches of deleted container logs
+    syslog_match_startswith   => True
+    logfile_basedir           => /var/log
+    monitoring_contact_groups => admins
+    logfile_group             => root
+    interval                  => {'start': 'OnCalendar', 'interval': '*-*-* *:45:00'}
+    command                   => /usr/local/sbin/rsyslog-release-deleted-inotify-watches
+    send_mail                 => False
+    ignore_errors             => False
+    logfile_perms             => all
+    logfile_name              => syslog.log
+    monitoring_enabled        => False
+    success_exit_status       => []

Systemd::Timer[rsyslog-imfile-remedy]

Parameters differences:

--- Systemd::Timer[rsyslog-imfile-remedy].orig
+++ Systemd::Timer[rsyslog-imfile-remedy]

+    splay              => 30
+    accuracy           => 15sec
+    unit_name          => rsyslog-imfile-remedy.service
+    fixed_random_delay => False
+    ensure             => present
+    timer_intervals    => [{'start': 'OnCalendar', 'interval': '*-*-* 00/3:19:00'}]

File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]

Parameters differences:

--- File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer].orig
+++ File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /lib/systemd/system/prometheus_lvs_realserver_mss.timer.orig
+++ /lib/systemd/system/prometheus_lvs_realserver_mss.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Periodic execution of prometheus_lvs_realserver_mss.service
+
+[Timer]
+Unit=prometheus_lvs_realserver_mss.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnCalendar=minutely
+RandomizedDelaySec=0
+
+[Install]
+WantedBy=multi-user.target

File[/etc/logrotate.d/set-rbd-readahead]

Parameters differences:

--- File[/etc/logrotate.d/set-rbd-readahead].orig
+++ File[/etc/logrotate.d/set-rbd-readahead]

+    mode   => 0444
+    ensure => absent
+    group  => root
+    owner  => root

Content differences:

--- /etc/logrotate.d/set-rbd-readahead.orig
+++ /etc/logrotate.d/set-rbd-readahead
@@ -0,0 +1,12 @@
+# logrotate(8) config for set-rbd-readahead
+
+/var/log/set-rbd-readahead/*.log {
+    daily
+    copytruncate
+    missingok
+    compress
+    delaycompress
+    notifempty
+    rotate 15
+    size 256M
+}

Monitoring::Service[check_tcp-mss-clamper_status]

Parameters differences:

--- Monitoring::Service[check_tcp-mss-clamper_status].orig
+++ Monitoring::Service[check_tcp-mss-clamper_status]

+    check_command  => nrpe_check!check_check_tcp-mss-clamper_status!10
+    retries        => 2
+    contact_group  => admins
+    retry_interval => 1
+    ensure         => absent
+    notes_url      => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+    config_dir     => /etc/nagios
+    passive        => False
+    host           => dse-k8s-wdqs-test1001
+    critical       => False
+    migration_task => T407130
+    description    => Check unit status of tcp-mss-clamper
+    check_interval => 10
+    freshness      => 36000

K8s::Kubeconfig[/etc/cni/net.d/calico-kubeconfig]

Parameters differences:

--- K8s::Kubeconfig[/etc/cni/net.d/calico-kubeconfig].orig
+++ K8s::Kubeconfig[/etc/cni/net.d/calico-kubeconfig]

+    mode        => 0400
+    group       => root
+    require     => ['File[/etc/cni/net.d]', 'Class[K8s::Base_dirs]']
+    owner       => root
+    username    => calico-cni
+    ensure      => present
+    auth_cert   => {'cert': '/etc/kubernetes/pki/dse__calico-cni.pem', 'key': '/etc/kubernetes/pki/dse__calico-cni-key.pem', 'chain': '/etc/kubernetes/pki/dse__calico-cni.chain.pem', 'chained': '/etc/kubernetes/pki/dse__calico-cni.chained.pem'}
+    master_host => dse-k8s-ctrl.svc.eqiad.wmnet

Systemd::Unit[tcp-mss-clamper]

Parameters differences:

--- Systemd::Unit[tcp-mss-clamper].orig
+++ Systemd::Unit[tcp-mss-clamper]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => absent
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => tcp-mss-clamper

Class[K8s::Proxy]

Parameters differences:

--- Class[K8s::Proxy].orig
+++ Class[K8s::Proxy]

+    ipv6dualstack => False
+    version       => 1.31
+    cluster_cidr  => {'v4': '10.67.24.0/21', 'v6': '2620:0:861:302::/64'}
+    v_log_level   => 0
+    proxy_mode    => iptables
+    kubeconfig    => /etc/kubernetes/proxy.conf

Firewall::Service[calico-typha]

Parameters differences:

--- Firewall::Service[calico-typha].orig
+++ Firewall::Service[calico-typha]

+    src_sets            => ['DOMAIN_NETWORKS']
+    ensure              => present
+    notrack             => False
+    prio                => 10
+    desc                => 
+    proto               => tcp
+    unrestricted_access => False
+    port                => 5473

Package[linux-image-6.12.88+deb12-amd64]

Parameters differences:

--- Package[linux-image-6.12.88+deb12-amd64].orig
+++ Package[linux-image-6.12.88+deb12-amd64]

+    ensure   => installed
+    provider => apt

Class[Profile::Containerd]

Parameters differences:

--- Class[Profile::Containerd].orig
+++ Class[Profile::Containerd]

+    kubernetes_cluster_name => dse-k8s-eqiad
+    ensure                  => present
+    registry_username       => kubernetes

Package[kubernetes-node]

Parameters differences:

--- Package[kubernetes-node].orig
+++ Package[kubernetes-node]

+    ensure   => >=1.31 <1.32
+    require  => Apt::Package_from_component[kubernetes131]
+    provider => apt

File[/lib/systemd/system/tcp-mss-clamper.service]

Parameters differences:

--- File[/lib/systemd/system/tcp-mss-clamper.service].orig
+++ File[/lib/systemd/system/tcp-mss-clamper.service]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /lib/systemd/system/tcp-mss-clamper.service.orig
+++ /lib/systemd/system/tcp-mss-clamper.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=eBPF based TCP MSS clamper
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+LimitMEMLOCK=infinity
+ExecStart=/usr/bin/tcp-mss-clamper --ipv4-mss 1440 --ipv6-mss 1400 -p :2200 -s "10.2.2.91:30443" -i ens2f0np0,lo
+Restart=on-failure

K8s::Kubeconfig[/etc/calico/calicoctl-kubeconfig]

Parameters differences:

--- K8s::Kubeconfig[/etc/calico/calicoctl-kubeconfig].orig
+++ K8s::Kubeconfig[/etc/calico/calicoctl-kubeconfig]

+    mode        => 0400
+    group       => root
+    require     => ['Class[K8s::Base_dirs]']
+    owner       => root
+    username    => calicoctl
+    ensure      => present
+    auth_cert   => {'cert': '/etc/kubernetes/pki/dse__calicoctl.pem', 'key': '/etc/kubernetes/pki/dse__calicoctl-key.pem', 'chain': '/etc/kubernetes/pki/dse__calicoctl.chain.pem', 'chained': '/etc/kubernetes/pki/dse__calicoctl.chained.pem'}
+    master_host => dse-k8s-ctrl.svc.eqiad.wmnet

Concat::Fragment[main contacts]

Package[crictl]

Parameters differences:

--- Package[crictl].orig
+++ Package[crictl]

+    ensure   => installed
+    provider => apt

Ferm::Rule[clamp-mss-ipv4]

Parameters differences:

--- Ferm::Rule[clamp-mss-ipv4].orig
+++ Ferm::Rule[clamp-mss-ipv4]

+    table  => filter
+    prio   => 10
+    domain => (ip)
+    desc   => 
+    ensure => absent
+    chain  => OUTPUT
+    rule   => outerface (ens2f0np0 lo) saddr @ipfilter(10.2.2.91) proto tcp sport (30443) tcp-flags (SYN) SYN TCPMSS set-mss 1440;

Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]

Parameters differences:

--- Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header].orig
+++ Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]

+    source => puppet:///modules/apt/sources-deb822-header.txt
+    order  => 01
+    target => /etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources

Systemd::Monitor[tcp-mss-clamper]

Parameters differences:

--- Systemd::Monitor[tcp-mss-clamper].orig
+++ Systemd::Monitor[tcp-mss-clamper]

+    notes_url      => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+    retries        => 2
+    contact_group  => admins
+    migration_task => T407130
+    critical       => False
+    ensure         => absent
+    check_interval => 10

Package[socat]

Parameters differences:

--- Package[socat].orig
+++ Package[socat]

+    ensure   => installed
+    provider => apt

Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]

Parameters differences:

--- Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service].orig
+++ Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => absent
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => nrpe2nodexp-check_tcp-mss-clamper_status.service

Motd::Script[insetup::data_platform_ferm]

Parameters differences:

--- Motd::Script[insetup::data_platform_ferm].orig
+++ Motd::Script[insetup::data_platform_ferm]

-    ensure   => present
-    priority => 5

Class[Lvs::Realserver]

Parameters differences:

--- Class[Lvs::Realserver].orig
+++ Class[Lvs::Realserver]

+    realserver_ips => ['10.2.2.91']

Package[geoip-bin]

Parameters differences:

--- Package[geoip-bin].orig
+++ Package[geoip-bin]

+    ensure   => present
+    provider => apt

Exec[Generate cert dse__system_kube-proxy refresh on intermediate ca change]

Parameters differences:

--- Exec[Generate cert dse__system_kube-proxy refresh on intermediate ca change].orig
+++ Exec[Generate cert dse__system_kube-proxy refresh on intermediate ca change]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[kube-proxy]']
+    require     => Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr]
+    refreshonly => True
+    subscribe   => File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__system_kube-proxy.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_kube-proxy

File[/etc/kubernetes/pki/dse__kubelet_server.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__kubelet_server.pem].orig
+++ File[/etc/kubernetes/pki/dse__kubelet_server.pem]

+    mode   => 0440
+    ensure => file
+    group  => root
+    owner  => kube

File[/etc/cni/net.d/10-calico.conflist]

Parameters differences:

--- File[/etc/cni/net.d/10-calico.conflist].orig
+++ File[/etc/cni/net.d/10-calico.conflist]

+    mode  => 0755
+    group => root
+    owner => root

Content differences:

--- /etc/cni/net.d/10-calico.conflist.orig
+++ /etc/cni/net.d/10-calico.conflist
@@ -0,0 +1,23 @@
+{
+  "name": "k8s-pod-network",
+  "cniVersion": "0.3.1",
+  "plugins": [
+    {
+      "type": "calico",
+      "log_level": "info",
+      "datastore_type": "kubernetes",
+      "mtu": 1460,
+      "ipam": {
+        "type": "calico-ipam",
+        "assign_ipv4": "true",
+        "assign_ipv6": "true"
+      },
+      "policy": {
+        "type": "k8s"
+      },
+      "kubernetes": {
+        "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
+      }
+    }
+  ]
+}

Cfssl::Cert[dse__calico-cni]

Parameters differences:

--- Cfssl::Cert[dse__calico-cni].orig
+++ Cfssl::Cert[dse__calico-cni]

+    mode            => 0740
+    group           => root
+    provide_chain   => True
+    owner           => root
+    ensure          => present
+    hosts           => []
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    names           => []
+    label           => dse
+    auto_renew      => True
+    notify_services => []
+    renew_seconds   => 952200
+    key             => {'algo': 'ecdsa', 'size': 256}
+    before_services => []
+    outdir          => /etc/kubernetes/pki
+    common_name     => calico-cni

File[/etc/rsyslog.d/40-set-rbd-readahead.conf]

Parameters differences:

--- File[/etc/rsyslog.d/40-set-rbd-readahead.conf].orig
+++ File[/etc/rsyslog.d/40-set-rbd-readahead.conf]

+    mode   => 0444
+    notify => Service[rsyslog]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /etc/rsyslog.d/40-set-rbd-readahead.conf.orig
+++ /etc/rsyslog.d/40-set-rbd-readahead.conf
@@ -0,0 +1,9 @@
+# rsyslog.conf(5) configuration file for services.
+# This file is managed by Puppet.
+if $programname startswith "set-rbd-readahead" then {
+    action(
+        type="omfile" file="/var/log/set-rbd-readahead/syslog.log"
+        fileOwner="root" fileGroup="root"
+        fileCreateMode="0644"
+    )
+}

Exec[Generate cert dse__calico-cni refresh on intermediate ca change]

Parameters differences:

--- Exec[Generate cert dse__calico-cni refresh on intermediate ca change].orig
+++ Exec[Generate cert dse__calico-cni refresh on intermediate ca change]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    require     => Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr]
+    refreshonly => True
+    subscribe   => File[/etc/kubernetes/pki/dse__calico-cni.chain.pem]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__calico-cni.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calico-cni

Package[containerd]

Parameters differences:

--- Package[containerd].orig
+++ Package[containerd]

+    ensure   => installed
+    provider => apt

Kmod::Blacklist[r440_wdat_wdt]

Parameters differences:

--- Kmod::Blacklist[r440_wdat_wdt].orig
+++ Kmod::Blacklist[r440_wdat_wdt]

+    modules => ['wdat_wdt']
+    ensure  => present
+    rmmod   => True

File[/etc/containerd]

Parameters differences:

--- File[/etc/containerd].orig
+++ File[/etc/containerd]

+    mode   => 0755
+    ensure => directory
+    group  => root
+    owner  => root

Systemd::Service[tcp-mss-clamper]

Parameters differences:

--- Systemd::Service[tcp-mss-clamper].orig
+++ Systemd::Service[tcp-mss-clamper]

+    unit_type                => service
+    service_params           => {}
+    monitoring_contact_group => admins
+    ensure                   => absent
+    restart                  => False
+    monitoring_notes_url     => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+    migration_task           => T407130
+    monitoring_critical      => False
+    monitoring_enabled       => True
+    override                 => False

Exec[Generate cert dse__kubelet_server]

Parameters differences:

--- Exec[Generate cert dse__kubelet_server].orig
+++ Exec[Generate cert dse__kubelet_server]

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__kubelet_server.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/kubernetes/pki/dse__kubelet_server-key.pem 2>&1)"

+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[kubelet]']
+    require     => Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse -profile server /etc/cfssl/csr/dse__kubelet_server.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__kubelet_server

File[/etc/cfssl/csr/dse__rsyslog.csr]

Parameters differences:

--- File[/etc/cfssl/csr/dse__rsyslog.csr].orig
+++ File[/etc/cfssl/csr/dse__rsyslog.csr]

+    mode   => 0400
+    ensure => file
+    group  => root
+    owner  => root

Content differences:

--- /etc/cfssl/csr/dse__rsyslog.csr.orig
+++ /etc/cfssl/csr/dse__rsyslog.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "rsyslog",
+  "hosts": [
+    "rsyslog"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+    {
+      "C": null,
+      "L": null,
+      "O": "view",
+      "OU": null,
+      "S": null
+    }
+  ]
+}

Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-auto-restart)]

Parameters differences:

--- Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-auto-restart)].orig
+++ Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-auto-restart)]

+    before      => ['Service[ferm]']
+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

Exec[rmmod-r440_wdat_wdt]

Parameters differences:

--- Exec[rmmod-r440_wdat_wdt].orig
+++ Exec[rmmod-r440_wdat_wdt]

+    command     => /sbin/modprobe -r wdat_wdt
+    refreshonly => True

Rsyslog::Input::File[kubernetes-json]

Parameters differences:

--- Rsyslog::Input::File[kubernetes-json].orig
+++ Rsyslog::Input::File[kubernetes-json]

+    reopen_on_truncate => on
+    ensure             => present
+    addmetadata        => on
+    priority           => 8
+    path               => /var/log/containers/*.log
+    syslog_tag_prefix  => input-file
+    addceetag          => on
+    syslog_tag         => kubernetes

File[/etc/default/prometheus-node-exporter]

Content differences:

--- /etc/default/prometheus-node-exporter.orig
+++ /etc/default/prometheus-node-exporter
@@ -15,6 +15,7 @@
  --collector.netdev \
  --collector.netstat \
  --collector.netstat.fields=^(.*) \
+ --collector.processes \
  --collector.sockstat \
  --collector.stat \
  --collector.systemd.enable-restarts-metrics \

K8s::Package[kubelet]

Parameters differences:

--- K8s::Package[kubelet].orig
+++ K8s::Package[kubelet]

+    uri             => http://apt.wikimedia.org/wikimedia
+    version         => 1.31
+    require         => ['Class[K8s::Base_dirs]']
+    distro          => bookworm-wikimedia
+    ensure_packages => True
+    package         => node
+    priority        => 1001

Exec[ensure mountpoint '/srv' exists]

Parameters differences:

--- Exec[ensure mountpoint '/srv' exists].orig
+++ Exec[ensure mountpoint '/srv' exists]

+    path    => ['/bin', '/usr/bin']
+    command => mkdir -p /srv
+    before  => Mount[/srv]
+    unless  => test -d /srv

File[/etc/cfssl/ssl/dse__rsyslog]

Parameters differences:

--- File[/etc/cfssl/ssl/dse__rsyslog].orig
+++ File[/etc/cfssl/ssl/dse__rsyslog]

+    mode    => 0740
+    group   => root
+    owner   => root
+    ensure  => directory
+    recurse => True

Class[Profile::Kubernetes::Node]

Parameters differences:

--- Class[Profile::Kubernetes::Node].orig
+++ Class[Profile::Kubernetes::Node]

+    feature_flags           => {}
+    require                 => ['Class[Profile::Rsyslog::Kubernetes]', 'Class[Profile::Netbox::Host]']
+    kubelet_node_labels     => ['dedicated=wdqs']
+    kubernetes_cluster_name => dse-k8s-eqiad
+    kubelet_node_taints     => [{'key': 'dedicated', 'value': 'wdqs', 'effect': 'NoExecute'}, {'key': 'dedicated', 'value': 'wdqs', 'effect': 'NoSchedule'}]

Package[rsyslog-kubernetes]

Parameters differences:

--- Package[rsyslog-kubernetes].orig
+++ Package[rsyslog-kubernetes]

+    ensure   => installed
+    provider => apt

Class[Containerd]

Parameters differences:

--- Class[Containerd].orig
+++ Class[Containerd]

+    ensure  => present
+    require => ['Class[Containerd::Configuration]']

File[/etc/kubernetes/pki]

Parameters differences:

--- File[/etc/kubernetes/pki].orig
+++ File[/etc/kubernetes/pki]

+    mode   => 0755
+    ensure => directory
+    group  => root
+    owner  => root

Systemd::Timer::Job[rsyslog-imfile-remedy]

Parameters differences:

--- Systemd::Timer::Job[rsyslog-imfile-remedy].orig
+++ Systemd::Timer::Job[rsyslog-imfile-remedy]

+    fixed_random_delay        => False
+    private_tmp               => False
+    ensure                    => present
+    logging_enabled           => False
+    splay                     => 30
+    environment               => {}
+    syslog_force_stop         => True
+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+    send_mail_only_on_error   => True
+    send_mail_to              => root@dse-k8s-wdqs-test1001.eqiad.wmnet
+    user                      => root
+    description               => Restart rsyslog T357616
+    syslog_match_startswith   => True
+    logfile_basedir           => /var/log
+    monitoring_contact_groups => admins
+    logfile_group             => root
+    interval                  => {'start': 'OnCalendar', 'interval': '*-*-* 00/3:19:00'}
+    command                   => /usr/bin/systemctl try-restart rsyslog
+    send_mail                 => False
+    ignore_errors             => False
+    logfile_perms             => all
+    logfile_name              => syslog.log
+    monitoring_enabled        => False
+    success_exit_status       => []

Exec[Generate cert dse__calico-cni]

Parameters differences:

--- Exec[Generate cert dse__calico-cni].orig
+++ Exec[Generate cert dse__calico-cni]

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__calico-cni.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/kubernetes/pki/dse__calico-cni-key.pem 2>&1)"

+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__calico-cni.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calico-cni

+    environment => ['GODEBUG=x509ignoreCN=0']
+    require     => Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr]

File[/etc/kubernetes/pki/dse__istio-cni.chained.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__istio-cni.chained.pem].orig
+++ File[/etc/kubernetes/pki/dse__istio-cni.chained.pem]

+    ensure => absent
+    group  => root
+    owner  => root

Exec[Generate cert dse__calico-cni refresh]

Parameters differences:

--- Exec[Generate cert dse__calico-cni refresh].orig
+++ Exec[Generate cert dse__calico-cni refresh]

+    subscribe   => File[/etc/cfssl/csr/dse__calico-cni.csr]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__calico-cni.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calico-cni

+    environment => ['GODEBUG=x509ignoreCN=0']
+    refreshonly => True

File[/etc/default/wikimedia-lvs-realserver]

Parameters differences:

--- File[/etc/default/wikimedia-lvs-realserver].orig
+++ File[/etc/default/wikimedia-lvs-realserver]

+    mode   => 0444
+    ensure => present
+    group  => root
+    owner  => root

Content differences:

--- /etc/default/wikimedia-lvs-realserver.orig
+++ /etc/default/wikimedia-lvs-realserver
@@ -0,0 +1,10 @@
+# This file is managed by puppet!
+
+
+
+# Location of the sysctl file containing LVS ARP settings
+SYSCTLFILE=/usr/share/wikimedia-lvs-realserver/sysctl.conf
+
+# LVS service IPs to be bound to the loopback interface,
+# separate using spaces
+LVS_SERVICE_IPS="10.2.2.91"

File[/etc/systemd/system/kubelet.service.d/container-runtime.conf]

Parameters differences:

--- File[/etc/systemd/system/kubelet.service.d/container-runtime.conf].orig
+++ File[/etc/systemd/system/kubelet.service.d/container-runtime.conf]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for kubelet.service (kubelet-container-runtime)]
+    group  => root
+    owner  => root
+    ensure => present

Content differences:

--- /etc/systemd/system/kubelet.service.d/container-runtime.conf.orig
+++ /etc/systemd/system/kubelet.service.d/container-runtime.conf
@@ -0,0 +1,3 @@
+[Unit]
+After=containerd.service
+Requires=containerd.service

File[/etc/modprobe.d/blacklist-wmf_overlay.conf]

Parameters differences:

--- File[/etc/modprobe.d/blacklist-wmf_overlay.conf].orig
+++ File[/etc/modprobe.d/blacklist-wmf_overlay.conf]

@@
-    ensure => present
+    ensure => absent

Content differences:

--- /etc/modprobe.d/blacklist-wmf_overlay.conf.orig
+++ /etc/modprobe.d/blacklist-wmf_overlay.conf
@@ -1,7 +1,3 @@
 # wmf_overlay - blacklisted kernel modules
 # This file is managed by Puppet
 #
-blacklist overlay
-install overlay /bin/true
-blacklist overlayfs
-install overlayfs /bin/true

File[/etc/kubernetes/proxy.conf]

Parameters differences:

--- File[/etc/kubernetes/proxy.conf].orig
+++ File[/etc/kubernetes/proxy.conf]

+    mode   => 0400
+    ensure => present
+    group  => kube
+    owner  => kube

Content differences:

--- /etc/kubernetes/proxy.conf.orig
+++ /etc/kubernetes/proxy.conf
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+preferences: {}
+current-context: default-system
+contexts:
+- name: default-system
+  context:
+    cluster: default-cluster
+    user: default-proxy
+clusters:
+- name: default-cluster
+  cluster:
+    server: https://dse-k8s-ctrl.svc.eqiad.wmnet:6443
+users:
+- name: default-proxy
+  user:
+    client-certificate: /etc/kubernetes/pki/dse__system_kube-proxy.pem
+    client-key: /etc/kubernetes/pki/dse__system_kube-proxy-key.pem

Interface::Manual[ipip_ipv6]

Parameters differences:

--- Interface::Manual[ipip_ipv6].orig
+++ Interface::Manual[ipip_ipv6]

+    interface => ipip60
+    ensure    => present
+    hotplug   => False
+    family    => inet6

Nrpe::Plugin[check_systemd_unit_status]

Parameters differences:

--- Nrpe::Plugin[check_systemd_unit_status].orig
+++ Nrpe::Plugin[check_systemd_unit_status]

+    source => puppet:///modules/systemd/check_systemd_unit_status
+    ensure => present

Ferm::Service[calico-bird]

Parameters differences:

--- Ferm::Service[calico-bird].orig
+++ Ferm::Service[calico-bird]

+    ensure              => present
+    srange              => ($NETWORK_INFRA 10.64.185.1)
+    notrack             => False
+    prio                => 10
+    desc                => 
+    proto               => tcp
+    unrestricted_access => False
+    port                => 179

Exec[renew certificate - dse__calicoctl]

Parameters differences:

--- Exec[renew certificate - dse__calicoctl].orig
+++ Exec[renew certificate - dse__calicoctl]

+    unless      => /usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__calicoctl.pem -checkend 952200
+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/kubernetes/pki/dse__calicoctl.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calicoctl

+    environment => ['GODEBUG=x509ignoreCN=0']
+    require     => Exec[Generate cert dse__calicoctl]

File[/var/run/kubernetes]

Parameters differences:

--- File[/var/run/kubernetes].orig
+++ File[/var/run/kubernetes]

+    mode   => 0700
+    ensure => directory
+    group  => root
+    owner  => root

Exec[Generate cert dse__kubelet_server refresh on intermediate ca change]

Parameters differences:

--- Exec[Generate cert dse__kubelet_server refresh on intermediate ca change].orig
+++ Exec[Generate cert dse__kubelet_server refresh on intermediate ca change]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[kubelet]']
+    require     => Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr]
+    refreshonly => True
+    subscribe   => File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse -profile server /etc/cfssl/csr/dse__kubelet_server.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__kubelet_server

File[/etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf]

Parameters differences:

--- File[/etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf].orig
+++ File[/etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf]

+    group  => root
+    ensure => present
+    notify => Exec[update_sysctl]
+    owner  => root

Content differences:

--- /etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf.orig
+++ /etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf
@@ -0,0 +1,3 @@
+# sysctl parameters managed by Puppet.
+net.ipv6.conf.all.forwarding = 1
+net.ipv6.conf.ens2f0np0.accept_ra = 2

Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

Parameters differences:

--- Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig
+++ Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

+    order  => 10
+    target => /etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources

Concat_file[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]

Parameters differences:

--- Concat_file[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources].orig
+++ Concat_file[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]

+    mode           => 0444
+    group          => root
+    ensure_newline => False
+    owner          => root
+    tag            => _etc_apt_sources.list.d_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources
+    format         => plain
+    show_diff      => True
+    force          => False
+    backup         => puppet
+    replace        => True
+    order          => alpha

Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 ferm_active]

Parameters differences:

--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 ferm_active].orig
+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 ferm_active]

@@
-    servicegroups         => insetup_eqiad
+    servicegroups         => dse_k8s_eqiad
@@
-    notifications_enabled => 0
+    notifications_enabled => 1

Systemd::Timer::Job[set-rbd-readahead]

Parameters differences:

--- Systemd::Timer::Job[set-rbd-readahead].orig
+++ Systemd::Timer::Job[set-rbd-readahead]

+    require                   => File[/usr/local/sbin/set-rbd-readahead.py]
+    fixed_random_delay        => False
+    private_tmp               => False
+    ensure                    => absent
+    logging_enabled           => True
+    syslog_force_stop         => False
+    environment               => {}
+    logfile_name              => syslog.log
+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+    send_mail_only_on_error   => True
+    send_mail_to              => root@dse-k8s-wdqs-test1001.eqiad.wmnet
+    user                      => root
+    description               => Set readahead for OpenSearch pod RBDs (block devices)
+    syslog_match_startswith   => True
+    logfile_basedir           => /var/log
+    monitoring_contact_groups => admins
+    logfile_group             => root
+    interval                  => {'start': 'OnCalendar', 'interval': '*:0/5'}
+    send_mail                 => False
+    ignore_errors             => False
+    logfile_perms             => all
+    command                   => /usr/local/sbin/set-rbd-readahead.py
+    monitoring_enabled        => False
+    success_exit_status       => []

Systemd::Unit[ferm-ferm-service-auto-restart]

Parameters differences:

--- Systemd::Unit[ferm-ferm-service-auto-restart].orig
+++ Systemd::Unit[ferm-ferm-service-auto-restart]

+    require           => ['Class[Systemd]']
+    override          => True
+    source            => puppet:///modules/profile/kubernetes/node/ferm_systemd_override
+    ensure            => present
+    override_filename => ferm-service-auto-restart
+    restart           => False
+    unit              => ferm

File[/lib/systemd/system/prometheus_ferm_mss.timer]

Parameters differences:

--- File[/lib/systemd/system/prometheus_ferm_mss.timer].orig
+++ File[/lib/systemd/system/prometheus_ferm_mss.timer]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /lib/systemd/system/prometheus_ferm_mss.timer.orig
+++ /lib/systemd/system/prometheus_ferm_mss.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Periodic execution of prometheus_ferm_mss.service
+
+[Timer]
+Unit=prometheus_ferm_mss.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnCalendar=minutely
+RandomizedDelaySec=0
+
+[Install]
+WantedBy=multi-user.target

Systemd::Unit[prometheus_lvs_realserver_mss.service]

Parameters differences:

--- Systemd::Unit[prometheus_lvs_realserver_mss.service].orig
+++ Systemd::Unit[prometheus_lvs_realserver_mss.service]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => absent
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => prometheus_lvs_realserver_mss.service

K8s::Kubeconfig[/etc/cni/net.d/istio-kubeconfig]

Parameters differences:

--- K8s::Kubeconfig[/etc/cni/net.d/istio-kubeconfig].orig
+++ K8s::Kubeconfig[/etc/cni/net.d/istio-kubeconfig]

+    mode        => 0400
+    group       => root
+    require     => ['File[/etc/cni/net.d]', 'Class[K8s::Base_dirs]']
+    username    => istio-cni
+    owner       => root
+    ensure      => absent
+    auth_cert   => {'cert': '/etc/kubernetes/pki/dse__istio-cni.pem', 'key': '/etc/kubernetes/pki/dse__istio-cni-key.pem', 'chain': '/etc/kubernetes/pki/dse__istio-cni.chain.pem', 'chained': '/etc/kubernetes/pki/dse__istio-cni.chained.pem'}
+    master_host => dse-k8s-ctrl.svc.eqiad.wmnet

File[/etc/rsyslog.d/00-imfile.conf]

Parameters differences:

--- File[/etc/rsyslog.d/00-imfile.conf].orig
+++ File[/etc/rsyslog.d/00-imfile.conf]

+    mode   => 0444
+    notify => Service[rsyslog]
+    group  => root
+    owner  => root
+    ensure => present

Content differences:

--- /etc/rsyslog.d/00-imfile.conf.orig
+++ /etc/rsyslog.d/00-imfile.conf
@@ -0,0 +1 @@
+module(load="imfile")

Class[Lvm]

Parameters differences:

--- Class[Lvm].orig
+++ Class[Lvm]

+    volume_groups  => {'vg_raid0': {'createonly': True, 'physical_volumes': {'/dev/md1': {'unless_vg': 'vg_raid0'}}, 'logical_volumes': {'srv': {'size': '10G', 'fs_type': 'ext4', 'mountpath': '/srv'}}}}
+    package_ensure => installed
+    manage_pkg     => False

File[/etc/ferm/conf.d/10_clamp-mss-ipv4]

Parameters differences:

--- File[/etc/ferm/conf.d/10_clamp-mss-ipv4].orig
+++ File[/etc/ferm/conf.d/10_clamp-mss-ipv4]

+    mode    => 0400
+    group   => root
+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    owner   => root
+    ensure  => absent
+    tag     => ferm

Content differences:

--- /etc/ferm/conf.d/10_clamp-mss-ipv4.orig
+++ /etc/ferm/conf.d/10_clamp-mss-ipv4
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 10_clamp-mss-ipv4: 
+
+domain (ip) {
+	table filter {
+		chain OUTPUT {
+			outerface (ens2f0np0 lo) saddr @ipfilter(10.2.2.91) proto tcp sport (30443) tcp-flags (SYN) SYN TCPMSS set-mss 1440;
+		}
+	}
+}

Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 raid_md]

Parameters differences:

--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 raid_md].orig
+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test1001 raid_md]

@@
-    servicegroups         => insetup_eqiad
+    servicegroups         => dse_k8s_eqiad
@@
-    notifications_enabled => 0
+    notifications_enabled => 1

Apt::Repository[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

Parameters differences:

--- Apt::Repository[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig
+++ Apt::Repository[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

+    uri                      => http://apt.wikimedia.org/wikimedia
+    trust_repo               => False
+    allow_releaseinfo_change => False
+    keyfile                  => puppet:///modules/install_server/autoinstall/keyring/wikimedia-archive-keyring.gpg
+    bin                      => True
+    ensure                   => present
+    source                   => True
+    dist                     => bookworm-wikimedia
+    components               => component/istio115

Exec[disable-rp-filter-ipip0]

Parameters differences:

--- Exec[disable-rp-filter-ipip0].orig
+++ Exec[disable-rp-filter-ipip0]

+    unless  => /usr/sbin/sysctl -n net.ipv4.conf.ipip0.rp_filter |grep -- '0'
+    command => /usr/sbin/sysctl -q net.ipv4.conf.ipip0.rp_filter=0
+    require => Interface::Ipip[ipip_ipv4]

File[/etc/cfssl/csr/dse__calicoctl.csr]

Parameters differences:

--- File[/etc/cfssl/csr/dse__calicoctl.csr].orig
+++ File[/etc/cfssl/csr/dse__calicoctl.csr]

+    mode   => 0400
+    ensure => file
+    group  => root
+    owner  => root

Content differences:

--- /etc/cfssl/csr/dse__calicoctl.csr.orig
+++ /etc/cfssl/csr/dse__calicoctl.csr
@@ -0,0 +1,13 @@
+{
+  "CN": "calicoctl",
+  "hosts": [
+    "calicoctl"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+
+  ]
+}

Concat_file[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]

Parameters differences:

--- Concat_file[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources].orig
+++ Concat_file[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]

+    mode           => 0444
+    group          => root
+    ensure_newline => False
+    owner          => root
+    tag            => _etc_apt_sources.list.d_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources
+    format         => plain
+    show_diff      => True
+    force          => False
+    backup         => puppet
+    replace        => True
+    order          => alpha

File[/etc/containerd/config.toml]

Parameters differences:

--- File[/etc/containerd/config.toml].orig
+++ File[/etc/containerd/config.toml]

+    mode   => 0440
+    notify => Service[containerd]
+    group  => root
+    owner  => root
+    ensure => file

Content differences:

--- /etc/containerd/config.toml.orig
+++ /etc/containerd/config.toml
@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: Apache-2.0
+# This is based on the config shipped with the containerd package in Debian (1.6.20~ds1-1+b1)
+#
+# All possible config values including their defaults can be found by running:
+# containerd config default
+version = 2
+
+[plugins]
+  [plugins."io.containerd.grpc.v1.cri"]
+    # Define our sandbox image
+    sandbox_image = "docker-registry.discovery.wmnet/pause:3.6-1"
+    # max_container_log_line_size is the maximum log line size in bytes for a container.
+    # Log line longer than the limit will be split into multiple lines. -1 means no
+    # limit.
+    max_container_log_line_size = -1
+    # By default docker does set net.ipv4.ip_unprivileged_port_start=0 allowing containers to bind to ports
+    # below 1024 without explicit NET_BIND_SERVICE capability.
+    # It also sets net.ipv4.ping_group_range="0 2147483647", allowing ICMP sockets without CAP_NET_RAW.
+    # The following two options ensure compatibility with current workloads.
+    #
+    # enable_unprivileged_ports configures net.ipv4.ip_unprivileged_port_start=0
+    # for all containers which are not using host network and if it is not overwritten by PodSandboxConfig
+    # Note that currently default is set to disabled but target change it in future, see:
+    # https://github.com/kubernetes/kubernetes/issues/102612
+    enable_unprivileged_ports = true
+    # enable_unprivileged_icmp configures net.ipv4.ping_group_range="0 2147483647"
+    # for all containers which are not using host network, are not running in user namespace and if it is not
+    # overwritten by PodSandboxConfig.
+    # Note that currently default is set to disabled but target change it in future together with enable_unprivileged_ports
+    enable_unprivileged_icmp = true
+    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+      # Re-define the runtime type as defining runc.options would shadow the default setting.
+      # Without this kubelet will fail to run containers with the following error:
+      # failed to create containerd container: create container failed validation: container.Runtime.Name must be set: invalid argument
+      runtime_type = "io.containerd.runc.v2"
+      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+        # With cgroup v2 we need to use the systemd cgroup driver
+        SystemdCgroup = true
+    # If dragonfly is enabled, configure the local dfget as registry mirror
+    # https://d7y.io/docs/v2.0.2/setup/runtime/containerd/mirror
+  [plugins."io.containerd.internal.v1.opt"]
+    # Debian overrides path from /opt/containerd
+    path = "/var/lib/containerd/opt"

File[/etc/kubernetes/pki/dse__calicoctl.chain.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__calicoctl.chain.pem].orig
+++ File[/etc/kubernetes/pki/dse__calicoctl.chain.pem]

+    mode   => 0440
+    group  => root
+    owner  => root
+    source => puppet:///modules/profile/pki/intermediates/dse-cert.pem
+    ensure => file

File[/usr/local/bin/prometheus-lvs-realserver-mss]

Parameters differences:

--- File[/usr/local/bin/prometheus-lvs-realserver-mss].orig
+++ File[/usr/local/bin/prometheus-lvs-realserver-mss]

+    mode   => 0555
+    group  => root
+    owner  => root
+    source => puppet:///modules/prometheus/usr/local/bin/prometheus-lvs-realserver-mss.py
+    ensure => absent

Nrpe::Check[check_check_tcp-mss-clamper_status]

Parameters differences:

--- Nrpe::Check[check_check_tcp-mss-clamper_status].orig
+++ Nrpe::Check[check_check_tcp-mss-clamper_status]

+    before  => Monitoring::Service[check_tcp-mss-clamper_status]
+    ensure  => absent
+    command => /usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper

File[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]

Parameters differences:

--- File[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list].orig
+++ File[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]

+    ensure => absent
+    group  => root
+    owner  => root

Class[Toil::Rsyslog_imfile_remedy]

Parameters differences:

--- Class[Toil::Rsyslog_imfile_remedy].orig
+++ Class[Toil::Rsyslog_imfile_remedy]

+    period_hours => 3
+    ensure       => present

Interface::Post_up_command[clsact_ens2f0np0]

Parameters differences:

--- Interface::Post_up_command[clsact_ens2f0np0].orig
+++ Interface::Post_up_command[clsact_ens2f0np0]

+    command   => /usr/sbin/tc qdisc add dev ens2f0np0 clsact
+    ensure    => absent
+    interface => ens2f0np0

File[/etc/calico/calicoctl-kubeconfig]

Parameters differences:

--- File[/etc/calico/calicoctl-kubeconfig].orig
+++ File[/etc/calico/calicoctl-kubeconfig]

+    mode   => 0400
+    ensure => present
+    group  => root
+    owner  => root

Content differences:

--- /etc/calico/calicoctl-kubeconfig.orig
+++ /etc/calico/calicoctl-kubeconfig
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+preferences: {}
+current-context: default-system
+contexts:
+- name: default-system
+  context:
+    cluster: default-cluster
+    user: calicoctl
+clusters:
+- name: default-cluster
+  cluster:
+    server: https://dse-k8s-ctrl.svc.eqiad.wmnet:6443
+users:
+- name: calicoctl
+  user:
+    client-certificate: /etc/kubernetes/pki/dse__calicoctl.pem
+    client-key: /etc/kubernetes/pki/dse__calicoctl-key.pem

Nrpe::Monitor_service[disk_space]

Parameters differences:

--- Nrpe::Monitor_service[disk_space].orig
+++ Nrpe::Monitor_service[disk_space]

@@
-    nrpe_command => /usr/lib/nagios/plugins/check_disk -w 6% -c 3% -W 6% -K 3% -l -e -A -i "/srv/sd[a-b][1-3]" -i "/srv/nvme[0-9]n[0-9]p[0-9]" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs
+    nrpe_command => /usr/lib/nagios/plugins/check_disk -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs

File[/etc/kubernetes/pki/dse__system_kube-proxy-key.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__system_kube-proxy-key.pem].orig
+++ File[/etc/kubernetes/pki/dse__system_kube-proxy-key.pem]

+    mode      => 0440
+    group     => root
+    show_diff => False
+    owner     => kube
+    backup    => False
+    ensure    => file

File[/usr/local/sbin/set-rbd-readahead.py]

Parameters differences:

--- File[/usr/local/sbin/set-rbd-readahead.py].orig
+++ File[/usr/local/sbin/set-rbd-readahead.py]

+    mode   => 0755
+    group  => root
+    owner  => root
+    source => puppet:///modules/profile/kubernetes/node/dse_k8s/set-rbd-readahead.py
+    ensure => absent

Logrotate::Conf[rsyslog-release-deleted-inotify-watches]

Parameters differences:

--- Logrotate::Conf[rsyslog-release-deleted-inotify-watches].orig
+++ Logrotate::Conf[rsyslog-release-deleted-inotify-watches]

+    ensure => absent

File[/etc/nerdctl]

Parameters differences:

--- File[/etc/nerdctl].orig
+++ File[/etc/nerdctl]

+    mode   => 0755
+    ensure => directory
+    group  => root
+    owner  => root

Exec[ip link add name ipip60 type ip6tnl external]

Parameters differences:

--- Exec[ip link add name ipip60 type ip6tnl external].orig
+++ Exec[ip link add name ipip60 type ip6tnl external]

+    path    => /bin:/usr/bin
+    unless  => ip link show ipip60
+    returns => [0, 2]

Systemd::Timer[prometheus_lvs_realserver_mss]

Parameters differences:

--- Systemd::Timer[prometheus_lvs_realserver_mss].orig
+++ Systemd::Timer[prometheus_lvs_realserver_mss]

+    splay              => 0
+    accuracy           => 15sec
+    unit_name          => prometheus_lvs_realserver_mss.service
+    fixed_random_delay => False
+    ensure             => absent
+    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'minutely'}]

Concat[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]

Parameters differences:

--- Concat[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources].orig
+++ Concat[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]

+    mode           => 0444
+    notify         => Exec[apt_repository_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
+    group          => root
+    ensure_newline => False
+    owner          => root
+    ensure         => present
+    warn           => False
+    path           => /etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources
+    format         => plain
+    show_diff      => True
+    force          => False
+    backup         => puppet
+    replace        => True
+    order          => alpha

Apt::Package_from_component[istio115]

Parameters differences:

--- Apt::Package_from_component[istio115].orig
+++ Apt::Package_from_component[istio115]

+    uri             => http://apt.wikimedia.org/wikimedia
+    packages        => {'istio-cni': 'absent'}
+    distro          => bookworm-wikimedia
+    component       => component/istio115
+    ensure          => present
+    ensure_packages => True
+    priority        => 1001

Package[nerdctl]

Parameters differences:

--- Package[nerdctl].orig
+++ Package[nerdctl]

+    ensure   => installed
+    provider => apt

File[/etc/ferm/conf.d/10_clamp-mss-ipv6]

Parameters differences:

--- File[/etc/ferm/conf.d/10_clamp-mss-ipv6].orig
+++ File[/etc/ferm/conf.d/10_clamp-mss-ipv6]

+    mode    => 0400
+    group   => root
+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    owner   => root
+    ensure  => absent
+    tag     => ferm

Content differences:

--- /etc/ferm/conf.d/10_clamp-mss-ipv6.orig
+++ /etc/ferm/conf.d/10_clamp-mss-ipv6
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 10_clamp-mss-ipv6: 
+
+domain (ip6) {
+	table filter {
+		chain OUTPUT {
+			outerface (ens2f0np0 lo) saddr @ipfilter(10.2.2.91) proto tcp sport (30443) tcp-flags (SYN) SYN TCPMSS set-mss 1400;
+		}
+	}
+}

Exec[/usr/sbin/tc qdisc del dev lo clsact]

Parameters differences:

--- Exec[/usr/sbin/tc qdisc del dev lo clsact].orig
+++ Exec[/usr/sbin/tc qdisc del dev lo clsact]

+    onlyif => /usr/sbin/tc qdisc show dev lo | grep -q clsact

Exec[renew certificate - dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet]

Parameters differences:

--- Exec[renew certificate - dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet].orig
+++ Exec[renew certificate - dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet]

+    unless      => /usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.pem -checkend 952200
+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[kubelet]']
+    require     => Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet]
+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet

Group[kube]

Parameters differences:

--- Group[kube].orig
+++ Group[kube]

+    ensure => present
+    system => True

Cfssl::Cert[dse__calicoctl]

Parameters differences:

--- Cfssl::Cert[dse__calicoctl].orig
+++ Cfssl::Cert[dse__calicoctl]

+    mode            => 0740
+    group           => root
+    provide_chain   => True
+    owner           => root
+    ensure          => present
+    hosts           => []
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    names           => []
+    label           => dse
+    auto_renew      => True
+    notify_services => []
+    renew_seconds   => 952200
+    key             => {'algo': 'ecdsa', 'size': 256}
+    before_services => []
+    outdir          => /etc/kubernetes/pki
+    common_name     => calicoctl

Exec[ip link set up dev ipip60]

Parameters differences:

--- Exec[ip link set up dev ipip60].orig
+++ Exec[ip link set up dev ipip60]

+    path    => /bin:/usr/bin
+    unless  => ip link show ipip60 | grep -q UP
+    returns => [0, 2]

Package[tcp-mss-clamper]

Parameters differences:

--- Package[tcp-mss-clamper].orig
+++ Package[tcp-mss-clamper]

+    ensure   => absent
+    provider => apt

Ferm::Service[calico_typha]

Parameters differences:

--- Ferm::Service[calico_typha].orig
+++ Ferm::Service[calico_typha]

+    src_sets            => ['DOMAIN_NETWORKS']
+    ensure              => present
+    notrack             => False
+    prio                => 10
+    desc                => 
+    proto               => tcp
+    unrestricted_access => False
+    port                => 5473

File[/lib/systemd/system/prometheus_ferm_mss.service]

Parameters differences:

--- File[/lib/systemd/system/prometheus_ferm_mss.service].orig
+++ File[/lib/systemd/system/prometheus_ferm_mss.service]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /lib/systemd/system/prometheus_ferm_mss.service.orig
+++ /lib/systemd/system/prometheus_ferm_mss.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Regular job to collect MSS values of ferm-based hosts
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/bin/prometheus-ferm-mss -o /var/lib/prometheus/node.d/ferm-mss.prom -e 10.2.2.91:30443

Exec[apt_repository_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

Parameters differences:

--- Exec[apt_repository_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig
+++ Exec[apt_repository_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

+    command     => /usr/bin/apt-get update 
+    refreshonly => True

Sysctl::Parameters[ipv6-fowarding-accept-ra]

Parameters differences:

--- Sysctl::Parameters[ipv6-fowarding-accept-ra].orig
+++ Sysctl::Parameters[ipv6-fowarding-accept-ra]

+    no_priority_prefix => False
+    ensure             => present
+    values             => {'net.ipv6.conf.all.forwarding': 1, 'net.ipv6.conf.ens2f0np0.accept_ra': 2}
+    priority           => 70

Kmod::Blacklist[wmf_overlay]

Parameters differences:

--- Kmod::Blacklist[wmf_overlay].orig
+++ Kmod::Blacklist[wmf_overlay]

@@
-    modules => ['overlayfs', 'overlay']
+    modules => []
@@
-    ensure  => present
+    ensure  => absent

Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]

Parameters differences:

--- Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header].orig
+++ Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]

+    source => puppet:///modules/apt/sources-deb822-header.txt
+    tag    => _etc_apt_sources.list.d_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources
+    order  => 01
+    target => /etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources

Systemd::Syslog[set-rbd-readahead]

Parameters differences:

--- Systemd::Syslog[set-rbd-readahead].orig
+++ Systemd::Syslog[set-rbd-readahead]

+    group                  => root
+    force_stop             => False
+    log_filename           => syslog.log
+    owner                  => root
+    ensure                 => absent
+    base_dir               => /var/log
+    readable_by            => all
+    programname_comparison => startswith

Concat[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]

Parameters differences:

--- Concat[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources].orig
+++ Concat[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]

+    mode           => 0444
+    notify         => Exec[apt_repository_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
+    group          => root
+    ensure_newline => False
+    owner          => root
+    ensure         => present
+    warn           => False
+    path           => /etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources
+    format         => plain
+    show_diff      => True
+    force          => False
+    backup         => puppet
+    replace        => True
+    order          => alpha

File[/etc/nagios/nrpe.d/check_disk_space.cfg]

Content differences:

--- /etc/nagios/nrpe.d/check_disk_space.cfg.orig
+++ /etc/nagios/nrpe.d/check_disk_space.cfg
@@ -1,2 +1,2 @@
 # File generated by puppet. DO NOT edit by hand
-command[check_disk_space]=/usr/lib/nagios/plugins/check_disk -w 6% -c 3% -W 6% -K 3% -l -e -A -i "/srv/sd[a-b][1-3]" -i "/srv/nvme[0-9]n[0-9]p[0-9]" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs
+command[check_disk_space]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs

Apt::Repository[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

Parameters differences:

--- Apt::Repository[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig
+++ Apt::Repository[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

+    uri                      => http://apt.wikimedia.org/wikimedia
+    trust_repo               => False
+    allow_releaseinfo_change => False
+    keyfile                  => puppet:///modules/install_server/autoinstall/keyring/wikimedia-archive-keyring.gpg
+    bin                      => True
+    ensure                   => present
+    source                   => True
+    dist                     => bookworm-wikimedia
+    components               => component/kubernetes131

Ferm::Rule[ipip]

Parameters differences:

--- Ferm::Rule[ipip].orig
+++ Ferm::Rule[ipip]

+    table  => filter
+    prio   => 10
+    domain => (ip)
+    desc   => 
+    ensure => present
+    chain  => INPUT
+    rule   => saddr 172.16.0.0/12 proto ipencap ACCEPT;

File[/etc/nerdctl/nerdctl.toml]

Parameters differences:

--- File[/etc/nerdctl/nerdctl.toml].orig
+++ File[/etc/nerdctl/nerdctl.toml]

+    mode   => 0644
+    ensure => file
+    group  => root
+    owner  => root

Content differences:

--- /etc/nerdctl/nerdctl.toml.orig
+++ /etc/nerdctl/nerdctl.toml
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# For documentation of the available options, see:
+# https://github.com/containerd/nerdctl/blob/main/docs/config.md
+namespace = "k8s.io"

Systemd::Unit[rsyslog-imfile-remedy.timer]

Parameters differences:

--- Systemd::Unit[rsyslog-imfile-remedy.timer].orig
+++ Systemd::Unit[rsyslog-imfile-remedy.timer]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => present
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => rsyslog-imfile-remedy.timer

File[/etc/cfssl/csr/dse__kubelet_server.csr]

Parameters differences:

--- File[/etc/cfssl/csr/dse__kubelet_server.csr].orig
+++ File[/etc/cfssl/csr/dse__kubelet_server.csr]

+    mode   => 0400
+    ensure => file
+    group  => root
+    owner  => root

Content differences:

--- /etc/cfssl/csr/dse__kubelet_server.csr.orig
+++ /etc/cfssl/csr/dse__kubelet_server.csr
@@ -0,0 +1,17 @@
+{
+  "CN": "kubelet",
+  "hosts": [
+    "dse-k8s-wdqs-test1001",
+    "dse-k8s-wdqs-test1001.eqiad.wmnet",
+    "10.64.185.3",
+    "2620:0:861:13f:10:64:185:3",
+    "kubelet"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+
+  ]
+}

Exec[create chained cert /etc/kubernetes/pki/dse__calicoctl.chain.pem]

Parameters differences:

--- Exec[create chained cert /etc/kubernetes/pki/dse__calicoctl.chain.pem].orig
+++ Exec[create chained cert /etc/kubernetes/pki/dse__calicoctl.chain.pem]

+    unless    => /usr/bin/test "$(/bin/cat /etc/kubernetes/pki/dse__calicoctl.pem /etc/kubernetes/pki/dse__calicoctl.chain.pem | sha512sum)" == "$(/bin/cat /etc/kubernetes/pki/dse__calicoctl.chained.pem | sha512sum)"

+    command   => /bin/cat /etc/kubernetes/pki/dse__calicoctl.pem /etc/kubernetes/pki/dse__calicoctl.chain.pem > /etc/kubernetes/pki/dse__calicoctl.chained.pem
+    require   => Exec[Generate cert dse__calicoctl refresh on intermediate ca change]
+    subscribe => ['Exec[renew certificate - dse__calicoctl]', 'File[/etc/kubernetes/pki/dse__calicoctl.chain.pem]', 'File[/etc/kubernetes/pki/dse__calicoctl.pem]']

Class[Profile::Base]

Parameters differences:

--- Class[Profile::Base].orig
+++ Class[Profile::Base]

@@
-    overlayfs                => False
+    overlayfs                => True
@@
-    use_linux612_on_bookworm => False
+    use_linux612_on_bookworm => True
@@
-    rp_filter                => True
+    rp_filter                => {'all_rp_filter': 0, 'default_rp_filter': 1}
@@
-    cluster                  => insetup
+    cluster                  => dse_k8s

File[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]

Parameters differences:

--- File[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list].orig
+++ File[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]

+    ensure => absent
+    group  => root
+    owner  => root

Service[rsyslog-imfile-remedy.timer]

Parameters differences:

--- Service[rsyslog-imfile-remedy.timer].orig
+++ Service[rsyslog-imfile-remedy.timer]

+    ensure   => running
+    enable   => True
+    provider => systemd

File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem].orig
+++ File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem]

+    mode   => 0440
+    ensure => file
+    group  => root
+    owner  => root

File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]

Parameters differences:

--- File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer].orig
+++ File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer.orig
+++ /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer
@@ -0,0 +1,14 @@
+[Unit]
+Description=Periodic execution of nrpe2nodexp-check_tcp-mss-clamper_status.service
+
+[Timer]
+Unit=nrpe2nodexp-check_tcp-mss-clamper_status.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnUnitInactiveSec=5min
+OnActiveSec=1s
+RandomizedDelaySec=300
+FixedRandomDelay=true
+
+[Install]
+WantedBy=multi-user.target

Motd::Message[dse_k8s::worker::wdqs]

Parameters differences:

--- Motd::Message[dse_k8s::worker::wdqs].orig
+++ Motd::Message[dse_k8s::worker::wdqs]

+    message  => dse-k8s-wdqs-test1001 is a DSE Kubernetes worker node - dedicated to wdqs (dse_k8s::worker::wdqs)
+    ensure   => present
+    priority => 5

File[/etc/kubernetes/pki/dse__calico-cni.chain.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__calico-cni.chain.pem].orig
+++ File[/etc/kubernetes/pki/dse__calico-cni.chain.pem]

+    mode   => 0440
+    group  => root
+    owner  => root
+    source => puppet:///modules/profile/pki/intermediates/dse-cert.pem
+    ensure => file

File[/etc/kubernetes/pki/dse__calicoctl-key.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__calicoctl-key.pem].orig
+++ File[/etc/kubernetes/pki/dse__calicoctl-key.pem]

+    mode      => 0440
+    group     => root
+    show_diff => False
+    owner     => root
+    backup    => False
+    ensure    => file

File[/etc/ferm/conf.d/10_calico_typha]

Parameters differences:

--- File[/etc/ferm/conf.d/10_calico_typha].orig
+++ File[/etc/ferm/conf.d/10_calico_typha]

+    mode    => 0400
+    group   => root
+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    owner   => root
+    ensure  => present
+    tag     => ferm

Content differences:

--- /etc/ferm/conf.d/10_calico_typha.orig
+++ /etc/ferm/conf.d/10_calico_typha
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 5473, $DOMAIN_NETWORKS);
+
+

File[/etc/update-motd.d/05-insetup--data-platform-ferm]

Parameters differences:

--- File[/etc/update-motd.d/05-insetup--data-platform-ferm].orig
+++ File[/etc/update-motd.d/05-insetup--data-platform-ferm]

-    mode   => 0555
-    ensure => present
-    group  => root
-    owner  => root

Content differences:

--- /etc/update-motd.d/05-insetup--data-platform-ferm.orig
+++ /etc/update-motd.d/05-insetup--data-platform-ferm
@@ -1,2 +0,0 @@
-#!/bin/sh
-printf "%s\n" "dse-k8s-wdqs-test1001 is a Host being setup by Data Platform SREs (insetup::data_platform_ferm)"

File[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]

Parameters differences:

--- File[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list].orig
+++ File[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]

+    ensure => absent
+    group  => root
+    owner  => root

Systemd::Unit[kubelet-container-runtime]

Parameters differences:

--- Systemd::Unit[kubelet-container-runtime].orig
+++ Systemd::Unit[kubelet-container-runtime]

+    require           => ['Class[Systemd]']
+    override          => True
+    ensure            => present
+    override_filename => container-runtime
+    restart           => True
+    unit              => kubelet

Mount[/srv]

Parameters differences:

--- Mount[/srv].orig
+++ Mount[/srv]

+    atboot  => True
+    options => defaults
+    pass    => 2
+    fstype  => ext4
+    ensure  => mounted
+    device  => /dev/vg_raid0/srv
+    dump    => 0

File[/var/lib/prometheus/node.d/role_owner.prom]

Content differences:

--- /var/lib/prometheus/node.d/role_owner.prom.orig
+++ /var/lib/prometheus/node.d/role_owner.prom
@@ -1,3 +1,3 @@
 # HELP role_owner The team owner of the server role
 # TYPE role_owner gauge
-role_owner{team="data-platform",role="insetup::data_platform_ferm",cluster="insetup"} 1.0
+role_owner{team="data-platform",role="dse_k8s::worker::wdqs",cluster="dse_k8s"} 1.0

Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet refresh]

Parameters differences:

--- Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet refresh].orig
+++ Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet refresh]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[kubelet]']
+    refreshonly => True
+    subscribe   => File[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet

Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

Parameters differences:

--- Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig
+++ Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]

+    tag    => _etc_apt_sources.list.d_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources
+    order  => 10
+    target => /etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources

Content differences:

--- component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.orig
+++ component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia
@@ -0,0 +1,5 @@
+Types: deb deb-src
+URIs: http://apt.wikimedia.org/wikimedia
+Suites: bookworm-wikimedia
+Components: component/calico329
+Signed-By: /etc/apt/keyrings/wikimedia-archive-keyring.gpg

Interface::Ipip[ipip_ipv6]

Parameters differences:

--- Interface::Ipip[ipip_ipv6].orig
+++ Interface::Ipip[ipip_ipv6]

+    ensure    => present
+    interface => ipip60
+    family    => inet6

File[/etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf]

Parameters differences:

--- File[/etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf].orig
+++ File[/etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf]

+    mode   => 0444
+    notify => Service[rsyslog]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf.orig
+++ /etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf
@@ -0,0 +1,10 @@
+# rsyslog.conf(5) configuration file for services.
+# This file is managed by Puppet.
+if $programname startswith "rsyslog-release-deleted-inotify-watches" then {
+    action(
+        type="omfile" file="/var/log/rsyslog-release-deleted-inotify-watches/syslog.log"
+        fileOwner="root" fileGroup="root"
+        fileCreateMode="0644"
+    )
+    & stop
+}

Systemd::Unit[prometheus_ferm_mss.timer]

Parameters differences:

--- Systemd::Unit[prometheus_ferm_mss.timer].orig
+++ Systemd::Unit[prometheus_ferm_mss.timer]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => absent
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => prometheus_ferm_mss.timer

File[/etc/kubernetes/pki/dse__calicoctl.chained.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__calicoctl.chained.pem].orig
+++ File[/etc/kubernetes/pki/dse__calicoctl.chained.pem]

+    ensure  => file
+    group   => root
+    require => Exec[create chained cert /etc/kubernetes/pki/dse__calicoctl.chain.pem]
+    owner   => root

Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]

Parameters differences:

--- Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header].orig
+++ Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]

+    source => puppet:///modules/apt/sources-deb822-header.txt
+    tag    => _etc_apt_sources.list.d_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources
+    order  => 01
+    target => /etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources

Exec[systemd daemon-reload for set-rbd-readahead.service (set-rbd-readahead.service)]

Parameters differences:

--- Exec[systemd daemon-reload for set-rbd-readahead.service (set-rbd-readahead.service)].orig
+++ Exec[systemd daemon-reload for set-rbd-readahead.service (set-rbd-readahead.service)]

+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

Sysctl::Conffile[kube_proxy_conntrack]

Parameters differences:

--- Sysctl::Conffile[kube_proxy_conntrack].orig
+++ Sysctl::Conffile[kube_proxy_conntrack]

+    no_priority_prefix => False
+    ensure             => present
+    priority           => 75

K8s::Kubeconfig[/etc/kubernetes/proxy.conf]

Parameters differences:

--- K8s::Kubeconfig[/etc/kubernetes/proxy.conf].orig
+++ K8s::Kubeconfig[/etc/kubernetes/proxy.conf]

+    mode        => 0400
+    group       => kube
+    require     => ['Class[K8s::Base_dirs]']
+    owner       => kube
+    username    => default-proxy
+    ensure      => present
+    auth_cert   => {'cert': '/etc/kubernetes/pki/dse__system_kube-proxy.pem', 'key': '/etc/kubernetes/pki/dse__system_kube-proxy-key.pem', 'chain': '/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem', 'chained': '/etc/kubernetes/pki/dse__system_kube-proxy.chained.pem'}
+    master_host => dse-k8s-ctrl.svc.eqiad.wmnet

File[/var/lib/kubelet]

Parameters differences:

--- File[/var/lib/kubelet].orig
+++ File[/var/lib/kubelet]

+    mode   => 0700
+    ensure => directory
+    group  => root
+    owner  => root

Exec[disable-rp-filter-ipip60]

Parameters differences:

--- Exec[disable-rp-filter-ipip60].orig
+++ Exec[disable-rp-filter-ipip60]

+    unless  => /usr/sbin/sysctl -n net.ipv4.conf.ipip60.rp_filter |grep -- '0'
+    command => /usr/sbin/sysctl -q net.ipv4.conf.ipip60.rp_filter=0
+    require => Interface::Ipip[ipip_ipv6]

Systemd::Service[rsyslog-release-deleted-inotify-watches]

Parameters differences:

--- Systemd::Service[rsyslog-release-deleted-inotify-watches].orig
+++ Systemd::Service[rsyslog-release-deleted-inotify-watches]

+    unit_type                => timer
+    service_params           => {}
+    require                  => Systemd::Unit[rsyslog-release-deleted-inotify-watches.service]
+    monitoring_contact_group => admins
+    ensure                   => absent
+    restart                  => False
+    migration_task           => T407130
+    monitoring_critical      => False
+    monitoring_enabled       => False
+    override                 => False

Class[Profile::Rsyslog::Kubernetes]

Parameters differences:

--- Class[Profile::Rsyslog::Kubernetes].orig
+++ Class[Profile::Rsyslog::Kubernetes]

+    kubernetes_cluster_name => dse-k8s-eqiad
+    kafka_brokers           => ['kafka-logging1001.eqiad.wmnet:9093', 'kafka-logging1002.eqiad.wmnet:9093', 'kafka-logging1003.eqiad.wmnet:9093', 'kafka-logging1004.eqiad.wmnet:9093', 'kafka-logging1005.eqiad.wmnet:9093']
+    enable                  => True

File[/etc/kubernetes/pki/dse__istio-cni.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__istio-cni.pem].orig
+++ File[/etc/kubernetes/pki/dse__istio-cni.pem]

+    mode   => 0440
+    ensure => absent
+    group  => root
+    owner  => root

File[/etc/rsyslog.d/08-input-file-kubernetes-json.conf]

Parameters differences:

--- File[/etc/rsyslog.d/08-input-file-kubernetes-json.conf].orig
+++ File[/etc/rsyslog.d/08-input-file-kubernetes-json.conf]

+    mode   => 0444
+    notify => Service[rsyslog]
+    group  => root
+    owner  => root
+    ensure => present

Content differences:

--- /etc/rsyslog.d/08-input-file-kubernetes-json.conf.orig
+++ /etc/rsyslog.d/08-input-file-kubernetes-json.conf
@@ -0,0 +1,8 @@
+# This file managed by puppet rsyslog::input::file
+
+input(type="imfile"
+      File="/var/log/containers/*.log"
+      reopenOnTruncate="on"
+      addMetadata="on"
+      addCeeTag="on"
+      Tag="input-file-kubernetes")

Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr]

+    hosts       => []
+    names       => [{'organisation': 'view'}]
+    ensure      => present
+    key         => {'algo': 'ecdsa', 'size': 256}
+    common_name => rsyslog

Systemd::Syslog[rsyslog-release-deleted-inotify-watches]

Parameters differences:

--- Systemd::Syslog[rsyslog-release-deleted-inotify-watches].orig
+++ Systemd::Syslog[rsyslog-release-deleted-inotify-watches]

+    group                  => root
+    force_stop             => True
+    log_filename           => syslog.log
+    owner                  => root
+    ensure                 => absent
+    base_dir               => /var/log
+    readable_by            => all
+    programname_comparison => startswith

File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chained.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chained.pem].orig
+++ File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chained.pem]

+    ensure  => file
+    group   => root
+    require => Exec[create chained cert /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem]
+    owner   => kube

File[/etc/kubernetes/pki/dse__istio-cni-key.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__istio-cni-key.pem].orig
+++ File[/etc/kubernetes/pki/dse__istio-cni-key.pem]

+    mode      => 0440
+    group     => root
+    show_diff => False
+    owner     => root
+    backup    => False
+    ensure    => absent

Cfssl::Cert[dse__kubelet_server]

Parameters differences:

--- Cfssl::Cert[dse__kubelet_server].orig
+++ Cfssl::Cert[dse__kubelet_server]

+    mode            => 0740
+    group           => root
+    provide_chain   => True
+    owner           => kube
+    hosts           => ['dse-k8s-wdqs-test1001', 'dse-k8s-wdqs-test1001.eqiad.wmnet', '10.64.185.3', '2620:0:861:13f:10:64:185:3']
+    ensure          => present
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    names           => []
+    label           => dse
+    auto_renew      => True
+    profile         => server
+    notify_services => ['kubelet']
+    renew_seconds   => 952200
+    key             => {'algo': 'ecdsa', 'size': 256}
+    before_services => []
+    outdir          => /etc/kubernetes/pki
+    common_name     => kubelet

Class[Profile::Calico::Kubernetes]

Parameters differences:

--- Class[Profile::Calico::Kubernetes].orig
+++ Class[Profile::Calico::Kubernetes]

+    kubernetes_cluster_name => dse-k8s-eqiad

File[/etc/update-motd.d/05-dse-k8s--worker--wdqs]

Parameters differences:

--- File[/etc/update-motd.d/05-dse-k8s--worker--wdqs].orig
+++ File[/etc/update-motd.d/05-dse-k8s--worker--wdqs]

+    mode   => 0555
+    ensure => present
+    group  => root
+    owner  => root

Content differences:

--- /etc/update-motd.d/05-dse-k8s--worker--wdqs.orig
+++ /etc/update-motd.d/05-dse-k8s--worker--wdqs
@@ -0,0 +1,2 @@
+#!/bin/sh
+printf "%s\n" "dse-k8s-wdqs-test1001 is a DSE Kubernetes worker node - dedicated to wdqs (dse_k8s::worker::wdqs)"

Exec[renew certificate - dse__system_kube-proxy]

Parameters differences:

--- Exec[renew certificate - dse__system_kube-proxy].orig
+++ Exec[renew certificate - dse__system_kube-proxy]

+    unless      => /usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__system_kube-proxy.pem -checkend 952200
+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[kube-proxy]']
+    require     => Exec[Generate cert dse__system_kube-proxy]
+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/kubernetes/pki/dse__system_kube-proxy.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_kube-proxy

File[/usr/local/bin/prometheus-ferm-mss]

Parameters differences:

--- File[/usr/local/bin/prometheus-ferm-mss].orig
+++ File[/usr/local/bin/prometheus-ferm-mss]

+    mode   => 0555
+    group  => root
+    owner  => root
+    source => puppet:///modules/prometheus/usr/local/bin/prometheus-ferm-mss.py
+    ensure => absent

Exec[Generate cert dse__system_kube-proxy refresh]

Parameters differences:

--- Exec[Generate cert dse__system_kube-proxy refresh].orig
+++ Exec[Generate cert dse__system_kube-proxy refresh]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[kube-proxy]']
+    refreshonly => True
+    subscribe   => File[/etc/cfssl/csr/dse__system_kube-proxy.csr]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__system_kube-proxy.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_kube-proxy

Lvm::Volume_group[vg_raid0]

Parameters differences:

--- Lvm::Volume_group[vg_raid0].orig
+++ Lvm::Volume_group[vg_raid0]

+    followsymlinks   => False
+    physical_volumes => {'/dev/md1': {'unless_vg': 'vg_raid0'}}
+    logical_volumes  => {'srv': {'size': '10G', 'fs_type': 'ext4', 'mountpath': '/srv'}}
+    createonly       => True
+    ensure           => present

Sysctl::Parameters[increase_inotify_limits]

Parameters differences:

--- Sysctl::Parameters[increase_inotify_limits].orig
+++ Sysctl::Parameters[increase_inotify_limits]

+    no_priority_prefix => False
+    ensure             => present
+    values             => {'fs.inotify.max_user_watches': 32768, 'fs.inotify.max_user_instances': 512}
+    priority           => 70

File[/etc/kubernetes/pki/dse__kubelet_server.csr]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__kubelet_server.csr].orig
+++ File[/etc/kubernetes/pki/dse__kubelet_server.csr]

+    mode   => 0440
+    ensure => file
+    group  => root
+    owner  => kube

Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]

Parameters differences:

--- Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header].orig
+++ Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]

+    source => puppet:///modules/apt/sources-deb822-header.txt
+    tag    => _etc_apt_sources.list.d_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources
+    order  => 01
+    target => /etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources

Exec[disable-rp-filter-ens2f0np0]

Parameters differences:

--- Exec[disable-rp-filter-ens2f0np0].orig
+++ Exec[disable-rp-filter-ens2f0np0]

+    unless  => /usr/sbin/sysctl -n net.ipv4.conf.ens2f0np0.rp_filter |grep -- '0'
+    command => /usr/sbin/sysctl -q net.ipv4.conf.ens2f0np0.rp_filter=0

Exec[create chained cert /etc/kubernetes/pki/dse__kubelet_server.chain.pem]

Parameters differences:

--- Exec[create chained cert /etc/kubernetes/pki/dse__kubelet_server.chain.pem].orig
+++ Exec[create chained cert /etc/kubernetes/pki/dse__kubelet_server.chain.pem]

+    unless    => /usr/bin/test "$(/bin/cat /etc/kubernetes/pki/dse__kubelet_server.pem /etc/kubernetes/pki/dse__kubelet_server.chain.pem | sha512sum)" == "$(/bin/cat /etc/kubernetes/pki/dse__kubelet_server.chained.pem | sha512sum)"

+    notify    => ['Service[kubelet]']
+    require   => Exec[Generate cert dse__kubelet_server refresh on intermediate ca change]
+    subscribe => ['Exec[renew certificate - dse__kubelet_server]', 'File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem]', 'File[/etc/kubernetes/pki/dse__kubelet_server.pem]']
+    command   => /bin/cat /etc/kubernetes/pki/dse__kubelet_server.pem /etc/kubernetes/pki/dse__kubelet_server.chain.pem > /etc/kubernetes/pki/dse__kubelet_server.chained.pem

Class[Calico]

Parameters differences:

--- Class[Calico].orig
+++ Class[Calico]

+    calicoctl_username => calicoctl
+    master_fqdn        => dse-k8s-ctrl.svc.eqiad.wmnet
+    version            => 3.29
+    auth_cert          => {'cert': '/etc/kubernetes/pki/dse__calicoctl.pem', 'key': '/etc/kubernetes/pki/dse__calicoctl-key.pem', 'chain': '/etc/kubernetes/pki/dse__calicoctl.chain.pem', 'chained': '/etc/kubernetes/pki/dse__calicoctl.chained.pem'}

Exec[ip link add name ipip0 type ipip external]

Parameters differences:

--- Exec[ip link add name ipip0 type ipip external].orig
+++ Exec[ip link add name ipip0 type ipip external]

+    path    => /bin:/usr/bin
+    unless  => ip link show ipip0
+    returns => [0, 2]

Systemd::Service[prometheus_lvs_realserver_mss]

Parameters differences:

--- Systemd::Service[prometheus_lvs_realserver_mss].orig
+++ Systemd::Service[prometheus_lvs_realserver_mss]

+    unit_type                => timer
+    service_params           => {}
+    require                  => Systemd::Unit[prometheus_lvs_realserver_mss.service]
+    monitoring_contact_group => admins
+    ensure                   => absent
+    restart                  => False
+    migration_task           => T407130
+    monitoring_critical      => False
+    monitoring_enabled       => False
+    override                 => False

Class[Profile::Amd_gpu]

Parameters differences:

--- Class[Profile::Amd_gpu].orig
+++ Class[Profile::Amd_gpu]

+    kubernetes_cluster_name => dse-k8s-eqiad
+    enable_opt_rocm_env     => False
+    is_basic_gpu_node       => False
+    firmwares_from_bpo      => False
+    use_rocm_amd_smi        => False
+    is_kubernetes_node      => False

File[/etc/kubernetes/pki/dse__kubelet_server-key.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__kubelet_server-key.pem].orig
+++ File[/etc/kubernetes/pki/dse__kubelet_server-key.pem]

+    mode      => 0440
+    group     => root
+    show_diff => False
+    owner     => kube
+    backup    => False
+    ensure    => file

File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.service]

Parameters differences:

--- File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.service].orig
+++ File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.service]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.service (rsyslog-release-deleted-inotify-watches.service)]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /lib/systemd/system/rsyslog-release-deleted-inotify-watches.service.orig
+++ /lib/systemd/system/rsyslog-release-deleted-inotify-watches.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Restart rsyslog to release inotify watches of deleted container logs
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/sbin/rsyslog-release-deleted-inotify-watches

Exec[Generate cert dse__calicoctl]

Parameters differences:

--- Exec[Generate cert dse__calicoctl].orig
+++ Exec[Generate cert dse__calicoctl]

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__calicoctl.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/kubernetes/pki/dse__calicoctl-key.pem 2>&1)"

+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__calicoctl.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calicoctl

+    environment => ['GODEBUG=x509ignoreCN=0']
+    require     => Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr]

File[/etc/systemd/system/ferm.service.d/ferm-service-auto-restart.conf]

Parameters differences:

--- File[/etc/systemd/system/ferm.service.d/ferm-service-auto-restart.conf].orig
+++ File[/etc/systemd/system/ferm.service.d/ferm-service-auto-restart.conf]

+    mode   => 0444
+    group  => root
+    notify => Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-auto-restart)]
+    owner  => root
+    source => puppet:///modules/profile/kubernetes/node/ferm_systemd_override
+    ensure => present

File[/etc/calico/pki]

Parameters differences:

--- File[/etc/calico/pki].orig
+++ File[/etc/calico/pki]

+    mode   => 0755
+    ensure => absent
+    group  => root
+    owner  => root

Apt::Package_from_component[kubernetes131]

Parameters differences:

--- Apt::Package_from_component[kubernetes131].orig
+++ Apt::Package_from_component[kubernetes131]

+    uri             => http://apt.wikimedia.org/wikimedia
+    packages        => []
+    distro          => bookworm-wikimedia
+    component       => component/kubernetes131
+    ensure          => present
+    ensure_packages => True
+    priority        => 1001

Exec[Generate cert dse__rsyslog refresh on intermediate ca change]

Parameters differences:

--- Exec[Generate cert dse__rsyslog refresh on intermediate ca change].orig
+++ Exec[Generate cert dse__rsyslog refresh on intermediate ca change]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[rsyslog]']
+    require     => Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr]
+    refreshonly => True
+    subscribe   => File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__rsyslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog

Exec[create chained cert /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem]

Parameters differences:

--- Exec[create chained cert /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem].orig
+++ Exec[create chained cert /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem]

+    unless    => /usr/bin/test "$(/bin/cat /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.pem /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem | sha512sum)" == "$(/bin/cat /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chained.pem | sha512sum)"

+    notify    => ['Service[kubelet]']
+    require   => Exec[Generate cert dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet refresh on intermediate ca change]
+    subscribe => ['Exec[renew certificate - dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet]', 'File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem]', 'File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.pem]']
+    command   => /bin/cat /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.pem /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chain.pem > /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.chained.pem

Systemd::Syslog[prometheus_lvs_realserver_mss]

Parameters differences:

--- Systemd::Syslog[prometheus_lvs_realserver_mss].orig
+++ Systemd::Syslog[prometheus_lvs_realserver_mss]

+    group                  => root
+    force_stop             => True
+    log_filename           => syslog.log
+    owner                  => root
+    ensure                 => absent
+    base_dir               => /var/log
+    readable_by            => all
+    programname_comparison => startswith

Class[Base::Kernel]

Parameters differences:

--- Class[Base::Kernel].orig
+++ Class[Base::Kernel]

@@
-    overlayfs => False
+    overlayfs => True

Exec[Generate cert dse__kubelet_server refresh]

Parameters differences:

--- Exec[Generate cert dse__kubelet_server refresh].orig
+++ Exec[Generate cert dse__kubelet_server refresh]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    notify      => ['Service[kubelet]']
+    refreshonly => True
+    subscribe   => File[/etc/cfssl/csr/dse__kubelet_server.csr]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse -profile server /etc/cfssl/csr/dse__kubelet_server.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__kubelet_server

File[/lib/systemd/system/rsyslog-imfile-remedy.timer]

Parameters differences:

--- File[/lib/systemd/system/rsyslog-imfile-remedy.timer].orig
+++ File[/lib/systemd/system/rsyslog-imfile-remedy.timer]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for rsyslog-imfile-remedy.timer (rsyslog-imfile-remedy.timer)]
+    group  => root
+    owner  => root
+    ensure => present

Content differences:

--- /lib/systemd/system/rsyslog-imfile-remedy.timer.orig
+++ /lib/systemd/system/rsyslog-imfile-remedy.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Periodic execution of rsyslog-imfile-remedy.service
+
+[Timer]
+Unit=rsyslog-imfile-remedy.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnCalendar=*-*-* 00/3:19:00
+RandomizedDelaySec=30
+
+[Install]
+WantedBy=multi-user.target

Sysctl::Parameters[ubuntu defaults]

Parameters differences:

--- Sysctl::Parameters[ubuntu defaults].orig
+++ Sysctl::Parameters[ubuntu defaults]

@@
-    values => {'kernel.printk': [4, 4, 1, 7], 'kernel.kptr_restrict': 1, 'net.ipv4.conf.default.rp_filter': 1, 'net.ipv4.conf.all.rp_filter': 1, 'net.ipv4.tcp_syncookies': 1, 'kernel.yama.ptrace_scope': 1, 'fs.protected_hardlinks': 1, 'fs.protected_symlinks': 1, 'vm.mmap_min_addr': 65536}
+    values => {'kernel.printk': [4, 4, 1, 7], 'kernel.kptr_restrict': 1, 'net.ipv4.conf.default.rp_filter': 1, 'net.ipv4.conf.all.rp_filter': 0, 'net.ipv4.tcp_syncookies': 1, 'kernel.yama.ptrace_scope': 1, 'fs.protected_hardlinks': 1, 'fs.protected_symlinks': 1, 'vm.mmap_min_addr': 65536}

File[/etc/calico]

Parameters differences:

--- File[/etc/calico].orig
+++ File[/etc/calico]

+    mode   => 0755
+    ensure => directory
+    group  => root
+    owner  => root

Systemd::Service[set-rbd-readahead]

Parameters differences:

--- Systemd::Service[set-rbd-readahead].orig
+++ Systemd::Service[set-rbd-readahead]

+    unit_type                => timer
+    service_params           => {}
+    require                  => Systemd::Unit[set-rbd-readahead.service]
+    monitoring_contact_group => admins
+    ensure                   => absent
+    restart                  => False
+    migration_task           => T407130
+    monitoring_critical      => False
+    monitoring_enabled       => False
+    override                 => False

File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr].orig
+++ File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test1001_eqiad_wmnet.csr]

+    mode   => 0440
+    ensure => file
+    group  => root
+    owner  => kube

Augeas[ipip0_add_up]

Parameters differences:

--- Augeas[ipip0_add_up].orig
+++ Augeas[ipip0_add_up]

+    lens    => Interfaces.lns
+    onlyif  => match up[. = 'ip link add name ipip0 type ipip external'] size == 0
+    require => Interface::Manual[ipip_ipv4]
+    context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']
+    incl    => /etc/network/interfaces
+    changes => set up[last()+1] 'ip link add name ipip0 type ipip external'

File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem].orig
+++ File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem]

+    mode      => 0440
+    group     => root
+    show_diff => False
+    owner     => root
+    backup    => False
+    ensure    => file

File[/etc/kubernetes/pki/dse__istio-cni.csr]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__istio-cni.csr].orig
+++ File[/etc/kubernetes/pki/dse__istio-cni.csr]

+    mode   => 0440
+    ensure => absent
+    group  => root
+    owner  => root

File[/etc/ferm/conf.d/10_kubelet-http]

Parameters differences:

--- File[/etc/ferm/conf.d/10_kubelet-http].orig
+++ File[/etc/ferm/conf.d/10_kubelet-http]

+    mode    => 0400
+    group   => root
+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    owner   => root
+    ensure  => present
+    tag     => ferm

Content differences:

--- /etc/ferm/conf.d/10_kubelet-http.orig
+++ /etc/ferm/conf.d/10_kubelet-http
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 10250, (@resolve((dse-k8s-ctrl1001.eqiad.wmnet dse-k8s-ctrl1002.eqiad.wmnet)) @resolve((dse-k8s-ctrl1001.eqiad.wmnet dse-k8s-ctrl1002.eqiad.wmnet), AAAA)));
+
+

Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]

Parameters differences:

--- Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)].orig
+++ Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]

+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

File[/etc/default/cpufrequtils]

Parameters differences:

--- File[/etc/default/cpufrequtils].orig
+++ File[/etc/default/cpufrequtils]

+    group   => root
+    require => Package[cpufrequtils]
+    owner   => root

Content differences:

--- /etc/default/cpufrequtils.orig
+++ /etc/default/cpufrequtils
@@ -0,0 +1 @@
+GOVERNOR=performance

File[/etc/cfssl/csr/dse__calico-cni.csr]

Parameters differences:

--- File[/etc/cfssl/csr/dse__calico-cni.csr].orig
+++ File[/etc/cfssl/csr/dse__calico-cni.csr]

+    mode   => 0400
+    ensure => file
+    group  => root
+    owner  => root

Content differences:

--- /etc/cfssl/csr/dse__calico-cni.csr.orig
+++ /etc/cfssl/csr/dse__calico-cni.csr
@@ -0,0 +1,13 @@
+{
+  "CN": "calico-cni",
+  "hosts": [
+    "calico-cni"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+
+  ]
+}

Ferm::Rule[clamp-mss-ipv6]

Parameters differences:

--- Ferm::Rule[clamp-mss-ipv6].orig
+++ Ferm::Rule[clamp-mss-ipv6]

+    table  => filter
+    prio   => 10
+    domain => (ip6)
+    desc   => 
+    ensure => absent
+    chain  => OUTPUT
+    rule   => outerface (ens2f0np0 lo) saddr @ipfilter(10.2.2.91) proto tcp sport (30443) tcp-flags (SYN) SYN TCPMSS set-mss 1400;

File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem].orig
+++ File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem]

+    mode   => 0440
+    group  => root
+    owner  => kube
+    source => puppet:///modules/profile/pki/intermediates/dse-cert.pem
+    ensure => file

Class[Adduser]

Parameters differences:

--- Class[Adduser].orig
+++ Class[Adduser]

@@
-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']
+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[crictl]', 'Package[containerd]', 'Package[nerdctl]', 'Package[rsyslog-kubernetes]', 'Package[cpufrequtils]', 'Package[apparmor]', 'Package[socat]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[wikimedia-lvs-realserver]', 'Package[tcp-mss-clamper]', 'Package[linux-base]', 'Package[linux-image-6.12.88+deb12-amd64]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[kubernetes-node]', 'Package[calicoctl]', 'Package[calico-cni]', 'Package[istio-cni]']

Interface::Clsact[clsact_lo]

Parameters differences:

--- Interface::Clsact[clsact_lo].orig
+++ Interface::Clsact[clsact_lo]

+    ensure    => absent
+    interface => lo

Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]

Parameters differences:

--- Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header].orig
+++ Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]

+    source => puppet:///modules/apt/sources-deb822-header.txt
+    order  => 01
+    target => /etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources

Augeas[ipip0_127.0.0.42/32]

Parameters differences:

--- Augeas[ipip0_127.0.0.42/32].orig
+++ Augeas[ipip0_127.0.0.42/32]

+    lens    => Interfaces.lns
+    onlyif  => match up[. = 'ip addr add 127.0.0.42/32 dev ipip0'] size == 0
+    context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']
+    incl    => /etc/network/interfaces
+    changes => set up[last()+1] 'ip addr add 127.0.0.42/32 dev ipip0'

File[/etc/cni/net.d/calico-kubeconfig]

Parameters differences:

--- File[/etc/cni/net.d/calico-kubeconfig].orig
+++ File[/etc/cni/net.d/calico-kubeconfig]

+    mode   => 0400
+    ensure => present
+    group  => root
+    owner  => root

Content differences:

--- /etc/cni/net.d/calico-kubeconfig.orig
+++ /etc/cni/net.d/calico-kubeconfig
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+preferences: {}
+current-context: default-system
+contexts:
+- name: default-system
+  context:
+    cluster: default-cluster
+    user: calico-cni
+clusters:
+- name: default-cluster
+  cluster:
+    server: https://dse-k8s-ctrl.svc.eqiad.wmnet:6443
+users:
+- name: calico-cni
+  user:
+    client-certificate: /etc/kubernetes/pki/dse__calico-cni.pem
+    client-key: /etc/kubernetes/pki/dse__calico-cni-key.pem

File[/etc/default/kube-proxy]

Parameters differences:

--- File[/etc/default/kube-proxy].orig
+++ File[/etc/default/kube-proxy]

+    mode   => 0644
+    notify => Service[kube-proxy]
+    group  => root
+    owner  => root
+    ensure => file

Content differences:

--- /etc/default/kube-proxy.orig
+++ /etc/default/kube-proxy
@@ -0,0 +1,7 @@
+###
+# Kubernetes proxy config.
+
+# default config should be adequate
+
+DAEMON_ARGS="--config=/etc/kubernetes/kube-proxy-config.yaml \
+ --v=0"

Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]

Parameters differences:

--- Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)].orig
+++ Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]

+    command     => /bin/systemctl daemon-reload
+    refreshonly => True

Cfssl::Cert[dse__rsyslog]

Parameters differences:

--- Cfssl::Cert[dse__rsyslog].orig
+++ Cfssl::Cert[dse__rsyslog]

+    mode            => 0740
+    label           => dse
+    provide_chain   => True
+    group           => root
+    auto_renew      => True
+    owner           => root
+    notify_services => ['rsyslog']
+    ensure          => present
+    hosts           => []
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    key             => {'algo': 'ecdsa', 'size': 256}
+    before_services => []
+    names           => [{'organisation': 'view'}]
+    common_name     => rsyslog

Augeas[ipip60_manual]

Parameters differences:

--- Augeas[ipip60_manual].orig
+++ Augeas[ipip60_manual]

+    lens    => Interfaces.lns
+    incl    => /etc/network/interfaces
+    context => /files/etc/network/interfaces
+    changes => ["set auto[./1 = 'ipip60']/1 'ipip60'", "set iface[. = 'ipip60'] 'ipip60'", "set iface[. = 'ipip60']/family 'inet6'", "set iface[. = 'ipip60']/method 'manual'"]

Service[prometheus_ferm_mss.timer]

Parameters differences:

--- Service[prometheus_ferm_mss.timer].orig
+++ Service[prometheus_ferm_mss.timer]

+    before   => ['Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]']
+    ensure   => stopped
+    enable   => False
+    provider => systemd

File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]

Parameters differences:

--- File[/lib/systemd/system/prometheus_lvs_realserver_mss.service].orig
+++ File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /lib/systemd/system/prometheus_lvs_realserver_mss.service.orig
+++ /lib/systemd/system/prometheus_lvs_realserver_mss.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Regular job to collect MSS values of realserver endpoints
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/bin/prometheus-lvs-realserver-mss -o /var/lib/prometheus/node.d/lvs-realserver-mss.prom -e 10.2.2.91:30443

File[/etc/kubernetes/pki/dse__calico-cni.chained.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__calico-cni.chained.pem].orig
+++ File[/etc/kubernetes/pki/dse__calico-cni.chained.pem]

+    ensure  => file
+    group   => root
+    require => Exec[create chained cert /etc/kubernetes/pki/dse__calico-cni.chain.pem]
+    owner   => root

Class[Profile::Monitoring]

Parameters differences:

--- Class[Profile::Monitoring].orig
+++ Class[Profile::Monitoring]

@@
-    nagios_group            => insetup_eqiad
+    nagios_group            => dse_k8s_eqiad
@@
-    notifications_enabled   => False
+    notifications_enabled   => True
@@
-    nrpe_check_disk_options => -w 6% -c 3% -W 6% -K 3% -l -e -A -i "/srv/sd[a-b][1-3]" -i "/srv/nvme[0-9]n[0-9]p[0-9]" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs
+    nrpe_check_disk_options => -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs
@@
-    cluster                 => insetup
+    cluster                 => dse_k8s

Package[apparmor]

Parameters differences:

--- Package[apparmor].orig
+++ Package[apparmor]

+    ensure   => installed
+    provider => apt

Logrotate::Conf[prometheus_lvs_realserver_mss]

Parameters differences:

--- Logrotate::Conf[prometheus_lvs_realserver_mss].orig
+++ Logrotate::Conf[prometheus_lvs_realserver_mss]

+    ensure => absent

File[/etc/ferm/conf.d/10_calico-bird]

Parameters differences:

--- File[/etc/ferm/conf.d/10_calico-bird].orig
+++ File[/etc/ferm/conf.d/10_calico-bird]

+    mode    => 0400
+    group   => root
+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    owner   => root
+    ensure  => present
+    tag     => ferm

Content differences:

--- /etc/ferm/conf.d/10_calico-bird.orig
+++ /etc/ferm/conf.d/10_calico-bird
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 179, ($NETWORK_INFRA 10.64.185.1));
+
+

Exec[/sbin/modprobe overlay]

Parameters differences:

--- Exec[/sbin/modprobe overlay].orig
+++ Exec[/sbin/modprobe overlay]

+    unless      => /bin/lsmod | /bin/grep -q '^overlay '
+    refreshonly => True

Systemd::Unit[rsyslog-release-deleted-inotify-watches.timer]

Parameters differences:

--- Systemd::Unit[rsyslog-release-deleted-inotify-watches.timer].orig
+++ Systemd::Unit[rsyslog-release-deleted-inotify-watches.timer]

+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => absent
+    override_filename => puppet-override.conf
+    restart           => False
+    unit              => rsyslog-release-deleted-inotify-watches.timer

Exec[Generate cert dse__calicoctl refresh on intermediate ca change]

Parameters differences:

--- Exec[Generate cert dse__calicoctl refresh on intermediate ca change].orig
+++ Exec[Generate cert dse__calicoctl refresh on intermediate ca change]

+    environment => ['GODEBUG=x509ignoreCN=0']
+    require     => Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr]
+    refreshonly => True
+    subscribe   => File[/etc/kubernetes/pki/dse__calicoctl.chain.pem]
+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test1001.eqiad.wmnet.pem -label dse  /etc/cfssl/csr/dse__calicoctl.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calicoctl

File[/lib/systemd/system/set-rbd-readahead.timer]

Parameters differences:

--- File[/lib/systemd/system/set-rbd-readahead.timer].orig
+++ File[/lib/systemd/system/set-rbd-readahead.timer]

+    mode   => 0444
+    notify => Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)]
+    group  => root
+    owner  => root
+    ensure => absent

Content differences:

--- /lib/systemd/system/set-rbd-readahead.timer.orig
+++ /lib/systemd/system/set-rbd-readahead.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Periodic execution of set-rbd-readahead.service
+
+[Timer]
+Unit=set-rbd-readahead.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnCalendar=*:0/5
+RandomizedDelaySec=0
+
+[Install]
+WantedBy=multi-user.target

File[/etc/kubernetes/pki/dse__calico-cni.pem]

Parameters differences:

--- File[/etc/kubernetes/pki/dse__calico-cni.pem].orig
+++ File[/etc/kubernetes/pki/dse__calico-cni.pem]

+    mode   => 0440
+    ensure => file
+    group  => root
+    owner  => root

Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]

Parameters differences:

--- Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver].orig
+++ Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]

+    path        => /bin:/sbin:/usr/bin:/usr/sbin
+    subscribe   => File[/etc/default/wikimedia-lvs-realserver]
+    require     => Package[wikimedia-lvs-realserver]
+    refreshonly => True

Exec[apt_package_from_component_calico329]

Parameters differences:

--- Exec[apt_package_from_component_calico329].orig
+++ Exec[apt_package_from_component_calico329]

+    before      => ['Package[calicoctl]', 'Package[calico-cni]']
+    command     => /usr/bin/apt-get update
+    subscribe   => Apt::Repository[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]
+    refreshonly => True

Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]

Parameters differences:

--- Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer].orig
+++ Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]

+    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]']
+    ensure   => stopped
+    enable   => False
+    provider => systemd

File[/etc/modules-load.d/overlay.conf]

Parameters differences:

--- File[/etc/modules-load.d/overlay.conf].orig
+++ File[/etc/modules-load.d/overlay.conf]

+    mode   => 0444
+    notify => Exec[/sbin/modprobe overlay]
+    group  => root
+    owner  => root
+    ensure => present

Content differences:

--- /etc/modules-load.d/overlay.conf.orig
+++ /etc/modules-load.d/overlay.conf
@@ -0,0 +1 @@
+overlay

Compilation results for dse-k8s-wdqs-test1001.eqiad.wmnet: System changes detected

Catalog differences

Summary

Resources only in the new catalog

Resources only in the old catalog

Resources modified

Relevant files